Analysis
-
max time kernel
43s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20250314-en locale:en-us os:windows10-2004-x64 system -
submitted
19/04/2025, 01:29
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral2
Sample
JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe
Resource
win11-20250410-en
General
-
Target
JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe
-
Size
860KB
-
MD5
c0a5c6a1916f592a00e891fd8e5c4b36
-
SHA1
6bf1d27345660089c1bbf1e71f58674e684c5d14
-
SHA256
32173afb83cbc7c35e4b7c70ca3bdfb64155ce5da72d0fc359c4a0cd2096d7c8
-
SHA512
75c8ce5234070a6ee08fb41f316bd71776b3b58f9e43e3f4b544732c197a27b5c9d9172632894090b6af7f3f52fdac8efabe8baf41eb855ac817ad34980dbef6
-
SSDEEP
12288:Ng5pBHxXptbN5ZRgOiBjw/C0AWzFjys4H:0H7tbrbIBjwuWR+sE
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 20 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" cjhxzcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" bbygorkllli.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" cjhxzcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" bbygorkllli.exe -
Pykspa family
-
UAC bypass 3 TTPs 29 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" bbygorkllli.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" cjhxzcn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bbygorkllli.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bbygorkllli.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bbygorkllli.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bbygorkllli.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" cjhxzcn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" cjhxzcn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bbygorkllli.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bbygorkllli.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cjhxzcn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bbygorkllli.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" cjhxzcn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bbygorkllli.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bbygorkllli.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" bbygorkllli.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" cjhxzcn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bbygorkllli.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bbygorkllli.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bbygorkllli.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bbygorkllli.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bbygorkllli.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bbygorkllli.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cjhxzcn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" cjhxzcn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bbygorkllli.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" bbygorkllli.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bbygorkllli.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bbygorkllli.exe -
Detect Pykspa worm 3 IoCs
resource yara_rule behavioral1/files/0x00060000000236ea-5.dat family_pykspa behavioral1/files/0x0007000000024169-121.dat family_pykspa behavioral1/memory/2504-371-0x0000000000400000-0x0000000000466000-memory.dmp family_pykspa -
Adds policy Run key to start application 2 TTPs 63 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whjdjqfsykh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bryxiuogrikprerz.exe" cjhxzcn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run bbygorkllli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whjdjqfsykh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cvfhvkhcqkpxcsitudg.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\thmjscuktiillw = "rjstguqkxqubfujttb.exe" bbygorkllli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run bbygorkllli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run cjhxzcn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\thmjscuktiillw = "ezlpfwvsielvcumzcnsnz.exe" cjhxzcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whjdjqfsykh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\izhhtgbugybhkymvu.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whjdjqfsykh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cvfhvkhcqkpxcsitudg.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\thmjscuktiillw = "cvfhvkhcqkpxcsitudg.exe" cjhxzcn.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run bbygorkllli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whjdjqfsykh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bryxiuogrikprerz.exe" bbygorkllli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\thmjscuktiillw = "izhhtgbugybhkymvu.exe" cjhxzcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whjdjqfsykh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cvfhvkhcqkpxcsitudg.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\thmjscuktiillw = "bryxiuogrikprerz.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whjdjqfsykh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ezlpfwvsielvcumzcnsnz.exe" bbygorkllli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whjdjqfsykh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bryxiuogrikprerz.exe" bbygorkllli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\thmjscuktiillw = "izhhtgbugybhkymvu.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\thmjscuktiillw = "ezlpfwvsielvcumzcnsnz.exe" bbygorkllli.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whjdjqfsykh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pjuxmcawlgmvbsjvxhlf.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whjdjqfsykh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rjstguqkxqubfujttb.exe" bbygorkllli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run cjhxzcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whjdjqfsykh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ezlpfwvsielvcumzcnsnz.exe" cjhxzcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\thmjscuktiillw = "cvfhvkhcqkpxcsitudg.exe" bbygorkllli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run bbygorkllli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\thmjscuktiillw = "izhhtgbugybhkymvu.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whjdjqfsykh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\izhhtgbugybhkymvu.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\thmjscuktiillw = "rjstguqkxqubfujttb.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whjdjqfsykh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pjuxmcawlgmvbsjvxhlf.exe" cjhxzcn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run bbygorkllli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run bbygorkllli.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whjdjqfsykh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pjuxmcawlgmvbsjvxhlf.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\thmjscuktiillw = "rjstguqkxqubfujttb.exe" cjhxzcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whjdjqfsykh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cvfhvkhcqkpxcsitudg.exe" bbygorkllli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whjdjqfsykh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pjuxmcawlgmvbsjvxhlf.exe" cjhxzcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\thmjscuktiillw = "ezlpfwvsielvcumzcnsnz.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\thmjscuktiillw = "izhhtgbugybhkymvu.exe" cjhxzcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\thmjscuktiillw = "cvfhvkhcqkpxcsitudg.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\thmjscuktiillw = "izhhtgbugybhkymvu.exe" bbygorkllli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whjdjqfsykh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ezlpfwvsielvcumzcnsnz.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mouano = "ykaqnyldtjkprerz.exe" 
bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\thmjscuktiillw = "izhhtgbugybhkymvu.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\thmjscuktiillw = "bryxiuogrikprerz.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lkn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fsjaykyrizbhkymvu.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whjdjqfsykh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cvfhvkhcqkpxcsitudg.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whjdjqfsykh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ezlpfwvsielvcumzcnsnz.exe" cjhxzcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\thmjscuktiillw = "izhhtgbugybhkymvu.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\thmjscuktiillw = "rjstguqkxqubfujttb.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whjdjqfsykh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pjuxmcawlgmvbsjvxhlf.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\thmjscuktiillw = "cvfhvkhcqkpxcsitudg.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whjdjqfsykh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bryxiuogrikprerz.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\thmjscuktiillw = "bryxiuogrikprerz.exe" bbygorkllli.exe -
Disables RegEdit via registry modification 14 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" bbygorkllli.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" bbygorkllli.exe Set value (int) \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" cjhxzcn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" cjhxzcn.exe Set value (int) \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" bbygorkllli.exe Set value (int) \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" bbygorkllli.exe Set value (int) \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" bbygorkllli.exe Set value (int) \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" bbygorkllli.exe Set value (int) \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" bbygorkllli.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" bbygorkllli.exe Set value (int) \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" cjhxzcn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" cjhxzcn.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" bbygorkllli.exe Set value (int) \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" bbygorkllli.exe -
Checks computer location settings 2 TTPs 64 IoCs
Looks up the country code configured in the registry, likely used as a geofence check.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation cvfhvkhcqkpxcsitudg.exe Key value queried \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation rjstguqkxqubfujttb.exe Key value queried \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation bryxiuogrikprerz.exe Key value queried \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation ezlpfwvsielvcumzcnsnz.exe Key value queried \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation rjstguqkxqubfujttb.exe Key value queried \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation bryxiuogrikprerz.exe Key value queried \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation rjstguqkxqubfujttb.exe Key value queried \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation bryxiuogrikprerz.exe Key value queried \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation cvfhvkhcqkpxcsitudg.exe Key value queried \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation cvfhvkhcqkpxcsitudg.exe Key value queried \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation cvfhvkhcqkpxcsitudg.exe Key value queried \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation bryxiuogrikprerz.exe Key value queried \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation izhhtgbugybhkymvu.exe Key value queried \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation cvfhvkhcqkpxcsitudg.exe Key value queried 
\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation bbygorkllli.exe Key value queried \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation izhhtgbugybhkymvu.exe Key value queried \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation cvfhvkhcqkpxcsitudg.exe Key value queried \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation rjstguqkxqubfujttb.exe Key value queried \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation cvfhvkhcqkpxcsitudg.exe Key value queried \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation izhhtgbugybhkymvu.exe Key value queried \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation cvfhvkhcqkpxcsitudg.exe Key value queried \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation cvfhvkhcqkpxcsitudg.exe Key value queried \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation ezlpfwvsielvcumzcnsnz.exe Key value queried \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation cvfhvkhcqkpxcsitudg.exe Key value queried \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation rjstguqkxqubfujttb.exe Key value queried \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation cvfhvkhcqkpxcsitudg.exe Key value queried \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation izhhtgbugybhkymvu.exe Key value queried \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation bryxiuogrikprerz.exe Key value queried 
\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation bryxiuogrikprerz.exe Key value queried \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation bryxiuogrikprerz.exe Key value queried \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation izhhtgbugybhkymvu.exe Key value queried \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation ezlpfwvsielvcumzcnsnz.exe Key value queried \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation izhhtgbugybhkymvu.exe Key value queried \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation ezlpfwvsielvcumzcnsnz.exe Key value queried \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation izhhtgbugybhkymvu.exe Key value queried \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation pjuxmcawlgmvbsjvxhlf.exe Key value queried \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation rjstguqkxqubfujttb.exe Key value queried \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation cvfhvkhcqkpxcsitudg.exe Key value queried \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation izhhtgbugybhkymvu.exe Key value queried \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation bryxiuogrikprerz.exe Key value queried \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation ezlpfwvsielvcumzcnsnz.exe Key value queried \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation cvfhvkhcqkpxcsitudg.exe Key value queried 
