Analysis
max time kernel
39s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20250410-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20250410-en locale:en-us os:windows10-2004-x64 system -
submitted
18/04/2025, 07:03
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe
Resource
win10v2004-20250410-en
Behavioral task
behavioral2
Sample
JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe
Resource
win11-20250410-en
General
Target
JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe
Size
952KB
MD5
bd0b66050d49b213e682c9f3dbddd4f4
SHA1
3e6dc7c446dc88cd3b9aa237c8d4836bff134a18
SHA256
36f7aefe30f8fdda2c6a568efa39ed27bd09956fc7123a034285cf8e5f0d91a7
SHA512
7d0b3e9d573564d7d937b9ec83f21682a692c5ddb3797b155866b7620ecfebd6d2e444ab6d5a3f17b0d15a2db6af11f84aedfc93671c68d239cd2236c3b75ffa
SSDEEP
12288:7maNhOPnxBnHkapLjTn/rhlUy1WZyDYilDLvxtJzzxHs0oPYJaf4DbC:7CBnHZpLHrtW8nvzKT+u
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 16 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" edhsp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" edhsp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" bqyqvqrmlai.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" bqyqvqrmlai.exe -
Pykspa family
UAC bypass 3 TTPs 25 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" edhsp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" edhsp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" edhsp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" edhsp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" edhsp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" edhsp.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" edhsp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" edhsp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe -
Detect Pykspa worm 2 IoCs
resource yara_rule behavioral1/files/0x00040000000230c0-3.dat family_pykspa behavioral1/files/0x00100000000004ec-86.dat family_pykspa -
Adds policy Run key to start application 2 TTPs 55 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rtaoozgm = "rduscxoecruqfeqsac.exe" edhsp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rtaoozgm = "rduscxoecruqfeqsac.exe" edhsp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\edhsp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\etnobztmnflkcetyjoshb.exe" edhsp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rtaoozgm = "blawexmawjkeroyy.exe" edhsp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run bqyqvqrmlai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rtaoozgm = "itjgpjzolzbwkitub.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\edhsp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pdwwifyqqhmkbcqueilz.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\edhsp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\etnobztmnflkcetyjoshb.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\edhsp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cphgrnfwvlpmccpsbeg.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rtaoozgm = "itjgpjzolzbwkitub.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\edhsp = 
"C:\\Users\\Admin\\AppData\\Local\\Temp\\pdwwifyqqhmkbcqueilz.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rtaoozgm = "blawexmawjkeroyy.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rtaoozgm = "pdwwifyqqhmkbcqueilz.exe" edhsp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rtaoozgm = "pdwwifyqqhmkbcqueilz.exe" bqyqvqrmlai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run edhsp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rtaoozgm = "blawexmawjkeroyy.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rtaoozgm = "cphgrnfwvlpmccpsbeg.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rtaoozgm = "cphgrnfwvlpmccpsbeg.exe" bqyqvqrmlai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\edhsp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\itjgpjzolzbwkitub.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rtaoozgm = "pdwwifyqqhmkbcqueilz.exe" bqyqvqrmlai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\edhsp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\blawexmawjkeroyy.exe" bqyqvqrmlai.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rtaoozgm = "pdwwifyqqhmkbcqueilz.exe" edhsp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rtaoozgm = "etnobztmnflkcetyjoshb.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\edhsp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rduscxoecruqfeqsac.exe" bqyqvqrmlai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run edhsp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\edhsp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rduscxoecruqfeqsac.exe" edhsp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\edhsp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cphgrnfwvlpmccpsbeg.exe" edhsp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\edhsp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pdwwifyqqhmkbcqueilz.exe" bqyqvqrmlai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rtaoozgm = "etnobztmnflkcetyjoshb.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\edhsp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pdwwifyqqhmkbcqueilz.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rtaoozgm = "rduscxoecruqfeqsac.exe" bqyqvqrmlai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\edhsp = 
"C:\\Users\\Admin\\AppData\\Local\\Temp\\itjgpjzolzbwkitub.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rtaoozgm = "blawexmawjkeroyy.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rtaoozgm = "itjgpjzolzbwkitub.exe" edhsp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rtaoozgm = "etnobztmnflkcetyjoshb.exe" bqyqvqrmlai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run bqyqvqrmlai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run bqyqvqrmlai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\edhsp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rduscxoecruqfeqsac.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\edhsp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pdwwifyqqhmkbcqueilz.exe" edhsp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\edhsp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\blawexmawjkeroyy.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\edhsp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\itjgpjzolzbwkitub.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\edhsp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\itjgpjzolzbwkitub.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\edhsp = 
"C:\\Users\\Admin\\AppData\\Local\\Temp\\pdwwifyqqhmkbcqueilz.exe" edhsp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run bqyqvqrmlai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rtaoozgm = "etnobztmnflkcetyjoshb.exe" bqyqvqrmlai.exe -
Disables RegEdit via registry modification 7 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" bqyqvqrmlai.exe Set value (int) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" edhsp.exe Set value (int) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" edhsp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" edhsp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" edhsp.exe Set value (int) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" bqyqvqrmlai.exe -
Checks computer location settings 2 TTPs 64 IoCs
Looks up the country code configured in the registry, likely a geofence check.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation cphgrnfwvlpmccpsbeg.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation blawexmawjkeroyy.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation itjgpjzolzbwkitub.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation etnobztmnflkcetyjoshb.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation itjgpjzolzbwkitub.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation rduscxoecruqfeqsac.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation cphgrnfwvlpmccpsbeg.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation etnobztmnflkcetyjoshb.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation itjgpjzolzbwkitub.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation etnobztmnflkcetyjoshb.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation blawexmawjkeroyy.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation cphgrnfwvlpmccpsbeg.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation blawexmawjkeroyy.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation itjgpjzolzbwkitub.exe Key value 
queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation itjgpjzolzbwkitub.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation pdwwifyqqhmkbcqueilz.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation itjgpjzolzbwkitub.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation cphgrnfwvlpmccpsbeg.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation cphgrnfwvlpmccpsbeg.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation itjgpjzolzbwkitub.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation pdwwifyqqhmkbcqueilz.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation pdwwifyqqhmkbcqueilz.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation pdwwifyqqhmkbcqueilz.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation blawexmawjkeroyy.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation cphgrnfwvlpmccpsbeg.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation etnobztmnflkcetyjoshb.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation blawexmawjkeroyy.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation cphgrnfwvlpmccpsbeg.exe Key value queried 
\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation blawexmawjkeroyy.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation etnobztmnflkcetyjoshb.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation pdwwifyqqhmkbcqueilz.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation rduscxoecruqfeqsac.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation rduscxoecruqfeqsac.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation rduscxoecruqfeqsac.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation cphgrnfwvlpmccpsbeg.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation cphgrnfwvlpmccpsbeg.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation blawexmawjkeroyy.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation etnobztmnflkcetyjoshb.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation rduscxoecruqfeqsac.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation cphgrnfwvlpmccpsbeg.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation cphgrnfwvlpmccpsbeg.exe Key value queried 
\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation etnobztmnflkcetyjoshb.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation rduscxoecruqfeqsac.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation pdwwifyqqhmkbcqueilz.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation rduscxoecruqfeqsac.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation itjgpjzolzbwkitub.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation blawexmawjkeroyy.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation pdwwifyqqhmkbcqueilz.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation bqyqvqrmlai.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation rduscxoecruqfeqsac.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation itjgpjzolzbwkitub.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation rduscxoecruqfeqsac.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation cphgrnfwvlpmccpsbeg.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation pdwwifyqqhmkbcqueilz.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation rduscxoecruqfeqsac.exe Key value queried 
\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation rduscxoecruqfeqsac.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation cphgrnfwvlpmccpsbeg.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation blawexmawjkeroyy.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation rduscxoecruqfeqsac.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation cphgrnfwvlpmccpsbeg.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation blawexmawjkeroyy.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation cphgrnfwvlpmccpsbeg.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation rduscxoecruqfeqsac.exe -
Executes dropped EXE 64 IoCs
pid Process 1120 bqyqvqrmlai.exe 4580 rduscxoecruqfeqsac.exe 4912 blawexmawjkeroyy.exe 4836 cphgrnfwvlpmccpsbeg.exe 3008 itjgpjzolzbwkitub.exe 4840 pdwwifyqqhmkbcqueilz.exe 5036 pdwwifyqqhmkbcqueilz.exe 5988 bqyqvqrmlai.exe 3312 bqyqvqrmlai.exe 6104 rduscxoecruqfeqsac.exe 5144 bqyqvqrmlai.exe 5976 etnobztmnflkcetyjoshb.exe 2436 bqyqvqrmlai.exe 1332 edhsp.exe 5432 edhsp.exe 1220 rduscxoecruqfeqsac.exe 4104 blawexmawjkeroyy.exe 5852 blawexmawjkeroyy.exe 840 itjgpjzolzbwkitub.exe 4548 bqyqvqrmlai.exe 4580 bqyqvqrmlai.exe 3648 cphgrnfwvlpmccpsbeg.exe 5232 cphgrnfwvlpmccpsbeg.exe 5848 blawexmawjkeroyy.exe 3168 rduscxoecruqfeqsac.exe 5420 etnobztmnflkcetyjoshb.exe 4852 cphgrnfwvlpmccpsbeg.exe 1584 cphgrnfwvlpmccpsbeg.exe 4052 rduscxoecruqfeqsac.exe 5036 pdwwifyqqhmkbcqueilz.exe 4712 pdwwifyqqhmkbcqueilz.exe 5756 rduscxoecruqfeqsac.exe 3616 blawexmawjkeroyy.exe 3712 bqyqvqrmlai.exe 548 bqyqvqrmlai.exe 2100 bqyqvqrmlai.exe 892 bqyqvqrmlai.exe 5684 bqyqvqrmlai.exe 4056 rduscxoecruqfeqsac.exe 1816 rduscxoecruqfeqsac.exe 2628 bqyqvqrmlai.exe 5544 rduscxoecruqfeqsac.exe 2856 blawexmawjkeroyy.exe 4104 bqyqvqrmlai.exe 2552 cphgrnfwvlpmccpsbeg.exe 4528 cphgrnfwvlpmccpsbeg.exe 5520 etnobztmnflkcetyjoshb.exe 4304 bqyqvqrmlai.exe 2400 blawexmawjkeroyy.exe 1280 bqyqvqrmlai.exe 4256 bqyqvqrmlai.exe 4428 rduscxoecruqfeqsac.exe 5052 blawexmawjkeroyy.exe 5140 bqyqvqrmlai.exe 4724 cphgrnfwvlpmccpsbeg.exe 5756 rduscxoecruqfeqsac.exe 4664 rduscxoecruqfeqsac.exe 540 bqyqvqrmlai.exe 3580 pdwwifyqqhmkbcqueilz.exe 1912 rduscxoecruqfeqsac.exe 5484 itjgpjzolzbwkitub.exe 4368 etnobztmnflkcetyjoshb.exe 6004 bqyqvqrmlai.exe 5648 cphgrnfwvlpmccpsbeg.exe -
Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager edhsp.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys edhsp.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc edhsp.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power edhsp.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys edhsp.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc edhsp.exe -
Adds Run key to start application 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wblcftdmdlh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\blawexmawjkeroyy.exe ." edhsp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tzkcgvgqiroe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rduscxoecruqfeqsac.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bfoegtckah = "itjgpjzolzbwkitub.exe ." bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bfoegtckah = "pdwwifyqqhmkbcqueilz.exe ." edhsp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iltijvdkz = "rduscxoecruqfeqsac.exe" edhsp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ppugen = "C:\\Users\\Admin\\AppData\\Local\\Temp\\etnobztmnflkcetyjoshb.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cdjwvfl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rduscxoecruqfeqsac.exe ." edhsp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ppugen = "pdwwifyqqhmkbcqueilz.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ppugen = "blawexmawjkeroyy.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wblcftdmdlh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cphgrnfwvlpmccpsbeg.exe ." 
bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ppugen = "etnobztmnflkcetyjoshb.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tzkcgvgqiroe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pdwwifyqqhmkbcqueilz.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\cdjwvfl = "blawexmawjkeroyy.exe ." bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iltijvdkz = "rduscxoecruqfeqsac.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ppugen = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rduscxoecruqfeqsac.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ppugen = "pdwwifyqqhmkbcqueilz.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\cdjwvfl = "itjgpjzolzbwkitub.exe ." bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iltijvdkz = "itjgpjzolzbwkitub.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tzkcgvgqiroe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rduscxoecruqfeqsac.exe" edhsp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wblcftdmdlh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cphgrnfwvlpmccpsbeg.exe ." bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\cdjwvfl = "blawexmawjkeroyy.exe ." 
edhsp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ppugen = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pdwwifyqqhmkbcqueilz.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iltijvdkz = "etnobztmnflkcetyjoshb.exe" edhsp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\cdjwvfl = "rduscxoecruqfeqsac.exe ." bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iltijvdkz = "etnobztmnflkcetyjoshb.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bfoegtckah = "rduscxoecruqfeqsac.exe ." bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ppugen = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pdwwifyqqhmkbcqueilz.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wblcftdmdlh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pdwwifyqqhmkbcqueilz.exe ." 
bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tzkcgvgqiroe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cphgrnfwvlpmccpsbeg.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ppugen = "C:\\Users\\Admin\\AppData\\Local\\Temp\\etnobztmnflkcetyjoshb.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iltijvdkz = "cphgrnfwvlpmccpsbeg.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ppugen = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rduscxoecruqfeqsac.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ppugen = "rduscxoecruqfeqsac.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bfoegtckah = "cphgrnfwvlpmccpsbeg.exe ." bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iltijvdkz = "blawexmawjkeroyy.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cdjwvfl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\blawexmawjkeroyy.exe ." bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bfoegtckah = "itjgpjzolzbwkitub.exe ." bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wblcftdmdlh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rduscxoecruqfeqsac.exe ." 
bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cdjwvfl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cphgrnfwvlpmccpsbeg.exe ." bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wblcftdmdlh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\itjgpjzolzbwkitub.exe ." bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cdjwvfl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\itjgpjzolzbwkitub.exe ." bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wblcftdmdlh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cphgrnfwvlpmccpsbeg.exe ." bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ppugen = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cphgrnfwvlpmccpsbeg.exe" edhsp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cdjwvfl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\itjgpjzolzbwkitub.exe ." bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cdjwvfl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\blawexmawjkeroyy.exe ." bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iltijvdkz = "etnobztmnflkcetyjoshb.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wblcftdmdlh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\itjgpjzolzbwkitub.exe ." 
bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wblcftdmdlh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pdwwifyqqhmkbcqueilz.exe ." edhsp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\cdjwvfl = "rduscxoecruqfeqsac.exe ." bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bfoegtckah = "rduscxoecruqfeqsac.exe ." bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tzkcgvgqiroe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rduscxoecruqfeqsac.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\cdjwvfl = "itjgpjzolzbwkitub.exe ." bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wblcftdmdlh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rduscxoecruqfeqsac.exe ." bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\cdjwvfl = "rduscxoecruqfeqsac.exe ." bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bfoegtckah = "etnobztmnflkcetyjoshb.exe ." bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wblcftdmdlh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cphgrnfwvlpmccpsbeg.exe ." 
edhsp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ppugen = "itjgpjzolzbwkitub.exe" edhsp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iltijvdkz = "blawexmawjkeroyy.exe" edhsp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ppugen = "cphgrnfwvlpmccpsbeg.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bfoegtckah = "rduscxoecruqfeqsac.exe ." bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wblcftdmdlh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\blawexmawjkeroyy.exe ." bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cdjwvfl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\etnobztmnflkcetyjoshb.exe ." bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wblcftdmdlh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cphgrnfwvlpmccpsbeg.exe ." bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cdjwvfl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\etnobztmnflkcetyjoshb.exe ." edhsp.exe -
Checks whether UAC is enabled 1 TTPs 32 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bqyqvqrmlai.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bqyqvqrmlai.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bqyqvqrmlai.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA edhsp.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bqyqvqrmlai.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA edhsp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" edhsp.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bqyqvqrmlai.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bqyqvqrmlai.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" edhsp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe -
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possible attempt to turn off User Account Control's privilege elevation for standard users.
