Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20250314-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/04/2025, 11:52

Static task: static1

Behavioral task: behavioral1
Sample: JaffaCakes118_bdee5e351d4080f6d88d3fb9c6c09c60.exe
Resource: win10v2004-20250314-en

Behavioral task: behavioral2
Sample: JaffaCakes118_bdee5e351d4080f6d88d3fb9c6c09c60.exe
Resource: win11-20250410-en

General
Target: JaffaCakes118_bdee5e351d4080f6d88d3fb9c6c09c60.exe
Size: 1016KB
MD5: bdee5e351d4080f6d88d3fb9c6c09c60
SHA1: f8b229a69b7b932ffb0ac6d71aec90137c583a18
SHA256: 04d3522972566a2b189144c86441058f1af5641a67cdaf39e246f91ba23bf5c5
SHA512: 35c3b392784ac85f9794e1eb75d55e9d651e2f13782175791eeb07fef86f5360f681e3e0be9d8fe0c6b1495ed4edd07e6eaec2f2c46c5026faa812fb0858842b
SSDEEP: 6144:AIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUzx84a2lXUW:AIXsgtvm1De5YlOx6lzBH46Uzf7lXUW
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 22 IoCs
Pykspa family
UAC bypass 3 TTPs 31 IoCs
Detect Pykspa worm 2 IoCs
resource | yara_rule
behavioral1/files/0x00080000000242c5-4.dat | family_pykspa
behavioral1/files/0x00070000000242db-86.dat | family_pykspa
Adds policy Run key to start application 2 TTPs 64 IoCs
Disables RegEdit via registry modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | afflt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | afflt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | afflt.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | sdqaokddcna.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | afflt.exe
Checks computer location settings 2 TTPs 64 IoCs
Looks up country code configured in the registry, likely geofence.
Executes dropped EXE 64 IoCs
Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | afflt.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | afflt.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | afflt.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | afflt.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | afflt.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | afflt.exe
Adds Run key to start application 2 TTPs 64 IoCs
Checks whether UAC is enabled 1 TTPs 44 IoCs
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possibly turns off User Account Control's privilege elevation for standard users.
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" afflt.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" sdqaokddcna.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" afflt.exe
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc
13 whatismyipaddress.com
22 www.showmyipaddress.com
27 www.whatismyip.ca
28 whatismyip.everdot.org
Drops file in System32 directory 64 IoCs
Drops file in Program Files directory 4 IoCs
description ioc Process
File created C:\Program Files (x86)\objxndkxryobqcsqlnobjxndkxryobqcsql.obj afflt.exe
File opened for modification C:\Program Files (x86)\fhehmrnpyuzbfglyizprorwb.zie afflt.exe
File created C:\Program Files (x86)\fhehmrnpyuzbfglyizprorwb.zie afflt.exe
File opened for modification C:\Program Files (x86)\objxndkxryobqcsqlnobjxndkxryobqcsql.obj afflt.exe
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid    Process                                               rows
2044   JaffaCakes118_bdee5e351d4080f6d88d3fb9c6c09c60.exe   60
5364   afflt.exe                                             4
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description               pid    Process
Token: SeDebugPrivilege   5364   afflt.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description                        pid    Process                                               procid_target   rows
PID 2044 wrote to memory of 5512   2044   JaffaCakes118_bdee5e351d4080f6d88d3fb9c6c09c60.exe   89              3
PID 4516 wrote to memory of 4292   4516   cmd.exe                                               94              3
PID 3472 wrote to memory of 3456   3472   cmd.exe                                               97              3
PID 3456 wrote to memory of 4732   3456   avlhfdsnpecxuomsvfojz.exe                             101             3
PID 2704 wrote to memory of 4540   2704   cmd.exe                                               103             3
PID 4476 wrote to memory of 4684   4476   cmd.exe                                               106             3
PID 4676 wrote to memory of 4864   4676   cmd.exe                                               109             3
PID 4684 wrote to memory of 408    4684   yrfzvrexxkgzumimnvc.exe                               111             3
PID 4568 wrote to memory of 5312   4568   cmd.exe                                               112             3
PID 5312 wrote to memory of 3596   5312   lfupmjxrsgdxtmjoqzhb.exe                              116             3
PID 3656 wrote to memory of 2284   3656   cmd.exe                                               117             3
PID 3408 wrote to memory of 2468   3408   cmd.exe                                               120             3
PID 2468 wrote to memory of 2652   2468   yrfzvrexxkgzumimnvc.exe                               121             3
PID 5512 wrote to memory of 5364   5512   sdqaokddcna.exe                                       122             3
PID 5512 wrote to memory of 3884   5512   sdqaokddcna.exe                                       123             3
PID 5944 wrote to memory of 1500   5944   cmd.exe                                               128             3
PID 452 wrote to memory of 2944    452    cmd.exe                                               129             3
PID 6000 wrote to memory of 5136   6000   cmd.exe                                               135             3
PID 3616 wrote to memory of 5708   3616   cmd.exe                                               136             3
PID 5708 wrote to memory of 800    5708   evhztnypnysjcsmon.exe                                 143             3
PID 5136 wrote to memory of 3380   5136   evhztnypnysjcsmon.exe                                 146             3
PID 5604 wrote to memory of 4632   5604   cmd.exe                                               152             1
-
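Every row above pairs a writer PID with a PID that the process tree below shows as its child, and the report lists each pair three times (only the last pair, where the table is cut off at 64 rows, appears once). The Python below is an added example, not part of the report or of any sandbox's own tooling: it parses rows in exactly this format, collapses the repeats into edges with a multiplicity, and walks the parent links so that the chain from the submitted sample (2044) through sdqaokddcna.exe (5512) to afflt.exe (5364) can be read off directly. `SAMPLE_ROWS` is a constructed subset of the table, and the function names are this example's own.

```python
"""Rebuild the parent/child graph from a sandbox 'WriteProcessMemory' table.

Added example, not part of the sandbox report. SAMPLE_ROWS is a constructed
subset of the table above; function names are this example's own.
"""
import re
from collections import Counter, defaultdict

# Constructed input: rows copied from the report, one per line. Every pair
# appears three times except the last, which is where the table cuts off.
SAMPLE_ROWS = """
PID 2044 wrote to memory of 5512 2044 JaffaCakes118_bdee5e351d4080f6d88d3fb9c6c09c60.exe 89
PID 2044 wrote to memory of 5512 2044 JaffaCakes118_bdee5e351d4080f6d88d3fb9c6c09c60.exe 89
PID 2044 wrote to memory of 5512 2044 JaffaCakes118_bdee5e351d4080f6d88d3fb9c6c09c60.exe 89
PID 3472 wrote to memory of 3456 3472 cmd.exe 97
PID 3472 wrote to memory of 3456 3472 cmd.exe 97
PID 3472 wrote to memory of 3456 3472 cmd.exe 97
PID 3456 wrote to memory of 4732 3456 avlhfdsnpecxuomsvfojz.exe 101
PID 3456 wrote to memory of 4732 3456 avlhfdsnpecxuomsvfojz.exe 101
PID 3456 wrote to memory of 4732 3456 avlhfdsnpecxuomsvfojz.exe 101
PID 5512 wrote to memory of 5364 5512 sdqaokddcna.exe 122
PID 5512 wrote to memory of 5364 5512 sdqaokddcna.exe 122
PID 5512 wrote to memory of 5364 5512 sdqaokddcna.exe 122
PID 5512 wrote to memory of 3884 5512 sdqaokddcna.exe 123
PID 5512 wrote to memory of 3884 5512 sdqaokddcna.exe 123
PID 5512 wrote to memory of 3884 5512 sdqaokddcna.exe 123
PID 5604 wrote to memory of 4632 5604 cmd.exe 152
"""

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")


def parse_wpm_rows(text):
    """Return (writer_pid, target_pid, writer_image, procid_target) per row."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        writer, target, pid_col, image, target_id = m.groups()
        if writer != pid_col:  # the description and pid columns must agree
            raise ValueError(f"inconsistent row: {line!r}")
        rows.append((int(writer), int(target), image, int(target_id)))
    return rows


def build_graph(rows):
    """Collapse repeated rows into edges; keep the multiplicity per edge."""
    edges = Counter((w, t, img) for w, t, img, _ in rows)
    children, parent = defaultdict(dict), {}
    for (w, t, img), n in edges.items():
        children[w][t] = n
        parent[t] = (w, img)  # last writer wins; PID reuse would need timestamps
    return {"children": dict(children), "parent": parent, "edges": edges}


def lineage(graph, pid):
    """Follow parent links from pid up to the root: [root, ..., pid]."""
    chain, seen = [pid], {pid}
    while chain[-1] in graph["parent"]:
        p, _ = graph["parent"][chain[-1]]
        if p in seen:  # defensive: a PID-reuse cycle would otherwise loop forever
            break
        seen.add(p)
        chain.append(p)
    return list(reversed(chain))


def odd_multiplicity(graph, expected=3):
    """Edges that do not show the usual three rows per creation seen in this report."""
    return sorted((w, t, img, n) for (w, t, img), n in graph["edges"].items() if n != expected)


def render(graph, root, depth=0):
    """Indented text tree of 'writer_image (writer) -> child [xN]' lines under root."""
    lines = []
    for child, n in sorted(graph["children"].get(root, {}).items()):
        _, image = graph["parent"][child]
        lines.append(f"{'  ' * depth}{image} ({root}) -> {child}  [x{n}]")
        lines.extend(render(graph, child, depth + 1))
    return lines


if __name__ == "__main__":
    g = build_graph(parse_wpm_rows(SAMPLE_ROWS))
    print("\n".join(render(g, 2044)))
    print("afflt.exe (5364) lineage:", lineage(g, 5364))
```

The multiplicity is kept rather than discarded because an edge that deviates from the pattern the rest of the table shows (here only the truncated last row) is exactly the one worth a second look when the table is not truncated.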
System policy modification 1 TTPs 64 IoCs
description       ioc                                                                                                        Process           rows
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                 sdqaokddcna.exe   19
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"      sdqaokddcna.exe   1
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" sdqaokddcna.exe   1
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" sdqaokddcna.exe 1
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"  sdqaokddcna.exe   1
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"      sdqaokddcna.exe   1
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"      sdqaokddcna.exe   1
Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                                 sdqaokddcna.exe   19
Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer                               sdqaokddcna.exe   1
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                 afflt.exe         2
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" afflt.exe        2
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" afflt.exe         2
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"     afflt.exe         1
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"      afflt.exe         2
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" afflt.exe       2
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"  afflt.exe         2
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"      afflt.exe         1
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"      afflt.exe         1
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"      afflt.exe         1
Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                                 afflt.exe         1
Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer                               afflt.exe         2
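Between them, sdqaokddcna.exe and afflt.exe rewrite most of the UAC policy values under Policies\System (EnableLUA, ConsentPromptBehaviorAdmin and ConsentPromptBehaviorUser, PromptOnSecureDesktop, EnableSecureUIAPaths, EnableVirtualization, FilterAdministratorToken, ValidateAdminCodeSignatures) and set DisableRegistryTools, and the EnableLUA write is repeated 21 times in this run. The Python below is an added example, not part of the report: it parses rows in this table's format (`SAMPLE_ROWS` is a constructed subset of the rows above) and classifies each distinct write against the Windows default for that UAC value, which is this example's assumption; values without a baseline, such as NoDriveTypeAutoRun, are reported as informational. One caveat when reading such a table: an EnableLUA change only takes effect after a reboot, so the write is the indicator, not an immediate behaviour change inside the sandbox.

```python
"""Assess the UAC / policy values written in a sandbox 'System policy modification' table.

Added example, not part of the sandbox report. SAMPLE_ROWS is a constructed
subset of the rows in the table above; UAC_DEFAULTS holds the Windows default
for each value as this example assumes it.
"""
import re
from collections import defaultdict

# Constructed input: a subset of the report's rows, one per line.
SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sdqaokddcna.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System sdqaokddcna.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" afflt.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" afflt.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" afflt.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" sdqaokddcna.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sdqaokddcna.exe
"""

# 'Set value (<type>) <key>\<value> = "<data>" <process>'  or  'Key created <key> <process>'
ROW_RE = re.compile(
    r'^(?P<op>Set value \((?P<type>\w+)\)|Key created)\s+'
    r'(?P<path>\\REGISTRY\\\S+?)'
    r'(?:\s*=\s*"(?P<data>[^"]*)")?'
    r'\s+(?P<proc>\S+\.exe)$'
)

POLICIES_SYSTEM = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Windows defaults for the UAC-related values under Policies\System (this
# example's assumption). A write that differs from the default changes UAC
# behaviour; EnableLUA in particular only takes effect after a reboot.
UAC_DEFAULTS = {
    "EnableLUA": "1",
    "ConsentPromptBehaviorAdmin": "5",
    "ConsentPromptBehaviorUser": "3",
    "PromptOnSecureDesktop": "1",
    "EnableSecureUIAPaths": "1",
    "EnableVirtualization": "1",
    "FilterAdministratorToken": "0",
    "ValidateAdminCodeSignatures": "0",
}
# Values that impair defences when set to this data.
DEFENCE_IMPAIRMENT = {"DisableRegistryTools": "1"}


def parse_policy_rows(text):
    """One dict per row; 'set' rows carry key/value/data, 'key' rows only the key."""
    records = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # not a row in this format; a production parser should report it
        if m.group("op").startswith("Set value"):
            key, _, value = m.group("path").rpartition("\\")
            records.append({"op": "set", "type": m.group("type"), "key": key,
                            "value": value, "data": m.group("data"), "process": m.group("proc")})
        else:
            records.append({"op": "key", "type": None, "key": m.group("path"),
                            "value": None, "data": None, "process": m.group("proc")})
    return records


def assess_uac_posture(records):
    """Distinct (process, value, data) writes classified against the baseline."""
    findings, seen = [], set()
    for r in records:
        sig = (r["process"], r["key"], r["value"], r["data"])
        if r["op"] != "set" or sig in seen:
            continue
        seen.add(sig)
        value, data = r["value"], r["data"]
        if r["key"] == POLICIES_SYSTEM and value in UAC_DEFAULTS:
            if data != UAC_DEFAULTS[value]:
                sev, note = "high", f"{value} set to {data} (default {UAC_DEFAULTS[value]})"
            else:
                sev, note = "info", f"{value} rewritten to its default {data}"
        elif value in DEFENCE_IMPAIRMENT and data == DEFENCE_IMPAIRMENT[value]:
            sev, note = "high", f"{value}={data} blocks the Registry Editor"
        else:
            sev, note = "info", f"{value} set to {data} (no baseline in this example)"
        findings.append({"process": r["process"], "value": value, "data": data,
                         "severity": sev, "note": note})
    return findings


def values_by_process(records):
    """Sorted 'Value=data' strings per writing process, for a quick per-binary summary."""
    out = defaultdict(set)
    for r in records:
        if r["op"] == "set":
            out[r["process"]].add(f'{r["value"]}={r["data"]}')
    return {proc: sorted(vals) for proc, vals in out.items()}


if __name__ == "__main__":
    recs = parse_policy_rows(SAMPLE_ROWS)
    for f in assess_uac_posture(recs):
        print(f"[{f['severity']:<4}] {f['process']:<16} {f['note']}")
    print(values_by_process(recs))
```

Deduplicating on (process, key, value, data) before classifying is what turns the 64 rows above into a handful of findings; the raw repeat count is still available from the parsed records if the number of writes itself matters.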
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdee5e351d4080f6d88d3fb9c6c09c60.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdee5e351d4080f6d88d3fb9c6c09c60.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_bdee5e351d4080f6d88d3fb9c6c09c60.exe*"2⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5512 -
C:\Users\Admin\AppData\Local\Temp\afflt.exe"C:\Users\Admin\AppData\Local\Temp\afflt.exe" "-C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe"3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:5364
-
-
C:\Users\Admin\AppData\Local\Temp\afflt.exe"C:\Users\Admin\AppData\Local\Temp\afflt.exe" "-C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe"3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3884
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nfslgbnfeqldxojmmt.exe1⤵
- Suspicious use of WriteProcessMemory
PID:4516 -
C:\Windows\nfslgbnfeqldxojmmt.exenfslgbnfeqldxojmmt.exe2⤵
- Executes dropped EXE
PID:4292
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c avlhfdsnpecxuomsvfojz.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:3472 -
C:\Windows\avlhfdsnpecxuomsvfojz.exeavlhfdsnpecxuomsvfojz.exe .2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3456 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\avlhfdsnpecxuomsvfojz.exe*."3⤵
- Executes dropped EXE
PID:4732
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lfupmjxrsgdxtmjoqzhb.exe1⤵
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\lfupmjxrsgdxtmjoqzhb.exelfupmjxrsgdxtmjoqzhb.exe2⤵
- Executes dropped EXE
PID:4540
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yrfzvrexxkgzumimnvc.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:4476 -
C:\Windows\yrfzvrexxkgzumimnvc.exeyrfzvrexxkgzumimnvc.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4684 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\yrfzvrexxkgzumimnvc.exe*."3⤵
- Executes dropped EXE
PID:408
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe1⤵
- Suspicious use of WriteProcessMemory
PID:4676 -
C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exeC:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4864
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:4568 -
C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exeC:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5312 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\lfupmjxrsgdxtmjoqzhb.exe*."3⤵
- Executes dropped EXE
PID:3596
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe1⤵
- Suspicious use of WriteProcessMemory
PID:3656 -
C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exeC:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2284
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:3408 -
C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exeC:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe .2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\yrfzvrexxkgzumimnvc.exe*."3⤵
- Executes dropped EXE
PID:2652
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lfupmjxrsgdxtmjoqzhb.exe1⤵
- Suspicious use of WriteProcessMemory
PID:452 -
C:\Windows\lfupmjxrsgdxtmjoqzhb.exelfupmjxrsgdxtmjoqzhb.exe2⤵
- Executes dropped EXE
PID:2944
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lfupmjxrsgdxtmjoqzhb.exe1⤵
- Suspicious use of WriteProcessMemory
PID:5944 -
C:\Windows\lfupmjxrsgdxtmjoqzhb.exelfupmjxrsgdxtmjoqzhb.exe2⤵
- Executes dropped EXE
PID:1500
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c evhztnypnysjcsmon.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:3616 -
C:\Windows\evhztnypnysjcsmon.exeevhztnypnysjcsmon.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5708 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\evhztnypnysjcsmon.exe*."3⤵
- Executes dropped EXE
PID:800
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c evhztnypnysjcsmon.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:6000 -
C:\Windows\evhztnypnysjcsmon.exeevhztnypnysjcsmon.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5136 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\evhztnypnysjcsmon.exe*."3⤵
- Executes dropped EXE
PID:3380
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xnypiblbyibrjyrs.exe1⤵
- Suspicious use of WriteProcessMemory
PID:5604 -
C:\Windows\xnypiblbyibrjyrs.exexnypiblbyibrjyrs.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4632
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xnypiblbyibrjyrs.exe1⤵PID:316
-
C:\Windows\xnypiblbyibrjyrs.exexnypiblbyibrjyrs.exe2⤵
- Executes dropped EXE
PID:5420
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c avlhfdsnpecxuomsvfojz.exe .1⤵PID:1504
-
C:\Windows\avlhfdsnpecxuomsvfojz.exeavlhfdsnpecxuomsvfojz.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5548 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\avlhfdsnpecxuomsvfojz.exe*."3⤵
- Executes dropped EXE
PID:3924
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c avlhfdsnpecxuomsvfojz.exe .1⤵PID:5368
-
C:\Windows\avlhfdsnpecxuomsvfojz.exeavlhfdsnpecxuomsvfojz.exe .2⤵
- Executes dropped EXE
PID:1088 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\avlhfdsnpecxuomsvfojz.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4848
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe1⤵PID:5664
-
C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exeC:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe2⤵
- Executes dropped EXE
PID:4196
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe1⤵PID:2928
-
C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exeC:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe2⤵
- Executes dropped EXE
PID:2212
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe .1⤵PID:2868
-
C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exeC:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe .2⤵
- Executes dropped EXE
PID:3508 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\yrfzvrexxkgzumimnvc.exe*."3⤵
- Executes dropped EXE
PID:4788
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe .1⤵PID:5344
-
C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exeC:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4668 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\yrfzvrexxkgzumimnvc.exe*."3⤵
- Executes dropped EXE
PID:2072
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe1⤵PID:5628
-
C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exeC:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe2⤵
- Executes dropped EXE
PID:5784
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe1⤵PID:5392
-
C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exeC:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe2⤵
- Executes dropped EXE
PID:3392
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe .1⤵PID:3492
-
C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exeC:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4992 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\nfslgbnfeqldxojmmt.exe*."3⤵
- Executes dropped EXE
PID:3120
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe .1⤵PID:456
-
C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exeC:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe .2⤵
- Executes dropped EXE
PID:4676 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\nfslgbnfeqldxojmmt.exe*."3⤵
- Executes dropped EXE
PID:4736
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c avlhfdsnpecxuomsvfojz.exe1⤵PID:4824
-
C:\Windows\avlhfdsnpecxuomsvfojz.exeavlhfdsnpecxuomsvfojz.exe2⤵
- Executes dropped EXE
PID:4312
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yrfzvrexxkgzumimnvc.exe .1⤵PID:2512
-
C:\Windows\yrfzvrexxkgzumimnvc.exeyrfzvrexxkgzumimnvc.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3756 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\yrfzvrexxkgzumimnvc.exe*."3⤵
- Executes dropped EXE
PID:984
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nfslgbnfeqldxojmmt.exe1⤵PID:4344
-
C:\Windows\nfslgbnfeqldxojmmt.exenfslgbnfeqldxojmmt.exe2⤵
- Executes dropped EXE
PID:4644
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c evhztnypnysjcsmon.exe .1⤵PID:5648
-
C:\Windows\evhztnypnysjcsmon.exeevhztnypnysjcsmon.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
PID:872 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\evhztnypnysjcsmon.exe*."3⤵
- Executes dropped EXE
PID:5076
-
-
-
[1] C:\Windows\system32\cmd.exe (PID:2380)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe
  [2] C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe (PID:1692)
      cmdline: C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe
      - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID:3196)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe (PID:3604)
      cmdline: C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe .
      - Checks computer location settings
      - Executes dropped EXE
    [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID:2584)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\avlhfdsnpecxuomsvfojz.exe*."
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID:4908)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe
  [2] C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe (PID:5868)
      cmdline: C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe
      - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID:4972)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe (PID:2460)
      cmdline: C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe .
      - Checks computer location settings
      - Executes dropped EXE
    [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID:5112)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\evhztnypnysjcsmon.exe*."
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Executes dropped EXE
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification

[1] C:\Windows\system32\cmd.exe (PID:2040)
    cmdline: C:\Windows\system32\cmd.exe /c yrfzvrexxkgzumimnvc.exe
  [2] C:\Windows\yrfzvrexxkgzumimnvc.exe (PID:5380)
      cmdline: yrfzvrexxkgzumimnvc.exe
      - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID:5420)
    cmdline: C:\Windows\system32\cmd.exe /c lfupmjxrsgdxtmjoqzhb.exe
  [2] C:\Windows\lfupmjxrsgdxtmjoqzhb.exe (PID:3048)
      cmdline: lfupmjxrsgdxtmjoqzhb.exe
      - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID:1916)
    cmdline: C:\Windows\system32\cmd.exe /c lfupmjxrsgdxtmjoqzhb.exe
  [2] C:\Windows\lfupmjxrsgdxtmjoqzhb.exe (PID:4524)
      cmdline: lfupmjxrsgdxtmjoqzhb.exe
      - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID:5924)
    cmdline: C:\Windows\system32\cmd.exe /c nfslgbnfeqldxojmmt.exe .
  [2] C:\Windows\nfslgbnfeqldxojmmt.exe (PID:1216)
      cmdline: nfslgbnfeqldxojmmt.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID:2836)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\nfslgbnfeqldxojmmt.exe*."
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID:5436)
    cmdline: C:\Windows\system32\cmd.exe /c evhztnypnysjcsmon.exe .
  [2] C:\Windows\evhztnypnysjcsmon.exe (PID:5676)
      cmdline: evhztnypnysjcsmon.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID:4500)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\evhztnypnysjcsmon.exe*."
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID:5572)
    cmdline: C:\Windows\system32\cmd.exe /c evhztnypnysjcsmon.exe .
  [2] C:\Windows\evhztnypnysjcsmon.exe (PID:1756)
      cmdline: evhztnypnysjcsmon.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID:5152)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\evhztnypnysjcsmon.exe*."
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID:4884)
    cmdline: C:\Windows\system32\cmd.exe /c evhztnypnysjcsmon.exe
  [2] C:\Windows\evhztnypnysjcsmon.exe (PID:4760)
      cmdline: evhztnypnysjcsmon.exe
      - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID:4740)
    cmdline: C:\Windows\system32\cmd.exe /c xnypiblbyibrjyrs.exe .
  [2] C:\Windows\xnypiblbyibrjyrs.exe (PID:3124)
      cmdline: xnypiblbyibrjyrs.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID:376)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xnypiblbyibrjyrs.exe*."
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification

[1] C:\Windows\system32\cmd.exe (PID:2704)
    cmdline: C:\Windows\system32\cmd.exe /c yrfzvrexxkgzumimnvc.exe
  [2] C:\Windows\yrfzvrexxkgzumimnvc.exe (PID:5320)
      cmdline: yrfzvrexxkgzumimnvc.exe
      - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID:4720)
    cmdline: C:\Windows\system32\cmd.exe /c xnypiblbyibrjyrs.exe
  [2] C:\Windows\xnypiblbyibrjyrs.exe (PID:3492)
      cmdline: xnypiblbyibrjyrs.exe
      - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID:6100)
    cmdline: C:\Windows\system32\cmd.exe /c lfupmjxrsgdxtmjoqzhb.exe .
  [2] C:\Windows\lfupmjxrsgdxtmjoqzhb.exe (PID:4580)
      cmdline: lfupmjxrsgdxtmjoqzhb.exe .
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID:3348)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\lfupmjxrsgdxtmjoqzhb.exe*."

[1] C:\Windows\system32\cmd.exe (PID:2272)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe
  [2] C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe (PID:1132)
      cmdline: C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe

[1] C:\Windows\system32\cmd.exe (PID:5784)
    cmdline: C:\Windows\system32\cmd.exe /c xnypiblbyibrjyrs.exe .
  [2] C:\Windows\xnypiblbyibrjyrs.exe (PID:2528)
      cmdline: xnypiblbyibrjyrs.exe .
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID:4828)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xnypiblbyibrjyrs.exe*."

[1] C:\Windows\system32\cmd.exe (PID:3392)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe (PID:4644)
      cmdline: C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe .
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID:228)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\xnypiblbyibrjyrs.exe*."

[1] C:\Windows\system32\cmd.exe (PID:1876)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe
  [2] C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe (PID:3532)
      cmdline: C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe

[1] C:\Windows\system32\cmd.exe (PID:5296)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe
  [2] C:\Windows\System32\Conhost.exe (PID:2072)
      cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe (PID:1624)
      cmdline: C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe

[1] C:\Windows\system32\cmd.exe (PID:4624)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe (PID:2860)
      cmdline: C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe .
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID:808)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\yrfzvrexxkgzumimnvc.exe*."

[1] C:\Windows\system32\cmd.exe (PID:2408)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe (PID:5380)
      cmdline: C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe .
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID:1740)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\evhztnypnysjcsmon.exe*."

[1] C:\Windows\system32\cmd.exe (PID:4460)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe
  [2] C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe (PID:5808)
      cmdline: C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe

[1] C:\Windows\system32\cmd.exe (PID:2444)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe
  [2] C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe (PID:3668)
      cmdline: C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe

[1] C:\Windows\system32\cmd.exe (PID:5184)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe (PID:2904)
      cmdline: C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe .
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID:5300)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\lfupmjxrsgdxtmjoqzhb.exe*."

[1] C:\Windows\system32\cmd.exe (PID:4824)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe (PID:788)
      cmdline: C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe .
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID:2748)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\nfslgbnfeqldxojmmt.exe*."

[1] C:\Windows\system32\cmd.exe (PID:5384)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe
  [2] C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe (PID:4060)
      cmdline: C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe

[1] C:\Windows\system32\cmd.exe (PID:5144)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe (PID:2344)
      cmdline: C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe .
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID:5512)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\lfupmjxrsgdxtmjoqzhb.exe*."

[1] C:\Windows\system32\cmd.exe (PID:2076)
    cmdline: C:\Windows\system32\cmd.exe /c nfslgbnfeqldxojmmt.exe
  [2] C:\Windows\nfslgbnfeqldxojmmt.exe (PID:3496)
      cmdline: nfslgbnfeqldxojmmt.exe

[1] C:\Windows\system32\cmd.exe (PID:6000)
    cmdline: C:\Windows\system32\cmd.exe /c yrfzvrexxkgzumimnvc.exe .
  [2] C:\Windows\yrfzvrexxkgzumimnvc.exe (PID:3556)
      cmdline: yrfzvrexxkgzumimnvc.exe .
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID:4888)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\yrfzvrexxkgzumimnvc.exe*."

[1] C:\Windows\system32\cmd.exe (PID:4816)
    cmdline: C:\Windows\system32\cmd.exe /c nfslgbnfeqldxojmmt.exe
  [2] C:\Windows\System32\Conhost.exe (PID:4760)
      cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Windows\nfslgbnfeqldxojmmt.exe (PID:4348)
      cmdline: nfslgbnfeqldxojmmt.exe

[1] C:\Windows\system32\cmd.exe (PID:4320)
    cmdline: C:\Windows\system32\cmd.exe /c lfupmjxrsgdxtmjoqzhb.exe .
  [2] C:\Windows\lfupmjxrsgdxtmjoqzhb.exe (PID:3112)
      cmdline: lfupmjxrsgdxtmjoqzhb.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID:4560)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\lfupmjxrsgdxtmjoqzhb.exe*."

[1] C:\Windows\system32\cmd.exe (PID:4612)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe
  [2] C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe (PID:432)
      cmdline: C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe

[1] C:\Windows\system32\cmd.exe (PID:2648)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe (PID:2436)
      cmdline: C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID:1924)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\evhztnypnysjcsmon.exe*."

[1] C:\Windows\system32\cmd.exe (PID:264)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe
  [2] C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe (PID:1132)
      cmdline: C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe

[1] C:\Windows\system32\cmd.exe (PID:5760)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe (PID:5756)
      cmdline: C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe .
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID:2416)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\avlhfdsnpecxuomsvfojz.exe*."
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification

[1] C:\Windows\system32\cmd.exe (PID:4696)
    cmdline: C:\Windows\system32\cmd.exe /c yrfzvrexxkgzumimnvc.exe
  [2] C:\Windows\yrfzvrexxkgzumimnvc.exe (PID:2284)
      cmdline: yrfzvrexxkgzumimnvc.exe

[1] C:\Windows\system32\cmd.exe (PID:1988)
    cmdline: C:\Windows\system32\cmd.exe /c yrfzvrexxkgzumimnvc.exe .
  [2] C:\Windows\yrfzvrexxkgzumimnvc.exe (PID:5980)
      cmdline: yrfzvrexxkgzumimnvc.exe .
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID:2528)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\yrfzvrexxkgzumimnvc.exe*."

[1] C:\Windows\system32\cmd.exe (PID:4340)
    cmdline: C:\Windows\system32\cmd.exe /c avlhfdsnpecxuomsvfojz.exe
  [2] C:\Windows\avlhfdsnpecxuomsvfojz.exe (PID:4388)
      cmdline: avlhfdsnpecxuomsvfojz.exe

[1] C:\Windows\system32\cmd.exe (PID:4528)
    cmdline: C:\Windows\system32\cmd.exe /c nfslgbnfeqldxojmmt.exe .
  [2] C:\Windows\nfslgbnfeqldxojmmt.exe (PID:2164)
      cmdline: nfslgbnfeqldxojmmt.exe .
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID:4976)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\nfslgbnfeqldxojmmt.exe*."

[1] C:\Windows\system32\cmd.exe (PID:5404)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe
  [2] C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe (PID:1528)
      cmdline: C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe

[1] C:\Windows\system32\cmd.exe (PID:4432)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe (PID:5108)
      cmdline: C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe .
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID:4344)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\evhztnypnysjcsmon.exe*."

[1] C:\Windows\system32\cmd.exe (PID:4284)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe
  [2] C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe (PID:6112)
      cmdline: C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe

[1] C:\Windows\system32\cmd.exe (PID:2444)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe (PID:3620)
      cmdline: C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID:4684)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\yrfzvrexxkgzumimnvc.exe*."
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification

[1] C:\Windows\system32\cmd.exe (PID:5136)
    cmdline: C:\Windows\system32\cmd.exe /c yrfzvrexxkgzumimnvc.exe
  [2] C:\Windows\yrfzvrexxkgzumimnvc.exe (PID:2924)
      cmdline: yrfzvrexxkgzumimnvc.exe

[1] C:\Windows\system32\cmd.exe (PID:6056)
    cmdline: C:\Windows\system32\cmd.exe /c lfupmjxrsgdxtmjoqzhb.exe .
  [2] C:\Windows\lfupmjxrsgdxtmjoqzhb.exe (PID:4784)
      cmdline: lfupmjxrsgdxtmjoqzhb.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID:1376)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\lfupmjxrsgdxtmjoqzhb.exe*."

[1] C:\Windows\system32\cmd.exe (PID:5144)
    cmdline: C:\Windows\system32\cmd.exe /c nfslgbnfeqldxojmmt.exe
  [2] C:\Windows\nfslgbnfeqldxojmmt.exe (PID:3940)
      cmdline: nfslgbnfeqldxojmmt.exe

[1] C:\Windows\system32\cmd.exe (PID:4964)
    cmdline: C:\Windows\system32\cmd.exe /c xnypiblbyibrjyrs.exe .
  [2] C:\Windows\xnypiblbyibrjyrs.exe (PID:3776)
      cmdline: xnypiblbyibrjyrs.exe .
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID:2892)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xnypiblbyibrjyrs.exe*."

[1] C:\Windows\system32\cmd.exe (PID:1868)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe
  [2] C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe (PID:2620)
      cmdline: C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe

[1] C:\Windows\system32\cmd.exe (PID:5216)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe (PID:5064)
      cmdline: C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe .
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID:3944)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\xnypiblbyibrjyrs.exe*."

[1] C:\Windows\system32\cmd.exe (PID:4724)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe
  [2] C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe (PID:4780)
      cmdline: C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe

[1] C:\Windows\system32\cmd.exe (PID:5256)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe (PID:4532)
      cmdline: C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe .
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID:5928)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\avlhfdsnpecxuomsvfojz.exe*."
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification

[1] C:\Windows\system32\cmd.exe (PID:4816)
    cmdline: C:\Windows\system32\cmd.exe /c xnypiblbyibrjyrs.exe
  [2] C:\Windows\xnypiblbyibrjyrs.exe (PID:4544)
      cmdline: xnypiblbyibrjyrs.exe

[1] C:\Windows\system32\cmd.exe (PID:4064)
    cmdline: C:\Windows\system32\cmd.exe /c xnypiblbyibrjyrs.exe .
  [2] C:\Windows\xnypiblbyibrjyrs.exe (PID:4224)
      cmdline: xnypiblbyibrjyrs.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID:3228)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xnypiblbyibrjyrs.exe*."

[1] C:\Windows\system32\cmd.exe (PID:4612)
    cmdline: C:\Windows\system32\cmd.exe /c nfslgbnfeqldxojmmt.exe
  [2] C:\Windows\nfslgbnfeqldxojmmt.exe (PID:1136)
      cmdline: nfslgbnfeqldxojmmt.exe

[1] C:\Windows\system32\cmd.exe (PID:3852)
    cmdline: C:\Windows\system32\cmd.exe /c nfslgbnfeqldxojmmt.exe .
  [2] C:\Windows\nfslgbnfeqldxojmmt.exe (PID:3552)
      cmdline: nfslgbnfeqldxojmmt.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID:4652)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\nfslgbnfeqldxojmmt.exe*."

[1] C:\Windows\system32\cmd.exe (PID:1044)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe
  [2] C:\Windows\System32\Conhost.exe (PID:1924)
      cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe (PID:984)
      cmdline: C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe

[1] C:\Windows\system32\cmd.exe (PID:3844)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe (PID:4092)
      cmdline: C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe .
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID:2448)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\lfupmjxrsgdxtmjoqzhb.exe*."

[1] C:\Windows\system32\cmd.exe (PID:4808)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe
  [2] C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe (PID:5044)
      cmdline: C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe

[1] C:\Windows\system32\cmd.exe (PID:3916)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe (PID:640)
      cmdline: C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe .
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID:5648)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\xnypiblbyibrjyrs.exe*."
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification

[1] C:\Windows\system32\cmd.exe (PID:2976)
    cmdline: C:\Windows\system32\cmd.exe /c xnypiblbyibrjyrs.exe
  [2] C:\Windows\xnypiblbyibrjyrs.exe (PID:5868)
      cmdline: xnypiblbyibrjyrs.exe

[1] C:\Windows\system32\cmd.exe (PID:2140)
    cmdline: C:\Windows\system32\cmd.exe /c avlhfdsnpecxuomsvfojz.exe .
  [2] C:\Windows\avlhfdsnpecxuomsvfojz.exe (PID:4920)
      cmdline: avlhfdsnpecxuomsvfojz.exe .
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID:4480)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\avlhfdsnpecxuomsvfojz.exe*."

[1] C:\Windows\system32\cmd.exe (PID:4800)
    cmdline: C:\Windows\system32\cmd.exe /c lfupmjxrsgdxtmjoqzhb.exe
  [2] C:\Windows\lfupmjxrsgdxtmjoqzhb.exe (PID:4828)
      cmdline: lfupmjxrsgdxtmjoqzhb.exe

[1] C:\Windows\system32\cmd.exe (PID:4852)
    cmdline: C:\Windows\system32\cmd.exe /c xnypiblbyibrjyrs.exe .
  [2] C:\Windows\System32\Conhost.exe (PID:3604)
      cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Windows\xnypiblbyibrjyrs.exe (PID:5920)
      cmdline: xnypiblbyibrjyrs.exe .
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID:5988)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xnypiblbyibrjyrs.exe*."

[1] C:\Windows\system32\cmd.exe (PID:5108)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe
  [2] C:\Windows\System32\Conhost.exe (PID:4344)
      cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe (PID:4284)
      cmdline: C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe

[1] C:\Windows\system32\cmd.exe (PID:4048)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe (PID:4160)
      cmdline: C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe .
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID:5540)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\nfslgbnfeqldxojmmt.exe*."

[1] C:\Windows\system32\cmd.exe (PID:3076)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe
  [2] C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe (PID:2548)
      cmdline: C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe

[1] C:\Windows\system32\cmd.exe (PID:5784)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe (PID:5732)
      cmdline: C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe .
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID:5632)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\evhztnypnysjcsmon.exe*."
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification

[1] C:\Windows\system32\cmd.exe (PID:4660)
    cmdline: C:\Windows\system32\cmd.exe /c yrfzvrexxkgzumimnvc.exe
  [2] C:\Windows\yrfzvrexxkgzumimnvc.exe (PID:3344)
      cmdline: yrfzvrexxkgzumimnvc.exe

[1] C:\Windows\system32\cmd.exe (PID:5556)
    cmdline: C:\Windows\system32\cmd.exe /c xnypiblbyibrjyrs.exe .
  [2] C:\Windows\xnypiblbyibrjyrs.exe (PID:2452)
      cmdline: xnypiblbyibrjyrs.exe .
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID:3352)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xnypiblbyibrjyrs.exe*."

[1] C:\Windows\system32\cmd.exe (PID:3496)
    cmdline: C:\Windows\system32\cmd.exe /c lfupmjxrsgdxtmjoqzhb.exe
  [2] C:\Windows\lfupmjxrsgdxtmjoqzhb.exe (PID:2076)
      cmdline: lfupmjxrsgdxtmjoqzhb.exe

[1] C:\Windows\system32\cmd.exe (PID:4316)
    cmdline: C:\Windows\system32\cmd.exe /c xnypiblbyibrjyrs.exe .
  [2] C:\Windows\xnypiblbyibrjyrs.exe (PID:5192)
      cmdline: xnypiblbyibrjyrs.exe .
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID:4140)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xnypiblbyibrjyrs.exe*."

[1] C:\Windows\system32\cmd.exe (PID:4236)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe
  [2] C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe (PID:1740)
      cmdline: C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe

[1] C:\Windows\system32\cmd.exe (PID:4400)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe (PID:6000)
      cmdline: C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe .
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID:1852)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\evhztnypnysjcsmon.exe*."

[1] C:\Windows\system32\cmd.exe (PID:4252)
    cmdline: C:\Windows\system32\cmd.exe /c xnypiblbyibrjyrs.exe
  [2] C:\Windows\xnypiblbyibrjyrs.exe (PID:4732)
      cmdline: xnypiblbyibrjyrs.exe

[1] C:\Windows\system32\cmd.exe (PID:5256)
    cmdline: C:\Windows\system32\cmd.exe /c yrfzvrexxkgzumimnvc.exe
  [2] C:\Windows\yrfzvrexxkgzumimnvc.exe (PID:4944)
      cmdline: yrfzvrexxkgzumimnvc.exe

[1] C:\Windows\system32\cmd.exe (PID:3208)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe
  [2] C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe (PID:3460)
      cmdline: C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe

[1] C:\Windows\system32\cmd.exe (PID:2144)
    cmdline: C:\Windows\system32\cmd.exe /c lfupmjxrsgdxtmjoqzhb.exe .
  [2] C:\Windows\System32\Conhost.exe (PID:3228)
      cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Windows\lfupmjxrsgdxtmjoqzhb.exe (PID:2648)
      cmdline: lfupmjxrsgdxtmjoqzhb.exe .
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID:4620)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\lfupmjxrsgdxtmjoqzhb.exe*."

[1] C:\Windows\system32\cmd.exe (PID:4476)
    cmdline: C:\Windows\system32\cmd.exe /c xnypiblbyibrjyrs.exe .
  [2] C:\Windows\xnypiblbyibrjyrs.exe (PID:5436)
      cmdline: xnypiblbyibrjyrs.exe .
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID:3916)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xnypiblbyibrjyrs.exe*."

[1] C:\Windows\system32\cmd.exe (PID:3588)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe (PID:1132)
      cmdline: C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe .
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID:4336)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\avlhfdsnpecxuomsvfojz.exe*."
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification

[1] C:\Windows\system32\cmd.exe (PID:3676)
    cmdline: C:\Windows\system32\cmd.exe /c evhztnypnysjcsmon.exe
  [2] C:\Windows\evhztnypnysjcsmon.exe (PID:4292)
      cmdline: evhztnypnysjcsmon.exe

[1] C:\Windows\system32\cmd.exe (PID:4652)
    cmdline: C:\Windows\system32\cmd.exe /c evhztnypnysjcsmon.exe
  [2] C:\Windows\evhztnypnysjcsmon.exe (PID:5776)
      cmdline: evhztnypnysjcsmon.exe

[1] C:\Windows\system32\cmd.exe (PID:336)
    cmdline: C:\Windows\system32\cmd.exe /c avlhfdsnpecxuomsvfojz.exe .
  [2] C:\Windows\avlhfdsnpecxuomsvfojz.exe (PID:4340)
      cmdline: avlhfdsnpecxuomsvfojz.exe .
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID:4688)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\avlhfdsnpecxuomsvfojz.exe*."

[1] C:\Windows\system32\cmd.exe (PID:2284)
    cmdline: C:\Windows\system32\cmd.exe /c evhztnypnysjcsmon.exe .
  [2] C:\Windows\evhztnypnysjcsmon.exe (PID:2408)
      cmdline: evhztnypnysjcsmon.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID:788)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\evhztnypnysjcsmon.exe*."

[1] C:\Windows\system32\cmd.exe (PID:748)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe
  [2] C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe (PID:1172)
      cmdline: C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe

[1] C:\Windows\system32\cmd.exe (PID:2268)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe
  [2] C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe (PID:3420)
      cmdline: C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe

[1] C:\Windows\system32\cmd.exe (PID:1716)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe .
  [2] C:\Windows\System32\Conhost.exe (PID:5980)
      cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe (PID:4604)
      cmdline: C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe .
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID:5648)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\avlhfdsnpecxuomsvfojz.exe*."

[1] C:\Windows\system32\cmd.exe (PID:4740)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe (PID:3636)
      cmdline: C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe .
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID:3704)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\nfslgbnfeqldxojmmt.exe*."

C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe1⤵PID:4920
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1528
-
-
    C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe  (PID 5512)  cmdline: C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe

C:\Windows\system32\cmd.exe  (PID 5228)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe
    C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe  (PID 4844)  cmdline: C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe

C:\Windows\system32\cmd.exe  (PID 2072)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe .
    C:\Windows\System32\Conhost.exe  (PID 808)  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe  (PID 2924)  cmdline: C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe .
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  (PID 1880)  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\xnypiblbyibrjyrs.exe*."

C:\Windows\system32\cmd.exe  (PID 5108)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe .
    C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe  (PID 3284)  cmdline: C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe .
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  (PID 1004)  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\evhztnypnysjcsmon.exe*."

C:\Windows\system32\cmd.exe  (PID 5008)  cmdline: C:\Windows\system32\cmd.exe /c evhztnypnysjcsmon.exe
    C:\Windows\evhztnypnysjcsmon.exe  (PID 4236)  cmdline: evhztnypnysjcsmon.exe

C:\Windows\system32\cmd.exe  (PID 5456)  cmdline: C:\Windows\system32\cmd.exe /c avlhfdsnpecxuomsvfojz.exe .
    C:\Windows\avlhfdsnpecxuomsvfojz.exe  (PID 3392)  cmdline: avlhfdsnpecxuomsvfojz.exe .
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  (PID 4184)  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\avlhfdsnpecxuomsvfojz.exe*."

C:\Windows\system32\cmd.exe  (PID 2840)  cmdline: C:\Windows\system32\cmd.exe /c yrfzvrexxkgzumimnvc.exe
    C:\Windows\System32\Conhost.exe  (PID 3940)  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Windows\yrfzvrexxkgzumimnvc.exe  (PID 1828)  cmdline: yrfzvrexxkgzumimnvc.exe

C:\Windows\system32\cmd.exe  (PID 4660)  cmdline: C:\Windows\system32\cmd.exe /c yrfzvrexxkgzumimnvc.exe .
    C:\Windows\yrfzvrexxkgzumimnvc.exe  (PID 5408)  cmdline: yrfzvrexxkgzumimnvc.exe .
      - Checks computer location settings
        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  (PID 5380)  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\yrfzvrexxkgzumimnvc.exe*."
C:\Windows\system32\cmd.exe  (PID 3120)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe
    C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe  (PID 2676)  cmdline: C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe

C:\Windows\system32\cmd.exe  (PID 4736)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe .
    C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe  (PID 1232)  cmdline: C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe .
        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  (PID 1180)  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\evhztnypnysjcsmon.exe*."

C:\Windows\system32\cmd.exe  (PID 1852)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe
    C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe  (PID 2888)  cmdline: C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe

C:\Windows\system32\cmd.exe  (PID 5560)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe .
    C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe  (PID 2004)  cmdline: C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe .
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  (PID 4716)  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\lfupmjxrsgdxtmjoqzhb.exe*."
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in System32 directory
          - Drops file in Windows directory
          - System policy modification
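The tree repeats one pattern: cmd.exe /c starts a dropped copy (from the user's Temp directory or from C:\Windows) with a trailing " ." argument, that copy starts sdqaokddcna.exe with its own image path plus "*." as the argument, and on some of those launches the sandbox flags the Winlogon, Run-key and UAC changes. The Python below is an added example, not part of the sandbox report: it rebuilds parent links from the depth column for a handful of records transcribed from this tree (a constructed sample), flags every sdqaokddcna.exe launch whose argument names its parent's own image, and lists which dropped names were seen in more than one directory. The record layout (depth, image, cmdline, pid) and the function names are this example's own choices.

```python
"""Triage-style process tree: rebuild parent links and flag the launcher chain."""
import ntpath
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

LAUNCHER = "sdqaokddcna.exe"                 # launcher name seen in this report
NOISE = {"cmd.exe", "conhost.exe", LAUNCHER}  # not dropped copies
QUOTED = re.compile(r'"([^"]*)"')             # pulls "..." arguments out of a cmdline


@dataclass
class Proc:
    depth: int
    image: str
    cmdline: str
    pid: int
    parent: Optional["Proc"] = None
    children: List["Proc"] = field(default_factory=list)


# Constructed sample: (depth, image, cmdline, pid), copied from the tree above.
SAMPLE = [
    (1, r"C:\Windows\system32\cmd.exe", r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe .", 2072),
    (2, r"C:\Windows\System32\Conhost.exe", r"\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1", 808),
    (2, r"C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe", r"C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe .", 2924),
    (3, r"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe", r'"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\xnypiblbyibrjyrs.exe*."', 1880),
    (1, r"C:\Windows\system32\cmd.exe", r"C:\Windows\system32\cmd.exe /c evhztnypnysjcsmon.exe", 5008),
    (2, r"C:\Windows\evhztnypnysjcsmon.exe", r"evhztnypnysjcsmon.exe", 4236),
    (1, r"C:\Windows\system32\cmd.exe", r"C:\Windows\system32\cmd.exe /c avlhfdsnpecxuomsvfojz.exe .", 5456),
    (2, r"C:\Windows\avlhfdsnpecxuomsvfojz.exe", r"avlhfdsnpecxuomsvfojz.exe .", 3392),
    (3, r"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe", r'"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\avlhfdsnpecxuomsvfojz.exe*."', 4184),
    (1, r"C:\Windows\system32\cmd.exe", r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe", 5256),
    (2, r"C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe", r"C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe", 1152),
]


def build_tree(records) -> List[Proc]:
    """Parent of a depth-n record is the most recent depth-(n-1) record."""
    roots: List[Proc] = []
    stack: List[Proc] = []            # stack[i] is the latest process at depth i+1
    for depth, image, cmdline, pid in records:
        proc = Proc(depth, image, cmdline, pid)
        del stack[depth - 1:]         # pop siblings at this depth and anything deeper
        if stack:
            proc.parent = stack[-1]
            stack[-1].children.append(proc)
        else:
            roots.append(proc)
        stack.append(proc)
    return roots


def walk(procs):
    for p in procs:
        yield p
        yield from walk(p.children)


def find_launcher_chains(roots) -> List[Tuple[int, int, str]]:
    """(parent PID, launcher PID, target) for every launcher whose quoted argument
    is the parent's own image path followed by '*.'."""
    hits = []
    for p in walk(roots):
        if p.parent is None or ntpath.basename(p.image).lower() != LAUNCHER:
            continue
        args = QUOTED.findall(p.cmdline)
        if len(args) < 2:
            continue
        target = args[1]
        if target.lower() == p.parent.image.lower() + "*.":
            hits.append((p.parent.pid, p.pid, target[:-2]))
    return hits


def dropped_copies(roots) -> Dict[str, List[str]]:
    """Directories each dropped executable name was run from (cmd/conhost/launcher excluded)."""
    seen: Dict[str, set] = {}
    for p in walk(roots):
        name = ntpath.basename(p.image).lower()
        if name in NOISE:
            continue
        seen.setdefault(name, set()).add(ntpath.dirname(p.image))
    return {name: sorted(dirs) for name, dirs in sorted(seen.items())}


if __name__ == "__main__":
    tree = build_tree(SAMPLE)
    for parent_pid, launcher_pid, target in find_launcher_chains(tree):
        print(f"PID {parent_pid} -> {LAUNCHER} PID {launcher_pid} targeting {target}")
    for name, dirs in dropped_copies(tree).items():
        print(f"{name}: {', '.join(dirs)}")
```

The same three-level shape (cmd.exe /c with " ." argument, dropped copy, launcher with "<parent image>*.") is what to look for in endpoint process-creation telemetry; the depth-stack rebuild is only needed because the sandbox tree records nesting rather than parent PIDs.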
C:\Windows\system32\cmd.exe  (PID 4884)  cmdline: C:\Windows\system32\cmd.exe /c xnypiblbyibrjyrs.exe
    C:\Windows\xnypiblbyibrjyrs.exe  (PID 5632)  cmdline: xnypiblbyibrjyrs.exe

C:\Windows\system32\cmd.exe  (PID 3660)  cmdline: C:\Windows\system32\cmd.exe /c evhztnypnysjcsmon.exe .
    C:\Windows\evhztnypnysjcsmon.exe  (PID 1132)  cmdline: evhztnypnysjcsmon.exe .
      - Checks computer location settings
        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  (PID 4676)  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\evhztnypnysjcsmon.exe*."

C:\Windows\system32\cmd.exe  (PID 5032)  cmdline: C:\Windows\system32\cmd.exe /c lfupmjxrsgdxtmjoqzhb.exe
    C:\Windows\lfupmjxrsgdxtmjoqzhb.exe  (PID 2880)  cmdline: lfupmjxrsgdxtmjoqzhb.exe

C:\Windows\system32\cmd.exe  (PID 2664)  cmdline: C:\Windows\system32\cmd.exe /c nfslgbnfeqldxojmmt.exe .
    C:\Windows\nfslgbnfeqldxojmmt.exe  (PID 3756)  cmdline: nfslgbnfeqldxojmmt.exe .
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  (PID 388)  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\nfslgbnfeqldxojmmt.exe*."

C:\Windows\system32\cmd.exe  (PID 3112)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe
    C:\Windows\System32\Conhost.exe  (PID 984)  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe  (PID 2140)  cmdline: C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe

C:\Windows\system32\cmd.exe  (PID 4480)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe .
    C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe  (PID 1324)  cmdline: C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe .
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  (PID 1988)  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\nfslgbnfeqldxojmmt.exe*."

C:\Windows\system32\cmd.exe  (PID 4864)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe
    C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe  (PID 3180)  cmdline: C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe

C:\Windows\system32\cmd.exe  (PID 2084)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe .
    C:\Windows\System32\Conhost.exe  (PID 5808)  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe  (PID 5572)  cmdline: C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe .
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  (PID 5512)  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\nfslgbnfeqldxojmmt.exe*."
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in System32 directory
          - Drops file in Windows directory
          - System policy modification
C:\Windows\system32\cmd.exe  (PID 4644)  cmdline: C:\Windows\system32\cmd.exe /c xnypiblbyibrjyrs.exe
    C:\Windows\xnypiblbyibrjyrs.exe  (PID 4740)  cmdline: xnypiblbyibrjyrs.exe

C:\Windows\system32\cmd.exe  (PID 4792)  cmdline: C:\Windows\system32\cmd.exe /c evhztnypnysjcsmon.exe .
    C:\Windows\System32\Conhost.exe  (PID 4976)  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Windows\evhztnypnysjcsmon.exe  (PID 5552)  cmdline: evhztnypnysjcsmon.exe .
      - Checks computer location settings
        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  (PID 1892)  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\evhztnypnysjcsmon.exe*."

C:\Windows\system32\cmd.exe  (PID 3992)  cmdline: C:\Windows\system32\cmd.exe /c lfupmjxrsgdxtmjoqzhb.exe
    C:\Windows\lfupmjxrsgdxtmjoqzhb.exe  (PID 3500)  cmdline: lfupmjxrsgdxtmjoqzhb.exe

C:\Windows\system32\cmd.exe  (PID 4116)  cmdline: C:\Windows\system32\cmd.exe /c evhztnypnysjcsmon.exe .
    C:\Windows\evhztnypnysjcsmon.exe  (PID 4564)  cmdline: evhztnypnysjcsmon.exe .
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  (PID 2804)  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\evhztnypnysjcsmon.exe*."

C:\Windows\system32\cmd.exe  (PID 4880)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe
    C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe  (PID 2080)  cmdline: C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe

C:\Windows\system32\cmd.exe  (PID 5380)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe .
    C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe  (PID 1248)  cmdline: C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe .
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  (PID 4728)  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\avlhfdsnpecxuomsvfojz.exe*."

C:\Windows\system32\cmd.exe  (PID 5192)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe
    C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe  (PID 2408)  cmdline: C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe

C:\Windows\system32\cmd.exe  (PID 5224)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe .
    C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe  (PID 3632)  cmdline: C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe .
      - Checks computer location settings
        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  (PID 5044)  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\yrfzvrexxkgzumimnvc.exe*."
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in System32 directory
          - Drops file in Windows directory
          - System policy modification
C:\Windows\system32\cmd.exe  (PID 3508)  cmdline: C:\Windows\system32\cmd.exe /c nfslgbnfeqldxojmmt.exe
    C:\Windows\nfslgbnfeqldxojmmt.exe  (PID 2892)  cmdline: nfslgbnfeqldxojmmt.exe

C:\Windows\system32\cmd.exe  (PID 4872)  cmdline: C:\Windows\system32\cmd.exe /c nfslgbnfeqldxojmmt.exe .
    C:\Windows\nfslgbnfeqldxojmmt.exe  (PID 1604)  cmdline: nfslgbnfeqldxojmmt.exe .
        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  (PID 2024)  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\nfslgbnfeqldxojmmt.exe*."

C:\Windows\system32\cmd.exe  (PID 6100)  cmdline: C:\Windows\system32\cmd.exe /c nfslgbnfeqldxojmmt.exe
    C:\Windows\nfslgbnfeqldxojmmt.exe  (PID 3924)  cmdline: nfslgbnfeqldxojmmt.exe

C:\Windows\system32\cmd.exe  (PID 4724)  cmdline: C:\Windows\system32\cmd.exe /c avlhfdsnpecxuomsvfojz.exe .
    C:\Windows\avlhfdsnpecxuomsvfojz.exe  (PID 4820)  cmdline: avlhfdsnpecxuomsvfojz.exe .
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  (PID 1348)  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\avlhfdsnpecxuomsvfojz.exe*."

C:\Windows\system32\cmd.exe  (PID 5256)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe
    C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe  (PID 1152)  cmdline: C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe

C:\Windows\system32\cmd.exe  (PID 4884)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe .
    C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe  (PID 4856)  cmdline: C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe .
        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  (PID 4548)  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\lfupmjxrsgdxtmjoqzhb.exe*."

C:\Windows\system32\cmd.exe  (PID 3220)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe
    C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe  (PID 3660)  cmdline: C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe

C:\Windows\system32\cmd.exe  (PID 1844)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe .
    C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe  (PID 3436)  cmdline: C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe .
        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  (PID 4540)  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\avlhfdsnpecxuomsvfojz.exe*."
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in System32 directory
          - Drops file in Windows directory
          - System policy modification
C:\Windows\system32\cmd.exe  (PID 4340)  cmdline: C:\Windows\system32\cmd.exe /c nfslgbnfeqldxojmmt.exe
    C:\Windows\nfslgbnfeqldxojmmt.exe  (PID 2664)  cmdline: nfslgbnfeqldxojmmt.exe

C:\Windows\system32\cmd.exe  (PID 4844)  cmdline: C:\Windows\system32\cmd.exe /c nfslgbnfeqldxojmmt.exe .
    C:\Windows\nfslgbnfeqldxojmmt.exe  (PID 1324)  cmdline: nfslgbnfeqldxojmmt.exe .
        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  (PID 2272)  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\nfslgbnfeqldxojmmt.exe*."

C:\Windows\system32\cmd.exe  (PID 4516)  cmdline: C:\Windows\system32\cmd.exe /c xnypiblbyibrjyrs.exe
    C:\Windows\xnypiblbyibrjyrs.exe  (PID 3624)  cmdline: xnypiblbyibrjyrs.exe

C:\Windows\system32\cmd.exe  (PID 116)  cmdline: C:\Windows\system32\cmd.exe /c xnypiblbyibrjyrs.exe .
    C:\Windows\System32\Conhost.exe  (PID 3460)  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Windows\xnypiblbyibrjyrs.exe  (PID 3128)  cmdline: xnypiblbyibrjyrs.exe .
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  (PID 1572)  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xnypiblbyibrjyrs.exe*."

C:\Windows\system32\cmd.exe  (PID 2348)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe
    C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe  (PID 2204)  cmdline: C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe

C:\Windows\system32\cmd.exe  (PID 5964)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe .
    C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe  (PID 2000)  cmdline: C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe .
      - Checks computer location settings
        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  (PID 3088)  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\avlhfdsnpecxuomsvfojz.exe*."

C:\Windows\system32\cmd.exe  (PID 1004)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe
    C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe  (PID 4744)  cmdline: C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe

C:\Windows\system32\cmd.exe  (PID 2748)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe .
    C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe  (PID 3500)  cmdline: C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe .
      - Checks computer location settings
        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  (PID 5076)  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\evhztnypnysjcsmon.exe*."
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in System32 directory
          - Drops file in Windows directory
          - System policy modification
C:\Windows\system32\cmd.exe  (PID 6064)  cmdline: C:\Windows\system32\cmd.exe /c xnypiblbyibrjyrs.exe
    C:\Windows\System32\Conhost.exe  (PID 228)  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Windows\xnypiblbyibrjyrs.exe  (PID 4880)  cmdline: xnypiblbyibrjyrs.exe

C:\Windows\system32\cmd.exe  (PID 2840)  cmdline: C:\Windows\system32\cmd.exe /c nfslgbnfeqldxojmmt.exe .
    C:\Windows\nfslgbnfeqldxojmmt.exe  (PID 4840)  cmdline: nfslgbnfeqldxojmmt.exe .
      - Checks computer location settings
        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  (PID 6056)  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\nfslgbnfeqldxojmmt.exe*."

C:\Windows\system32\cmd.exe  (PID 5300)  cmdline: C:\Windows\system32\cmd.exe /c lfupmjxrsgdxtmjoqzhb.exe
    C:\Windows\lfupmjxrsgdxtmjoqzhb.exe  (PID 5012)  cmdline: lfupmjxrsgdxtmjoqzhb.exe

C:\Windows\system32\cmd.exe  (PID 2460)  cmdline: C:\Windows\system32\cmd.exe /c yrfzvrexxkgzumimnvc.exe .
    C:\Windows\System32\Conhost.exe  (PID 5064)  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Windows\yrfzvrexxkgzumimnvc.exe  (PID 3144)  cmdline: yrfzvrexxkgzumimnvc.exe .
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  (PID 3484)  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\yrfzvrexxkgzumimnvc.exe*."

C:\Windows\system32\cmd.exe  (PID 3428)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe
    C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe  (PID 2184)  cmdline: C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe

C:\Windows\system32\cmd.exe  (PID 4424)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe .
    C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe  (PID 2096)  cmdline: C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe .
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  (PID 2344)  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\avlhfdsnpecxuomsvfojz.exe*."

C:\Windows\system32\cmd.exe  (PID 1648)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe
    C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe  (PID 5928)  cmdline: C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe

C:\Windows\system32\cmd.exe  (PID 4664)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe .
    C:\Windows\System32\Conhost.exe  (PID 4888)  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe  (PID 1548)  cmdline: C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe .
      - Checks computer location settings
        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  (PID 3492)  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\evhztnypnysjcsmon.exe*."
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in System32 directory
          - Drops file in Windows directory
          - System policy modification
C:\Windows\system32\cmd.exe  (PID 3172)  cmdline: C:\Windows\system32\cmd.exe /c avlhfdsnpecxuomsvfojz.exe
    C:\Windows\avlhfdsnpecxuomsvfojz.exe  (PID 5632)  cmdline: avlhfdsnpecxuomsvfojz.exe

C:\Windows\system32\cmd.exe  (PID 1152)  cmdline: C:\Windows\system32\cmd.exe /c yrfzvrexxkgzumimnvc.exe .
    C:\Windows\yrfzvrexxkgzumimnvc.exe  (PID 1216)  cmdline: yrfzvrexxkgzumimnvc.exe .
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  (PID 1236)  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\yrfzvrexxkgzumimnvc.exe*."

C:\Windows\system32\cmd.exe  (PID 4364)  cmdline: C:\Windows\system32\cmd.exe /c evhztnypnysjcsmon.exe
    C:\Windows\evhztnypnysjcsmon.exe  (PID 2880)  cmdline: evhztnypnysjcsmon.exe

C:\Windows\system32\cmd.exe  (PID 3580)  cmdline: C:\Windows\system32\cmd.exe /c nfslgbnfeqldxojmmt.exe
    C:\Windows\nfslgbnfeqldxojmmt.exe  (PID 5592)  cmdline: nfslgbnfeqldxojmmt.exe

C:\Windows\system32\cmd.exe  (PID 5436)  cmdline: C:\Windows\system32\cmd.exe /c evhztnypnysjcsmon.exe
    C:\Windows\evhztnypnysjcsmon.exe  (PID 5604)  cmdline: evhztnypnysjcsmon.exe

C:\Windows\system32\cmd.exe  (PID 5476)  cmdline: C:\Windows\system32\cmd.exe /c xnypiblbyibrjyrs.exe .
    C:\Windows\System32\Conhost.exe  (PID 4676)  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Windows\xnypiblbyibrjyrs.exe  (PID 1324)  cmdline: xnypiblbyibrjyrs.exe .
        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  (PID 2380)  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xnypiblbyibrjyrs.exe*."

C:\Windows\system32\cmd.exe  (PID 3660)  cmdline: C:\Windows\system32\cmd.exe /c nfslgbnfeqldxojmmt.exe .
    C:\Windows\nfslgbnfeqldxojmmt.exe  (PID 396)  cmdline: nfslgbnfeqldxojmmt.exe .
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  (PID 5868)  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\nfslgbnfeqldxojmmt.exe*."

C:\Windows\system32\cmd.exe  (PID 1712)  cmdline: C:\Windows\system32\cmd.exe /c xnypiblbyibrjyrs.exe .
    C:\Windows\xnypiblbyibrjyrs.exe  (PID 5544)  cmdline: xnypiblbyibrjyrs.exe .
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  (PID 4920)  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xnypiblbyibrjyrs.exe*."

C:\Windows\system32\cmd.exe  (PID 4756)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe
    C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe  (PID 4812)  cmdline: C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe

C:\Windows\system32\cmd.exe  (PID 2144)  cmdline: C:\Windows\system32\cmd.exe /c nfslgbnfeqldxojmmt.exe
    C:\Windows\nfslgbnfeqldxojmmt.exe  (PID 1424)  cmdline: nfslgbnfeqldxojmmt.exe

C:\Windows\system32\cmd.exe  (PID 3596)  cmdline: C:\Windows\system32\cmd.exe /c xnypiblbyibrjyrs.exe
    C:\Windows\xnypiblbyibrjyrs.exe  (PID 1840)  cmdline: xnypiblbyibrjyrs.exe

C:\Windows\system32\cmd.exe  (PID 6068)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe .
    C:\Windows\System32\Conhost.exe  (PID 4340)  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe  (PID 4540)  cmdline: C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe .
      - Checks computer location settings
        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  (PID 5220)  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\lfupmjxrsgdxtmjoqzhb.exe*."
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in System32 directory
          - Drops file in Windows directory
          - System policy modification
C:\Windows\system32\cmd.exe  (PID 2592)  cmdline: C:\Windows\system32\cmd.exe /c nfslgbnfeqldxojmmt.exe .
    C:\Windows\nfslgbnfeqldxojmmt.exe  (PID 3076)  cmdline: nfslgbnfeqldxojmmt.exe .
      - Checks computer location settings
        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  (PID 3472)  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\nfslgbnfeqldxojmmt.exe*."

C:\Windows\system32\cmd.exe  (PID 4064)  cmdline: C:\Windows\system32\cmd.exe /c xnypiblbyibrjyrs.exe .
    C:\Windows\xnypiblbyibrjyrs.exe  (PID 6064)  cmdline: xnypiblbyibrjyrs.exe .
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  (PID 3048)  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xnypiblbyibrjyrs.exe*."

C:\Windows\system32\cmd.exe  (PID 3844)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe
    C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe  (PID 4868)  cmdline: C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe

C:\Windows\system32\cmd.exe  (PID 5644)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe
    C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe  (PID 828)  cmdline: C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe

C:\Windows\system32\cmd.exe  (PID 1164)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe .
    C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe  (PID 5224)  cmdline: C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe .
        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  (PID 5328)  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\avlhfdsnpecxuomsvfojz.exe*."

C:\Windows\system32\cmd.exe  (PID 4760)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe .
    C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe  (PID 2408)  cmdline: C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe .
        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  (PID 1928)  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\lfupmjxrsgdxtmjoqzhb.exe*."

C:\Windows\system32\cmd.exe  (PID 2944)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe
    C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe  (PID 2184)  cmdline: C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe

C:\Windows\system32\cmd.exe  (PID 5368)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe .
    C:\Windows\System32\Conhost.exe  (PID 4784)  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe  (PID 5512)  cmdline: C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe .
      - Checks computer location settings
        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  (PID 4960)  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\nfslgbnfeqldxojmmt.exe*."

C:\Windows\system32\cmd.exe  (PID 1048)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe
    C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe  (PID 4140)  cmdline: C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe

C:\Windows\system32\cmd.exe  (PID 3344)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe
    C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe  (PID 2344)  cmdline: C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe

C:\Windows\system32\cmd.exe  (PID 4632)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe .
    C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe  (PID 4952)  cmdline: C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe .
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  (PID 5676)  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\yrfzvrexxkgzumimnvc.exe*."

C:\Windows\system32\cmd.exe  (PID 4840)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe .
    C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe  (PID 5556)  cmdline: C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe .
        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  (PID 5924)  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\nfslgbnfeqldxojmmt.exe*."
C:\Windows\system32\cmd.exe  (PID 4348)  cmdline: C:\Windows\system32\cmd.exe /c yrfzvrexxkgzumimnvc.exe
    C:\Windows\yrfzvrexxkgzumimnvc.exe  (PID 5152)  cmdline: yrfzvrexxkgzumimnvc.exe

C:\Windows\system32\cmd.exe  (PID 640)  cmdline: C:\Windows\system32\cmd.exe /c nfslgbnfeqldxojmmt.exe .
    C:\Windows\nfslgbnfeqldxojmmt.exe  (PID 316)  cmdline: nfslgbnfeqldxojmmt.exe .
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  (PID 2020)  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\nfslgbnfeqldxojmmt.exe*."

C:\Windows\system32\cmd.exe  (PID 3464)  cmdline: C:\Windows\system32\cmd.exe /c evhztnypnysjcsmon.exe
    C:\Windows\evhztnypnysjcsmon.exe  (PID 5252)  cmdline: evhztnypnysjcsmon.exe

C:\Windows\system32\cmd.exe  (PID 5256)  cmdline: C:\Windows\system32\cmd.exe /c xnypiblbyibrjyrs.exe .
    C:\Windows\xnypiblbyibrjyrs.exe  (PID 2712)  cmdline: xnypiblbyibrjyrs.exe .
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  (PID 3208)  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xnypiblbyibrjyrs.exe*."

C:\Windows\system32\cmd.exe  (PID 4548)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe
    C:\Windows\System32\Conhost.exe  (PID 5604)  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe  (PID 4452)  cmdline: C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe

C:\Windows\system32\cmd.exe  (PID 4612)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe .
    C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe  (PID 5032)  cmdline: C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe .
      - Checks computer location settings
        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  (PID 3196)  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\lfupmjxrsgdxtmjoqzhb.exe*."

C:\Windows\system32\cmd.exe  (PID 3348)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe
    C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe  (PID 1324)  cmdline: C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe

C:\Windows\system32\cmd.exe  (PID 452)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe .
    C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe  (PID 3604)  cmdline: C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe .
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  (PID 4868)  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\lfupmjxrsgdxtmjoqzhb.exe*."
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in System32 directory
          - Drops file in Windows directory
          - System policy modification
C:\Windows\system32\cmd.exe  (PID 1612)  cmdline: C:\Windows\system32\cmd.exe /c nfslgbnfeqldxojmmt.exe
    C:\Windows\nfslgbnfeqldxojmmt.exe  (PID 6056)  cmdline: nfslgbnfeqldxojmmt.exe

C:\Windows\system32\cmd.exe  (PID 5476)  cmdline: C:\Windows\system32\cmd.exe /c xnypiblbyibrjyrs.exe .
    C:\Windows\xnypiblbyibrjyrs.exe  (PID 4528)  cmdline: xnypiblbyibrjyrs.exe .
      - Checks computer location settings
        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  (PID 2416)  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xnypiblbyibrjyrs.exe*."

C:\Windows\system32\cmd.exe  (PID 1460)  cmdline: C:\Windows\system32\cmd.exe /c evhztnypnysjcsmon.exe
    C:\Windows\evhztnypnysjcsmon.exe  (PID 5044)  cmdline: evhztnypnysjcsmon.exe

C:\Windows\system32\cmd.exe  (PID 3128)  cmdline: C:\Windows\system32\cmd.exe /c avlhfdsnpecxuomsvfojz.exe .
    C:\Windows\avlhfdsnpecxuomsvfojz.exe  (PID 6140)  cmdline: avlhfdsnpecxuomsvfojz.exe .
      - Checks computer location settings
        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  (PID 1128)  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\avlhfdsnpecxuomsvfojz.exe*."

C:\Windows\system32\cmd.exe  (PID 5712)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe
    C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe  (PID 2804)  cmdline: C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe

C:\Windows\system32\cmd.exe  (PID 4852)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe .
    C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe  (PID 6076)  cmdline: C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe .
      - Checks computer location settings
        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  (PID 3048)  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\nfslgbnfeqldxojmmt.exe*."

C:\Windows\system32\cmd.exe  (PID 1252)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe
    C:\Windows\System32\Conhost.exe  (PID 4688)  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe  (PID 2892)  cmdline: C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe

C:\Windows\system32\cmd.exe  (PID 1376)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe .
    C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe  (PID 4844)  cmdline: C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe .
      - Checks computer location settings
        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  (PID 5572)  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\evhztnypnysjcsmon.exe*."
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in System32 directory
          - Drops file in Windows directory
          - System policy modification
C:\Windows\system32\cmd.exe  (PID 2680)  cmdline: C:\Windows\system32\cmd.exe /c yrfzvrexxkgzumimnvc.exe
    C:\Windows\yrfzvrexxkgzumimnvc.exe  (PID 2924)  cmdline: yrfzvrexxkgzumimnvc.exe

C:\Windows\system32\cmd.exe  (PID 5372)  cmdline: C:\Windows\system32\cmd.exe /c nfslgbnfeqldxojmmt.exe .
    C:\Windows\nfslgbnfeqldxojmmt.exe  (PID 3992)  cmdline: nfslgbnfeqldxojmmt.exe .
        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  (PID 4016)  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\nfslgbnfeqldxojmmt.exe*."

C:\Windows\system32\cmd.exe  (PID 2096)  cmdline: C:\Windows\system32\cmd.exe /c yrfzvrexxkgzumimnvc.exe
    C:\Windows\yrfzvrexxkgzumimnvc.exe  (PID 2452)  cmdline: yrfzvrexxkgzumimnvc.exe

C:\Windows\system32\cmd.exe  (PID 4400)  cmdline: C:\Windows\system32\cmd.exe /c evhztnypnysjcsmon.exe .
    C:\Windows\evhztnypnysjcsmon.exe  (PID 1508)  cmdline: evhztnypnysjcsmon.exe .
      - Checks computer location settings
        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  (PID 3160)  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\evhztnypnysjcsmon.exe*."

C:\Windows\system32\cmd.exe  (PID 6000)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe
    C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe  (PID 5676)  cmdline: C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe

C:\Windows\system32\cmd.exe  (PID 2884)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe .
    C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe  (PID 1672)  cmdline: C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe .
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  (PID 4588)  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\avlhfdsnpecxuomsvfojz.exe*."

C:\Windows\system32\cmd.exe  (PID 2464)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe
    C:\Windows\System32\Conhost.exe  (PID 5648)  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe  (PID 4384)  cmdline: C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe

C:\Windows\system32\cmd.exe  (PID 2024)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe .
    C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe  (PID 3192)  cmdline: C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe .
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  (PID 3100)  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\lfupmjxrsgdxtmjoqzhb.exe*."
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Checks whether UAC is enabled
          - Drops file in System32 directory
          - Drops file in Windows directory
          - System policy modification

C:\Windows\system32\cmd.exe  (PID 4496)  cmdline: C:\Windows\system32\cmd.exe /c xnypiblbyibrjyrs.exe
    C:\Windows\System32\Conhost.exe  (PID 4336)  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Windows\xnypiblbyibrjyrs.exe  (PID 2984)  cmdline: xnypiblbyibrjyrs.exe

C:\Windows\system32\cmd.exe  (PID 5592)  cmdline: C:\Windows\system32\cmd.exe /c nfslgbnfeqldxojmmt.exe .
-
C:\Windows\nfslgbnfeqldxojmmt.exenfslgbnfeqldxojmmt.exe .2⤵
- Checks computer location settings
PID:4848 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\nfslgbnfeqldxojmmt.exe*."3⤵PID:5440
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lfupmjxrsgdxtmjoqzhb.exe1⤵PID:3752
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4544
-
-
C:\Windows\lfupmjxrsgdxtmjoqzhb.exelfupmjxrsgdxtmjoqzhb.exe2⤵PID:3816
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lfupmjxrsgdxtmjoqzhb.exe .1⤵PID:412
-
C:\Windows\lfupmjxrsgdxtmjoqzhb.exelfupmjxrsgdxtmjoqzhb.exe .2⤵
- Checks computer location settings
PID:4956 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\lfupmjxrsgdxtmjoqzhb.exe*."3⤵PID:3704
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe1⤵PID:852
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4716
-
-
C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exeC:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe2⤵PID:3988
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe .1⤵PID:3284
-
C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exeC:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:804 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\xnypiblbyibrjyrs.exe*."3⤵PID:4828
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe1⤵PID:3908
-
C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exeC:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe2⤵PID:3420
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe .1⤵PID:5544
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3944
-
-
C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exeC:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe .2⤵PID:6056
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\lfupmjxrsgdxtmjoqzhb.exe*."3⤵PID:1504
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yrfzvrexxkgzumimnvc.exe1⤵PID:3596
-
C:\Windows\yrfzvrexxkgzumimnvc.exeyrfzvrexxkgzumimnvc.exe2⤵PID:4080
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yrfzvrexxkgzumimnvc.exe .1⤵PID:4308
-
C:\Windows\yrfzvrexxkgzumimnvc.exeyrfzvrexxkgzumimnvc.exe .2⤵PID:5812
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\yrfzvrexxkgzumimnvc.exe*."3⤵PID:3472
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lfupmjxrsgdxtmjoqzhb.exe1⤵PID:2664
-
C:\Windows\lfupmjxrsgdxtmjoqzhb.exelfupmjxrsgdxtmjoqzhb.exe2⤵PID:4296
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lfupmjxrsgdxtmjoqzhb.exe .1⤵PID:2428
-
C:\Windows\lfupmjxrsgdxtmjoqzhb.exelfupmjxrsgdxtmjoqzhb.exe .2⤵PID:2460
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\lfupmjxrsgdxtmjoqzhb.exe*."3⤵PID:5008
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe1⤵PID:3428
-
C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exeC:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe2⤵PID:2892
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe .1⤵PID:4552
-
C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exeC:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe .2⤵PID:1004
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\xnypiblbyibrjyrs.exe*."3⤵PID:1872
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe1⤵PID:4844
-
C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exeC:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe2⤵PID:464
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe .1⤵PID:336
-
C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exeC:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe .2⤵PID:3088
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\xnypiblbyibrjyrs.exe*."3⤵PID:4684
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lfupmjxrsgdxtmjoqzhb.exe1⤵PID:3992
-
C:\Windows\lfupmjxrsgdxtmjoqzhb.exelfupmjxrsgdxtmjoqzhb.exe2⤵PID:400
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c evhztnypnysjcsmon.exe .1⤵PID:6132
-
C:\Windows\evhztnypnysjcsmon.exeevhztnypnysjcsmon.exe .2⤵PID:1548
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\evhztnypnysjcsmon.exe*."3⤵PID:1656
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c avlhfdsnpecxuomsvfojz.exe1⤵PID:5676
-
C:\Windows\avlhfdsnpecxuomsvfojz.exeavlhfdsnpecxuomsvfojz.exe2⤵PID:5876
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xnypiblbyibrjyrs.exe .1⤵PID:2868
-
C:\Windows\xnypiblbyibrjyrs.exexnypiblbyibrjyrs.exe .2⤵PID:2940
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xnypiblbyibrjyrs.exe*."3⤵PID:3508
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe1⤵PID:3520
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3924
-
-
C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exeC:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe2⤵PID:5140
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe .1⤵PID:3224
-
C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exeC:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe .2⤵PID:3688
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\lfupmjxrsgdxtmjoqzhb.exe*."3⤵PID:3012
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe1⤵PID:3084
-
C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exeC:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe2⤵PID:1380
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe .1⤵PID:3232
-
C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exeC:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe .2⤵PID:4724
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\evhztnypnysjcsmon.exe*."3⤵PID:5972
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c avlhfdsnpecxuomsvfojz.exe1⤵PID:3588
-
C:\Windows\avlhfdsnpecxuomsvfojz.exeavlhfdsnpecxuomsvfojz.exe2⤵PID:2932
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xnypiblbyibrjyrs.exe1⤵PID:5772
-
C:\Windows\xnypiblbyibrjyrs.exexnypiblbyibrjyrs.exe2⤵PID:2272
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lfupmjxrsgdxtmjoqzhb.exe .1⤵PID:380
-
C:\Windows\lfupmjxrsgdxtmjoqzhb.exelfupmjxrsgdxtmjoqzhb.exe .2⤵PID:4548
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\lfupmjxrsgdxtmjoqzhb.exe*."3⤵PID:3668
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xnypiblbyibrjyrs.exe .1⤵PID:4932
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1216
-
-
C:\Windows\xnypiblbyibrjyrs.exexnypiblbyibrjyrs.exe .2⤵PID:5592
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xnypiblbyibrjyrs.exe*."3⤵PID:1324
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c avlhfdsnpecxuomsvfojz.exe1⤵PID:6052
-
C:\Windows\avlhfdsnpecxuomsvfojz.exeavlhfdsnpecxuomsvfojz.exe2⤵PID:4876
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yrfzvrexxkgzumimnvc.exe1⤵PID:3808
-
C:\Windows\yrfzvrexxkgzumimnvc.exeyrfzvrexxkgzumimnvc.exe2⤵PID:5476
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nfslgbnfeqldxojmmt.exe .1⤵PID:3704
-
C:\Windows\nfslgbnfeqldxojmmt.exenfslgbnfeqldxojmmt.exe .2⤵PID:4812
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\nfslgbnfeqldxojmmt.exe*."3⤵PID:4756
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lfupmjxrsgdxtmjoqzhb.exe .1⤵PID:1464
-
C:\Windows\lfupmjxrsgdxtmjoqzhb.exelfupmjxrsgdxtmjoqzhb.exe .2⤵PID:5072
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\lfupmjxrsgdxtmjoqzhb.exe*."3⤵PID:788
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lfupmjxrsgdxtmjoqzhb.exe1⤵PID:2040
-
C:\Windows\lfupmjxrsgdxtmjoqzhb.exelfupmjxrsgdxtmjoqzhb.exe2⤵PID:5736
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe1⤵PID:2084
-
C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exeC:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe2⤵PID:1692
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe1⤵PID:5460
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5988
-
-
C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exeC:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe2⤵PID:4652
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe .1⤵PID:6056
-
C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exeC:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe .2⤵PID:4236
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\yrfzvrexxkgzumimnvc.exe*."3⤵PID:2944
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe .1⤵PID:3356
-
C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exeC:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe .2⤵PID:3624
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\nfslgbnfeqldxojmmt.exe*."3⤵PID:1232
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xnypiblbyibrjyrs.exe .1⤵PID:5456
-
C:\Windows\xnypiblbyibrjyrs.exexnypiblbyibrjyrs.exe .2⤵PID:4824
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xnypiblbyibrjyrs.exe*."3⤵PID:3164
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nfslgbnfeqldxojmmt.exe1⤵PID:1128
-
C:\Windows\nfslgbnfeqldxojmmt.exenfslgbnfeqldxojmmt.exe2⤵PID:4624
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe1⤵PID:5624
-
C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exeC:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe2⤵PID:1048
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe1⤵PID:1904
-
C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exeC:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe2⤵PID:2072
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xnypiblbyibrjyrs.exe .1⤵PID:3120
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4728
-
-
C:\Windows\xnypiblbyibrjyrs.exexnypiblbyibrjyrs.exe .2⤵PID:1868
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xnypiblbyibrjyrs.exe*."3⤵PID:4344
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe .1⤵PID:2980
-
C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exeC:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe .2⤵PID:2904
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\nfslgbnfeqldxojmmt.exe*."3⤵PID:4588
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe .1⤵PID:3128
-
C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exeC:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe .2⤵PID:1604
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\evhztnypnysjcsmon.exe*."3⤵PID:116
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe1⤵PID:4668
-
C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exeC:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe2⤵PID:3656
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe .1⤵PID:432
-
C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exeC:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe .2⤵PID:3144
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\lfupmjxrsgdxtmjoqzhb.exe*."3⤵PID:4908
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe1⤵PID:5372
-
C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exeC:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe2⤵PID:3940
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe .1⤵PID:1316
-
C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exeC:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe .2⤵PID:3508
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\yrfzvrexxkgzumimnvc.exe*."3⤵PID:3452
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c evhztnypnysjcsmon.exe1⤵PID:5432
-
C:\Windows\evhztnypnysjcsmon.exeevhztnypnysjcsmon.exe2⤵PID:3552
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c avlhfdsnpecxuomsvfojz.exe .1⤵PID:5664
-
C:\Windows\avlhfdsnpecxuomsvfojz.exeavlhfdsnpecxuomsvfojz.exe .2⤵PID:6020
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\avlhfdsnpecxuomsvfojz.exe*."3⤵PID:2024
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nfslgbnfeqldxojmmt.exe1⤵PID:5292
-
C:\Windows\nfslgbnfeqldxojmmt.exenfslgbnfeqldxojmmt.exe2⤵PID:4224
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lfupmjxrsgdxtmjoqzhb.exe .1⤵PID:3868
-
C:\Windows\lfupmjxrsgdxtmjoqzhb.exelfupmjxrsgdxtmjoqzhb.exe .2⤵PID:4968
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\lfupmjxrsgdxtmjoqzhb.exe*."3⤵PID:4876
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe1⤵PID:2712
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1236
-
-
C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exeC:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe2⤵PID:5964
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe .1⤵PID:1136
-
C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exeC:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe .2⤵PID:3100
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\xnypiblbyibrjyrs.exe*."3⤵PID:4848
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe1⤵PID:4196
-
C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exeC:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe2⤵PID:5228
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe .1⤵PID:380
-
C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exeC:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe .2⤵PID:4860
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\xnypiblbyibrjyrs.exe*."3⤵PID:1144
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lfupmjxrsgdxtmjoqzhb.exe1⤵PID:5380
-
C:\Windows\lfupmjxrsgdxtmjoqzhb.exelfupmjxrsgdxtmjoqzhb.exe2⤵PID:804
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c avlhfdsnpecxuomsvfojz.exe .1⤵PID:4480
-
C:\Windows\avlhfdsnpecxuomsvfojz.exeavlhfdsnpecxuomsvfojz.exe .2⤵PID:3420
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\avlhfdsnpecxuomsvfojz.exe*."3⤵PID:1004
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nfslgbnfeqldxojmmt.exe1⤵PID:3852
-
C:\Windows\nfslgbnfeqldxojmmt.exenfslgbnfeqldxojmmt.exe2⤵PID:5644
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c avlhfdsnpecxuomsvfojz.exe .1⤵PID:3532
-
C:\Windows\avlhfdsnpecxuomsvfojz.exeavlhfdsnpecxuomsvfojz.exe .2⤵PID:3168
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\avlhfdsnpecxuomsvfojz.exe*."3⤵PID:5456
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe1⤵PID:2944
-
C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exeC:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe2⤵PID:3288
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe .1⤵PID:1232
-
C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exeC:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe .2⤵PID:2416
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\xnypiblbyibrjyrs.exe*."3⤵PID:1916
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe1⤵PID:4552
-
C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exeC:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe2⤵PID:5544
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe .1⤵PID:1468
-
C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exeC:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe .2⤵PID:3112
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\nfslgbnfeqldxojmmt.exe*."3⤵PID:1904
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yrfzvrexxkgzumimnvc.exe1⤵PID:6132
-
C:\Windows\yrfzvrexxkgzumimnvc.exeyrfzvrexxkgzumimnvc.exe2⤵PID:5972
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xnypiblbyibrjyrs.exe .1⤵PID:3520
-
C:\Windows\xnypiblbyibrjyrs.exexnypiblbyibrjyrs.exe .2⤵PID:2904
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xnypiblbyibrjyrs.exe*."3⤵PID:4312
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c avlhfdsnpecxuomsvfojz.exe1⤵PID:5876
-
C:\Windows\avlhfdsnpecxuomsvfojz.exeavlhfdsnpecxuomsvfojz.exe2⤵PID:4784
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lfupmjxrsgdxtmjoqzhb.exe .1⤵PID:5712
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3756
-
-
C:\Windows\lfupmjxrsgdxtmjoqzhb.exelfupmjxrsgdxtmjoqzhb.exe .2⤵PID:3612
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\lfupmjxrsgdxtmjoqzhb.exe*."3⤵PID:2868
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe1⤵PID:5192
-
C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exeC:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe2⤵PID:1740
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe .1⤵PID:5372
-
C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exeC:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe .2⤵PID:3160
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\avlhfdsnpecxuomsvfojz.exe*."3⤵PID:3224
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe1⤵PID:4192
-
C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exeC:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe2⤵PID:4812
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe .1⤵PID:5152
-
C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exeC:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe .2⤵PID:4956
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\yrfzvrexxkgzumimnvc.exe*."3⤵PID:5852
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c avlhfdsnpecxuomsvfojz.exe1⤵PID:2984
-
C:\Windows\avlhfdsnpecxuomsvfojz.exeavlhfdsnpecxuomsvfojz.exe2⤵PID:4560
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lfupmjxrsgdxtmjoqzhb.exe .1⤵PID:6020
-
C:\Windows\lfupmjxrsgdxtmjoqzhb.exelfupmjxrsgdxtmjoqzhb.exe .2⤵PID:2932
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\lfupmjxrsgdxtmjoqzhb.exe*."3⤵PID:852
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yrfzvrexxkgzumimnvc.exe1⤵PID:5664
-
C:\Windows\yrfzvrexxkgzumimnvc.exeyrfzvrexxkgzumimnvc.exe2⤵PID:3952
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xnypiblbyibrjyrs.exe .1⤵PID:1132
-
C:\Windows\xnypiblbyibrjyrs.exexnypiblbyibrjyrs.exe .2⤵PID:2748
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xnypiblbyibrjyrs.exe*."3⤵PID:5476
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe1⤵PID:3196
-
C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exeC:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe2⤵PID:1136
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe .1⤵PID:1324
-
C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exeC:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe .2⤵PID:4332
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\evhztnypnysjcsmon.exe*."3⤵PID:4344
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe1⤵PID:6068
-
C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exeC:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe2⤵PID:2284
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe .1⤵PID:3720
-
C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exeC:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe .2⤵PID:2848
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\lfupmjxrsgdxtmjoqzhb.exe*."3⤵PID:5728
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lfupmjxrsgdxtmjoqzhb.exe1⤵PID:5072
-
C:\Windows\lfupmjxrsgdxtmjoqzhb.exelfupmjxrsgdxtmjoqzhb.exe2⤵PID:5704
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nfslgbnfeqldxojmmt.exe .1⤵PID:2040
-
C:\Windows\nfslgbnfeqldxojmmt.exenfslgbnfeqldxojmmt.exe .2⤵PID:2164
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\nfslgbnfeqldxojmmt.exe*."3⤵PID:2380
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xnypiblbyibrjyrs.exe1⤵PID:4964
-
C:\Windows\xnypiblbyibrjyrs.exexnypiblbyibrjyrs.exe2⤵PID:1464
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xnypiblbyibrjyrs.exe .1⤵PID:2076
-
C:\Windows\xnypiblbyibrjyrs.exexnypiblbyibrjyrs.exe .2⤵PID:4816
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xnypiblbyibrjyrs.exe*."3⤵PID:5868
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe1⤵PID:4568
-
C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exeC:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe2⤵PID:6096
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe .1⤵PID:3656
-
C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exeC:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe .2⤵PID:5544
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\yrfzvrexxkgzumimnvc.exe*."3⤵PID:4552
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe1⤵PID:1144
-
C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exeC:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe2⤵PID:4636
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe .1⤵PID:5624
-
C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exeC:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe .2⤵PID:5232
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\lfupmjxrsgdxtmjoqzhb.exe*."3⤵PID:4760
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nfslgbnfeqldxojmmt.exe1⤵PID:5108
-
C:\Windows\nfslgbnfeqldxojmmt.exenfslgbnfeqldxojmmt.exe2⤵PID:2888
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nfslgbnfeqldxojmmt.exe .1⤵PID:4908
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1248
-
-
C:\Windows\nfslgbnfeqldxojmmt.exenfslgbnfeqldxojmmt.exe .2⤵PID:1624
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\nfslgbnfeqldxojmmt.exe*."3⤵PID:116
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lfupmjxrsgdxtmjoqzhb.exe1⤵PID:1616
-
C:\Windows\lfupmjxrsgdxtmjoqzhb.exelfupmjxrsgdxtmjoqzhb.exe2⤵PID:5976
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yrfzvrexxkgzumimnvc.exe .1⤵PID:1572
-
C:\Windows\yrfzvrexxkgzumimnvc.exeyrfzvrexxkgzumimnvc.exe .2⤵PID:2980
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\yrfzvrexxkgzumimnvc.exe*."3⤵PID:4556
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe1⤵PID:5628
-
Process tree, continued (indented by depth; each line gives PID, image path and command line):
  PID 4664  image: C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe
PID 428  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe .
  PID 4500  image: C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe .
    PID 5756  image: C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\avlhfdsnpecxuomsvfojz.exe*."
PID 4896  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c yrfzvrexxkgzumimnvc.exe
  PID 3492  image: C:\Windows\yrfzvrexxkgzumimnvc.exe  cmdline: yrfzvrexxkgzumimnvc.exe
PID 5796  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c avlhfdsnpecxuomsvfojz.exe
  PID 3524  image: C:\Windows\avlhfdsnpecxuomsvfojz.exe  cmdline: avlhfdsnpecxuomsvfojz.exe
PID 3816  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe
  PID 3988  image: C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe
PID 3588  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c yrfzvrexxkgzumimnvc.exe .
  PID 5632  image: C:\Windows\System32\Conhost.exe  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  PID 5964  image: C:\Windows\yrfzvrexxkgzumimnvc.exe  cmdline: yrfzvrexxkgzumimnvc.exe .
    PID 5592  image: C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\yrfzvrexxkgzumimnvc.exe*."
PID 4272  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c nfslgbnfeqldxojmmt.exe .
  PID 5040  image: C:\Windows\nfslgbnfeqldxojmmt.exe  cmdline: nfslgbnfeqldxojmmt.exe .
    PID 1460  image: C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\nfslgbnfeqldxojmmt.exe*."
PID 3124  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe .
  PID 5256  image: C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe .
    PID 4860  image: C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\xnypiblbyibrjyrs.exe*."
PID 3464  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c lfupmjxrsgdxtmjoqzhb.exe
  PID 2896  image: C:\Windows\lfupmjxrsgdxtmjoqzhb.exe  cmdline: lfupmjxrsgdxtmjoqzhb.exe
PID 3232  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c nfslgbnfeqldxojmmt.exe
  PID 5044  image: C:\Windows\nfslgbnfeqldxojmmt.exe  cmdline: nfslgbnfeqldxojmmt.exe
PID 3660  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c yrfzvrexxkgzumimnvc.exe .
  PID 2832  image: C:\Windows\yrfzvrexxkgzumimnvc.exe  cmdline: yrfzvrexxkgzumimnvc.exe .
    PID 1616  image: C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\yrfzvrexxkgzumimnvc.exe*."
PID 5032  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c lfupmjxrsgdxtmjoqzhb.exe .
  PID 2380  image: C:\Windows\lfupmjxrsgdxtmjoqzhb.exe  cmdline: lfupmjxrsgdxtmjoqzhb.exe .
    PID 1424  image: C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\lfupmjxrsgdxtmjoqzhb.exe*."
PID 5736  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe
  PID 2592  image: C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe
PID 1140  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe
  PID 5332  image: C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe
PID 4832  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe .
  PID 5404  image: C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe .
    PID 3664  image: C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\lfupmjxrsgdxtmjoqzhb.exe*."
PID 2676  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe .
  PID 3632  image: C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe .
    PID 4880  image: C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\avlhfdsnpecxuomsvfojz.exe*."
PID 2804  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe
  PID 1988  image: C:\Windows\System32\Conhost.exe  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  PID 2280  image: C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe
PID 2376  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c xnypiblbyibrjyrs.exe
  PID 5328  image: C:\Windows\xnypiblbyibrjyrs.exe  cmdline: xnypiblbyibrjyrs.exe
PID 4868  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe
  PID 5776  image: C:\Windows\System32\Conhost.exe  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  PID 4080  image: C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe
PID 2204  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe .
  PID 4236  image: C:\Windows\System32\Conhost.exe  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  PID 5136  image: C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe .
    PID 3940  image: C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\lfupmjxrsgdxtmjoqzhb.exe*."
PID 4824  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe .
  PID 2664  image: C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe .
    PID 5556  image: C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\lfupmjxrsgdxtmjoqzhb.exe*."
PID 2184  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c evhztnypnysjcsmon.exe .
  PID 4812  image: C:\Windows\evhztnypnysjcsmon.exe  cmdline: evhztnypnysjcsmon.exe .
    PID 4164  image: C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\evhztnypnysjcsmon.exe*."
PID 3848  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c evhztnypnysjcsmon.exe
  PID 4624  image: C:\Windows\evhztnypnysjcsmon.exe  cmdline: evhztnypnysjcsmon.exe
PID 5580  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c avlhfdsnpecxuomsvfojz.exe .
  PID 6000  image: C:\Windows\avlhfdsnpecxuomsvfojz.exe  cmdline: avlhfdsnpecxuomsvfojz.exe .
    PID 2668  image: C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\avlhfdsnpecxuomsvfojz.exe*."
PID 2448  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe
  PID 4908  image: C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe
PID 2884  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe .
  PID 2940  image: C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe .
    PID 5628  image: C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\yrfzvrexxkgzumimnvc.exe*."
PID 5076  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe
  PID 4556  image: C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe
PID 1504  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe .
  PID 1904  image: C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe .
    PID 6036  image: C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\yrfzvrexxkgzumimnvc.exe*."
PID 1844  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c yrfzvrexxkgzumimnvc.exe
  PID 220  image: C:\Windows\yrfzvrexxkgzumimnvc.exe  cmdline: yrfzvrexxkgzumimnvc.exe
PID 4912  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c xnypiblbyibrjyrs.exe .
  PID 1680  image: C:\Windows\xnypiblbyibrjyrs.exe  cmdline: xnypiblbyibrjyrs.exe .
    PID 5672  image: C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xnypiblbyibrjyrs.exe*."
PID 3988  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c avlhfdsnpecxuomsvfojz.exe
  PID 2612  image: C:\Windows\avlhfdsnpecxuomsvfojz.exe  cmdline: avlhfdsnpecxuomsvfojz.exe
PID 1032  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c nfslgbnfeqldxojmmt.exe .
  PID 5336  image: C:\Windows\nfslgbnfeqldxojmmt.exe  cmdline: nfslgbnfeqldxojmmt.exe .
    PID 6020  image: C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\nfslgbnfeqldxojmmt.exe*."
PID 5256  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe
  PID 2092  image: C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe
PID 1460  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe .
  PID 3960  image: C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe .
    PID 2024  image: C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\yrfzvrexxkgzumimnvc.exe*."
PID 3124  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe
  PID 4844  image: C:\Windows\System32\Conhost.exe  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  PID 3284  image: C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe
PID 4724  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe .
  PID 3952  image: C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe .
    PID 2892  image: C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\yrfzvrexxkgzumimnvc.exe*."
PID 3232  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c xnypiblbyibrjyrs.exe
  PID 5144  image: C:\Windows\xnypiblbyibrjyrs.exe  cmdline: xnypiblbyibrjyrs.exe
PID 1796  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c avlhfdsnpecxuomsvfojz.exe .
  PID 3752  image: C:\Windows\avlhfdsnpecxuomsvfojz.exe  cmdline: avlhfdsnpecxuomsvfojz.exe .
    PID 5660  image: C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\avlhfdsnpecxuomsvfojz.exe*."
PID 1692  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c evhztnypnysjcsmon.exe
  PID 1676  image: C:\Windows\evhztnypnysjcsmon.exe  cmdline: evhztnypnysjcsmon.exe
PID 2620  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c yrfzvrexxkgzumimnvc.exe .
  PID 4200  image: C:\Windows\yrfzvrexxkgzumimnvc.exe  cmdline: yrfzvrexxkgzumimnvc.exe .
    PID 4480  image: C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\yrfzvrexxkgzumimnvc.exe*."
PID 1468  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe
  PID 1324  image: C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe
PID 1004  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe .
  PID 5852  image: C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe .
    PID 5464  image: C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\yrfzvrexxkgzumimnvc.exe*."
PID 4064  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe
  PID 3392  image: C:\Windows\System32\Conhost.exe  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  PID 5644  image: C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe
PID 1940  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe .
  PID 396  image: C:\Windows\System32\Conhost.exe  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  PID 4952  image: C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe .
    PID 4400  image: C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\xnypiblbyibrjyrs.exe*."
PID 5156  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c lfupmjxrsgdxtmjoqzhb.exe
  PID 1232  image: C:\Windows\lfupmjxrsgdxtmjoqzhb.exe  cmdline: lfupmjxrsgdxtmjoqzhb.exe
PID 4908  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c lfupmjxrsgdxtmjoqzhb.exe .
  PID 5876  image: C:\Windows\lfupmjxrsgdxtmjoqzhb.exe  cmdline: lfupmjxrsgdxtmjoqzhb.exe .
    PID 4160  image: C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\lfupmjxrsgdxtmjoqzhb.exe*."
PID 5972  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c yrfzvrexxkgzumimnvc.exe
  PID 3660  image: C:\Windows\yrfzvrexxkgzumimnvc.exe  cmdline: yrfzvrexxkgzumimnvc.exe
PID 4564  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c nfslgbnfeqldxojmmt.exe .
  PID 4804  image: C:\Windows\nfslgbnfeqldxojmmt.exe  cmdline: nfslgbnfeqldxojmmt.exe .
    PID 5140  image: C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\nfslgbnfeqldxojmmt.exe*."
PID 4976  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe
  PID 1316  image: C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe
PID 2940  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe .
  PID 4292  image: C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe .
    PID 1128  image: C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\lfupmjxrsgdxtmjoqzhb.exe*."
PID 2976  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe
  PID 4308  image: C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe
PID 3220  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe .
  PID 5540  image: C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe .
    PID 3384  image: C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\avlhfdsnpecxuomsvfojz.exe*."
PID 2456  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c nfslgbnfeqldxojmmt.exe
  PID 4184  image: C:\Windows\nfslgbnfeqldxojmmt.exe  cmdline: nfslgbnfeqldxojmmt.exe
PID 3224  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c xnypiblbyibrjyrs.exe .
  PID 4264  image: C:\Windows\xnypiblbyibrjyrs.exe  cmdline: xnypiblbyibrjyrs.exe .
    PID 1576  image: C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xnypiblbyibrjyrs.exe*."
PID 5532  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c lfupmjxrsgdxtmjoqzhb.exe
  PID 388  image: C:\Windows\lfupmjxrsgdxtmjoqzhb.exe  cmdline: lfupmjxrsgdxtmjoqzhb.exe
PID 4912  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c evhztnypnysjcsmon.exe .
  PID 3916  image: C:\Windows\evhztnypnysjcsmon.exe  cmdline: evhztnypnysjcsmon.exe .
    PID 3100  image: C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\evhztnypnysjcsmon.exe*."
PID 4712  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe
  PID 5380  image: C:\Windows\System32\Conhost.exe  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  PID 4692  image: C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\xnypiblbyibrjyrs.exe
PID 1840  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe .
  PID 3944  image: C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe .
    PID 316  image: C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\yrfzvrexxkgzumimnvc.exe*."
PID 3828  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe
  PID 4820  image: C:\Windows\System32\Conhost.exe  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  PID 2164  image: C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe
PID 1460  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe .
  PID 4844  image: C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\yrfzvrexxkgzumimnvc.exe .
    PID 4120  image: C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\yrfzvrexxkgzumimnvc.exe*."
PID 1260  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c lfupmjxrsgdxtmjoqzhb.exe
  PID 4724  image: C:\Windows\lfupmjxrsgdxtmjoqzhb.exe  cmdline: lfupmjxrsgdxtmjoqzhb.exe
PID 5864  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c yrfzvrexxkgzumimnvc.exe .
  PID 2212  image: C:\Windows\yrfzvrexxkgzumimnvc.exe  cmdline: yrfzvrexxkgzumimnvc.exe .
    PID 1892  image: C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\yrfzvrexxkgzumimnvc.exe*."
PID 5100  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c lfupmjxrsgdxtmjoqzhb.exe
  PID 3232  image: C:\Windows\lfupmjxrsgdxtmjoqzhb.exe  cmdline: lfupmjxrsgdxtmjoqzhb.exe
PID 3184  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c avlhfdsnpecxuomsvfojz.exe .
  PID 5660  image: C:\Windows\avlhfdsnpecxuomsvfojz.exe  cmdline: avlhfdsnpecxuomsvfojz.exe .
    PID 1324  image: C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\avlhfdsnpecxuomsvfojz.exe*."
PID 4156  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe
  PID 1212  image: C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe
PID 5856  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe .
  PID 4528  image: C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\evhztnypnysjcsmon.exe .
    PID 3868  image: C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\evhztnypnysjcsmon.exe*."
PID 4968  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe
  PID 2804  image: C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe
PID 4636  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe .
  PID 2408  image: C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe .
    PID 5464  image: C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\lfupmjxrsgdxtmjoqzhb.exe*."
PID 3392  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c lfupmjxrsgdxtmjoqzhb.exe
  PID 2860  image: C:\Windows\lfupmjxrsgdxtmjoqzhb.exe  cmdline: lfupmjxrsgdxtmjoqzhb.exe
PID 2848  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c lfupmjxrsgdxtmjoqzhb.exe .
  PID 5900  image: C:\Windows\lfupmjxrsgdxtmjoqzhb.exe  cmdline: lfupmjxrsgdxtmjoqzhb.exe .
    PID 4840  image: C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\lfupmjxrsgdxtmjoqzhb.exe*."
PID 3144  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c avlhfdsnpecxuomsvfojz.exe
  PID 4908  image: C:\Windows\avlhfdsnpecxuomsvfojz.exe  cmdline: avlhfdsnpecxuomsvfojz.exe
PID 4384  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c evhztnypnysjcsmon.exe
  PID 6080  image: C:\Windows\evhztnypnysjcsmon.exe  cmdline: evhztnypnysjcsmon.exe
PID 3852  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c lfupmjxrsgdxtmjoqzhb.exe
  PID 3128  image: C:\Windows\lfupmjxrsgdxtmjoqzhb.exe  cmdline: lfupmjxrsgdxtmjoqzhb.exe
PID 2488  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c nfslgbnfeqldxojmmt.exe .
  PID 1528  image: C:\Windows\nfslgbnfeqldxojmmt.exe  cmdline: nfslgbnfeqldxojmmt.exe .
    PID 3452  image: C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\nfslgbnfeqldxojmmt.exe*."
PID 5664  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c yrfzvrexxkgzumimnvc.exe .
  PID 5928  image: C:\Windows\System32\Conhost.exe  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  PID 5980  image: C:\Windows\yrfzvrexxkgzumimnvc.exe  cmdline: yrfzvrexxkgzumimnvc.exe .
    PID 264  image: C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\yrfzvrexxkgzumimnvc.exe*."
PID 4328  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe
  PID 5208  image: C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe
PID 4556  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c lfupmjxrsgdxtmjoqzhb.exe .
  PID 972  image: C:\Windows\lfupmjxrsgdxtmjoqzhb.exe  cmdline: lfupmjxrsgdxtmjoqzhb.exe .
    PID 2400  image: C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\lfupmjxrsgdxtmjoqzhb.exe*."
PID 5628  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe .
  PID 3216  image: C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe .
    PID 4712  image: C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\lfupmjxrsgdxtmjoqzhb.exe*."
PID 5216  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c xnypiblbyibrjyrs.exe
  PID 3472  image: C:\Windows\xnypiblbyibrjyrs.exe  cmdline: xnypiblbyibrjyrs.exe
PID 5580  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c xnypiblbyibrjyrs.exe
PID 4800  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c yrfzvrexxkgzumimnvc.exe .
PID 4788  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c xnypiblbyibrjyrs.exe .
PID 4440  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe
PID 5152  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe
PID 4768  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nfslgbnfeqldxojmmt.exe
PID 5584  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfupmjxrsgdxtmjoqzhb.exe .
PID 1844  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe .
PID 4760  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avlhfdsnpecxuomsvfojz.exe .
Network
MITRE ATT&CK Enterprise v16 (tactic, technique with hit count, sub-technique with hit count)
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
  Impair Defenses (2)
    Disable or Modify Tools (1)
    Safe Mode Boot (1)
  Modify Registry (5)
Downloads
-
Filesize 280B
MD5 34f980880264ec93ca42f9e7a5b5f369
SHA1 821af5ca72015dafc2a4f287e222fc8c7a9946eb
SHA256 7c080c3147e8dc672219bb296c7f6462c062df9ee6e7fe4f94580aed2d1caeaa
SHA512 5f0c7765540f32df2b9e0a4cf38b2932fd8874eabee15cd5e650d5ccb6fb7d89ed0c28f2fbd08a77f7c50a5b3e1e6020d0592f7686c6a1c0c9b3b53b416b766f
-
Filesize 280B
MD5 96bc89dbba6da175a0afc7387bbb843b
SHA1 4511ba4474edf6fd573e7634fa1ca48181dd9db7
SHA256 230894ad5c53bd084b2994606ec8693ca484f457b55b8aca2c07367c5efe9c79
SHA512 3bff372bae6335704cfa3707e29dabe9a5cd1c0e1be81c64def98dcbb66e731629594b05766ef93634b15ba502148addc48b60c70f7bc40e02e9f350bfbac698
-
Filesize 280B
MD5 f54b8773c16578b5cfa0fd7168bdd5ca
SHA1 7593dcb7c8375763859aecfb32075a4af4ab80ee
SHA256 4c280f169d298734ca9a80b38fe91634317de2d299e3bd4a6274bc35cda12a8e
SHA512 bafc56497f5c3b1cafe5affad65b849642c20099275af551df68fada6b500030ec8a7e3292d1c3d293384b1b6472a458b947bbae986af0bd7b17a2ccad5743a3
-
Filesize 280B
MD5 c5b345d8b88107aa9f4d3ce635a4ce30
SHA1 f8ee8db7e991a734adaec9851893c6edd7dcfc65
SHA256 9ac11008e312f4bccfae9dcb677f8b41294e9eab4ca60924d7fa4867e0c7d183
SHA512 ce00ad2765c7364697021e06144306b83b86ed9deb03a8b7f477545f0eb0851422c55e5b129e5e2eee9d8737d0804f2c0e93da523177f910ae90b76d27b62796
-
Filesize 280B
MD5 f78ed3c6d7a8f99f8226059d7eadd1e9
SHA1 0fc05a071a4c3ae1e51a367c42e129ea3ee346e7
SHA256 feb26801e88f197e1b751612cbe9983d3ea1c54fb73ac400153fc0998dc4a302
SHA512 25013e76dc0211ebf2c472b0474695ab9b95f6c3a83dd1e992f3db5af522afb021355b35f35719ce0d37c3cdbab60ea8f21c4d9e564885f43e89cb38fdac4e26
-
Filesize 280B
MD5 f2f8f566418be4785bb6acd761253e14
SHA1 72f97b4754e7f5fe74ddb21857cacd5d09937d80
SHA256 8cc19748066640d794109708adac2a056c579e7c3a2b5f812d0069732dcb18b3
SHA512 3a0e0db1bfd1bc5197d1785e1b7170ef5b5356c36d88fb0d2cad5a287e233f501415f27ef878eeba28ddd48a328872001fb9733db3d04345ba590a995bc989e7
-
Filesize 700KB
MD5 f9bdd428895e582fbf6bc64260074fb8
SHA1 3d0a2f07940d1bb5480a0a10c5ef244885d231b3
SHA256 8e2c66fce56bc6ddf3f03a1b602cbc92664b9c6af56d18b73c01544f90a0e32d
SHA512 457d09d3eb8b1273d9e7a4a566b52099c05d347860b28d75ea0aa9d8b77d8f3b4ffacb4e0b1aedb509aca172ee96a577a93ba239f30971938fc8d0a91754f203
-
Filesize 320KB
MD5 9a56ff1becb0600083de82a43e1124c3
SHA1 f8b668520dee890ba8d3e9e465d2aa676079d849
SHA256 3dfce6dcda0edfea1cdb7e94a34624fb9e5d31430ed4280628a27ede32a72baa
SHA512 5c121c9771bdd1bcca684fd5fb2b32c04b222ec3827812c18740506cbbdbe8a7a6d034708cc9a9dfcbfda636e179d02d31b3ff2ef2478c7abad9b36c6577acab
-
Filesize 280B
MD5 c63ce840e0d1c7e55b56ca83c7038903
SHA1 f7f9a4117c8433d5e39e417df806ce1cd99bb785
SHA256 4bdd290580064c79b378ce788c51af726f39b14f6915dffa27509eebb0bccde2
SHA512 bf6fa15419630669105204f04ae3983f2fff07367db9da826e4e8e05cbccd4d2398ff9d80d60be0f0252179736053028cabdf849bf0ffdc7f2b29497d0f63c50
-
Filesize 4KB
MD5 40a25e8f8ab081d829f22a5ab780677a
SHA1 fe85fc71cf63782f87d1f063dee5d507bc7e03d1
SHA256 3e6bcdea611bb59f9cd53babfbd86c8b2aaf493e319b3a0da7b322a67d8c663a
SHA512 1d6e4e67674aa7a21c29cbfa23988b2028ede941fc4b67532ce5c98bb7a205f7a33cd3ebddd82217d2bfbf683e62c7f4de8aca67b8201b67aee152c269bcb01d
-
Filesize 1016KB
MD5 bdee5e351d4080f6d88d3fb9c6c09c60
SHA1 f8b229a69b7b932ffb0ac6d71aec90137c583a18
SHA256 04d3522972566a2b189144c86441058f1af5641a67cdaf39e246f91ba23bf5c5
SHA512 35c3b392784ac85f9794e1eb75d55e9d651e2f13782175791eeb07fef86f5360f681e3e0be9d8fe0c6b1495ed4edd07e6eaec2f2c46c5026faa812fb0858842b