\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation izhhtgbugybhkymvu.exe Key value queried \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation rjstguqkxqubfujttb.exe Key value queried \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation izhhtgbugybhkymvu.exe Key value queried \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation pjuxmcawlgmvbsjvxhlf.exe Key value queried \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation cvfhvkhcqkpxcsitudg.exe Key value queried \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation ezlpfwvsielvcumzcnsnz.exe Key value queried \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation izhhtgbugybhkymvu.exe Key value queried \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation pjuxmcawlgmvbsjvxhlf.exe Key value queried \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation cvfhvkhcqkpxcsitudg.exe Key value queried \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation pjuxmcawlgmvbsjvxhlf.exe Key value queried \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation pjuxmcawlgmvbsjvxhlf.exe Key value queried \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation cvfhvkhcqkpxcsitudg.exe Key value queried \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation cvfhvkhcqkpxcsitudg.exe Key value queried \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation bryxiuogrikprerz.exe Key value queried 
\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation pjuxmcawlgmvbsjvxhlf.exe Key value queried \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation cvfhvkhcqkpxcsitudg.exe Key value queried \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation rjstguqkxqubfujttb.exe Key value queried \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation bryxiuogrikprerz.exe Key value queried \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation izhhtgbugybhkymvu.exe Key value queried \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation izhhtgbugybhkymvu.exe Key value queried \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation izhhtgbugybhkymvu.exe Key value queried \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation pjuxmcawlgmvbsjvxhlf.exe -
Executes dropped EXE 64 IoCs
pid Process 4456 bbygorkllli.exe 2656 pjuxmcawlgmvbsjvxhlf.exe 1200 cvfhvkhcqkpxcsitudg.exe 3084 bbygorkllli.exe 2544 bryxiuogrikprerz.exe 3524 rjstguqkxqubfujttb.exe 4580 izhhtgbugybhkymvu.exe 2296 bbygorkllli.exe 4836 cvfhvkhcqkpxcsitudg.exe 1604 pjuxmcawlgmvbsjvxhlf.exe 1936 bbygorkllli.exe 2180 cvfhvkhcqkpxcsitudg.exe 3224 bbygorkllli.exe 3196 cjhxzcn.exe 4944 cjhxzcn.exe 3644 bryxiuogrikprerz.exe 2008 bryxiuogrikprerz.exe 2780 izhhtgbugybhkymvu.exe 4388 izhhtgbugybhkymvu.exe 1332 bbygorkllli.exe 2984 bbygorkllli.exe 2824 bryxiuogrikprerz.exe 1840 bryxiuogrikprerz.exe 4260 bryxiuogrikprerz.exe 3232 cvfhvkhcqkpxcsitudg.exe 1060 cvfhvkhcqkpxcsitudg.exe 2960 bryxiuogrikprerz.exe 2700 bryxiuogrikprerz.exe 3648 bryxiuogrikprerz.exe 4916 ezlpfwvsielvcumzcnsnz.exe 2236 bbygorkllli.exe 1840 bbygorkllli.exe 3084 bbygorkllli.exe 1748 bbygorkllli.exe 3224 ezlpfwvsielvcumzcnsnz.exe 4344 izhhtgbugybhkymvu.exe 4112 cvfhvkhcqkpxcsitudg.exe 2192 cvfhvkhcqkpxcsitudg.exe 2368 cvfhvkhcqkpxcsitudg.exe 2904 pjuxmcawlgmvbsjvxhlf.exe 4916 izhhtgbugybhkymvu.exe 3288 bbygorkllli.exe 3140 bbygorkllli.exe 4776 bbygorkllli.exe 2504 bryxiuogrikprerz.exe 4832 cvfhvkhcqkpxcsitudg.exe 2844 bbygorkllli.exe 4224 pjuxmcawlgmvbsjvxhlf.exe 4244 ezlpfwvsielvcumzcnsnz.exe 4040 bbygorkllli.exe 1572 bbygorkllli.exe 4320 ezlpfwvsielvcumzcnsnz.exe 2100 ezlpfwvsielvcumzcnsnz.exe 4652 bbygorkllli.exe 4972 izhhtgbugybhkymvu.exe 3140 rjstguqkxqubfujttb.exe 4836 pjuxmcawlgmvbsjvxhlf.exe 3260 pjuxmcawlgmvbsjvxhlf.exe 1256 bbygorkllli.exe 5068 ezlpfwvsielvcumzcnsnz.exe 4828 pjuxmcawlgmvbsjvxhlf.exe 1664 bbygorkllli.exe 4392 cvfhvkhcqkpxcsitudg.exe 3208 bbygorkllli.exe -
Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys cjhxzcn.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc cjhxzcn.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power cjhxzcn.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys cjhxzcn.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc cjhxzcn.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager cjhxzcn.exe -
Adds Run key to start application 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rjstguqkxqubfujttb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pjuxmcawlgmvbsjvxhlf.exe" bbygorkllli.exe Set value (str) \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sfjfnwnckyxzy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bryxiuogrikprerz.exe ." bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rjstguqkxqubfujttb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\izhhtgbugybhkymvu.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tfidksiwdqop = "cvfhvkhcqkpxcsitudg.exe" cjhxzcn.exe Set value (str) \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wlrpzkdueuvzamy = "izhhtgbugybhkymvu.exe" cjhxzcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\izhhtgbugybhkymvu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cvfhvkhcqkpxcsitudg.exe ." cjhxzcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tfidksiwdqop = "bryxiuogrikprerz.exe" cjhxzcn.exe Set value (str) \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sfjfnwnckyxzy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cvfhvkhcqkpxcsitudg.exe ." cjhxzcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\sfjfnwnckyxzy = "pjuxmcawlgmvbsjvxhlf.exe ." 
cjhxzcn.exe Set value (str) \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfidksiwdqop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ezlpfwvsielvcumzcnsnz.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rjstguqkxqubfujttb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\izhhtgbugybhkymvu.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\izhhtgbugybhkymvu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bryxiuogrikprerz.exe ." cjhxzcn.exe Set value (str) \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sfjfnwnckyxzy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pjuxmcawlgmvbsjvxhlf.exe ." bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\izhhtgbugybhkymvu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rjstguqkxqubfujttb.exe ." bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\sfjfnwnckyxzy = "ezlpfwvsielvcumzcnsnz.exe ." bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rjstguqkxqubfujttb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pjuxmcawlgmvbsjvxhlf.exe" bbygorkllli.exe Set value (str) \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bryxiuogrikprerz = "pjuxmcawlgmvbsjvxhlf.exe ." 
bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tfidksiwdqop = "cvfhvkhcqkpxcsitudg.exe" bbygorkllli.exe Set value (str) \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfidksiwdqop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\izhhtgbugybhkymvu.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\sfjfnwnckyxzy = "rjstguqkxqubfujttb.exe ." bbygorkllli.exe Set value (str) \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bryxiuogrikprerz = "ezlpfwvsielvcumzcnsnz.exe ." bbygorkllli.exe Set value (str) \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfidksiwdqop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pjuxmcawlgmvbsjvxhlf.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tfidksiwdqop = "bryxiuogrikprerz.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sswa = "ykaqnyldtjkprerz.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bchmy = "ykaqnyldtjkprerz.exe ." bbygorkllli.exe Set value (str) \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sswa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bsnikaspkflvcumzcnpgb.exe" bbygorkllli.exe Set value (str) \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bchmy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fsjaykyrizbhkymvu.exe ." bbygorkllli.exe Set value (str) \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bryxiuogrikprerz = "izhhtgbugybhkymvu.exe ." 
bbygorkllli.exe Set value (str) \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wlrpzkdueuvzamy = "izhhtgbugybhkymvu.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tfidksiwdqop = "rjstguqkxqubfujttb.exe" bbygorkllli.exe Set value (str) \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bryxiuogrikprerz = "pjuxmcawlgmvbsjvxhlf.exe ." bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tfidksiwdqop = "cvfhvkhcqkpxcsitudg.exe" bbygorkllli.exe Set value (str) \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wlrpzkdueuvzamy = "izhhtgbugybhkymvu.exe" bbygorkllli.exe Set value (str) \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfidksiwdqop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bryxiuogrikprerz.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rjstguqkxqubfujttb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ezlpfwvsielvcumzcnsnz.exe" cjhxzcn.exe Set value (str) \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wlrpzkdueuvzamy = "ezlpfwvsielvcumzcnsnz.exe" bbygorkllli.exe Set value (str) \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfidksiwdqop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pjuxmcawlgmvbsjvxhlf.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rjstguqkxqubfujttb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cvfhvkhcqkpxcsitudg.exe" cjhxzcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\sfjfnwnckyxzy = "izhhtgbugybhkymvu.exe ." 
bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tfidksiwdqop = "pjuxmcawlgmvbsjvxhlf.exe" cjhxzcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\izhhtgbugybhkymvu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ezlpfwvsielvcumzcnsnz.exe ." bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\izhhtgbugybhkymvu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ezlpfwvsielvcumzcnsnz.exe ." bbygorkllli.exe Set value (str) \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sfjfnwnckyxzy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\izhhtgbugybhkymvu.exe ." bbygorkllli.exe Set value (str) \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sfjfnwnckyxzy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rjstguqkxqubfujttb.exe ." bbygorkllli.exe Set value (str) \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bryxiuogrikprerz = "izhhtgbugybhkymvu.exe ." bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rjstguqkxqubfujttb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\izhhtgbugybhkymvu.exe" cjhxzcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rjstguqkxqubfujttb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cvfhvkhcqkpxcsitudg.exe" bbygorkllli.exe Set value (str) \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bryxiuogrikprerz = "izhhtgbugybhkymvu.exe ." 
bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rjstguqkxqubfujttb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rjstguqkxqubfujttb.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\izhhtgbugybhkymvu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ezlpfwvsielvcumzcnsnz.exe ." bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tfidksiwdqop = "pjuxmcawlgmvbsjvxhlf.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\izhhtgbugybhkymvu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bryxiuogrikprerz.exe ." cjhxzcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tfidksiwdqop = "pjuxmcawlgmvbsjvxhlf.exe" cjhxzcn.exe Set value (str) \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bryxiuogrikprerz = "izhhtgbugybhkymvu.exe ." bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rjstguqkxqubfujttb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rjstguqkxqubfujttb.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\sfjfnwnckyxzy = "izhhtgbugybhkymvu.exe ." bbygorkllli.exe Set value (str) \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sfjfnwnckyxzy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pjuxmcawlgmvbsjvxhlf.exe ." bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\izhhtgbugybhkymvu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\izhhtgbugybhkymvu.exe ." bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\sfjfnwnckyxzy = "cvfhvkhcqkpxcsitudg.exe ." 
bbygorkllli.exe Set value (str) \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfidksiwdqop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pjuxmcawlgmvbsjvxhlf.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tfidksiwdqop = "ezlpfwvsielvcumzcnsnz.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tfidksiwdqop = "ezlpfwvsielvcumzcnsnz.exe" bbygorkllli.exe Set value (str) \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bryxiuogrikprerz = "bryxiuogrikprerz.exe ." bbygorkllli.exe Set value (str) \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wlrpzkdueuvzamy = "izhhtgbugybhkymvu.exe" bbygorkllli.exe -
Checks whether UAC is enabled 1 TTPs 40 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bbygorkllli.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bbygorkllli.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bbygorkllli.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bbygorkllli.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bbygorkllli.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bbygorkllli.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bbygorkllli.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bbygorkllli.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bbygorkllli.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bbygorkllli.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bbygorkllli.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cjhxzcn.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bbygorkllli.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bbygorkllli.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cjhxzcn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bbygorkllli.exe Key value queried 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bbygorkllli.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bbygorkllli.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bbygorkllli.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bbygorkllli.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bbygorkllli.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bbygorkllli.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bbygorkllli.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bbygorkllli.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bbygorkllli.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bbygorkllli.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bbygorkllli.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bbygorkllli.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bbygorkllli.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bbygorkllli.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bbygorkllli.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bbygorkllli.exe Key value queried 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bbygorkllli.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cjhxzcn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bbygorkllli.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bbygorkllli.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bbygorkllli.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cjhxzcn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bbygorkllli.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bbygorkllli.exe -
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possibly turns off User Account Control's privilege elevation for standard users.