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" edhsp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" edhsp.exe -
Looks up external IP address via web service 8 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 44 whatismyip.everdot.org 47 whatismyip.everdot.org 28 whatismyip.everdot.org 31 whatismyipaddress.com 34 www.showmyipaddress.com 36 www.whatismyip.ca 39 whatismyip.everdot.org 41 www.whatismyip.ca -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\rduscxoecruqfeqsac.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\vlgiwvqkmfmmfiyeqwbrmo.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\cphgrnfwvlpmccpsbeg.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\pdwwifyqqhmkbcqueilz.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\rduscxoecruqfeqsac.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\rduscxoecruqfeqsac.exe edhsp.exe File opened for modification C:\Windows\SysWOW64\blawexmawjkeroyy.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\rduscxoecruqfeqsac.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\vlgiwvqkmfmmfiyeqwbrmo.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\cphgrnfwvlpmccpsbeg.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\itjgpjzolzbwkitub.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\pdwwifyqqhmkbcqueilz.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\blawexmawjkeroyy.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\blawexmawjkeroyy.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\itjgpjzolzbwkitub.exe bqyqvqrmlai.exe File created C:\Windows\SysWOW64\tzkcgvgqiroengmikgbhskodoyqzwmvouq.ojp edhsp.exe File opened for modification C:\Windows\SysWOW64\blawexmawjkeroyy.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\pdwwifyqqhmkbcqueilz.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\cphgrnfwvlpmccpsbeg.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\itjgpjzolzbwkitub.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\etnobztmnflkcetyjoshb.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\vlgiwvqkmfmmfiyeqwbrmo.exe bqyqvqrmlai.exe File opened for modification 
C:\Windows\SysWOW64\rduscxoecruqfeqsac.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\etnobztmnflkcetyjoshb.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\cphgrnfwvlpmccpsbeg.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\pdwwifyqqhmkbcqueilz.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\etnobztmnflkcetyjoshb.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\rduscxoecruqfeqsac.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\pdwwifyqqhmkbcqueilz.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\pdwwifyqqhmkbcqueilz.exe edhsp.exe File opened for modification C:\Windows\SysWOW64\vlgiwvqkmfmmfiyeqwbrmo.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\etnobztmnflkcetyjoshb.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\rduscxoecruqfeqsac.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\blawexmawjkeroyy.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\pdwwifyqqhmkbcqueilz.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\etnobztmnflkcetyjoshb.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\rduscxoecruqfeqsac.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\vlgiwvqkmfmmfiyeqwbrmo.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\pdwwifyqqhmkbcqueilz.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\etnobztmnflkcetyjoshb.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\vlgiwvqkmfmmfiyeqwbrmo.exe edhsp.exe File opened for modification C:\Windows\SysWOW64\pdwwifyqqhmkbcqueilz.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\rduscxoecruqfeqsac.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\rduscxoecruqfeqsac.exe bqyqvqrmlai.exe File opened for modification 
C:\Windows\SysWOW64\rduscxoecruqfeqsac.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\rduscxoecruqfeqsac.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\itjgpjzolzbwkitub.exe edhsp.exe File opened for modification C:\Windows\SysWOW64\vlgiwvqkmfmmfiyeqwbrmo.exe edhsp.exe File opened for modification C:\Windows\SysWOW64\pdwwifyqqhmkbcqueilz.exe edhsp.exe File opened for modification C:\Windows\SysWOW64\blawexmawjkeroyy.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\etnobztmnflkcetyjoshb.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\gbbibffeljvaygbmdoyttat.xwd edhsp.exe File opened for modification C:\Windows\SysWOW64\cphgrnfwvlpmccpsbeg.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\itjgpjzolzbwkitub.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\pdwwifyqqhmkbcqueilz.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\rduscxoecruqfeqsac.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\vlgiwvqkmfmmfiyeqwbrmo.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\itjgpjzolzbwkitub.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\itjgpjzolzbwkitub.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\rduscxoecruqfeqsac.exe edhsp.exe File opened for modification C:\Windows\SysWOW64\blawexmawjkeroyy.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\etnobztmnflkcetyjoshb.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\blawexmawjkeroyy.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\blawexmawjkeroyy.exe edhsp.exe -
Drops file in Program Files directory 4 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\gbbibffeljvaygbmdoyttat.xwd edhsp.exe File created C:\Program Files (x86)\gbbibffeljvaygbmdoyttat.xwd edhsp.exe File opened for modification C:\Program Files (x86)\tzkcgvgqiroengmikgbhskodoyqzwmvouq.ojp edhsp.exe File created C:\Program Files (x86)\tzkcgvgqiroengmikgbhskodoyqzwmvouq.ojp edhsp.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\cphgrnfwvlpmccpsbeg.exe bqyqvqrmlai.exe File opened for modification C:\Windows\vlgiwvqkmfmmfiyeqwbrmo.exe bqyqvqrmlai.exe File opened for modification C:\Windows\etnobztmnflkcetyjoshb.exe bqyqvqrmlai.exe File opened for modification C:\Windows\rduscxoecruqfeqsac.exe bqyqvqrmlai.exe File opened for modification C:\Windows\vlgiwvqkmfmmfiyeqwbrmo.exe bqyqvqrmlai.exe File opened for modification C:\Windows\etnobztmnflkcetyjoshb.exe bqyqvqrmlai.exe File opened for modification C:\Windows\cphgrnfwvlpmccpsbeg.exe bqyqvqrmlai.exe File opened for modification C:\Windows\etnobztmnflkcetyjoshb.exe bqyqvqrmlai.exe File opened for modification C:\Windows\pdwwifyqqhmkbcqueilz.exe bqyqvqrmlai.exe File opened for modification C:\Windows\rduscxoecruqfeqsac.exe bqyqvqrmlai.exe File opened for modification C:\Windows\vlgiwvqkmfmmfiyeqwbrmo.exe bqyqvqrmlai.exe File opened for modification C:\Windows\etnobztmnflkcetyjoshb.exe bqyqvqrmlai.exe File opened for modification C:\Windows\itjgpjzolzbwkitub.exe bqyqvqrmlai.exe File opened for modification C:\Windows\rduscxoecruqfeqsac.exe bqyqvqrmlai.exe File opened for modification C:\Windows\vlgiwvqkmfmmfiyeqwbrmo.exe bqyqvqrmlai.exe File opened for modification C:\Windows\pdwwifyqqhmkbcqueilz.exe bqyqvqrmlai.exe File opened for modification C:\Windows\pdwwifyqqhmkbcqueilz.exe bqyqvqrmlai.exe File opened for modification C:\Windows\pdwwifyqqhmkbcqueilz.exe bqyqvqrmlai.exe File opened for modification C:\Windows\itjgpjzolzbwkitub.exe bqyqvqrmlai.exe File opened for modification C:\Windows\vlgiwvqkmfmmfiyeqwbrmo.exe bqyqvqrmlai.exe File opened for modification C:\Windows\blawexmawjkeroyy.exe edhsp.exe File opened for modification C:\Windows\vlgiwvqkmfmmfiyeqwbrmo.exe bqyqvqrmlai.exe File opened for modification C:\Windows\blawexmawjkeroyy.exe bqyqvqrmlai.exe File opened for modification C:\Windows\cphgrnfwvlpmccpsbeg.exe edhsp.exe File opened for modification 
C:\Windows\itjgpjzolzbwkitub.exe bqyqvqrmlai.exe File opened for modification C:\Windows\pdwwifyqqhmkbcqueilz.exe bqyqvqrmlai.exe File opened for modification C:\Windows\itjgpjzolzbwkitub.exe bqyqvqrmlai.exe File opened for modification C:\Windows\itjgpjzolzbwkitub.exe bqyqvqrmlai.exe File opened for modification C:\Windows\etnobztmnflkcetyjoshb.exe bqyqvqrmlai.exe File opened for modification C:\Windows\blawexmawjkeroyy.exe bqyqvqrmlai.exe File opened for modification C:\Windows\blawexmawjkeroyy.exe bqyqvqrmlai.exe File opened for modification C:\Windows\itjgpjzolzbwkitub.exe bqyqvqrmlai.exe File opened for modification C:\Windows\etnobztmnflkcetyjoshb.exe bqyqvqrmlai.exe File opened for modification C:\Windows\pdwwifyqqhmkbcqueilz.exe bqyqvqrmlai.exe File opened for modification C:\Windows\etnobztmnflkcetyjoshb.exe bqyqvqrmlai.exe File opened for modification C:\Windows\blawexmawjkeroyy.exe bqyqvqrmlai.exe File opened for modification C:\Windows\rduscxoecruqfeqsac.exe bqyqvqrmlai.exe File opened for modification C:\Windows\cphgrnfwvlpmccpsbeg.exe edhsp.exe File opened for modification C:\Windows\cphgrnfwvlpmccpsbeg.exe bqyqvqrmlai.exe File opened for modification C:\Windows\blawexmawjkeroyy.exe bqyqvqrmlai.exe File opened for modification C:\Windows\itjgpjzolzbwkitub.exe edhsp.exe File opened for modification C:\Windows\pdwwifyqqhmkbcqueilz.exe bqyqvqrmlai.exe File opened for modification C:\Windows\pdwwifyqqhmkbcqueilz.exe bqyqvqrmlai.exe File opened for modification C:\Windows\itjgpjzolzbwkitub.exe bqyqvqrmlai.exe File opened for modification C:\Windows\vlgiwvqkmfmmfiyeqwbrmo.exe bqyqvqrmlai.exe File opened for modification C:\Windows\rduscxoecruqfeqsac.exe edhsp.exe File opened for modification C:\Windows\vlgiwvqkmfmmfiyeqwbrmo.exe bqyqvqrmlai.exe File opened for modification C:\Windows\vlgiwvqkmfmmfiyeqwbrmo.exe bqyqvqrmlai.exe File opened for modification C:\Windows\blawexmawjkeroyy.exe bqyqvqrmlai.exe File opened for modification 
C:\Windows\vlgiwvqkmfmmfiyeqwbrmo.exe bqyqvqrmlai.exe File opened for modification C:\Windows\pdwwifyqqhmkbcqueilz.exe bqyqvqrmlai.exe File opened for modification C:\Windows\etnobztmnflkcetyjoshb.exe bqyqvqrmlai.exe File opened for modification C:\Windows\rduscxoecruqfeqsac.exe edhsp.exe File opened for modification C:\Windows\etnobztmnflkcetyjoshb.exe bqyqvqrmlai.exe File opened for modification C:\Windows\cphgrnfwvlpmccpsbeg.exe bqyqvqrmlai.exe File opened for modification C:\Windows\rduscxoecruqfeqsac.exe bqyqvqrmlai.exe File opened for modification C:\Windows\blawexmawjkeroyy.exe bqyqvqrmlai.exe File opened for modification C:\Windows\rduscxoecruqfeqsac.exe bqyqvqrmlai.exe File opened for modification C:\Windows\blawexmawjkeroyy.exe bqyqvqrmlai.exe File opened for modification C:\Windows\rduscxoecruqfeqsac.exe bqyqvqrmlai.exe File opened for modification C:\Windows\cphgrnfwvlpmccpsbeg.exe bqyqvqrmlai.exe File opened for modification C:\Windows\etnobztmnflkcetyjoshb.exe bqyqvqrmlai.exe File opened for modification C:\Windows\cphgrnfwvlpmccpsbeg.exe bqyqvqrmlai.exe File opened for modification C:\Windows\itjgpjzolzbwkitub.exe bqyqvqrmlai.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language etnobztmnflkcetyjoshb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language blawexmawjkeroyy.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language itjgpjzolzbwkitub.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cphgrnfwvlpmccpsbeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rduscxoecruqfeqsac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language blawexmawjkeroyy.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language itjgpjzolzbwkitub.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rduscxoecruqfeqsac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language itjgpjzolzbwkitub.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cphgrnfwvlpmccpsbeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cphgrnfwvlpmccpsbeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language itjgpjzolzbwkitub.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language etnobztmnflkcetyjoshb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language itjgpjzolzbwkitub.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rduscxoecruqfeqsac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cphgrnfwvlpmccpsbeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language etnobztmnflkcetyjoshb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rduscxoecruqfeqsac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language blawexmawjkeroyy.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cphgrnfwvlpmccpsbeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bqyqvqrmlai.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language blawexmawjkeroyy.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language blawexmawjkeroyy.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rduscxoecruqfeqsac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rduscxoecruqfeqsac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rduscxoecruqfeqsac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rduscxoecruqfeqsac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rduscxoecruqfeqsac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language blawexmawjkeroyy.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language etnobztmnflkcetyjoshb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cphgrnfwvlpmccpsbeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language etnobztmnflkcetyjoshb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language blawexmawjkeroyy.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language itjgpjzolzbwkitub.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language blawexmawjkeroyy.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdwwifyqqhmkbcqueilz.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rduscxoecruqfeqsac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cphgrnfwvlpmccpsbeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language itjgpjzolzbwkitub.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language etnobztmnflkcetyjoshb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
pdwwifyqqhmkbcqueilz.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language etnobztmnflkcetyjoshb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rduscxoecruqfeqsac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language etnobztmnflkcetyjoshb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language blawexmawjkeroyy.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language blawexmawjkeroyy.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language itjgpjzolzbwkitub.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language blawexmawjkeroyy.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language itjgpjzolzbwkitub.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language etnobztmnflkcetyjoshb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cphgrnfwvlpmccpsbeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdwwifyqqhmkbcqueilz.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rduscxoecruqfeqsac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language etnobztmnflkcetyjoshb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cphgrnfwvlpmccpsbeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language itjgpjzolzbwkitub.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rduscxoecruqfeqsac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdwwifyqqhmkbcqueilz.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdwwifyqqhmkbcqueilz.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdwwifyqqhmkbcqueilz.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language etnobztmnflkcetyjoshb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
itjgpjzolzbwkitub.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cphgrnfwvlpmccpsbeg.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 5352 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5352 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5352 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5352 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5352 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5352 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5352 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5352 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5352 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5352 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5352 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5352 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5352 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5352 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5352 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5352 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5352 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5352 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5352 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5352 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 1332 edhsp.exe 1332 edhsp.exe 5352 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5352 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5352 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5352 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5352 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5352 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5352 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5352 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5352 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5352 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5352 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5352 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5352 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5352 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5352 
JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5352 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5352 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5352 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5352 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5352 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5352 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5352 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5352 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5352 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5352 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5352 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5352 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5352 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5352 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5352 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5352 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5352 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5352 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5352 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5352 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5352 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5352 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5352 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5352 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5352 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5352 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5352 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1332 edhsp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5352 wrote to memory of 1120 5352 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 89 PID 5352 wrote to memory of 1120 5352 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 89 PID 5352 wrote to memory of 1120 5352 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 89 PID 4536 wrote to memory of 4580 4536 cmd.exe 92 PID 4536 wrote to memory of 4580 4536 cmd.exe 92 PID 4536 wrote to memory of 4580 4536 cmd.exe 92 PID 4784 wrote to memory of 4912 4784 cmd.exe 95 PID 4784 wrote to memory of 4912 4784 cmd.exe 95 PID 4784 wrote to memory of 4912 4784 cmd.exe 95 PID 4720 wrote to memory of 3008 4720 cmd.exe 105 PID 4720 wrote to memory of 3008 4720 cmd.exe 105 PID 4720 wrote to memory of 3008 4720 cmd.exe 105 PID 3316 wrote to memory of 4836 3316 cmd.exe 106 PID 3316 wrote to memory of 4836 3316 cmd.exe 106 PID 3316 wrote to memory of 4836 3316 cmd.exe 106 PID 5232 wrote to memory of 4840 5232 cmd.exe 107 PID 5232 wrote to memory of 4840 5232 cmd.exe 107 PID 5232 wrote to memory of 4840 5232 cmd.exe 107 PID 4824 wrote to memory of 5036 4824 cmd.exe 173 PID 4824 wrote to memory of 5036 4824 cmd.exe 173 PID 4824 wrote to memory of 5036 4824 cmd.exe 173 PID 4912 wrote to memory of 5988 4912 blawexmawjkeroyy.exe 113 PID 4912 wrote to memory of 5988 4912 blawexmawjkeroyy.exe 113 PID 4912 wrote to memory of 5988 4912 blawexmawjkeroyy.exe 113 PID 4836 wrote to memory of 3312 4836 cphgrnfwvlpmccpsbeg.exe 270 PID 4836 wrote to memory of 3312 4836 cphgrnfwvlpmccpsbeg.exe 270 PID 4836 wrote to memory of 3312 4836 cphgrnfwvlpmccpsbeg.exe 270 PID 4392 wrote to memory of 6104 4392 cmd.exe 115 PID 4392 wrote to memory of 6104 4392 cmd.exe 115 PID 4392 wrote to memory of 6104 4392 cmd.exe 115 PID 5036 wrote to memory of 5144 5036 pdwwifyqqhmkbcqueilz.exe 116 PID 5036 wrote to memory of 5144 5036 pdwwifyqqhmkbcqueilz.exe 116 PID 5036 wrote to memory of 5144 5036 pdwwifyqqhmkbcqueilz.exe 116 PID 820 wrote to memory of 5976 820 cmd.exe 117 PID 
820 wrote to memory of 5976 820 cmd.exe 117 PID 820 wrote to memory of 5976 820 cmd.exe 117 PID 5976 wrote to memory of 2436 5976 etnobztmnflkcetyjoshb.exe 118 PID 5976 wrote to memory of 2436 5976 etnobztmnflkcetyjoshb.exe 118 PID 5976 wrote to memory of 2436 5976 etnobztmnflkcetyjoshb.exe 118 PID 1120 wrote to memory of 1332 1120 bqyqvqrmlai.exe 119 PID 1120 wrote to memory of 1332 1120 bqyqvqrmlai.exe 119 PID 1120 wrote to memory of 1332 1120 bqyqvqrmlai.exe 119 PID 1120 wrote to memory of 5432 1120 bqyqvqrmlai.exe 121 PID 1120 wrote to memory of 5432 1120 bqyqvqrmlai.exe 121 PID 1120 wrote to memory of 5432 1120 bqyqvqrmlai.exe 121 PID 2224 wrote to memory of 1220 2224 cmd.exe 133 PID 2224 wrote to memory of 1220 2224 cmd.exe 133 PID 2224 wrote to memory of 1220 2224 cmd.exe 133 PID 3592 wrote to memory of 4104 3592 cmd.exe 201 PID 3592 wrote to memory of 4104 3592 cmd.exe 201 PID 3592 wrote to memory of 4104 3592 cmd.exe 201 PID 1404 wrote to memory of 5852 1404 cmd.exe 137 PID 1404 wrote to memory of 5852 1404 cmd.exe 137 PID 1404 wrote to memory of 5852 1404 cmd.exe 137 PID 3620 wrote to memory of 840 3620 cmd.exe 140 PID 3620 wrote to memory of 840 3620 cmd.exe 140 PID 3620 wrote to memory of 840 3620 cmd.exe 140 PID 5852 wrote to memory of 4548 5852 blawexmawjkeroyy.exe 153 PID 5852 wrote to memory of 4548 5852 blawexmawjkeroyy.exe 153 PID 5852 wrote to memory of 4548 5852 blawexmawjkeroyy.exe 153 PID 840 wrote to memory of 4580 840 itjgpjzolzbwkitub.exe 154 PID 840 wrote to memory of 4580 840 itjgpjzolzbwkitub.exe 154 PID 840 wrote to memory of 4580 840 itjgpjzolzbwkitub.exe 154 PID 5560 wrote to memory of 3648 5560 cmd.exe 300 -
System policy modification 1 TTPs 62 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" edhsp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System bqyqvqrmlai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer edhsp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" edhsp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" edhsp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System bqyqvqrmlai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" bqyqvqrmlai.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" edhsp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" edhsp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" bqyqvqrmlai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System bqyqvqrmlai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" edhsp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System bqyqvqrmlai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" edhsp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" edhsp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System bqyqvqrmlai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" edhsp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" edhsp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" edhsp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" edhsp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer edhsp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" edhsp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" bqyqvqrmlai.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" edhsp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" edhsp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" edhsp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" edhsp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" edhsp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System edhsp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System edhsp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" edhsp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" edhsp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5352 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe*"2⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1120 -
C:\Users\Admin\AppData\Local\Temp\edhsp.exe"C:\Users\Admin\AppData\Local\Temp\edhsp.exe" "-C:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exe"3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1332
C:\Users\Admin\AppData\Local\Temp\edhsp.exe"C:\Users\Admin\AppData\Local\Temp\edhsp.exe" "-C:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exe"3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5432
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rduscxoecruqfeqsac.exe1⤵
- Suspicious use of WriteProcessMemory
PID:4536 -
C:\Windows\rduscxoecruqfeqsac.exerduscxoecruqfeqsac.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4580
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c blawexmawjkeroyy.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:4784 -
C:\Windows\blawexmawjkeroyy.exeblawexmawjkeroyy.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4912 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\blawexmawjkeroyy.exe*."3⤵
- Executes dropped EXE
PID:5988
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c itjgpjzolzbwkitub.exe1⤵
- Suspicious use of WriteProcessMemory
PID:4720 -
C:\Windows\itjgpjzolzbwkitub.exeitjgpjzolzbwkitub.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3008
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cphgrnfwvlpmccpsbeg.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:3316 -
C:\Windows\cphgrnfwvlpmccpsbeg.execphgrnfwvlpmccpsbeg.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4836 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\cphgrnfwvlpmccpsbeg.exe*."3⤵
- Executes dropped EXE
PID:3312
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exe1⤵
- Suspicious use of WriteProcessMemory
PID:5232 -
C:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exeC:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4840
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:4824 -
C:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exeC:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5036 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\pdwwifyqqhmkbcqueilz.exe*."3⤵
- Executes dropped EXE
PID:5144
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe1⤵
- Suspicious use of WriteProcessMemory
PID:4392 -
C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6104
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:820 -
C:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exeC:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5976 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\etnobztmnflkcetyjoshb.exe*."3⤵
- Executes dropped EXE
PID:2436
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c blawexmawjkeroyy.exe1⤵
- Suspicious use of WriteProcessMemory
PID:3592 -
C:\Windows\blawexmawjkeroyy.exeblawexmawjkeroyy.exe2⤵
- Executes dropped EXE
PID:4104
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rduscxoecruqfeqsac.exe1⤵
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Windows\rduscxoecruqfeqsac.exerduscxoecruqfeqsac.exe2⤵
- Executes dropped EXE
PID:1220
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c itjgpjzolzbwkitub.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:3620 -
C:\Windows\itjgpjzolzbwkitub.exeitjgpjzolzbwkitub.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:840 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\itjgpjzolzbwkitub.exe*."3⤵
- Executes dropped EXE
PID:4580
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c blawexmawjkeroyy.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:1404 -
C:\Windows\blawexmawjkeroyy.exeblawexmawjkeroyy.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5852 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\blawexmawjkeroyy.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4548
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rduscxoecruqfeqsac.exe1⤵PID:2724
C:\Windows\rduscxoecruqfeqsac.exerduscxoecruqfeqsac.exe2⤵
- Executes dropped EXE
PID:3168
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c blawexmawjkeroyy.exe .1⤵PID:5532
C:\Windows\blawexmawjkeroyy.exeblawexmawjkeroyy.exe .2⤵
- Executes dropped EXE
PID:5848 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\blawexmawjkeroyy.exe*."3⤵
- Executes dropped EXE
PID:3712
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cphgrnfwvlpmccpsbeg.exe1⤵
- Suspicious use of WriteProcessMemory
PID:5560 -
C:\Windows\cphgrnfwvlpmccpsbeg.execphgrnfwvlpmccpsbeg.exe2⤵
- Executes dropped EXE
PID:3648
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exe1⤵PID:4336
C:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exeC:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exe2⤵
- Executes dropped EXE
PID:5232
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c etnobztmnflkcetyjoshb.exe .1⤵PID:4500
C:\Windows\etnobztmnflkcetyjoshb.exeetnobztmnflkcetyjoshb.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5420 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\etnobztmnflkcetyjoshb.exe*."3⤵
- Executes dropped EXE
PID:548
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exe1⤵PID:932
C:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exeC:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exe2⤵
- Executes dropped EXE
PID:1584
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe .1⤵PID:5688
C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
PID:4052 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\rduscxoecruqfeqsac.exe*."3⤵
- Executes dropped EXE
PID:892
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exe .1⤵PID:1964
C:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exeC:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4852 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\cphgrnfwvlpmccpsbeg.exe*."3⤵
- Executes dropped EXE
PID:2100
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exe1⤵PID:4524
C:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exeC:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exe2⤵
- Executes dropped EXE
PID:4712
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe1⤵PID:4536
C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe2⤵
- Executes dropped EXE
PID:5756
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exe .1⤵PID:908
C:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exeC:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3616 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\blawexmawjkeroyy.exe*."3⤵
- Executes dropped EXE
PID:2628
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exe .1⤵PID:1960
C:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exeC:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5036 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\pdwwifyqqhmkbcqueilz.exe*."3⤵
- Executes dropped EXE
PID:5684
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rduscxoecruqfeqsac.exe1⤵PID:1788
C:\Windows\rduscxoecruqfeqsac.exerduscxoecruqfeqsac.exe2⤵
- Executes dropped EXE
PID:1816
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rduscxoecruqfeqsac.exe .1⤵PID:4604
C:\Windows\rduscxoecruqfeqsac.exerduscxoecruqfeqsac.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4056 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\rduscxoecruqfeqsac.exe*."3⤵
- Executes dropped EXE
PID:4104
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c blawexmawjkeroyy.exe1⤵PID:4944
C:\Windows\blawexmawjkeroyy.exeblawexmawjkeroyy.exe2⤵
- Executes dropped EXE
PID:2856
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rduscxoecruqfeqsac.exe .1⤵PID:5476
C:\Windows\rduscxoecruqfeqsac.exerduscxoecruqfeqsac.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5544 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\rduscxoecruqfeqsac.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4304
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exe1⤵PID:1044
C:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exeC:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exe2⤵
- Executes dropped EXE
PID:4528
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exe .1⤵PID:3492
C:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exeC:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
PID:2552 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\cphgrnfwvlpmccpsbeg.exe*."3⤵
- Executes dropped EXE
PID:1280
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exe1⤵PID:1840
C:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exeC:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exe2⤵
- Executes dropped EXE
PID:5520
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exe .1⤵PID:1120
C:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exeC:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2400 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\blawexmawjkeroyy.exe*."3⤵
- Executes dropped EXE
PID:4256
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rduscxoecruqfeqsac.exe1⤵PID:5060
C:\Windows\rduscxoecruqfeqsac.exerduscxoecruqfeqsac.exe2⤵
- Executes dropped EXE
PID:4428
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c blawexmawjkeroyy.exe .1⤵PID:2508
C:\Windows\blawexmawjkeroyy.exeblawexmawjkeroyy.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
PID:5052 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\blawexmawjkeroyy.exe*."3⤵
- Executes dropped EXE
PID:5140
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cphgrnfwvlpmccpsbeg.exe1⤵PID:5436
C:\Windows\cphgrnfwvlpmccpsbeg.execphgrnfwvlpmccpsbeg.exe2⤵
- Executes dropped EXE
PID:4724
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rduscxoecruqfeqsac.exe .1⤵PID:6012
C:\Windows\rduscxoecruqfeqsac.exerduscxoecruqfeqsac.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4664 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\rduscxoecruqfeqsac.exe*."3⤵
- Executes dropped EXE
PID:540
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rduscxoecruqfeqsac.exe1⤵PID:1128
C:\Windows\rduscxoecruqfeqsac.exerduscxoecruqfeqsac.exe2⤵
- Executes dropped EXE
PID:5756
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c itjgpjzolzbwkitub.exe1⤵PID:1508
C:\Windows\itjgpjzolzbwkitub.exeitjgpjzolzbwkitub.exe2⤵
- Executes dropped EXE
PID:5484
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe1⤵PID:436
C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe2⤵
- Executes dropped EXE
PID:1912
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pdwwifyqqhmkbcqueilz.exe .1⤵PID:4336
C:\Windows\pdwwifyqqhmkbcqueilz.exepdwwifyqqhmkbcqueilz.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
PID:3580 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\pdwwifyqqhmkbcqueilz.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:6004
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exe .1⤵PID:6108
C:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exeC:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5648 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\cphgrnfwvlpmccpsbeg.exe*."3⤵PID:3108
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c etnobztmnflkcetyjoshb.exe .1⤵PID:5000
C:\Windows\etnobztmnflkcetyjoshb.exeetnobztmnflkcetyjoshb.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4368 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\etnobztmnflkcetyjoshb.exe*."3⤵PID:4836
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c blawexmawjkeroyy.exe1⤵PID:3436
C:\Windows\blawexmawjkeroyy.exeblawexmawjkeroyy.exe2⤵PID:1596
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rduscxoecruqfeqsac.exe1⤵PID:1020
C:\Windows\rduscxoecruqfeqsac.exerduscxoecruqfeqsac.exe2⤵PID:5108
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cphgrnfwvlpmccpsbeg.exe .1⤵PID:932
C:\Windows\cphgrnfwvlpmccpsbeg.execphgrnfwvlpmccpsbeg.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5428 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\cphgrnfwvlpmccpsbeg.exe*."3⤵PID:3492
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exe1⤵PID:4152
C:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exeC:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exe2⤵PID:5540
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rduscxoecruqfeqsac.exe .1⤵PID:5044
C:\Windows\rduscxoecruqfeqsac.exerduscxoecruqfeqsac.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4924 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\rduscxoecruqfeqsac.exe*."3⤵PID:3300
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exe .1⤵PID:5720
-
C:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exeC:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2552 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\blawexmawjkeroyy.exe*."3⤵PID:5952
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exe1⤵PID:4536
-
C:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exeC:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exe2⤵PID:5636
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe1⤵PID:2924
-
C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe2⤵PID:6092
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exe .1⤵PID:5984
-
C:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exeC:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exe .2⤵
- Checks computer location settings
PID:2860 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\cphgrnfwvlpmccpsbeg.exe*."3⤵PID:3648
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exe .1⤵PID:5664
-
C:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exeC:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1904 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\blawexmawjkeroyy.exe*."3⤵PID:2568
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exe1⤵PID:2692
-
C:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exeC:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exe2⤵PID:3340
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exe1⤵PID:928
-
C:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exeC:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exe2⤵PID:384
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exe .1⤵PID:1816
-
C:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exeC:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exe .2⤵
- Checks computer location settings
PID:4904 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\blawexmawjkeroyy.exe*."3⤵PID:624
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe .1⤵PID:6060
-
C:\Windows\System32\Conhost.exe  —  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 (depth 2) PID: 3312
-
-
C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5440 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\rduscxoecruqfeqsac.exe*."3⤵PID:716
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pdwwifyqqhmkbcqueilz.exe1⤵PID:4728
-
C:\Windows\pdwwifyqqhmkbcqueilz.exepdwwifyqqhmkbcqueilz.exe2⤵PID:5792
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c etnobztmnflkcetyjoshb.exe .1⤵PID:3920
-
C:\Windows\etnobztmnflkcetyjoshb.exeetnobztmnflkcetyjoshb.exe .2⤵
- Checks computer location settings
PID:5392 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\etnobztmnflkcetyjoshb.exe*."3⤵PID:5704
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c etnobztmnflkcetyjoshb.exe1⤵PID:3592
-
C:\Windows\etnobztmnflkcetyjoshb.exeetnobztmnflkcetyjoshb.exe2⤵PID:4592
-
-
C:\Windows\system32\cmd.exe  —  C:\Windows\system32\cmd.exe /c itjgpjzolzbwkitub.exe . (depth 1) PID: 2616
  C:\Windows\itjgpjzolzbwkitub.exe  —  itjgpjzolzbwkitub.exe . (depth 2)
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    PID: 2580
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe  —  "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\itjgpjzolzbwkitub.exe*." (depth 3)
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification
      PID: 4612
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exe1⤵PID:2488
-
C:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exeC:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exe2⤵PID:5728
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe .1⤵PID:6120
-
C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4664 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\rduscxoecruqfeqsac.exe*."3⤵PID:5312
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exe1⤵PID:404
-
C:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exeC:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exe2⤵PID:5668
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exe .1⤵PID:5812
-
C:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exeC:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exe .2⤵
- System Location Discovery: System Language Discovery
PID:464 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\itjgpjzolzbwkitub.exe*."3⤵PID:5836
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c blawexmawjkeroyy.exe1⤵PID:468
-
C:\Windows\blawexmawjkeroyy.exeblawexmawjkeroyy.exe2⤵PID:4964
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cphgrnfwvlpmccpsbeg.exe .1⤵PID:2480
-
C:\Windows\cphgrnfwvlpmccpsbeg.execphgrnfwvlpmccpsbeg.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:908 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\cphgrnfwvlpmccpsbeg.exe*."3⤵PID:3724
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c blawexmawjkeroyy.exe1⤵PID:5616
-
C:\Windows\blawexmawjkeroyy.exeblawexmawjkeroyy.exe2⤵PID:1192
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c itjgpjzolzbwkitub.exe .1⤵PID:3496
-
C:\Windows\itjgpjzolzbwkitub.exeitjgpjzolzbwkitub.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5968 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\itjgpjzolzbwkitub.exe*."3⤵PID:2296
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exe1⤵PID:5876
-
C:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exeC:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exe2⤵PID:1704
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe .1⤵PID:2948
-
C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3260 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\rduscxoecruqfeqsac.exe*."3⤵PID:1840
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exe1⤵PID:5632
-
C:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exeC:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exe2⤵PID:4456
-
-
C:\Windows\system32\cmd.exe  —  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exe . (depth 1) PID: 5028
  C:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exe  —  C:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exe . (depth 2)
    - System Location Discovery: System Language Discovery
    PID: 1748
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe  —  "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\etnobztmnflkcetyjoshb.exe*." (depth 3)
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification
      PID: 5296
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rduscxoecruqfeqsac.exe1⤵PID:4840
-
C:\Windows\rduscxoecruqfeqsac.exerduscxoecruqfeqsac.exe2⤵PID:4992
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c itjgpjzolzbwkitub.exe .1⤵PID:2380
-
C:\Windows\itjgpjzolzbwkitub.exeitjgpjzolzbwkitub.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5032 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\itjgpjzolzbwkitub.exe*."3⤵PID:2920
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cphgrnfwvlpmccpsbeg.exe1⤵PID:5948
-
C:\Windows\cphgrnfwvlpmccpsbeg.execphgrnfwvlpmccpsbeg.exe2⤵PID:3904
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c etnobztmnflkcetyjoshb.exe .1⤵PID:2040
-
C:\Windows\etnobztmnflkcetyjoshb.exeetnobztmnflkcetyjoshb.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1728 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\etnobztmnflkcetyjoshb.exe*."3⤵PID:4516
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe1⤵PID:4488
-
C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe2⤵PID:5340
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exe .1⤵PID:1460
-
C:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exeC:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2292 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\etnobztmnflkcetyjoshb.exe*."3⤵PID:5520
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exe1⤵PID:5828
-
C:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exeC:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exe2⤵PID:4056
-
-
C:\Windows\system32\cmd.exe  —  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exe . (depth 1) PID: 3588
  C:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exe  —  C:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exe . (depth 2)
    - System Location Discovery: System Language Discovery
    PID: 5236
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe  —  "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\etnobztmnflkcetyjoshb.exe*." (depth 3)
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification
      PID: 1512
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cphgrnfwvlpmccpsbeg.exe1⤵PID:2236
-
C:\Windows\cphgrnfwvlpmccpsbeg.execphgrnfwvlpmccpsbeg.exe2⤵PID:3212
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pdwwifyqqhmkbcqueilz.exe .1⤵PID:4876
-
C:\Windows\pdwwifyqqhmkbcqueilz.exepdwwifyqqhmkbcqueilz.exe .2⤵
- Checks computer location settings
PID:4232 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\pdwwifyqqhmkbcqueilz.exe*."3⤵PID:4884
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cphgrnfwvlpmccpsbeg.exe1⤵PID:2716
-
C:\Windows\cphgrnfwvlpmccpsbeg.execphgrnfwvlpmccpsbeg.exe2⤵PID:5868
-
-
C:\Windows\system32\cmd.exe  —  C:\Windows\system32\cmd.exe /c rduscxoecruqfeqsac.exe . (depth 1) PID: 3520
  C:\Windows\System32\Conhost.exe  —  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 (depth 2) PID: 5420
  C:\Windows\rduscxoecruqfeqsac.exe  —  rduscxoecruqfeqsac.exe . (depth 2)
    - Checks computer location settings
    PID: 4104
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe  —  "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\rduscxoecruqfeqsac.exe*." (depth 3)
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification
      PID: 5104
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe1⤵PID:5560
-
C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe2⤵PID:1780
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exe .1⤵PID:2616
-
C:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exeC:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exe .2⤵
- Checks computer location settings
PID:1980 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\cphgrnfwvlpmccpsbeg.exe*."3⤵PID:3864
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exe1⤵PID:4328
-
C:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exeC:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exe2⤵PID:5328
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exe .1⤵PID:1720
-
C:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exeC:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1620 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\cphgrnfwvlpmccpsbeg.exe*."3⤵PID:4796
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cphgrnfwvlpmccpsbeg.exe1⤵PID:4640
-
C:\Windows\cphgrnfwvlpmccpsbeg.execphgrnfwvlpmccpsbeg.exe2⤵PID:4048
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cphgrnfwvlpmccpsbeg.exe .1⤵PID:5248
-
C:\Windows\cphgrnfwvlpmccpsbeg.execphgrnfwvlpmccpsbeg.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2436 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\cphgrnfwvlpmccpsbeg.exe*."3⤵PID:4384
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c etnobztmnflkcetyjoshb.exe1⤵PID:5528
-
C:\Windows\etnobztmnflkcetyjoshb.exeetnobztmnflkcetyjoshb.exe2⤵PID:4604
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c itjgpjzolzbwkitub.exe .1⤵PID:1020
-
C:\Windows\itjgpjzolzbwkitub.exeitjgpjzolzbwkitub.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2188 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\itjgpjzolzbwkitub.exe*."3⤵PID:4852
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exe1⤵PID:3500
-
C:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exeC:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exe2⤵PID:5116
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exe .1⤵PID:4256
-
C:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exeC:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exe .2⤵PID:4616
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\itjgpjzolzbwkitub.exe*."3⤵PID:2568
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe1⤵PID:4924
-
C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe2⤵PID:2636
-
-
C:\Windows\system32\cmd.exe  —  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exe . (depth 1) PID: 3868
  C:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exe  —  C:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exe . (depth 2)
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    PID: 800
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe  —  "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\pdwwifyqqhmkbcqueilz.exe*." (depth 3)
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification
      PID: 5208
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c etnobztmnflkcetyjoshb.exe1⤵PID:2420
-
C:\Windows\etnobztmnflkcetyjoshb.exeetnobztmnflkcetyjoshb.exe2⤵PID:1964
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c itjgpjzolzbwkitub.exe .1⤵PID:2740
-
C:\Windows\itjgpjzolzbwkitub.exeitjgpjzolzbwkitub.exe .2⤵
- Checks computer location settings
PID:5900 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\itjgpjzolzbwkitub.exe*."3⤵PID:932
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rduscxoecruqfeqsac.exe1⤵PID:2404
-
C:\Windows\rduscxoecruqfeqsac.exerduscxoecruqfeqsac.exe2⤵PID:5436
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cphgrnfwvlpmccpsbeg.exe .1⤵PID:1128
-
C:\Windows\cphgrnfwvlpmccpsbeg.execphgrnfwvlpmccpsbeg.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4440 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\cphgrnfwvlpmccpsbeg.exe*."3⤵PID:4968
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exe1⤵PID:2268
-
C:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exeC:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exe2⤵PID:4912
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe .1⤵PID:2100
-
C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5880 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\rduscxoecruqfeqsac.exe*."3⤵PID:4056
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exe1⤵PID:4672
-
C:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exeC:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exe2⤵PID:4480
-
-
C:\Windows\system32\cmd.exe  —  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exe . (depth 1) PID: 1440
  C:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exe  —  C:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exe . (depth 2)
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    PID: 4544
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe  —  "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\itjgpjzolzbwkitub.exe*." (depth 3)
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification
      PID: 2060
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c itjgpjzolzbwkitub.exe1⤵PID:4904
-
C:\Windows\itjgpjzolzbwkitub.exeitjgpjzolzbwkitub.exe2⤵PID:4532
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pdwwifyqqhmkbcqueilz.exe1⤵PID:3212
-
C:\Windows\pdwwifyqqhmkbcqueilz.exepdwwifyqqhmkbcqueilz.exe2⤵PID:1912