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" bbygorkllli.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" cjhxzcn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" cjhxzcn.exe -
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 20 whatismyipaddress.com 25 www.whatismyip.ca 28 whatismyip.everdot.org 38 whatismyip.everdot.org 41 www.whatismyip.ca 14 www.showmyipaddress.com -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\ezlpfwvsielvcumzcnsnz.exe bbygorkllli.exe File opened for modification C:\Windows\SysWOW64\vrejassqhemxfyrfjvbxkp.exe cjhxzcn.exe File opened for modification C:\Windows\SysWOW64\vrejassqhemxfyrfjvbxkp.exe bbygorkllli.exe File opened for modification C:\Windows\SysWOW64\bryxiuogrikprerz.exe bbygorkllli.exe File opened for modification C:\Windows\SysWOW64\ezlpfwvsielvcumzcnsnz.exe bbygorkllli.exe File opened for modification C:\Windows\SysWOW64\vrejassqhemxfyrfjvbxkp.exe bbygorkllli.exe File opened for modification C:\Windows\SysWOW64\vrejassqhemxfyrfjvbxkp.exe bbygorkllli.exe File opened for modification C:\Windows\SysWOW64\ezlpfwvsielvcumzcnsnz.exe bbygorkllli.exe File opened for modification C:\Windows\SysWOW64\izhhtgbugybhkymvu.exe bbygorkllli.exe File opened for modification C:\Windows\SysWOW64\izhhtgbugybhkymvu.exe bbygorkllli.exe File opened for modification C:\Windows\SysWOW64\pjuxmcawlgmvbsjvxhlf.exe bbygorkllli.exe File opened for modification C:\Windows\SysWOW64\rjstguqkxqubfujttb.exe cjhxzcn.exe File opened for modification C:\Windows\SysWOW64\izhhtgbugybhkymvu.exe bbygorkllli.exe File opened for modification C:\Windows\SysWOW64\pjuxmcawlgmvbsjvxhlf.exe bbygorkllli.exe File opened for modification C:\Windows\SysWOW64\cvfhvkhcqkpxcsitudg.exe bbygorkllli.exe File opened for modification C:\Windows\SysWOW64\bryxiuogrikprerz.exe cjhxzcn.exe File opened for modification C:\Windows\SysWOW64\cvfhvkhcqkpxcsitudg.exe bbygorkllli.exe File opened for modification C:\Windows\SysWOW64\vrejassqhemxfyrfjvbxkp.exe bbygorkllli.exe File opened for modification C:\Windows\SysWOW64\pjuxmcawlgmvbsjvxhlf.exe bbygorkllli.exe File opened for modification C:\Windows\SysWOW64\cvfhvkhcqkpxcsitudg.exe cjhxzcn.exe File opened for modification C:\Windows\SysWOW64\pjuxmcawlgmvbsjvxhlf.exe bbygorkllli.exe File opened for modification C:\Windows\SysWOW64\bryxiuogrikprerz.exe bbygorkllli.exe File opened for 
modification C:\Windows\SysWOW64\ezlpfwvsielvcumzcnsnz.exe bbygorkllli.exe File opened for modification C:\Windows\SysWOW64\ezlpfwvsielvcumzcnsnz.exe bbygorkllli.exe File opened for modification C:\Windows\SysWOW64\izhhtgbugybhkymvu.exe bbygorkllli.exe File opened for modification C:\Windows\SysWOW64\rjstguqkxqubfujttb.exe bbygorkllli.exe File opened for modification C:\Windows\SysWOW64\pjuxmcawlgmvbsjvxhlf.exe bbygorkllli.exe File opened for modification C:\Windows\SysWOW64\cvfhvkhcqkpxcsitudg.exe bbygorkllli.exe File opened for modification C:\Windows\SysWOW64\vrejassqhemxfyrfjvbxkp.exe cjhxzcn.exe File opened for modification C:\Windows\SysWOW64\cvfhvkhcqkpxcsitudg.exe bbygorkllli.exe File opened for modification C:\Windows\SysWOW64\rjstguqkxqubfujttb.exe bbygorkllli.exe File opened for modification C:\Windows\SysWOW64\izhhtgbugybhkymvu.exe cjhxzcn.exe File opened for modification C:\Windows\SysWOW64\rjstguqkxqubfujttb.exe bbygorkllli.exe File opened for modification C:\Windows\SysWOW64\pjuxmcawlgmvbsjvxhlf.exe bbygorkllli.exe File opened for modification C:\Windows\SysWOW64\rjstguqkxqubfujttb.exe bbygorkllli.exe File opened for modification C:\Windows\SysWOW64\rjstguqkxqubfujttb.exe bbygorkllli.exe File opened for modification C:\Windows\SysWOW64\cvfhvkhcqkpxcsitudg.exe bbygorkllli.exe File opened for modification C:\Windows\SysWOW64\ezlpfwvsielvcumzcnsnz.exe bbygorkllli.exe File opened for modification C:\Windows\SysWOW64\ezlpfwvsielvcumzcnsnz.exe bbygorkllli.exe File opened for modification C:\Windows\SysWOW64\rjstguqkxqubfujttb.exe bbygorkllli.exe File opened for modification C:\Windows\SysWOW64\bryxiuogrikprerz.exe bbygorkllli.exe File opened for modification C:\Windows\SysWOW64\rjstguqkxqubfujttb.exe bbygorkllli.exe File opened for modification C:\Windows\SysWOW64\ezlpfwvsielvcumzcnsnz.exe bbygorkllli.exe File opened for modification C:\Windows\SysWOW64\rjstguqkxqubfujttb.exe cjhxzcn.exe File opened for modification 
C:\Windows\SysWOW64\rjstguqkxqubfujttb.exe bbygorkllli.exe File opened for modification C:\Windows\SysWOW64\bryxiuogrikprerz.exe bbygorkllli.exe File opened for modification C:\Windows\SysWOW64\pjuxmcawlgmvbsjvxhlf.exe bbygorkllli.exe File opened for modification C:\Windows\SysWOW64\rjstguqkxqubfujttb.exe bbygorkllli.exe File opened for modification C:\Windows\SysWOW64\izhhtgbugybhkymvu.exe cjhxzcn.exe File opened for modification C:\Windows\SysWOW64\bryxiuogrikprerz.exe bbygorkllli.exe File opened for modification C:\Windows\SysWOW64\izhhtgbugybhkymvu.exe bbygorkllli.exe File opened for modification C:\Windows\SysWOW64\izhhtgbugybhkymvu.exe bbygorkllli.exe File opened for modification C:\Windows\SysWOW64\vrejassqhemxfyrfjvbxkp.exe bbygorkllli.exe File opened for modification C:\Windows\SysWOW64\vrejassqhemxfyrfjvbxkp.exe bbygorkllli.exe File opened for modification C:\Windows\SysWOW64\bryxiuogrikprerz.exe bbygorkllli.exe File opened for modification C:\Windows\SysWOW64\cvfhvkhcqkpxcsitudg.exe bbygorkllli.exe File opened for modification C:\Windows\SysWOW64\bryxiuogrikprerz.exe cjhxzcn.exe File opened for modification C:\Windows\SysWOW64\bryxiuogrikprerz.exe bbygorkllli.exe File opened for modification C:\Windows\SysWOW64\cvfhvkhcqkpxcsitudg.exe bbygorkllli.exe File opened for modification C:\Windows\SysWOW64\bryxiuogrikprerz.exe bbygorkllli.exe File opened for modification C:\Windows\SysWOW64\ezlpfwvsielvcumzcnsnz.exe bbygorkllli.exe File opened for modification C:\Windows\SysWOW64\rjstguqkxqubfujttb.exe bbygorkllli.exe File opened for modification C:\Windows\SysWOW64\pjuxmcawlgmvbsjvxhlf.exe bbygorkllli.exe File opened for modification C:\Windows\SysWOW64\bryxiuogrikprerz.exe bbygorkllli.exe -
Drops file in Program Files directory 4 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\sfjfnwnckyxzyisxsvsfjfnwnckyxzyisxs.sfj cjhxzcn.exe File created C:\Program Files (x86)\sfjfnwnckyxzyisxsvsfjfnwnckyxzyisxs.sfj cjhxzcn.exe File opened for modification C:\Program Files (x86)\jlepmkquruiznmlfphtvozwu.ebe cjhxzcn.exe File created C:\Program Files (x86)\jlepmkquruiznmlfphtvozwu.ebe cjhxzcn.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\bryxiuogrikprerz.exe cjhxzcn.exe File opened for modification C:\Windows\cvfhvkhcqkpxcsitudg.exe bbygorkllli.exe File opened for modification C:\Windows\pjuxmcawlgmvbsjvxhlf.exe bbygorkllli.exe File opened for modification C:\Windows\vrejassqhemxfyrfjvbxkp.exe bbygorkllli.exe File opened for modification C:\Windows\vrejassqhemxfyrfjvbxkp.exe bbygorkllli.exe File opened for modification C:\Windows\pjuxmcawlgmvbsjvxhlf.exe bbygorkllli.exe File opened for modification C:\Windows\vrejassqhemxfyrfjvbxkp.exe bbygorkllli.exe File opened for modification C:\Windows\cvfhvkhcqkpxcsitudg.exe bbygorkllli.exe File opened for modification C:\Windows\rjstguqkxqubfujttb.exe bbygorkllli.exe File opened for modification C:\Windows\ezlpfwvsielvcumzcnsnz.exe bbygorkllli.exe File opened for modification C:\Windows\bryxiuogrikprerz.exe bbygorkllli.exe File opened for modification C:\Windows\izhhtgbugybhkymvu.exe bbygorkllli.exe File opened for modification C:\Windows\cvfhvkhcqkpxcsitudg.exe bbygorkllli.exe File opened for modification C:\Windows\rjstguqkxqubfujttb.exe bbygorkllli.exe File opened for modification C:\Windows\cvfhvkhcqkpxcsitudg.exe bbygorkllli.exe File opened for modification C:\Windows\pjuxmcawlgmvbsjvxhlf.exe bbygorkllli.exe File opened for modification C:\Windows\ezlpfwvsielvcumzcnsnz.exe bbygorkllli.exe File opened for modification C:\Windows\vrejassqhemxfyrfjvbxkp.exe bbygorkllli.exe File opened for modification C:\Windows\rjstguqkxqubfujttb.exe bbygorkllli.exe File opened for modification C:\Windows\ezlpfwvsielvcumzcnsnz.exe bbygorkllli.exe File opened for modification C:\Windows\vrejassqhemxfyrfjvbxkp.exe bbygorkllli.exe File opened for modification C:\Windows\rjstguqkxqubfujttb.exe bbygorkllli.exe File opened for modification C:\Windows\rjstguqkxqubfujttb.exe bbygorkllli.exe File opened for modification C:\Windows\pjuxmcawlgmvbsjvxhlf.exe bbygorkllli.exe File opened for modification 
C:\Windows\vrejassqhemxfyrfjvbxkp.exe bbygorkllli.exe File opened for modification C:\Windows\vrejassqhemxfyrfjvbxkp.exe bbygorkllli.exe File opened for modification C:\Windows\bryxiuogrikprerz.exe bbygorkllli.exe File opened for modification C:\Windows\bryxiuogrikprerz.exe bbygorkllli.exe File opened for modification C:\Windows\rjstguqkxqubfujttb.exe bbygorkllli.exe File opened for modification C:\Windows\rjstguqkxqubfujttb.exe bbygorkllli.exe File opened for modification C:\Windows\pjuxmcawlgmvbsjvxhlf.exe bbygorkllli.exe File opened for modification C:\Windows\ezlpfwvsielvcumzcnsnz.exe bbygorkllli.exe File opened for modification C:\Windows\izhhtgbugybhkymvu.exe bbygorkllli.exe File opened for modification C:\Windows\ezlpfwvsielvcumzcnsnz.exe bbygorkllli.exe File opened for modification C:\Windows\izhhtgbugybhkymvu.exe bbygorkllli.exe File opened for modification C:\Windows\rjstguqkxqubfujttb.exe bbygorkllli.exe File opened for modification C:\Windows\ezlpfwvsielvcumzcnsnz.exe cjhxzcn.exe File opened for modification C:\Windows\pjuxmcawlgmvbsjvxhlf.exe bbygorkllli.exe File opened for modification C:\Windows\bryxiuogrikprerz.exe cjhxzcn.exe File opened for modification C:\Windows\vrejassqhemxfyrfjvbxkp.exe bbygorkllli.exe File opened for modification C:\Windows\rjstguqkxqubfujttb.exe bbygorkllli.exe File opened for modification C:\Windows\bryxiuogrikprerz.exe bbygorkllli.exe File opened for modification C:\Windows\vrejassqhemxfyrfjvbxkp.exe bbygorkllli.exe File opened for modification C:\Windows\izhhtgbugybhkymvu.exe bbygorkllli.exe File opened for modification C:\Windows\rjstguqkxqubfujttb.exe bbygorkllli.exe File opened for modification C:\Windows\izhhtgbugybhkymvu.exe bbygorkllli.exe File opened for modification C:\Windows\vrejassqhemxfyrfjvbxkp.exe bbygorkllli.exe File opened for modification C:\Windows\vrejassqhemxfyrfjvbxkp.exe cjhxzcn.exe File created C:\Windows\sfjfnwnckyxzyisxsvsfjfnwnckyxzyisxs.sfj cjhxzcn.exe File opened for modification 
C:\Windows\ezlpfwvsielvcumzcnsnz.exe bbygorkllli.exe File opened for modification C:\Windows\ezlpfwvsielvcumzcnsnz.exe bbygorkllli.exe File opened for modification C:\Windows\izhhtgbugybhkymvu.exe bbygorkllli.exe File opened for modification C:\Windows\bryxiuogrikprerz.exe bbygorkllli.exe File opened for modification C:\Windows\cvfhvkhcqkpxcsitudg.exe bbygorkllli.exe File opened for modification C:\Windows\cvfhvkhcqkpxcsitudg.exe bbygorkllli.exe File opened for modification C:\Windows\pjuxmcawlgmvbsjvxhlf.exe bbygorkllli.exe File opened for modification C:\Windows\rjstguqkxqubfujttb.exe cjhxzcn.exe File opened for modification C:\Windows\bryxiuogrikprerz.exe bbygorkllli.exe File opened for modification C:\Windows\bryxiuogrikprerz.exe bbygorkllli.exe File opened for modification C:\Windows\izhhtgbugybhkymvu.exe bbygorkllli.exe File opened for modification C:\Windows\vrejassqhemxfyrfjvbxkp.exe bbygorkllli.exe File opened for modification C:\Windows\rjstguqkxqubfujttb.exe bbygorkllli.exe File opened for modification C:\Windows\cvfhvkhcqkpxcsitudg.exe bbygorkllli.exe File opened for modification C:\Windows\izhhtgbugybhkymvu.exe bbygorkllli.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bryxiuogrikprerz.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language izhhtgbugybhkymvu.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvfhvkhcqkpxcsitudg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rjstguqkxqubfujttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bryxiuogrikprerz.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvfhvkhcqkpxcsitudg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language izhhtgbugybhkymvu.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ezlpfwvsielvcumzcnsnz.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language izhhtgbugybhkymvu.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjuxmcawlgmvbsjvxhlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvfhvkhcqkpxcsitudg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbygorkllli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bryxiuogrikprerz.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language izhhtgbugybhkymvu.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvfhvkhcqkpxcsitudg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rjstguqkxqubfujttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvfhvkhcqkpxcsitudg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjuxmcawlgmvbsjvxhlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvfhvkhcqkpxcsitudg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjuxmcawlgmvbsjvxhlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language izhhtgbugybhkymvu.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ezlpfwvsielvcumzcnsnz.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language izhhtgbugybhkymvu.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvfhvkhcqkpxcsitudg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rjstguqkxqubfujttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language izhhtgbugybhkymvu.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvfhvkhcqkpxcsitudg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language izhhtgbugybhkymvu.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language izhhtgbugybhkymvu.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvfhvkhcqkpxcsitudg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language izhhtgbugybhkymvu.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bryxiuogrikprerz.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bryxiuogrikprerz.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language izhhtgbugybhkymvu.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rjstguqkxqubfujttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language izhhtgbugybhkymvu.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language izhhtgbugybhkymvu.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rjstguqkxqubfujttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ezlpfwvsielvcumzcnsnz.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ezlpfwvsielvcumzcnsnz.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bryxiuogrikprerz.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bryxiuogrikprerz.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjuxmcawlgmvbsjvxhlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ezlpfwvsielvcumzcnsnz.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ykaqnyldtjkprerz.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mcwqrgxtnhmvbsjvxhiy.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvfhvkhcqkpxcsitudg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjuxmcawlgmvbsjvxhlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bsnikaspkflvcumzcnpgb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvfhvkhcqkpxcsitudg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvfhvkhcqkpxcsitudg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language izhhtgbugybhkymvu.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjuxmcawlgmvbsjvxhlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjuxmcawlgmvbsjvxhlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rjstguqkxqubfujttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvfhvkhcqkpxcsitudg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bryxiuogrikprerz.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvfhvkhcqkpxcsitudg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rjstguqkxqubfujttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bryxiuogrikprerz.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvfhvkhcqkpxcsitudg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjuxmcawlgmvbsjvxhlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ezlpfwvsielvcumzcnsnz.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjuxmcawlgmvbsjvxhlf.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 708 JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe 708 JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe 708 JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe 708 JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe 708 JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe 708 JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe 708 JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe 708 JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe 708 JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe 708 JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe 708 JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe 708 JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe 708 JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe 708 JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe 708 JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe 708 JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe 3196 cjhxzcn.exe 3196 cjhxzcn.exe 708 JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe 708 JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe 708 JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe 708 JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe 708 JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe 708 JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe 708 JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe 708 JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe 708 JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe 708 JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe 708 JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe 708 JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe 708 JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe 708 JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe 708 JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe 708 JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe 708 JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe 708 JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe 708 JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe 708 
JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe 708 JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe 708 JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe 708 JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe 708 JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe 708 JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe 708 JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe 708 JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe 708 JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe 708 JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe 708 JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe 708 JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe 708 JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe 708 JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe 708 JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe 708 JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe 708 JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe 708 JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe 708 JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe 708 JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe 708 JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe 708 JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe 708 JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe 708 JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe 708 JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe 708 JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe 708 JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3196 cjhxzcn.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 708 wrote to memory of 4456 708 JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe 88 PID 708 wrote to memory of 4456 708 JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe 88 PID 708 wrote to memory of 4456 708 JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe 88 PID 2264 wrote to memory of 2656 2264 cmd.exe 93 PID 2264 wrote to memory of 2656 2264 cmd.exe 93 PID 2264 wrote to memory of 2656 2264 cmd.exe 93 PID 2300 wrote to memory of 1200 2300 cmd.exe 96 PID 2300 wrote to memory of 1200 2300 cmd.exe 96 PID 2300 wrote to memory of 1200 2300 cmd.exe 96 PID 1200 wrote to memory of 3084 1200 cvfhvkhcqkpxcsitudg.exe 99 PID 1200 wrote to memory of 3084 1200 cvfhvkhcqkpxcsitudg.exe 99 PID 1200 wrote to memory of 3084 1200 cvfhvkhcqkpxcsitudg.exe 99 PID 4892 wrote to memory of 2544 4892 cmd.exe 100 PID 4892 wrote to memory of 2544 4892 cmd.exe 100 PID 4892 wrote to memory of 2544 4892 cmd.exe 100 PID 4352 wrote to memory of 3524 4352 cmd.exe 105 PID 4352 wrote to memory of 3524 4352 cmd.exe 105 PID 4352 wrote to memory of 3524 4352 cmd.exe 105 PID 1452 wrote to memory of 4580 1452 cmd.exe 107 PID 1452 wrote to memory of 4580 1452 cmd.exe 107 PID 1452 wrote to memory of 4580 1452 cmd.exe 107 PID 3524 wrote to memory of 2296 3524 rjstguqkxqubfujttb.exe 112 PID 3524 wrote to memory of 2296 3524 rjstguqkxqubfujttb.exe 112 PID 3524 wrote to memory of 2296 3524 rjstguqkxqubfujttb.exe 112 PID 3068 wrote to memory of 4836 3068 cmd.exe 113 PID 3068 wrote to memory of 4836 3068 cmd.exe 113 PID 3068 wrote to memory of 4836 3068 cmd.exe 113 PID 3260 wrote to memory of 1604 3260 cmd.exe 151 PID 3260 wrote to memory of 1604 3260 cmd.exe 151 PID 3260 wrote to memory of 1604 3260 cmd.exe 151 PID 4836 wrote to memory of 1936 4836 cvfhvkhcqkpxcsitudg.exe 210 PID 4836 wrote to memory of 1936 4836 cvfhvkhcqkpxcsitudg.exe 210 PID 4836 wrote to memory of 1936 4836 cvfhvkhcqkpxcsitudg.exe 210 PID 3240 wrote to memory of 2180 3240 cmd.exe 277 PID 3240 
wrote to memory of 2180 3240 cmd.exe 277 PID 3240 wrote to memory of 2180 3240 cmd.exe 277 PID 2180 wrote to memory of 3224 2180 cvfhvkhcqkpxcsitudg.exe 181 PID 2180 wrote to memory of 3224 2180 cvfhvkhcqkpxcsitudg.exe 181 PID 2180 wrote to memory of 3224 2180 cvfhvkhcqkpxcsitudg.exe 181 PID 4456 wrote to memory of 3196 4456 bbygorkllli.exe 121 PID 4456 wrote to memory of 3196 4456 bbygorkllli.exe 121 PID 4456 wrote to memory of 3196 4456 bbygorkllli.exe 121 PID 4456 wrote to memory of 4944 4456 bbygorkllli.exe 122 PID 4456 wrote to memory of 4944 4456 bbygorkllli.exe 122 PID 4456 wrote to memory of 4944 4456 bbygorkllli.exe 122 PID 1060 wrote to memory of 3644 1060 cmd.exe 350 PID 1060 wrote to memory of 3644 1060 cmd.exe 350 PID 1060 wrote to memory of 3644 1060 cmd.exe 350 PID 1228 wrote to memory of 2008 1228 cmd.exe 127 PID 1228 wrote to memory of 2008 1228 cmd.exe 127 PID 1228 wrote to memory of 2008 1228 cmd.exe 127 PID 952 wrote to memory of 2780 952 cmd.exe 134 PID 952 wrote to memory of 2780 952 cmd.exe 134 PID 952 wrote to memory of 2780 952 cmd.exe 134 PID 376 wrote to memory of 4388 376 cmd.exe 135 PID 376 wrote to memory of 4388 376 cmd.exe 135 PID 376 wrote to memory of 4388 376 cmd.exe 135 PID 2780 wrote to memory of 1332 2780 izhhtgbugybhkymvu.exe 141 PID 2780 wrote to memory of 1332 2780 izhhtgbugybhkymvu.exe 141 PID 2780 wrote to memory of 1332 2780 izhhtgbugybhkymvu.exe 141 PID 4388 wrote to memory of 2984 4388 izhhtgbugybhkymvu.exe 149 PID 4388 wrote to memory of 2984 4388 izhhtgbugybhkymvu.exe 149 PID 4388 wrote to memory of 2984 4388 izhhtgbugybhkymvu.exe 149 PID 4384 wrote to memory of 2824 4384 cmd.exe 267 -