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cphgrnfwvlpmccpsbeg.exe .1⤵PID:6020
-
C:\Windows\cphgrnfwvlpmccpsbeg.execphgrnfwvlpmccpsbeg.exe .2⤵
- Checks computer location settings
PID:3592 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\cphgrnfwvlpmccpsbeg.exe*."3⤵PID:4900
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c etnobztmnflkcetyjoshb.exe .1⤵PID:5892
-
C:\Windows\etnobztmnflkcetyjoshb.exeetnobztmnflkcetyjoshb.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5736 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\etnobztmnflkcetyjoshb.exe*."3⤵PID:5616
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rduscxoecruqfeqsac.exe1⤵PID:4420
-
C:\Windows\rduscxoecruqfeqsac.exerduscxoecruqfeqsac.exe2⤵PID:3872
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pdwwifyqqhmkbcqueilz.exe .1⤵PID:3512
-
C:\Windows\pdwwifyqqhmkbcqueilz.exepdwwifyqqhmkbcqueilz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1904 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\pdwwifyqqhmkbcqueilz.exe*."3⤵PID:2424
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c etnobztmnflkcetyjoshb.exe1⤵PID:1508
-
C:\Windows\etnobztmnflkcetyjoshb.exeetnobztmnflkcetyjoshb.exe2⤵PID:5444
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rduscxoecruqfeqsac.exe1⤵PID:5008
-
C:\Windows\rduscxoecruqfeqsac.exerduscxoecruqfeqsac.exe2⤵PID:2064
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exe1⤵PID:3580
-
C:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exeC:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exe2⤵PID:6092
-
-
C:\Windows\system32\cmd.exe  —  C:\Windows\system32\cmd.exe /c etnobztmnflkcetyjoshb.exe . (depth 1) PID: 1512
  C:\Windows\etnobztmnflkcetyjoshb.exe  —  etnobztmnflkcetyjoshb.exe . (depth 2)
    - System Location Discovery: System Language Discovery
    PID: 208
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe  —  "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\etnobztmnflkcetyjoshb.exe*." (depth 3)
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification
      PID: 5628
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exe .1⤵PID:3728
-
C:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exeC:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exe .2⤵
- Checks computer location settings
PID:5920 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\pdwwifyqqhmkbcqueilz.exe*."3⤵PID:4428
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exe1⤵PID:2640
-
C:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exeC:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exe2⤵PID:5436
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rduscxoecruqfeqsac.exe .1⤵PID:5396
-
C:\Windows\rduscxoecruqfeqsac.exerduscxoecruqfeqsac.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5184 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\rduscxoecruqfeqsac.exe*."3⤵PID:1784
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exe .1⤵PID:4348
-
C:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exeC:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5960 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\blawexmawjkeroyy.exe*."3⤵PID:5084
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c etnobztmnflkcetyjoshb.exe1⤵PID:3016
-
C:\Windows\etnobztmnflkcetyjoshb.exeetnobztmnflkcetyjoshb.exe2⤵PID:2552
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exe1⤵PID:5912
-
C:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exeC:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exe2⤵PID:2804
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cphgrnfwvlpmccpsbeg.exe .1⤵PID:1976
-
C:\Windows\cphgrnfwvlpmccpsbeg.execphgrnfwvlpmccpsbeg.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1056 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\cphgrnfwvlpmccpsbeg.exe*."3⤵PID:552
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exe .1⤵PID:5528
-
C:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exeC:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5804 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\blawexmawjkeroyy.exe*."3⤵PID:1280
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exe1⤵PID:1936
-
C:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exeC:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exe2⤵PID:4892
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exe1⤵PID:5428
-
C:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exeC:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exe2⤵PID:3588
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exe .1⤵PID:4888
-
C:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exeC:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1444 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\etnobztmnflkcetyjoshb.exe*."3⤵PID:1344
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exe .1⤵PID:4616
-
C:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exeC:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exe .2⤵
- Checks computer location settings
PID:2404 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\cphgrnfwvlpmccpsbeg.exe*."3⤵PID:4056
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe1⤵PID:640
-
C:\Windows\System32\Conhost.exe  —  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 (depth 2) PID: 5952
-
-
C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe2⤵PID:4444
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe .1⤵PID:5096
-
C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe .2⤵
- Checks computer location settings
PID:2928 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\rduscxoecruqfeqsac.exe*."3⤵PID:5980
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cphgrnfwvlpmccpsbeg.exe1⤵PID:5828
-
C:\Windows\cphgrnfwvlpmccpsbeg.execphgrnfwvlpmccpsbeg.exe2⤵PID:4532
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rduscxoecruqfeqsac.exe .1⤵PID:5020
-
C:\Windows\rduscxoecruqfeqsac.exerduscxoecruqfeqsac.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2716 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\rduscxoecruqfeqsac.exe*."3⤵PID:6012
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c etnobztmnflkcetyjoshb.exe1⤵PID:2488
-
C:\Windows\etnobztmnflkcetyjoshb.exeetnobztmnflkcetyjoshb.exe2⤵PID:5648
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pdwwifyqqhmkbcqueilz.exe .1⤵PID:4664
-
C:\Windows\pdwwifyqqhmkbcqueilz.exepdwwifyqqhmkbcqueilz.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:6020 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\pdwwifyqqhmkbcqueilz.exe*."3⤵PID:2616
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe1⤵PID:2264
-
C:\Windows\System32\Conhost.exe  —  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 (depth 2) PID: 4232
-
-
C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe2⤵PID:5736
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe .1⤵PID:4872
-
C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5772 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\rduscxoecruqfeqsac.exe*."3⤵PID:4844
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe1⤵PID:5144
-
C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe2⤵PID:3720
-
-
C:\Windows\system32\cmd.exe  —  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exe . (depth 1) PID: 436
  C:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exe  —  C:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exe . (depth 2)
    - System Location Discovery: System Language Discovery
    PID: 4940
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe  —  "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\blawexmawjkeroyy.exe*." (depth 3)
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification
      PID: 1980
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pdwwifyqqhmkbcqueilz.exe1⤵PID:5716
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2552
-
-
C:\Windows\pdwwifyqqhmkbcqueilz.exepdwwifyqqhmkbcqueilz.exe2⤵PID:3840
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c itjgpjzolzbwkitub.exe .1⤵PID:3176
-
C:\Windows\itjgpjzolzbwkitub.exeitjgpjzolzbwkitub.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5620 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\itjgpjzolzbwkitub.exe*."3⤵PID:4764
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c etnobztmnflkcetyjoshb.exe1⤵PID:3688
-
C:\Windows\etnobztmnflkcetyjoshb.exeetnobztmnflkcetyjoshb.exe2⤵PID:548
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pdwwifyqqhmkbcqueilz.exe .1⤵PID:4256
-
C:\Windows\pdwwifyqqhmkbcqueilz.exepdwwifyqqhmkbcqueilz.exe .2⤵
- Checks computer location settings
PID:4428 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\pdwwifyqqhmkbcqueilz.exe*."3⤵PID:5672
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exe1⤵PID:2092
-
C:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exeC:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exe2⤵PID:5708
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exe .1⤵PID:5808
-
C:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exeC:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4968 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\cphgrnfwvlpmccpsbeg.exe*."3⤵PID:1540
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe1⤵PID:3312
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4796
-
-
C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe2⤵PID:2960
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exe .1⤵PID:1596
-
C:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exeC:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2820 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\itjgpjzolzbwkitub.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1308
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c blawexmawjkeroyy.exe1⤵PID:4616
-
C:\Windows\blawexmawjkeroyy.exeblawexmawjkeroyy.exe2⤵PID:6016
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c itjgpjzolzbwkitub.exe .1⤵PID:1640
-
C:\Windows\itjgpjzolzbwkitub.exeitjgpjzolzbwkitub.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5948 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\itjgpjzolzbwkitub.exe*."3⤵PID:6140
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cphgrnfwvlpmccpsbeg.exe1⤵PID:5856
-
C:\Windows\cphgrnfwvlpmccpsbeg.execphgrnfwvlpmccpsbeg.exe2⤵PID:2220
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c etnobztmnflkcetyjoshb.exe .1⤵PID:3588
-
C:\Windows\etnobztmnflkcetyjoshb.exeetnobztmnflkcetyjoshb.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5828 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\etnobztmnflkcetyjoshb.exe*."3⤵PID:3608
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe1⤵PID:5428
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1280
-
-
C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe2⤵PID:5960
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exe .1⤵PID:4700
-
C:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exeC:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4348 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\blawexmawjkeroyy.exe*."3⤵PID:4324
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exe1⤵PID:6012
-
C:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exeC:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exe2⤵PID:1696
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exe .1⤵PID:2512
-
C:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exeC:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exe .2⤵
- Checks computer location settings
PID:5608 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\cphgrnfwvlpmccpsbeg.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3160
-
-
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵PID:5312
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c etnobztmnflkcetyjoshb.exe1⤵PID:908
-
C:\Windows\etnobztmnflkcetyjoshb.exeetnobztmnflkcetyjoshb.exe2⤵PID:4712
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c etnobztmnflkcetyjoshb.exe .1⤵PID:4468
-
C:\Windows\etnobztmnflkcetyjoshb.exeetnobztmnflkcetyjoshb.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3712 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\etnobztmnflkcetyjoshb.exe*."3⤵PID:4768
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c itjgpjzolzbwkitub.exe1⤵PID:4876
-
C:\Windows\itjgpjzolzbwkitub.exeitjgpjzolzbwkitub.exe2⤵PID:2240
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c blawexmawjkeroyy.exe .1⤵PID:5476
-
C:\Windows\blawexmawjkeroyy.exeblawexmawjkeroyy.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3864 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\blawexmawjkeroyy.exe*."3⤵PID:5308
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exe1⤵PID:436
-
C:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exeC:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exe2⤵PID:3904
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exe .1⤵PID:6068
-
C:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exeC:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exe .2⤵PID:1988
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\itjgpjzolzbwkitub.exe*."3⤵PID:3176
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exe1⤵PID:548
-
C:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exeC:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exe2⤵PID:3808
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exe .1⤵PID:3748
-
C:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exeC:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exe .2⤵PID:2092
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\cphgrnfwvlpmccpsbeg.exe*."3⤵PID:5756
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c blawexmawjkeroyy.exe1⤵PID:720
-
C:\Windows\blawexmawjkeroyy.exeblawexmawjkeroyy.exe2⤵PID:3528
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pdwwifyqqhmkbcqueilz.exe .1⤵PID:1784
-
C:\Windows\pdwwifyqqhmkbcqueilz.exepdwwifyqqhmkbcqueilz.exe .2⤵PID:5984
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\pdwwifyqqhmkbcqueilz.exe*."3⤵PID:4292
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c blawexmawjkeroyy.exe1⤵PID:1704
-
C:\Windows\blawexmawjkeroyy.exeblawexmawjkeroyy.exe2⤵PID:1748
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵PID:4444
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c itjgpjzolzbwkitub.exe .1⤵PID:1620
-
C:\Windows\itjgpjzolzbwkitub.exeitjgpjzolzbwkitub.exe .2⤵PID:3708
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\itjgpjzolzbwkitub.exe*."3⤵PID:880
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exe1⤵PID:3260
-
C:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exeC:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exe2⤵PID:1344
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exe .1⤵PID:4488
-
C:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exeC:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exe .2⤵PID:4920
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\cphgrnfwvlpmccpsbeg.exe*."3⤵PID:1020
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exe1⤵PID:4060
-
C:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exeC:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exe2⤵PID:5096
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exe .1⤵PID:5948
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5900
-
-
C:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exeC:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exe .2⤵PID:5728
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\blawexmawjkeroyy.exe*."3⤵PID:3200
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c etnobztmnflkcetyjoshb.exe1⤵PID:4756
-
C:\Windows\etnobztmnflkcetyjoshb.exeetnobztmnflkcetyjoshb.exe2⤵PID:5060
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cphgrnfwvlpmccpsbeg.exe .1⤵PID:1008
-
C:\Windows\cphgrnfwvlpmccpsbeg.execphgrnfwvlpmccpsbeg.exe .2⤵PID:4348
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\cphgrnfwvlpmccpsbeg.exe*."3⤵PID:4392
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cphgrnfwvlpmccpsbeg.exe1⤵PID:5700
-
C:\Windows\cphgrnfwvlpmccpsbeg.execphgrnfwvlpmccpsbeg.exe2⤵PID:540
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c etnobztmnflkcetyjoshb.exe1⤵PID:5084
-
C:\Windows\etnobztmnflkcetyjoshb.exeetnobztmnflkcetyjoshb.exe2⤵PID:1028
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c etnobztmnflkcetyjoshb.exe1⤵PID:3620
-
C:\Windows\etnobztmnflkcetyjoshb.exeetnobztmnflkcetyjoshb.exe2⤵PID:4468
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c itjgpjzolzbwkitub.exe .1⤵PID:4252
-
C:\Windows\itjgpjzolzbwkitub.exeitjgpjzolzbwkitub.exe .2⤵PID:3568
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\itjgpjzolzbwkitub.exe*."3⤵PID:4992
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c itjgpjzolzbwkitub.exe .1⤵PID:3292
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5648
-
-
C:\Windows\itjgpjzolzbwkitub.exeitjgpjzolzbwkitub.exe .2⤵PID:2264
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\itjgpjzolzbwkitub.exe*."3⤵PID:5984
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c blawexmawjkeroyy.exe .1⤵PID:4772
-
C:\Windows\blawexmawjkeroyy.exeblawexmawjkeroyy.exe .2⤵PID:4764
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\blawexmawjkeroyy.exe*."3⤵PID:3504
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exe1⤵PID:4916
-
C:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exeC:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exe2⤵PID:1748
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cphgrnfwvlpmccpsbeg.exe1⤵PID:2536
-
C:\Windows\cphgrnfwvlpmccpsbeg.execphgrnfwvlpmccpsbeg.exe2⤵PID:3248
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exe .1⤵PID:5892
-
C:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exeC:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exe .2⤵PID:4104
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\itjgpjzolzbwkitub.exe*."3⤵PID:4488
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pdwwifyqqhmkbcqueilz.exe1⤵PID:2468
-
C:\Windows\pdwwifyqqhmkbcqueilz.exepdwwifyqqhmkbcqueilz.exe2⤵PID:5888
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cphgrnfwvlpmccpsbeg.exe .1⤵PID:3572
-
C:\Windows\cphgrnfwvlpmccpsbeg.execphgrnfwvlpmccpsbeg.exe .2⤵PID:464
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\cphgrnfwvlpmccpsbeg.exe*."3⤵PID:5520
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pdwwifyqqhmkbcqueilz.exe .1⤵PID:4032
-
C:\Windows\pdwwifyqqhmkbcqueilz.exepdwwifyqqhmkbcqueilz.exe .2⤵PID:5896
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\pdwwifyqqhmkbcqueilz.exe*."3⤵PID:6048
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exe1⤵PID:2344
-
C:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exeC:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exe2⤵PID:5064
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exe .1⤵PID:3980
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4836
-
-
C:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exeC:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exe .2⤵PID:4744
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\pdwwifyqqhmkbcqueilz.exe*."3⤵PID:2380
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exe1⤵PID:452
-
C:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exeC:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exe2⤵PID:716
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exe1⤵PID:3520
-
C:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exeC:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exe2⤵PID:2420
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe .1⤵PID:4332
-
C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe .2⤵PID:4988
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\rduscxoecruqfeqsac.exe*."3⤵PID:5728
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exe .1⤵PID:6068
-
C:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exeC:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exe .2⤵PID:3432
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\cphgrnfwvlpmccpsbeg.exe*."3⤵PID:3236
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exe1⤵PID:2200
-
C:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exeC:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exe2⤵PID:4152
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exe .1⤵PID:4256
-
C:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exeC:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exe .2⤵PID:5540
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\pdwwifyqqhmkbcqueilz.exe*."3⤵PID:5412
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe1⤵PID:6100
-
C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe2⤵PID:3724
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exe .1⤵PID:1888
-
C:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exeC:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exe .2⤵PID:712
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\cphgrnfwvlpmccpsbeg.exe*."3⤵PID:3500
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rduscxoecruqfeqsac.exe1⤵PID:5776
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5980
-
-
C:\Windows\rduscxoecruqfeqsac.exerduscxoecruqfeqsac.exe2⤵PID:1560
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cphgrnfwvlpmccpsbeg.exe .1⤵PID:5140
-
C:\Windows\cphgrnfwvlpmccpsbeg.execphgrnfwvlpmccpsbeg.exe .2⤵PID:1044
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\cphgrnfwvlpmccpsbeg.exe*."3⤵PID:2488
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cphgrnfwvlpmccpsbeg.exe1⤵PID:4924
-
C:\Windows\cphgrnfwvlpmccpsbeg.execphgrnfwvlpmccpsbeg.exe2⤵PID:5760
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c blawexmawjkeroyy.exe .1⤵PID:4884
-
C:\Windows\blawexmawjkeroyy.exeblawexmawjkeroyy.exe .2⤵PID:5624
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\blawexmawjkeroyy.exe*."3⤵PID:4940
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exe1⤵PID:2136
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5052
-
-
C:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exeC:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exe2⤵PID:2848
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe .1⤵PID:1636
-
C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe .2⤵PID:4468
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\rduscxoecruqfeqsac.exe*."3⤵PID:5424
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exe1⤵PID:4148
-
C:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exeC:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exe2⤵PID:4628
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exe .1⤵PID:4632
-
C:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exeC:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exe .2⤵PID:3688
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\etnobztmnflkcetyjoshb.exe*."3⤵PID:5964
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵PID:5340
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵PID:3592
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c etnobztmnflkcetyjoshb.exe1⤵PID:4580
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2296
-
-
C:\Windows\etnobztmnflkcetyjoshb.exeetnobztmnflkcetyjoshb.exe2⤵PID:716
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c itjgpjzolzbwkitub.exe .1⤵PID:1940
-
C:\Windows\itjgpjzolzbwkitub.exeitjgpjzolzbwkitub.exe .2⤵PID:1616
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\itjgpjzolzbwkitub.exe*."3⤵PID:4004
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rduscxoecruqfeqsac.exe1⤵PID:4880
-
C:\Windows\rduscxoecruqfeqsac.exerduscxoecruqfeqsac.exe2⤵PID:5104
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pdwwifyqqhmkbcqueilz.exe .1⤵PID:732
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3340
-
-
C:\Windows\pdwwifyqqhmkbcqueilz.exepdwwifyqqhmkbcqueilz.exe .2⤵PID:2344
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\pdwwifyqqhmkbcqueilz.exe*."3⤵PID:4480
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exe1⤵PID:2804
-
C:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exeC:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exe2⤵PID:4988
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe .1⤵PID:1020
-
C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe .2⤵PID:2040
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\rduscxoecruqfeqsac.exe*."3⤵PID:2556
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exe1⤵PID:4436
-
C:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exeC:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exe2⤵PID:5528
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe .1⤵PID:4516
-
C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe .2⤵PID:6096
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\rduscxoecruqfeqsac.exe*."3⤵PID:1912
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cphgrnfwvlpmccpsbeg.exe1⤵PID:2256
-
C:\Windows\cphgrnfwvlpmccpsbeg.execphgrnfwvlpmccpsbeg.exe2⤵PID:5388
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rduscxoecruqfeqsac.exe .1⤵PID:1988
-
C:\Windows\rduscxoecruqfeqsac.exerduscxoecruqfeqsac.exe .2⤵PID:3080
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\rduscxoecruqfeqsac.exe*."3⤵PID:5032
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c itjgpjzolzbwkitub.exe1⤵PID:3808
-
C:\Windows\itjgpjzolzbwkitub.exeitjgpjzolzbwkitub.exe2⤵PID:3956
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cphgrnfwvlpmccpsbeg.exe .1⤵PID:1932
-
C:\Windows\cphgrnfwvlpmccpsbeg.execphgrnfwvlpmccpsbeg.exe .2⤵PID:5168
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\cphgrnfwvlpmccpsbeg.exe*."3⤵PID:4652
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exe1⤵PID:6004
-
C:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exeC:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exe2⤵PID:5392
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe .1⤵PID:1280
-
C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe .2⤵PID:1440
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\rduscxoecruqfeqsac.exe*."3⤵PID:1480
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exe1⤵PID:2444
-
C:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exeC:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exe2⤵PID:5348
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exe .1⤵PID:5876
-
C:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exeC:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exe .2⤵PID:4752
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\etnobztmnflkcetyjoshb.exe*."3⤵PID:2236
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c itjgpjzolzbwkitub.exe1⤵PID:2568
-
C:\Windows\itjgpjzolzbwkitub.exeitjgpjzolzbwkitub.exe2⤵PID:1560
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rduscxoecruqfeqsac.exe .1⤵PID:5844
-
C:\Windows\rduscxoecruqfeqsac.exerduscxoecruqfeqsac.exe .2⤵PID:3108
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\rduscxoecruqfeqsac.exe*."3⤵PID:5944
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c itjgpjzolzbwkitub.exe1⤵PID:3248
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4368
-
-
C:\Windows\itjgpjzolzbwkitub.exeitjgpjzolzbwkitub.exe2⤵PID:5064
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rduscxoecruqfeqsac.exe .1⤵PID:5984
-
C:\Windows\rduscxoecruqfeqsac.exerduscxoecruqfeqsac.exe .2⤵PID:4528
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\rduscxoecruqfeqsac.exe*."3⤵PID:2920
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exe1⤵PID:5784
-
C:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exeC:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exe2⤵PID:4592
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exe .1⤵PID:1616
-
C:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exeC:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exe .2⤵PID:5708
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\etnobztmnflkcetyjoshb.exe*."3⤵PID:2400
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exe1⤵PID:1576
-
C:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exeC:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exe2⤵PID:4904
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exe .1⤵PID:4672
-
C:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exeC:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exe .2⤵PID:3868
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\blawexmawjkeroyy.exe*."3⤵PID:3708
-
-
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.11⤵PID:2636
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rduscxoecruqfeqsac.exe1⤵PID:2792
-
C:\Windows\rduscxoecruqfeqsac.exerduscxoecruqfeqsac.exe2⤵PID:1968
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c etnobztmnflkcetyjoshb.exe .1⤵PID:3312
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5628
-
-
C:\Windows\etnobztmnflkcetyjoshb.exeetnobztmnflkcetyjoshb.exe .2⤵PID:1308
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\etnobztmnflkcetyjoshb.exe*."3⤵PID:6128
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pdwwifyqqhmkbcqueilz.exe1⤵PID:2304
-
C:\Windows\pdwwifyqqhmkbcqueilz.exepdwwifyqqhmkbcqueilz.exe2⤵PID:4516
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c blawexmawjkeroyy.exe .1⤵PID:6096
-
C:\Windows\blawexmawjkeroyy.exeblawexmawjkeroyy.exe .2⤵PID:928
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\blawexmawjkeroyy.exe*."3⤵PID:5532
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe1⤵PID:5256
-
C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe2⤵PID:5540
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exe .1⤵PID:436
-
C:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exeC:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exe .2⤵PID:4680
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\itjgpjzolzbwkitub.exe*."3⤵PID:1988
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exe1⤵PID:4768
-
C:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exeC:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exe2⤵PID:5060
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exe .1⤵PID:3808
-
C:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exeC:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exe .2⤵PID:1932
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\pdwwifyqqhmkbcqueilz.exe*."3⤵PID:4828
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rduscxoecruqfeqsac.exe1⤵PID:2444
-
C:\Windows\rduscxoecruqfeqsac.exerduscxoecruqfeqsac.exe2⤵PID:3512
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c itjgpjzolzbwkitub.exe .1⤵PID:4964
-
C:\Windows\itjgpjzolzbwkitub.exeitjgpjzolzbwkitub.exe .2⤵PID:4628
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\itjgpjzolzbwkitub.exe*."3⤵PID:5956
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c itjgpjzolzbwkitub.exe1⤵PID:4748
C:\Windows\itjgpjzolzbwkitub.exeitjgpjzolzbwkitub.exe2⤵PID:5164
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rduscxoecruqfeqsac.exe .1⤵PID:1088
C:\Windows\rduscxoecruqfeqsac.exerduscxoecruqfeqsac.exe .2⤵PID:4340
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\rduscxoecruqfeqsac.exe*."3⤵PID:5328
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exe1⤵PID:2928
C:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exeC:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exe2⤵PID:4384
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exe .1⤵PID:4820
C:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exeC:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exe .2⤵PID:4304
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\blawexmawjkeroyy.exe*."3⤵PID:2920
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exe1⤵PID:4376
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:716
C:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exeC:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exe2⤵PID:1428
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exe .1⤵PID:4880
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5104
C:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exeC:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exe .2⤵PID:4584
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\etnobztmnflkcetyjoshb.exe*."3⤵PID:2412
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c etnobztmnflkcetyjoshb.exe1⤵PID:5920
C:\Windows\etnobztmnflkcetyjoshb.exeetnobztmnflkcetyjoshb.exe2⤵PID:732
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rduscxoecruqfeqsac.exe1⤵PID:5384
C:\Windows\rduscxoecruqfeqsac.exerduscxoecruqfeqsac.exe2⤵PID:4140
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c etnobztmnflkcetyjoshb.exe .1⤵PID:876
C:\Windows\etnobztmnflkcetyjoshb.exeetnobztmnflkcetyjoshb.exe .2⤵PID:5656
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\etnobztmnflkcetyjoshb.exe*."3⤵PID:5308
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c etnobztmnflkcetyjoshb.exe .1⤵PID:2232
C:\Windows\etnobztmnflkcetyjoshb.exeetnobztmnflkcetyjoshb.exe .2⤵PID:6128
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\etnobztmnflkcetyjoshb.exe*."3⤵PID:2916
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cphgrnfwvlpmccpsbeg.exe1⤵PID:5440
C:\Windows\cphgrnfwvlpmccpsbeg.execphgrnfwvlpmccpsbeg.exe2⤵PID:2404
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c etnobztmnflkcetyjoshb.exe1⤵PID:5800
C:\Windows\etnobztmnflkcetyjoshb.exeetnobztmnflkcetyjoshb.exe2⤵PID:5140
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cphgrnfwvlpmccpsbeg.exe .1⤵PID:1464
C:\Windows\cphgrnfwvlpmccpsbeg.execphgrnfwvlpmccpsbeg.exe .2⤵PID:6104
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\cphgrnfwvlpmccpsbeg.exe*."3⤵PID:3312
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c etnobztmnflkcetyjoshb.exe .1⤵PID:1728
C:\Windows\etnobztmnflkcetyjoshb.exeetnobztmnflkcetyjoshb.exe .2⤵PID:4948
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\etnobztmnflkcetyjoshb.exe*."3⤵PID:5328
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c etnobztmnflkcetyjoshb.exe1⤵PID:4332
C:\Windows\etnobztmnflkcetyjoshb.exeetnobztmnflkcetyjoshb.exe2⤵PID:1936
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exe1⤵PID:4312
C:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exeC:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exe2⤵PID:6012
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exe1⤵PID:2440
C:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exeC:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exe2⤵PID:5836
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exe .1⤵PID:1120
C:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exeC:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exe .2⤵PID:1508
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\blawexmawjkeroyy.exe*."3⤵PID:5944
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe .1⤵PID:4984
C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe .2⤵PID:4624
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\rduscxoecruqfeqsac.exe*."3⤵PID:1612
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pdwwifyqqhmkbcqueilz.exe .1⤵PID:720
C:\Windows\pdwwifyqqhmkbcqueilz.exepdwwifyqqhmkbcqueilz.exe .2⤵PID:4712
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\pdwwifyqqhmkbcqueilz.exe*."3⤵PID:4072
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c blawexmawjkeroyy.exe1⤵PID:4324
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4924
C:\Windows\blawexmawjkeroyy.exeblawexmawjkeroyy.exe2⤵PID:4316