System policy modification 1 TTPs 64 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" bbygorkllli.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" cjhxzcn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" cjhxzcn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" cjhxzcn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" cjhxzcn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bbygorkllli.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bbygorkllli.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" bbygorkllli.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" cjhxzcn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" cjhxzcn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer cjhxzcn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bbygorkllli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System bbygorkllli.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" cjhxzcn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer cjhxzcn.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" bbygorkllli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System bbygorkllli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System bbygorkllli.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bbygorkllli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System bbygorkllli.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" bbygorkllli.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" bbygorkllli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System bbygorkllli.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" cjhxzcn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bbygorkllli.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cjhxzcn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bbygorkllli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System bbygorkllli.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bbygorkllli.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bbygorkllli.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bbygorkllli.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" bbygorkllli.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" cjhxzcn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System bbygorkllli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System bbygorkllli.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" cjhxzcn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System bbygorkllli.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bbygorkllli.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bbygorkllli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System bbygorkllli.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bbygorkllli.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bbygorkllli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System bbygorkllli.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" bbygorkllli.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" cjhxzcn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" cjhxzcn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" cjhxzcn.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bbygorkllli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer bbygorkllli.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" cjhxzcn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" cjhxzcn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" cjhxzcn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bbygorkllli.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bbygorkllli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System bbygorkllli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cjhxzcn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" bbygorkllli.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" cjhxzcn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System bbygorkllli.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" bbygorkllli.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" bbygorkllli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System bbygorkllli.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bbygorkllli.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" cjhxzcn.exe
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe — command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe" (tree depth 1)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:708 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe — command line: "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe*" (tree depth 2)
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4456 -
C:\Users\Admin\AppData\Local\Temp\cjhxzcn.exe — command line: "C:\Users\Admin\AppData\Local\Temp\cjhxzcn.exe" "-c:\users\admin\appdata\local\temp\jaffacakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe" (tree depth 3)
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3196
C:\Users\Admin\AppData\Local\Temp\cjhxzcn.exe — command line: "C:\Users\Admin\AppData\Local\Temp\cjhxzcn.exe" "-c:\users\admin\appdata\local\temp\jaffacakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe" (tree depth 3)
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4944
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pjuxmcawlgmvbsjvxhlf.exe1⤵
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Windows\pjuxmcawlgmvbsjvxhlf.exepjuxmcawlgmvbsjvxhlf.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2656
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cvfhvkhcqkpxcsitudg.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:2300 -
C:\Windows\cvfhvkhcqkpxcsitudg.execvfhvkhcqkpxcsitudg.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1200 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\cvfhvkhcqkpxcsitudg.exe*."3⤵
- Executes dropped EXE
PID:3084
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bryxiuogrikprerz.exe1⤵
- Suspicious use of WriteProcessMemory
PID:4892 -
C:\Windows\bryxiuogrikprerz.exebryxiuogrikprerz.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2544
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rjstguqkxqubfujttb.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:4352 -
C:\Windows\rjstguqkxqubfujttb.exerjstguqkxqubfujttb.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3524 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\rjstguqkxqubfujttb.exe*."3⤵
- Executes dropped EXE
PID:2296
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exe1⤵
- Suspicious use of WriteProcessMemory
PID:1452 -
C:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exeC:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4580
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exeC:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4836 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\cvfhvkhcqkpxcsitudg.exe*."3⤵
- Executes dropped EXE
PID:1936
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjuxmcawlgmvbsjvxhlf.exe1⤵
- Suspicious use of WriteProcessMemory
PID:3260 -
C:\Users\Admin\AppData\Local\Temp\pjuxmcawlgmvbsjvxhlf.exeC:\Users\Admin\AppData\Local\Temp\pjuxmcawlgmvbsjvxhlf.exe2⤵
- Executes dropped EXE
PID:1604
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:3240 -
C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exeC:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\cvfhvkhcqkpxcsitudg.exe*."3⤵
- Executes dropped EXE
PID:3224
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bryxiuogrikprerz.exe1⤵
- Suspicious use of WriteProcessMemory
PID:1228 -
C:\Windows\bryxiuogrikprerz.exebryxiuogrikprerz.exe2⤵
- Executes dropped EXE
PID:2008
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bryxiuogrikprerz.exe1⤵
- Suspicious use of WriteProcessMemory
PID:1060 -
C:\Windows\bryxiuogrikprerz.exebryxiuogrikprerz.exe2⤵
- Executes dropped EXE
PID:3644
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c izhhtgbugybhkymvu.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:376 -
C:\Windows\izhhtgbugybhkymvu.exeizhhtgbugybhkymvu.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4388 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\izhhtgbugybhkymvu.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2984
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c izhhtgbugybhkymvu.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:952 -
C:\Windows\izhhtgbugybhkymvu.exeizhhtgbugybhkymvu.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\izhhtgbugybhkymvu.exe*."3⤵
- Executes dropped EXE
PID:1332
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bryxiuogrikprerz.exe1⤵
- Suspicious use of WriteProcessMemory
PID:4384 -
C:\Windows\bryxiuogrikprerz.exebryxiuogrikprerz.exe2⤵
- Executes dropped EXE
PID:2824
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bryxiuogrikprerz.exe1⤵PID:3924
C:\Windows\bryxiuogrikprerz.exebryxiuogrikprerz.exe2⤵
- Executes dropped EXE
PID:1840
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bryxiuogrikprerz.exe .1⤵PID:2448
C:\Windows\bryxiuogrikprerz.exebryxiuogrikprerz.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
PID:4260 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\bryxiuogrikprerz.exe*."3⤵
- Executes dropped EXE
PID:2236
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bryxiuogrikprerz.exe .1⤵PID:1588
C:\Windows\bryxiuogrikprerz.exebryxiuogrikprerz.exe .2⤵
- Executes dropped EXE
PID:2960 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\bryxiuogrikprerz.exe*."3⤵
- Executes dropped EXE
PID:1840
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe1⤵PID:2664
C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exeC:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe2⤵
- Executes dropped EXE
PID:1060
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe1⤵PID:4496
C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exeC:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe2⤵
- Executes dropped EXE
PID:3232
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exe .1⤵PID:1604
C:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exeC:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2700 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\bryxiuogrikprerz.exe*."3⤵
- Executes dropped EXE
PID:1748
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exe .1⤵PID:3020
C:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exeC:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
PID:3648 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\bryxiuogrikprerz.exe*."3⤵
- Executes dropped EXE
PID:3084
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exe1⤵PID:3356
C:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exeC:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exe2⤵
- Executes dropped EXE
PID:3224
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exe1⤵PID:560
C:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exeC:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4916
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe .1⤵PID:2768
C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exeC:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4112 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\cvfhvkhcqkpxcsitudg.exe*."3⤵
- Executes dropped EXE
PID:3288
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe .1⤵PID:4844
C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exeC:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2192 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\cvfhvkhcqkpxcsitudg.exe*."3⤵
- Executes dropped EXE
PID:3140
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cvfhvkhcqkpxcsitudg.exe1⤵PID:1896
C:\Windows\cvfhvkhcqkpxcsitudg.execvfhvkhcqkpxcsitudg.exe2⤵
- Executes dropped EXE
PID:2368
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c izhhtgbugybhkymvu.exe .1⤵PID:1052
C:\Windows\izhhtgbugybhkymvu.exeizhhtgbugybhkymvu.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4344 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\izhhtgbugybhkymvu.exe*."3⤵
- Executes dropped EXE
PID:4776
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c izhhtgbugybhkymvu.exe1⤵PID:336
C:\Windows\izhhtgbugybhkymvu.exeizhhtgbugybhkymvu.exe2⤵
- Executes dropped EXE
PID:4916
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pjuxmcawlgmvbsjvxhlf.exe .1⤵PID:2524
C:\Windows\pjuxmcawlgmvbsjvxhlf.exepjuxmcawlgmvbsjvxhlf.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2904 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\pjuxmcawlgmvbsjvxhlf.exe*."3⤵
- Executes dropped EXE
PID:2844
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exe1⤵PID:712
C:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exeC:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exe2⤵
- Executes dropped EXE
PID:2504
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe .1⤵PID:4228
C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exeC:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
PID:4832 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\cvfhvkhcqkpxcsitudg.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4040
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjuxmcawlgmvbsjvxhlf.exe1⤵PID:2112
C:\Users\Admin\AppData\Local\Temp\pjuxmcawlgmvbsjvxhlf.exeC:\Users\Admin\AppData\Local\Temp\pjuxmcawlgmvbsjvxhlf.exe2⤵
- Executes dropped EXE
PID:4224
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exe .1⤵PID:3628
C:\Windows\System32\Conhost.exe — command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 (tree depth 2) — PID:2700
C:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exeC:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4244 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ezlpfwvsielvcumzcnsnz.exe*."3⤵
- Executes dropped EXE
PID:1572
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ezlpfwvsielvcumzcnsnz.exe1⤵PID:1936
C:\Windows\ezlpfwvsielvcumzcnsnz.exeezlpfwvsielvcumzcnsnz.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4320
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ezlpfwvsielvcumzcnsnz.exe .1⤵PID:2760
C:\Windows\ezlpfwvsielvcumzcnsnz.exeezlpfwvsielvcumzcnsnz.exe .2⤵
- Executes dropped EXE
PID:2100 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ezlpfwvsielvcumzcnsnz.exe*."3⤵
- Executes dropped EXE
PID:4652
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c izhhtgbugybhkymvu.exe1⤵PID:4504
C:\Windows\izhhtgbugybhkymvu.exeizhhtgbugybhkymvu.exe2⤵
- Executes dropped EXE
PID:4972
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rjstguqkxqubfujttb.exe .1⤵PID:2612
C:\Windows\rjstguqkxqubfujttb.exerjstguqkxqubfujttb.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3140 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\rjstguqkxqubfujttb.exe*."3⤵
- Executes dropped EXE
PID:1256
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe1⤵PID:1956
-
C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exeC:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe2⤵
- Executes dropped EXE
PID:4392
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pjuxmcawlgmvbsjvxhlf.exe1⤵PID:3556
-
C:\Windows\pjuxmcawlgmvbsjvxhlf.exepjuxmcawlgmvbsjvxhlf.exe2⤵
- Executes dropped EXE
PID:3260
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pjuxmcawlgmvbsjvxhlf.exe1⤵PID:3776
-
C:\Windows\pjuxmcawlgmvbsjvxhlf.exepjuxmcawlgmvbsjvxhlf.exe2⤵
- Executes dropped EXE
PID:4836
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exe .1⤵PID:2236
-
C:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exeC:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5068 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ezlpfwvsielvcumzcnsnz.exe*."3⤵
- Executes dropped EXE
PID:1664
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pjuxmcawlgmvbsjvxhlf.exe .1⤵PID:3800
-
C:\Windows\pjuxmcawlgmvbsjvxhlf.exepjuxmcawlgmvbsjvxhlf.exe .2⤵
- Checks computer location settings
PID:1896 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\pjuxmcawlgmvbsjvxhlf.exe*."3⤵PID:4576
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pjuxmcawlgmvbsjvxhlf.exe .1⤵PID:2664
-
C:\Windows\pjuxmcawlgmvbsjvxhlf.exepjuxmcawlgmvbsjvxhlf.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4828 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\pjuxmcawlgmvbsjvxhlf.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3208
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exe1⤵PID:4248
-
C:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exeC:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exe2⤵PID:2252
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bryxiuogrikprerz.exe1⤵PID:2672
-
C:\Windows\bryxiuogrikprerz.exebryxiuogrikprerz.exe2⤵PID:3772
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bryxiuogrikprerz.exe1⤵PID:3644
-
C:\Windows\bryxiuogrikprerz.exebryxiuogrikprerz.exe2⤵PID:872
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe .1⤵PID:4408
-
C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exeC:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2180 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\cvfhvkhcqkpxcsitudg.exe*."3⤵PID:4848
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cvfhvkhcqkpxcsitudg.exe .1⤵PID:1756
-
C:\Windows\cvfhvkhcqkpxcsitudg.execvfhvkhcqkpxcsitudg.exe .2⤵
- Checks computer location settings
PID:3248 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\cvfhvkhcqkpxcsitudg.exe*."3⤵PID:3996
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cvfhvkhcqkpxcsitudg.exe .1⤵PID:4496
-
C:\Windows\cvfhvkhcqkpxcsitudg.execvfhvkhcqkpxcsitudg.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4832 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\cvfhvkhcqkpxcsitudg.exe*."3⤵PID:1840
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exe1⤵PID:4992
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4260
-
-
C:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exeC:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exe2⤵PID:3764
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exe1⤵PID:4360
-
C:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exeC:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exe2⤵PID:3476
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exe .1⤵PID:1672
-
C:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exeC:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exe .2⤵PID:4552
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\bryxiuogrikprerz.exe*."3⤵PID:4396
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exe .1⤵PID:4044
-
C:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exeC:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exe .2⤵PID:4124
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\izhhtgbugybhkymvu.exe*."3⤵PID:984
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exe1⤵PID:2824
-
C:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exeC:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exe2⤵PID:560
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exe1⤵PID:4440
-
C:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exeC:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exe2⤵PID:3772
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe .1⤵PID:2844
-
C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exeC:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe .2⤵
- Checks computer location settings
PID:3132 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\cvfhvkhcqkpxcsitudg.exe*."3⤵PID:2504
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exe .1⤵PID:3460
-
C:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exeC:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exe .2⤵
- Checks computer location settings
PID:3972 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\bryxiuogrikprerz.exe*."3⤵PID:4836
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ezlpfwvsielvcumzcnsnz.exe1⤵PID:4232
-
C:\Windows\ezlpfwvsielvcumzcnsnz.exeezlpfwvsielvcumzcnsnz.exe2⤵PID:3532
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cvfhvkhcqkpxcsitudg.exe .1⤵PID:2176
-
C:\Windows\cvfhvkhcqkpxcsitudg.execvfhvkhcqkpxcsitudg.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2980 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\cvfhvkhcqkpxcsitudg.exe*."3⤵PID:3084
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ezlpfwvsielvcumzcnsnz.exe1⤵PID:3044
-
C:\Windows\ezlpfwvsielvcumzcnsnz.exeezlpfwvsielvcumzcnsnz.exe2⤵PID:3276
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c izhhtgbugybhkymvu.exe .1⤵PID:772
-
C:\Windows\izhhtgbugybhkymvu.exeizhhtgbugybhkymvu.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2524 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\izhhtgbugybhkymvu.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3420
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjuxmcawlgmvbsjvxhlf.exe1⤵PID:216
-
C:\Users\Admin\AppData\Local\Temp\pjuxmcawlgmvbsjvxhlf.exeC:\Users\Admin\AppData\Local\Temp\pjuxmcawlgmvbsjvxhlf.exe2⤵PID:4652
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exe .1⤵PID:560
-
C:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exeC:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4188 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\izhhtgbugybhkymvu.exe*."3⤵PID:3364
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exe1⤵PID:4112
-
C:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exeC:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exe2⤵PID:2072
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exe .1⤵PID:2192
-
C:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exeC:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exe .2⤵
- Checks computer location settings
PID:1756 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\rjstguqkxqubfujttb.exe*."3⤵PID:3132
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c izhhtgbugybhkymvu.exe1⤵PID:2236
-
C:\Windows\izhhtgbugybhkymvu.exeizhhtgbugybhkymvu.exe2⤵PID:1864
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c izhhtgbugybhkymvu.exe .1⤵PID:3972
-
C:\Windows\izhhtgbugybhkymvu.exeizhhtgbugybhkymvu.exe .2⤵
- Checks computer location settings
PID:2768 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\izhhtgbugybhkymvu.exe*."3⤵PID:3976
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bryxiuogrikprerz.exe1⤵PID:1640
-
C:\Windows\bryxiuogrikprerz.exebryxiuogrikprerz.exe2⤵PID:4892
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c izhhtgbugybhkymvu.exe .1⤵PID:4272
-
C:\Windows\izhhtgbugybhkymvu.exeizhhtgbugybhkymvu.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2980 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\izhhtgbugybhkymvu.exe*."3⤵PID:1536
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exe1⤵PID:2224
-
C:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exeC:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exe2⤵PID:3784
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exe .1⤵PID:2108
-
C:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exeC:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2664 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\izhhtgbugybhkymvu.exe*."3⤵PID:1896
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exe1⤵PID:752
-
C:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exeC:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exe2⤵PID:4080
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjuxmcawlgmvbsjvxhlf.exe .1⤵PID:1936
-
C:\Users\Admin\AppData\Local\Temp\pjuxmcawlgmvbsjvxhlf.exeC:\Users\Admin\AppData\Local\Temp\pjuxmcawlgmvbsjvxhlf.exe .2⤵
- Checks computer location settings
PID:3800 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\pjuxmcawlgmvbsjvxhlf.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3644
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c izhhtgbugybhkymvu.exe1⤵PID:4048
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2960
-
-
C:\Windows\izhhtgbugybhkymvu.exeizhhtgbugybhkymvu.exe2⤵PID:376
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bryxiuogrikprerz.exe .1⤵PID:4956
-
C:\Windows\bryxiuogrikprerz.exebryxiuogrikprerz.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4092 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\bryxiuogrikprerz.exe*."3⤵PID:3956
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pjuxmcawlgmvbsjvxhlf.exe1⤵PID:2320
-
C:\Windows\pjuxmcawlgmvbsjvxhlf.exepjuxmcawlgmvbsjvxhlf.exe2⤵PID:4288
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bryxiuogrikprerz.exe .1⤵PID:2884
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3288
-
-
C:\Windows\bryxiuogrikprerz.exebryxiuogrikprerz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:636 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\bryxiuogrikprerz.exe*."3⤵PID:5012
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exe1⤵PID:2236
-
C:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exeC:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exe2⤵PID:3636
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe .1⤵PID:2888
-
C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exeC:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4416 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\cvfhvkhcqkpxcsitudg.exe*."3⤵PID:1088
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe1⤵PID:4892
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5068
-
-
C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exeC:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe2⤵PID:3432
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exe .1⤵PID:3460
-
C:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exeC:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exe .2⤵
- Checks computer location settings
PID:2224 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\izhhtgbugybhkymvu.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3436
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bryxiuogrikprerz.exe1⤵PID:1884
-
C:\Windows\bryxiuogrikprerz.exebryxiuogrikprerz.exe2⤵PID:2112
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rjstguqkxqubfujttb.exe .1⤵PID:2296
-
C:\Windows\rjstguqkxqubfujttb.exerjstguqkxqubfujttb.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2104 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\rjstguqkxqubfujttb.exe*."3⤵PID:3420
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cvfhvkhcqkpxcsitudg.exe1⤵PID:1044
-
C:\Windows\cvfhvkhcqkpxcsitudg.execvfhvkhcqkpxcsitudg.exe2⤵PID:1008
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c izhhtgbugybhkymvu.exe .1⤵PID:3232
-
C:\Windows\izhhtgbugybhkymvu.exeizhhtgbugybhkymvu.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:896 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\izhhtgbugybhkymvu.exe*."3⤵PID:2488
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe1⤵PID:2524
-
C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exeC:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe2⤵PID:4852
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exe .1⤵PID:3248
-
C:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exeC:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exe .2⤵
- Checks computer location settings
PID:2852 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\rjstguqkxqubfujttb.exe*."3⤵PID:4584
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjuxmcawlgmvbsjvxhlf.exe1⤵PID:4940
-
C:\Users\Admin\AppData\Local\Temp\pjuxmcawlgmvbsjvxhlf.exeC:\Users\Admin\AppData\Local\Temp\pjuxmcawlgmvbsjvxhlf.exe2⤵PID:5084
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exe .1⤵PID:3820
-
C:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exeC:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exe .2⤵
- Checks computer location settings
PID:2264 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\bryxiuogrikprerz.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- System policy modification
PID:2804
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pjuxmcawlgmvbsjvxhlf.exe1⤵PID:3796
-
C:\Windows\pjuxmcawlgmvbsjvxhlf.exepjuxmcawlgmvbsjvxhlf.exe2⤵PID:2504
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ezlpfwvsielvcumzcnsnz.exe .1⤵PID:768
-
C:\Windows\ezlpfwvsielvcumzcnsnz.exeezlpfwvsielvcumzcnsnz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4844 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ezlpfwvsielvcumzcnsnz.exe*."3⤵PID:3268
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cvfhvkhcqkpxcsitudg.exe1⤵PID:1908
-
C:\Windows\cvfhvkhcqkpxcsitudg.execvfhvkhcqkpxcsitudg.exe2⤵PID:772
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c izhhtgbugybhkymvu.exe .1⤵PID:3044
-
C:\Windows\izhhtgbugybhkymvu.exeizhhtgbugybhkymvu.exe .2⤵
- Checks computer location settings
PID:4848 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\izhhtgbugybhkymvu.exe*."3⤵PID:1732
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjuxmcawlgmvbsjvxhlf.exe1⤵PID:4784
-
C:\Users\Admin\AppData\Local\Temp\pjuxmcawlgmvbsjvxhlf.exeC:\Users\Admin\AppData\Local\Temp\pjuxmcawlgmvbsjvxhlf.exe2⤵PID:2664
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exe .1⤵PID:2592
-
C:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exeC:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exe .2⤵
- Checks computer location settings
PID:4328 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ezlpfwvsielvcumzcnsnz.exe*."3⤵PID:3420
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjuxmcawlgmvbsjvxhlf.exe1⤵PID:5076
-
C:\Users\Admin\AppData\Local\Temp\pjuxmcawlgmvbsjvxhlf.exeC:\Users\Admin\AppData\Local\Temp\pjuxmcawlgmvbsjvxhlf.exe2⤵PID:1044
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exe .1⤵PID:2444
-
C:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exeC:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3364 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\rjstguqkxqubfujttb.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4048
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ezlpfwvsielvcumzcnsnz.exe1⤵PID:3996
-
C:\Windows\ezlpfwvsielvcumzcnsnz.exeezlpfwvsielvcumzcnsnz.exe2⤵PID:3548
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cvfhvkhcqkpxcsitudg.exe .1⤵PID:4584
-
C:\Windows\cvfhvkhcqkpxcsitudg.execvfhvkhcqkpxcsitudg.exe .2⤵
- Checks computer location settings
PID:3248 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\cvfhvkhcqkpxcsitudg.exe*."3⤵PID:4580
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rjstguqkxqubfujttb.exe1⤵PID:4436
-
C:\Windows\rjstguqkxqubfujttb.exerjstguqkxqubfujttb.exe2⤵PID:4384
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cvfhvkhcqkpxcsitudg.exe .1⤵PID:4820
-
C:\Windows\cvfhvkhcqkpxcsitudg.execvfhvkhcqkpxcsitudg.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4928 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\cvfhvkhcqkpxcsitudg.exe*."3⤵PID:852
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exe1⤵PID:3820
-
C:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exeC:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exe2⤵PID:3356
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe .1⤵PID:2984
-
C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exeC:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe .2⤵
- Checks computer location settings
PID:1440 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\cvfhvkhcqkpxcsitudg.exe*."3⤵PID:4872
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exe1⤵PID:3776
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1088
-
-
C:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exeC:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exe2⤵PID:2100
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe .1⤵PID:632
-
C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exeC:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe .2⤵
- Checks computer location settings
PID:1732 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\cvfhvkhcqkpxcsitudg.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2432
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cvfhvkhcqkpxcsitudg.exe1⤵PID:2368
-
C:\Windows\cvfhvkhcqkpxcsitudg.execvfhvkhcqkpxcsitudg.exe2⤵PID:3084
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cvfhvkhcqkpxcsitudg.exe1⤵PID:1860
-
C:\Windows\cvfhvkhcqkpxcsitudg.execvfhvkhcqkpxcsitudg.exe2⤵PID:2936
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bryxiuogrikprerz.exe .1⤵PID:2700
-
C:\Windows\bryxiuogrikprerz.exebryxiuogrikprerz.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4832 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\bryxiuogrikprerz.exe*."3⤵PID:2872
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bryxiuogrikprerz.exe .1⤵PID:2176
-
C:\Windows\bryxiuogrikprerz.exebryxiuogrikprerz.exe .2⤵
- Checks computer location settings
PID:1868 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\bryxiuogrikprerz.exe*."3⤵PID:4092
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c izhhtgbugybhkymvu.exe1⤵PID:1956
-
C:\Windows\izhhtgbugybhkymvu.exeizhhtgbugybhkymvu.exe2⤵PID:3048
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cvfhvkhcqkpxcsitudg.exe1⤵PID:376
-
C:\Windows\cvfhvkhcqkpxcsitudg.execvfhvkhcqkpxcsitudg.exe2⤵PID:4876
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c izhhtgbugybhkymvu.exe .1⤵PID:1716
-
C:\Windows\izhhtgbugybhkymvu.exeizhhtgbugybhkymvu.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4844 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\izhhtgbugybhkymvu.exe*."3⤵PID:4776
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c izhhtgbugybhkymvu.exe .1⤵PID:4364
-
C:\Windows\izhhtgbugybhkymvu.exeizhhtgbugybhkymvu.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5108 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\izhhtgbugybhkymvu.exe*."3⤵PID:3280
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe1⤵PID:2172
-
C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exeC:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe2⤵PID:4608
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exe1⤵PID:2484
-
C:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exeC:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exe2⤵PID:3412
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ezlpfwvsielvcumzcnsnz.exe1⤵PID:2320
-
C:\Windows\ezlpfwvsielvcumzcnsnz.exeezlpfwvsielvcumzcnsnz.exe2⤵PID:1664
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exe .1⤵PID:3636
-
C:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exeC:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exe .2⤵
- Checks computer location settings
PID:4356 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ezlpfwvsielvcumzcnsnz.exe*."3⤵PID:3724
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe .1⤵PID:2464
-
C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exeC:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4792 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\cvfhvkhcqkpxcsitudg.exe*."3⤵PID:3404
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c izhhtgbugybhkymvu.exe .1⤵PID:560
-
C:\Windows\izhhtgbugybhkymvu.exeizhhtgbugybhkymvu.exe .2⤵
- Checks computer location settings
PID:1600 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\izhhtgbugybhkymvu.exe*."3⤵PID:4224
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjuxmcawlgmvbsjvxhlf.exe1⤵PID:4892
-
C:\Users\Admin\AppData\Local\Temp\pjuxmcawlgmvbsjvxhlf.exeC:\Users\Admin\AppData\Local\Temp\pjuxmcawlgmvbsjvxhlf.exe2⤵PID:2592
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exe1⤵PID:2252
-
C:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exeC:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exe2⤵PID:3628
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ezlpfwvsielvcumzcnsnz.exe1⤵PID:4408
-
C:\Windows\ezlpfwvsielvcumzcnsnz.exeezlpfwvsielvcumzcnsnz.exe2⤵PID:3040
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exe .1⤵PID:3632
-
C:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exeC:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exe .2⤵PID:5040
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\izhhtgbugybhkymvu.exe*."3⤵PID:1936
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjuxmcawlgmvbsjvxhlf.exe .1⤵PID:4236
-
C:\Users\Admin\AppData\Local\Temp\pjuxmcawlgmvbsjvxhlf.exeC:\Users\Admin\AppData\Local\Temp\pjuxmcawlgmvbsjvxhlf.exe .2⤵
- System Location Discovery: System Language Discovery
PID:336 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\pjuxmcawlgmvbsjvxhlf.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4044
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ezlpfwvsielvcumzcnsnz.exe .1⤵PID:5020
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1572
-
-
C:\Windows\ezlpfwvsielvcumzcnsnz.exeezlpfwvsielvcumzcnsnz.exe .2⤵PID:2760
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ezlpfwvsielvcumzcnsnz.exe*."3⤵PID:4352
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exe1⤵PID:2872
-
C:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exeC:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exe2⤵PID:4844
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exe .1⤵PID:2352
-
C:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exeC:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3796 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\bryxiuogrikprerz.exe*."3⤵PID:3808
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exe1⤵PID:2960
-
C:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exeC:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exe2⤵PID:5008
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exe .1⤵PID:2412
-
C:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exeC:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3280 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\izhhtgbugybhkymvu.exe*."3⤵PID:1716
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rjstguqkxqubfujttb.exe1⤵PID:2544
-
C:\Windows\rjstguqkxqubfujttb.exerjstguqkxqubfujttb.exe2⤵PID:3352
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pjuxmcawlgmvbsjvxhlf.exe .1⤵PID:632
-
C:\Windows\pjuxmcawlgmvbsjvxhlf.exepjuxmcawlgmvbsjvxhlf.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1560 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\pjuxmcawlgmvbsjvxhlf.exe*."3⤵PID:944
-
-
-
C:\Windows\System32\sihclient.exe | C:\Windows\System32\sihclient.exe /cv ogDARiFHyk6iucDK/+KuLw.0.2 | level 1 | PID:3140
Note: listed at level 1 with no parent in the sample's tree; this looks like Windows Update's Silent Installer Host client running on its own schedule during the analysis window rather than anything launched by the sample — confirm its parent and creation time before treating it as related. PID 3140 is reused later in this run by a bchmy.exe instance.