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe1⤵PID:5716
C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe2⤵PID:1096
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pdwwifyqqhmkbcqueilz.exe .1⤵PID:5756
C:\Windows\pdwwifyqqhmkbcqueilz.exepdwwifyqqhmkbcqueilz.exe .2⤵PID:1616
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\pdwwifyqqhmkbcqueilz.exe*."3⤵PID:768
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exe .1⤵PID:4256
C:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exeC:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exe .2⤵PID:1688
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\pdwwifyqqhmkbcqueilz.exe*."3⤵PID:5916
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe1⤵PID:5908
C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe2⤵PID:1896
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exe .1⤵PID:4688
C:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exeC:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exe .2⤵PID:3152
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\blawexmawjkeroyy.exe*."3⤵PID:548
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exe1⤵PID:2468
C:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exeC:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exe2⤵PID:2720
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exe .1⤵PID:3212
C:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exeC:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exe .2⤵PID:3300
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\itjgpjzolzbwkitub.exe*."3⤵PID:4508
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exe1⤵PID:5936
C:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exeC:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exe2⤵PID:2676
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exe .1⤵PID:4336
C:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exeC:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exe .2⤵PID:1964
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\pdwwifyqqhmkbcqueilz.exe*."3⤵PID:5812
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c blawexmawjkeroyy.exe1⤵PID:5764
C:\Windows\blawexmawjkeroyy.exeblawexmawjkeroyy.exe2⤵PID:4404
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c itjgpjzolzbwkitub.exe .1⤵PID:2804
C:\Windows\itjgpjzolzbwkitub.exeitjgpjzolzbwkitub.exe .2⤵PID:1280
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\itjgpjzolzbwkitub.exe*."3⤵PID:5956
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c blawexmawjkeroyy.exe1⤵PID:5344
C:\Windows\blawexmawjkeroyy.exeblawexmawjkeroyy.exe2⤵PID:5428
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c etnobztmnflkcetyjoshb.exe .1⤵PID:2948
C:\Windows\etnobztmnflkcetyjoshb.exeetnobztmnflkcetyjoshb.exe .2⤵PID:4524
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\etnobztmnflkcetyjoshb.exe*."3⤵PID:3944
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exe1⤵PID:1600
C:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exeC:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exe2⤵PID:4824
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exe .1⤵PID:2040
C:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exeC:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exe .2⤵PID:4316
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\etnobztmnflkcetyjoshb.exe*."3⤵PID:5332
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe1⤵PID:2512
C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe2⤵PID:5144
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exe .1⤵PID:5536
C:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exeC:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exe .2⤵PID:4104
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\itjgpjzolzbwkitub.exe*."3⤵PID:5504
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c itjgpjzolzbwkitub.exe1⤵PID:1316
C:\Windows\itjgpjzolzbwkitub.exeitjgpjzolzbwkitub.exe2⤵PID:4528
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c blawexmawjkeroyy.exe .1⤵PID:4712
C:\Windows\blawexmawjkeroyy.exeblawexmawjkeroyy.exe .2⤵PID:4072
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\blawexmawjkeroyy.exe*."3⤵PID:732
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c blawexmawjkeroyy.exe1⤵PID:5896
C:\Windows\blawexmawjkeroyy.exeblawexmawjkeroyy.exe2⤵PID:2100
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c etnobztmnflkcetyjoshb.exe .1⤵PID:1404
C:\Windows\etnobztmnflkcetyjoshb.exeetnobztmnflkcetyjoshb.exe .2⤵PID:5908
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\etnobztmnflkcetyjoshb.exe*."3⤵PID:5668
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exe1⤵PID:5932
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:624
C:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exeC:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exe2⤵PID:5832
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exe .1⤵PID:4212
C:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exeC:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exe .2⤵PID:1312
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\cphgrnfwvlpmccpsbeg.exe*."3⤵PID:2552
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe1⤵PID:1940
C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe2⤵PID:1804
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exe .1⤵PID:764
C:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exeC:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exe .2⤵PID:4152
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\cphgrnfwvlpmccpsbeg.exe*."3⤵PID:4300
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵PID:5436
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pdwwifyqqhmkbcqueilz.exe1⤵PID:1808
C:\Windows\pdwwifyqqhmkbcqueilz.exepdwwifyqqhmkbcqueilz.exe2⤵PID:2860
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c etnobztmnflkcetyjoshb.exe .1⤵PID:640
C:\Windows\etnobztmnflkcetyjoshb.exeetnobztmnflkcetyjoshb.exe .2⤵PID:2136
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\etnobztmnflkcetyjoshb.exe*."3⤵PID:4944
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cphgrnfwvlpmccpsbeg.exe1⤵PID:5528
C:\Windows\cphgrnfwvlpmccpsbeg.execphgrnfwvlpmccpsbeg.exe2⤵PID:1512
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c itjgpjzolzbwkitub.exe .1⤵PID:3432
C:\Windows\itjgpjzolzbwkitub.exeitjgpjzolzbwkitub.exe .2⤵PID:688
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\itjgpjzolzbwkitub.exe*."3⤵PID:1184
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exe1⤵PID:2556
C:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exeC:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exe2⤵PID:1672
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exe .1⤵PID:772
C:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exeC:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exe .2⤵PID:5604
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\cphgrnfwvlpmccpsbeg.exe*."3⤵PID:5096
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exe1⤵PID:5728
C:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exeC:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exe2⤵PID:6048
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exe .1⤵PID:712
C:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exeC:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exe .2⤵PID:5600
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\blawexmawjkeroyy.exe*."3⤵PID:5620
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rduscxoecruqfeqsac.exe1⤵PID:4516
C:\Windows\rduscxoecruqfeqsac.exerduscxoecruqfeqsac.exe2⤵PID:5772
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pdwwifyqqhmkbcqueilz.exe .1⤵PID:2512
C:\Windows\pdwwifyqqhmkbcqueilz.exepdwwifyqqhmkbcqueilz.exe .2⤵PID:3188
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\pdwwifyqqhmkbcqueilz.exe*."3⤵PID:5148
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rduscxoecruqfeqsac.exe1⤵PID:4324
C:\Windows\rduscxoecruqfeqsac.exerduscxoecruqfeqsac.exe2⤵PID:3628
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c blawexmawjkeroyy.exe .1⤵PID:5536
C:\Windows\blawexmawjkeroyy.exeblawexmawjkeroyy.exe .2⤵PID:1168
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\blawexmawjkeroyy.exe*."3⤵PID:732
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exe1⤵PID:6056
C:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exeC:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exe2⤵PID:2376
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exe .1⤵PID:3928
C:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exeC:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exe .2⤵PID:1028
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\pdwwifyqqhmkbcqueilz.exe*."3⤵PID:5032
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exe1⤵PID:3688
C:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exeC:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exe2⤵PID:4488
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exe .1⤵PID:4820
C:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exeC:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exe .2⤵PID:4620
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\blawexmawjkeroyy.exe*."3⤵PID:5840
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c itjgpjzolzbwkitub.exe1⤵PID:5948
C:\Windows\itjgpjzolzbwkitub.exeitjgpjzolzbwkitub.exe2⤵PID:5892
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cphgrnfwvlpmccpsbeg.exe .1⤵PID:4612
C:\Windows\cphgrnfwvlpmccpsbeg.execphgrnfwvlpmccpsbeg.exe .2⤵PID:2728
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\cphgrnfwvlpmccpsbeg.exe*."3⤵PID:4292
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c itjgpjzolzbwkitub.exe1⤵PID:4116
C:\Windows\itjgpjzolzbwkitub.exeitjgpjzolzbwkitub.exe2⤵PID:764
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c etnobztmnflkcetyjoshb.exe .1⤵PID:4968
C:\Windows\etnobztmnflkcetyjoshb.exeetnobztmnflkcetyjoshb.exe .2⤵PID:2508
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\etnobztmnflkcetyjoshb.exe*."3⤵PID:5856
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exe1⤵PID:4396
C:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exeC:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exe2⤵PID:2436
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exe .1⤵PID:5296
C:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exeC:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exe .2⤵PID:1856
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\pdwwifyqqhmkbcqueilz.exe*."3⤵PID:5424
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exe1⤵PID:4880
C:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exeC:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exe2⤵PID:5844
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe .1⤵PID:2136
C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe .2⤵PID:5612
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\rduscxoecruqfeqsac.exe*."3⤵PID:6140
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rduscxoecruqfeqsac.exe1⤵PID:3340
C:\Windows\rduscxoecruqfeqsac.exerduscxoecruqfeqsac.exe2⤵PID:4728
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c blawexmawjkeroyy.exe .1⤵PID:4748
C:\Windows\blawexmawjkeroyy.exeblawexmawjkeroyy.exe .2⤵PID:5184
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\blawexmawjkeroyy.exe*."3⤵PID:5808
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cphgrnfwvlpmccpsbeg.exe1⤵PID:4616
C:\Windows\cphgrnfwvlpmccpsbeg.execphgrnfwvlpmccpsbeg.exe2⤵PID:6048
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c itjgpjzolzbwkitub.exe1⤵PID:1600
C:\Windows\itjgpjzolzbwkitub.exeitjgpjzolzbwkitub.exe2⤵PID:2040
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rduscxoecruqfeqsac.exe .1⤵PID:2568
C:\Windows\rduscxoecruqfeqsac.exerduscxoecruqfeqsac.exe .2⤵PID:2628
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\rduscxoecruqfeqsac.exe*."3⤵PID:464
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c blawexmawjkeroyy.exe1⤵PID:5812
C:\Windows\blawexmawjkeroyy.exeblawexmawjkeroyy.exe2⤵PID:3204
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rduscxoecruqfeqsac.exe .1⤵PID:1448
C:\Windows\rduscxoecruqfeqsac.exerduscxoecruqfeqsac.exe .2⤵PID:5232
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\rduscxoecruqfeqsac.exe*."3⤵PID:1120
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exe1⤵PID:1296
C:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exeC:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exe2⤵PID:1696
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exe .1⤵PID:4740
C:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exeC:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exe .2⤵PID:2092
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\blawexmawjkeroyy.exe*."3⤵PID:2952
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c itjgpjzolzbwkitub.exe .1⤵PID:5772
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4516
C:\Windows\itjgpjzolzbwkitub.exeitjgpjzolzbwkitub.exe .2⤵PID:4784
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\itjgpjzolzbwkitub.exe*."3⤵PID:2468
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cphgrnfwvlpmccpsbeg.exe1⤵PID:2404
C:\Windows\cphgrnfwvlpmccpsbeg.execphgrnfwvlpmccpsbeg.exe2⤵PID:5668
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cphgrnfwvlpmccpsbeg.exe .1⤵PID:2060
C:\Windows\cphgrnfwvlpmccpsbeg.execphgrnfwvlpmccpsbeg.exe .2⤵PID:3300
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\cphgrnfwvlpmccpsbeg.exe*."3⤵PID:4408
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pdwwifyqqhmkbcqueilz.exe1⤵PID:2512
C:\Windows\pdwwifyqqhmkbcqueilz.exepdwwifyqqhmkbcqueilz.exe2⤵PID:4632
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exe1⤵PID:2720
C:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exeC:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exe2⤵PID:1940
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe1⤵PID:4532
C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe2⤵PID:2556
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pdwwifyqqhmkbcqueilz.exe .1⤵PID:1640
C:\Windows\pdwwifyqqhmkbcqueilz.exepdwwifyqqhmkbcqueilz.exe .2⤵PID:5660
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\pdwwifyqqhmkbcqueilz.exe*."3⤵PID:5544
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exe .1⤵PID:1780
C:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exeC:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exe .2⤵PID:4116
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\cphgrnfwvlpmccpsbeg.exe*."3⤵PID:5520
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exe1⤵PID:4344
C:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exeC:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exe2⤵PID:2188
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exe .1⤵PID:5032
C:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exeC:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exe .2⤵PID:1636
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\pdwwifyqqhmkbcqueilz.exe*."3⤵PID:4688
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exe .1⤵PID:5740
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4592
C:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exeC:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exe .2⤵PID:5476
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\itjgpjzolzbwkitub.exe*."3⤵PID:4652
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exe1⤵PID:5336
C:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exeC:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exe2⤵PID:1912
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exe .1⤵PID:3616
C:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exeC:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exe .2⤵PID:4968
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\itjgpjzolzbwkitub.exe*."3⤵PID:3728
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exe1⤵PID:768
C:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exeC:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exe2⤵PID:540
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exe .1⤵PID:3256
C:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exeC:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exe .2⤵PID:2860
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\pdwwifyqqhmkbcqueilz.exe*."3⤵PID:5612
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pdwwifyqqhmkbcqueilz.exe1⤵PID:1608
C:\Windows\pdwwifyqqhmkbcqueilz.exepdwwifyqqhmkbcqueilz.exe2⤵PID:5784
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c itjgpjzolzbwkitub.exe .1⤵PID:5532
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2580
C:\Windows\itjgpjzolzbwkitub.exeitjgpjzolzbwkitub.exe .2⤵PID:1360
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\itjgpjzolzbwkitub.exe*."3⤵PID:5836
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c blawexmawjkeroyy.exe1⤵PID:876
C:\Windows\blawexmawjkeroyy.exeblawexmawjkeroyy.exe2⤵PID:4616
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cphgrnfwvlpmccpsbeg.exe .1⤵PID:5540
C:\Windows\cphgrnfwvlpmccpsbeg.execphgrnfwvlpmccpsbeg.exe .2⤵PID:1280
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\cphgrnfwvlpmccpsbeg.exe*."3⤵PID:1508
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exe1⤵PID:3868
C:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exeC:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exe2⤵PID:3620
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe .1⤵PID:2536
C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe .2⤵PID:4472
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\rduscxoecruqfeqsac.exe*."3⤵PID:4200
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exe1⤵PID:3452
C:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exeC:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exe2⤵PID:4316
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exe .1⤵PID:4904
C:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exeC:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exe .2⤵PID:3928
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\pdwwifyqqhmkbcqueilz.exe*."3⤵PID:3720
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cphgrnfwvlpmccpsbeg.exe1⤵PID:4964
C:\Windows\cphgrnfwvlpmccpsbeg.execphgrnfwvlpmccpsbeg.exe2⤵PID:3760
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c itjgpjzolzbwkitub.exe .1⤵PID:3872
C:\Windows\itjgpjzolzbwkitub.exeitjgpjzolzbwkitub.exe .2⤵PID:4644
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\itjgpjzolzbwkitub.exe*."3⤵PID:6020
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c itjgpjzolzbwkitub.exe1⤵PID:4640
C:\Windows\itjgpjzolzbwkitub.exeitjgpjzolzbwkitub.exe2⤵PID:892
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pdwwifyqqhmkbcqueilz.exe .1⤵PID:1312
C:\Windows\pdwwifyqqhmkbcqueilz.exepdwwifyqqhmkbcqueilz.exe .2⤵PID:5672
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\pdwwifyqqhmkbcqueilz.exe*."3⤵PID:1544
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exe1⤵PID:928
-
C:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exeC:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exe2⤵PID:5772
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exe .1⤵PID:4624
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1912
-
-
C:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exeC:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exe .2⤵PID:1768
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\itjgpjzolzbwkitub.exe*."3⤵PID:5084
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exe1⤵PID:896
-
C:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exeC:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exe2⤵PID:6120
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe .1⤵PID:5856
-
C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe .2⤵PID:4888
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\rduscxoecruqfeqsac.exe*."3⤵PID:1208
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c itjgpjzolzbwkitub.exe1⤵PID:3000
-
C:\Windows\itjgpjzolzbwkitub.exeitjgpjzolzbwkitub.exe2⤵PID:5664
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c itjgpjzolzbwkitub.exe .1⤵PID:3572
-
C:\Windows\itjgpjzolzbwkitub.exeitjgpjzolzbwkitub.exe .2⤵PID:1404
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\itjgpjzolzbwkitub.exe*."3⤵PID:3532
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c etnobztmnflkcetyjoshb.exe1⤵PID:3904
-
C:\Windows\etnobztmnflkcetyjoshb.exeetnobztmnflkcetyjoshb.exe2⤵PID:264
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c itjgpjzolzbwkitub.exe .1⤵PID:1728
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4968
-
-
C:\Windows\itjgpjzolzbwkitub.exeitjgpjzolzbwkitub.exe .2⤵PID:4940
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\itjgpjzolzbwkitub.exe*."3⤵PID:2460
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exe1⤵PID:6104
-
C:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exeC:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exe2⤵PID:5988
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exe .1⤵PID:5384
-
C:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exeC:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exe .2⤵PID:6108
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\itjgpjzolzbwkitub.exe*."3⤵PID:4044
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exe1⤵PID:5944
-
C:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exeC:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exe2⤵PID:1492
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exe .1⤵PID:1184
-
C:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exeC:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exe .2⤵PID:5056
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\pdwwifyqqhmkbcqueilz.exe*."3⤵PID:2100
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rduscxoecruqfeqsac.exe1⤵PID:6048
-
C:\Windows\rduscxoecruqfeqsac.exerduscxoecruqfeqsac.exe2⤵PID:4824
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c blawexmawjkeroyy.exe .1⤵PID:884
-
C:\Windows\blawexmawjkeroyy.exeblawexmawjkeroyy.exe .2⤵PID:876
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\blawexmawjkeroyy.exe*."3⤵PID:1508
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c itjgpjzolzbwkitub.exe1⤵PID:6016
-
C:\Windows\itjgpjzolzbwkitub.exeitjgpjzolzbwkitub.exe2⤵PID:3724
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cphgrnfwvlpmccpsbeg.exe .1⤵PID:2804
-
C:\Windows\cphgrnfwvlpmccpsbeg.execphgrnfwvlpmccpsbeg.exe .2⤵PID:1668
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\cphgrnfwvlpmccpsbeg.exe*."3⤵PID:5708
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exe1⤵PID:3204
-
C:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exeC:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exe2⤵PID:4316
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exe .1⤵PID:5812
-
C:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exeC:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exe .2⤵PID:3452
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\itjgpjzolzbwkitub.exe*."3⤵PID:2628
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exe1⤵PID:3928
-
C:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exeC:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exe2⤵PID:3980
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exe .1⤵PID:1296
-
C:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exeC:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exe .2⤵PID:5728
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\blawexmawjkeroyy.exe*."3⤵PID:2984
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c itjgpjzolzbwkitub.exe1⤵PID:3812
-
C:\Windows\itjgpjzolzbwkitub.exeitjgpjzolzbwkitub.exe2⤵PID:5752
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rduscxoecruqfeqsac.exe .1⤵PID:4828
-
C:\Windows\rduscxoecruqfeqsac.exerduscxoecruqfeqsac.exe .2⤵PID:2808
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\rduscxoecruqfeqsac.exe*."3⤵PID:6068
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rduscxoecruqfeqsac.exe1⤵PID:3008
-
C:\Windows\rduscxoecruqfeqsac.exerduscxoecruqfeqsac.exe2⤵PID:5936
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c etnobztmnflkcetyjoshb.exe .1⤵PID:1008
-
C:\Windows\etnobztmnflkcetyjoshb.exeetnobztmnflkcetyjoshb.exe .2⤵PID:5244
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\etnobztmnflkcetyjoshb.exe*."3⤵PID:5660
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exe1⤵PID:4552
-
C:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exeC:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exe2⤵PID:896
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exe .1⤵PID:5428
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3160
-
-
C:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exeC:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exe .2⤵PID:540
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\itjgpjzolzbwkitub.exe*."3⤵PID:2956
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exe1⤵PID:4856
-
C:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exeC:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exe2⤵PID:3596
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exe .1⤵PID:1512
-
C:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exeC:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exe .2⤵PID:5448
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\etnobztmnflkcetyjoshb.exe*."3⤵PID:1404
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pdwwifyqqhmkbcqueilz.exe1⤵PID:5168
-
C:\Windows\pdwwifyqqhmkbcqueilz.exepdwwifyqqhmkbcqueilz.exe2⤵PID:2240
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rduscxoecruqfeqsac.exe .1⤵PID:5988
-
C:\Windows\rduscxoecruqfeqsac.exerduscxoecruqfeqsac.exe .2⤵PID:5348
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\rduscxoecruqfeqsac.exe*."3⤵PID:1728
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pdwwifyqqhmkbcqueilz.exe1⤵PID:5612
-
C:\Windows\pdwwifyqqhmkbcqueilz.exepdwwifyqqhmkbcqueilz.exe2⤵PID:932
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c itjgpjzolzbwkitub.exe .1⤵PID:5960
-
C:\Windows\itjgpjzolzbwkitub.exeitjgpjzolzbwkitub.exe .2⤵PID:2188
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\itjgpjzolzbwkitub.exe*."3⤵PID:3260
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe1⤵PID:6108
-
C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe2⤵PID:5956
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exe .1⤵PID:4344
-
C:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exeC:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exe .2⤵PID:5056
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\itjgpjzolzbwkitub.exe*."3⤵PID:1184
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exe1⤵PID:4288
-
C:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exeC:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exe2⤵PID:944
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exe .1⤵PID:2580
-
C:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exeC:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exe .2⤵PID:5344
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\itjgpjzolzbwkitub.exe*."3⤵PID:3660
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pdwwifyqqhmkbcqueilz.exe1⤵PID:1596
-
C:\Windows\pdwwifyqqhmkbcqueilz.exepdwwifyqqhmkbcqueilz.exe2⤵PID:2344
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pdwwifyqqhmkbcqueilz.exe .1⤵PID:3724
-
C:\Windows\pdwwifyqqhmkbcqueilz.exepdwwifyqqhmkbcqueilz.exe .2⤵PID:1540
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\pdwwifyqqhmkbcqueilz.exe*."3⤵PID:3112
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c blawexmawjkeroyy.exe1⤵PID:4616
-
C:\Windows\blawexmawjkeroyy.exeblawexmawjkeroyy.exe2⤵PID:4316
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c etnobztmnflkcetyjoshb.exe .1⤵PID:5256
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rduscxoecruqfeqsac.exe1⤵PID:2488
-
C:\Windows\rduscxoecruqfeqsac.exerduscxoecruqfeqsac.exe2⤵PID:732
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c etnobztmnflkcetyjoshb.exe .1⤵PID:2148
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c blawexmawjkeroyy.exe1⤵PID:5272
-
C:\Windows\blawexmawjkeroyy.exeblawexmawjkeroyy.exe2⤵PID:4556
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pdwwifyqqhmkbcqueilz.exe1⤵PID:4904
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exe1⤵PID:4972
-
C:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exeC:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exe2⤵PID:4528
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c blawexmawjkeroyy.exe .1⤵PID:4632
-
C:\Windows\blawexmawjkeroyy.exeblawexmawjkeroyy.exe .2⤵PID:3492
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\blawexmawjkeroyy.exe*."3⤵PID:5664
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exe .1⤵PID:5044
-
C:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exeC:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exe .2⤵PID:6020
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\pdwwifyqqhmkbcqueilz.exe*."3⤵PID:1888
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rduscxoecruqfeqsac.exe .1⤵PID:548
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3864
-
-
C:\Windows\rduscxoecruqfeqsac.exerduscxoecruqfeqsac.exe .2⤵PID:4752
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\rduscxoecruqfeqsac.exe*."3⤵PID:4508
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe1⤵PID:5716
-
C:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\rduscxoecruqfeqsac.exe2⤵PID:1220
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exe .1⤵PID:4640
-
C:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exeC:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exe .2⤵PID:2984
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\blawexmawjkeroyy.exe*."3⤵PID:3256
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c blawexmawjkeroyy.exe1⤵PID:5388
-
C:\Windows\blawexmawjkeroyy.exeblawexmawjkeroyy.exe2⤵PID:3884
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exe1⤵PID:5484
-
C:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exeC:\Users\Admin\AppData\Local\Temp\etnobztmnflkcetyjoshb.exe2⤵PID:4592
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c etnobztmnflkcetyjoshb.exe .1⤵PID:436
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exe .1⤵PID:2916
-
C:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exeC:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exe .2⤵PID:4328
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exe1⤵PID:3200
-
C:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exeC:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exe2⤵PID:440
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exe1⤵PID:3520
-
C:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exeC:\Users\Admin\AppData\Local\Temp\blawexmawjkeroyy.exe2⤵PID:2460
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exe .1⤵PID:3096
-
C:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exeC:\Users\Admin\AppData\Local\Temp\cphgrnfwvlpmccpsbeg.exe .2⤵PID:264
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exe .1⤵PID:5700
-
C:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exeC:\Users\Admin\AppData\Local\Temp\itjgpjzolzbwkitub.exe .2⤵PID:4852
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exe1⤵PID:3288
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdwwifyqqhmkbcqueilz.exe .1⤵PID:4348
Network
MITRE ATT&CK Enterprise v16
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
  Impair Defenses (2)
    Disable or Modify Tools (1)
    Safe Mode Boot (1)
  Modify Registry (5)
Downloads
-
Filesize
280B
MD5 344ba62df3105d10de37f6cff4b9d7a3
SHA1 e03b602ac15b3d92ea29a8220e575bd1cd654ac1
SHA256 399d38df390780c4c49fc5c6477f3c3eeced9b77e9a04c2cb288bfb63c6bb8d0
SHA512 051a6ae3ba223f202ea36c747c3dffc596cd027187cf54857648c5889911cabd13aad75fa4d22b2a1a0cb921350ab03967f82769ed6b86fee18be022c6aca375
-
Filesize
280B
MD5 ac75b52d036241feea989c485dbe4c6b
SHA1 fd4ece502d31015e15a623942bcfc4386389d399
SHA256 fb6bef670b6b7046c154bcfb06731a685fa3d2262f0a0d8c12385c70827a1233
SHA512 35639480c1d48d6cc724a1a7d156ae81ec8c72b9323b8a39314172dbb1e4c9844fe4c85aeced82268bb6bba334a7466cf001ccdc8d5cbbfb31bfeb98c99209ef
-
Filesize
280B
MD5 611be69a8bbb2ee52b4c93ba9d4d4ac9
SHA1 9fddc8370d6299d23679f19cee2a7871f3524724
SHA256 4762cfd22ef989adf682ecd7b455f3f94cf304f33f166024d8350a4471713fbc
SHA512 adffa0dcb38b34d97ed545a7c38f3cf8033b3e91f0cd4351107be145af26a751eebb4e554ab8490f1350638cfab5592bcdf00d7b16fee3b96c1f2e01ef1d3e3a
-
Filesize
280B
MD5 1a1d256d99847cb8eb4e0ca014052f5d
SHA1 76a683d134b3636c3103bc357056a4cf81840323
SHA256 b25acc7a06c8ffc7dcb4ed79a2cdfacd60a34324877621af490a4eeb5dbb3ee7
SHA512 20dfcbc5e813ab72106d483cceacc6b8456a56f5b96f442558279e76ab83cb086b807dac26b656b64e128291cdf5ad2f73c3cf498e6517cdc31bdc651b36c932
-
Filesize
280B
MD5 7c18942302bf5e29f6f7f1be5d9906fb
SHA1 dc31c34f76018b88376eb1eaa94a283c6f77acdb
SHA256 981308ad7f3ae755bfcc21fb76b05d5687c0b51609a561120d55a9fe42b90b5d
SHA512 fba5f0720035ccb9537ff589855e67b025f5c29f83892bbb1bec2c29ca1cd9dbf8129cfd62d2abe568f5f2d4ca585ec74dac9a3c30bf9c7a7a9941c84feb524d
-
Filesize
280B
MD5 553078faeda10b51f388fadcb49a5b75
SHA1 d7da2fbead73536f2bb6d424397b63975393a714
SHA256 8cad1c58a765619f8443850f1c2307d72f2cb2bdc8edbc6131c2dd665bb3db36
SHA512 f0750fdb75d96df1fb91d8da41554ad56cdf4bf45474ab347825e5ee6514c05e83f44c1c7f45063bfa4311d69f630e9cd985ce5d62e8656a0132cb5da621ea92
-
Filesize
280B
MD5 bb567a217895b0f0172efe265fb1c810
SHA1 b224175ad200010387b32d4fa3a976bfc0e267e4
SHA256 6da19d9b5d509dbb2e235f2dfa6c249fd4acf854b129b53e0ed22b9e77b595d6
SHA512 f7c2feeef4e7b73f68bcb270c164577a04795c3d85599d14ef086266c2d6c39720b8b6bff56daa2dbddd3e10e0d58e4d8ff227b2f5a8d834ce9229fc905e9b57
-
Filesize
320KB
MD5 a4ebfcec20d40bf9917c1f0724917442
SHA1 fe9cef99034f175c7077177ca7e3891fb62b1bba
SHA256 d852503961e4da73c886f3fef92052485885f1b6d3bb78ee531a8f4010972119
SHA512 f4e792c3edfd79453b6acdf2a9fd35cc79d88ca5bec46d8b770a9c7b44a48fda1425aac1bc16d507ee69f929a3ab2a4aff5ef913202ac337b1c5fd7f01d610dc
-
Filesize
692KB
MD5 92230bb7c6f8310b073ab11d7ced7c4f
SHA1 fc76b48a20098bdb18aff9ad3873b1ed38de682e
SHA256 75d0b8a7557b494077dfadecf260d8ac46b33ab543cc3448a56509f06f616115
SHA512 ac5c89902e2f0220a49ac98d0fd504c970bd240528a4272ae3379ffb1c4303889e390244df03e8548ff969d60f3061f39ce6e08fbb5752b722f4d98e52df1623
-
Filesize
280B
MD5 6bba45a346e0e6851ee2e2e2588cdb92
SHA1 3424cd681369c2c39072981e02d00d341858dc85
SHA256 04865af93c1a00e98be319571cae6819d7fdcb9a9aff5d849dcfeb152ce98488
SHA512 6ee9d07b7d552f0068f4b2e043052b9265b9c413143588bee17d1a548ebcd2719764e2da716c5a940e88486e2edd40de5b9f92d27a252cc011da8ea89a6e80a1
-
Filesize
4KB
MD5 b8c182b375b61fc7bc5c091eafda0566
SHA1 6826bb5455808db0a0bb6085c0f0a8e943191a34
SHA256 3b53c4567df2cdb40c8a32309358ceb9a4bd138dfe1544fe576fcfd325ec219b
SHA512 8ae400028bb22ea97120ff233d991ee13d10744e4b9cf5e7cc6ef313cdf501738b664bf9ad0df5b7f5b5263b3407f6d1cf085cc816abc852426c9174adc171ca
-
Filesize
952KB
MD5 bd0b66050d49b213e682c9f3dbddd4f4
SHA1 3e6dc7c446dc88cd3b9aa237c8d4836bff134a18
SHA256 36f7aefe30f8fdda2c6a568efa39ed27bd09956fc7123a034285cf8e5f0d91a7
SHA512 7d0b3e9d573564d7d937b9ec83f21682a692c5ddb3797b155866b7620ecfebd6d2e444ab6d5a3f17b0d15a2db6af11f84aedfc93671c68d239cd2236c3b75ffa