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c izhhtgbugybhkymvu.exe1⤵PID:4856
-
C:\Windows\izhhtgbugybhkymvu.exeizhhtgbugybhkymvu.exe2⤵PID:2368
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bryxiuogrikprerz.exe .1⤵PID:3672
-
C:\Windows\bryxiuogrikprerz.exebryxiuogrikprerz.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4836 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\bryxiuogrikprerz.exe*."3⤵PID:3996
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exe1⤵PID:3276
-
C:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exeC:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exe2⤵PID:4416
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exe .1⤵PID:2760
-
C:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exeC:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exe .2⤵
- Checks computer location settings
PID:100 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ezlpfwvsielvcumzcnsnz.exe*."3⤵PID:4344
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exe1⤵PID:2700
-
C:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exeC:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exe2⤵PID:1032
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exe .1⤵PID:4868
-
C:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exeC:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4892 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\rjstguqkxqubfujttb.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1884
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ezlpfwvsielvcumzcnsnz.exe1⤵PID:2532
-
C:\Windows\ezlpfwvsielvcumzcnsnz.exe | ezlpfwvsielvcumzcnsnz.exe | level 2 | PID:5040
Note: PID 5040 is held by three different images in this report (an izhhtgbugybhkymvu.exe instance earlier, this ezlpfwvsielvcumzcnsnz.exe instance, and a bchmy.exe instance later). Windows recycles PIDs quickly at this spawn rate, so correlate events by image path plus parent and timestamp, not by PID alone.
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rjstguqkxqubfujttb.exe .1⤵PID:1436
-
C:\Windows\rjstguqkxqubfujttb.exerjstguqkxqubfujttb.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4008 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\rjstguqkxqubfujttb.exe*."3⤵PID:3432
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cvfhvkhcqkpxcsitudg.exe1⤵PID:2444
-
C:\Windows\cvfhvkhcqkpxcsitudg.execvfhvkhcqkpxcsitudg.exe2⤵PID:4876
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c izhhtgbugybhkymvu.exe .1⤵PID:2804
-
C:\Windows\izhhtgbugybhkymvu.exeizhhtgbugybhkymvu.exe .2⤵PID:2464
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\izhhtgbugybhkymvu.exe*."3⤵PID:3056
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjuxmcawlgmvbsjvxhlf.exe1⤵PID:852
-
C:\Users\Admin\AppData\Local\Temp\pjuxmcawlgmvbsjvxhlf.exeC:\Users\Admin\AppData\Local\Temp\pjuxmcawlgmvbsjvxhlf.exe2⤵PID:1604
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exe .1⤵PID:3232
-
C:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exeC:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exe .2⤵PID:1440
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\bryxiuogrikprerz.exe*."3⤵PID:3364
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjuxmcawlgmvbsjvxhlf.exe1⤵PID:3996
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3956
-
-
C:\Users\Admin\AppData\Local\Temp\pjuxmcawlgmvbsjvxhlf.exeC:\Users\Admin\AppData\Local\Temp\pjuxmcawlgmvbsjvxhlf.exe2⤵PID:4988
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjuxmcawlgmvbsjvxhlf.exe .1⤵PID:4272
-
C:\Users\Admin\AppData\Local\Temp\pjuxmcawlgmvbsjvxhlf.exeC:\Users\Admin\AppData\Local\Temp\pjuxmcawlgmvbsjvxhlf.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3772 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\pjuxmcawlgmvbsjvxhlf.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1880
-
-
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding | level 1 | PID:100
Note: TiWorker.exe started with -Embedding is COM-activated (Windows Modules Installer worker); it is at level 1 and not attributed to the sample's tree, presumably background servicing in the sandbox image — confirm before counting it as sample activity. PID 100 was held earlier by an ezlpfwvsielvcumzcnsnz.exe instance, another sign that PIDs are recycled in this run.
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rjstguqkxqubfujttb.exe1⤵PID:3616
-
C:\Windows\rjstguqkxqubfujttb.exerjstguqkxqubfujttb.exe2⤵PID:3004
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c izhhtgbugybhkymvu.exe .1⤵PID:3272
-
C:\Windows\izhhtgbugybhkymvu.exeizhhtgbugybhkymvu.exe .2⤵
- Checks computer location settings
PID:1020 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\izhhtgbugybhkymvu.exe*."3⤵PID:3108
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c izhhtgbugybhkymvu.exe1⤵PID:1936
-
C:\Windows\izhhtgbugybhkymvu.exeizhhtgbugybhkymvu.exe2⤵PID:3744
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pjuxmcawlgmvbsjvxhlf.exe .1⤵PID:4920
-
C:\Windows\pjuxmcawlgmvbsjvxhlf.exepjuxmcawlgmvbsjvxhlf.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3432 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\pjuxmcawlgmvbsjvxhlf.exe*."3⤵PID:1616
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe1⤵PID:5116
-
C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exeC:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe2⤵PID:1860
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exe .1⤵PID:2404
-
C:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exeC:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3820 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\bryxiuogrikprerz.exe*."3⤵PID:4596
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exe1⤵PID:2600
-
C:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exeC:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exe2⤵PID:2100
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjuxmcawlgmvbsjvxhlf.exe .1⤵PID:712
-
C:\Users\Admin\AppData\Local\Temp\pjuxmcawlgmvbsjvxhlf.exeC:\Users\Admin\AppData\Local\Temp\pjuxmcawlgmvbsjvxhlf.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4856 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\pjuxmcawlgmvbsjvxhlf.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2192
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cvfhvkhcqkpxcsitudg.exe1⤵PID:3260
-
C:\Windows\cvfhvkhcqkpxcsitudg.execvfhvkhcqkpxcsitudg.exe2⤵PID:636
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cvfhvkhcqkpxcsitudg.exe .1⤵PID:872
-
C:\Windows\cvfhvkhcqkpxcsitudg.execvfhvkhcqkpxcsitudg.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1284 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\cvfhvkhcqkpxcsitudg.exe*."3⤵PID:2380
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pjuxmcawlgmvbsjvxhlf.exe1⤵PID:4344
-
C:\Windows\pjuxmcawlgmvbsjvxhlf.exepjuxmcawlgmvbsjvxhlf.exe2⤵PID:3080
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pjuxmcawlgmvbsjvxhlf.exe .1⤵PID:1256
-
C:\Windows\pjuxmcawlgmvbsjvxhlf.exepjuxmcawlgmvbsjvxhlf.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2072 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\pjuxmcawlgmvbsjvxhlf.exe*."3⤵PID:4188
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exe1⤵PID:2700
-
C:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exeC:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exe2⤵PID:3976
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe .1⤵PID:3616
-
C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exeC:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe .2⤵
- Checks computer location settings
PID:1364 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\cvfhvkhcqkpxcsitudg.exe*."3⤵PID:4084
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exe1⤵PID:3132
-
C:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exeC:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exe2⤵PID:3632
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exe .1⤵PID:4008
-
C:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exeC:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4828 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ezlpfwvsielvcumzcnsnz.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4788
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cvfhvkhcqkpxcsitudg.exe1⤵PID:3356
-
C:\Windows\cvfhvkhcqkpxcsitudg.execvfhvkhcqkpxcsitudg.exe2⤵PID:2904
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c izhhtgbugybhkymvu.exe .1⤵PID:1940
-
C:\Windows\izhhtgbugybhkymvu.exeizhhtgbugybhkymvu.exe .2⤵PID:1052
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\izhhtgbugybhkymvu.exe*."3⤵PID:2464
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bryxiuogrikprerz.exe1⤵PID:1916
-
C:\Windows\bryxiuogrikprerz.exebryxiuogrikprerz.exe2⤵PID:1720
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cvfhvkhcqkpxcsitudg.exe .1⤵PID:3056
-
C:\Windows\cvfhvkhcqkpxcsitudg.execvfhvkhcqkpxcsitudg.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:840 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\cvfhvkhcqkpxcsitudg.exe*."3⤵PID:1956
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe1⤵PID:1448
-
C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exeC:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe2⤵PID:1440
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exe .1⤵PID:3048
-
C:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exeC:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exe .2⤵PID:2612
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\izhhtgbugybhkymvu.exe*."3⤵PID:432
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjuxmcawlgmvbsjvxhlf.exe1⤵PID:3872
-
C:\Users\Admin\AppData\Local\Temp\pjuxmcawlgmvbsjvxhlf.exeC:\Users\Admin\AppData\Local\Temp\pjuxmcawlgmvbsjvxhlf.exe2⤵PID:3420
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exe .1⤵PID:4996
-
C:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exeC:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:632 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\rjstguqkxqubfujttb.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4932
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bryxiuogrikprerz.exe1⤵PID:4844
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3976
-
-
C:\Windows\bryxiuogrikprerz.exebryxiuogrikprerz.exe2⤵PID:5108
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c izhhtgbugybhkymvu.exe .1⤵PID:4872
-
C:\Windows\izhhtgbugybhkymvu.exeizhhtgbugybhkymvu.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4496 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\izhhtgbugybhkymvu.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- System policy modification
PID:4916 -
C:\Users\Admin\AppData\Local\Temp\bchmy.exe"C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\windows\izhhtgbugybhkymvu.exe"4⤵PID:5020
-
-
C:\Users\Admin\AppData\Local\Temp\bchmy.exe"C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\windows\izhhtgbugybhkymvu.exe"4⤵PID:2428
-
-
C:\Users\Admin\AppData\Local\Temp\bchmy.exe"C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\windows\izhhtgbugybhkymvu.exe"4⤵PID:4072
-
-
C:\Users\Admin\AppData\Local\Temp\bchmy.exe"C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\windows\izhhtgbugybhkymvu.exe"4⤵PID:1060
-
-
C:\Users\Admin\AppData\Local\Temp\bchmy.exe"C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\windows\izhhtgbugybhkymvu.exe"4⤵PID:840
-
-
C:\Users\Admin\AppData\Local\Temp\bchmy.exe"C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\windows\izhhtgbugybhkymvu.exe"4⤵PID:1668
-
-
C:\Users\Admin\AppData\Local\Temp\bchmy.exe"C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\windows\izhhtgbugybhkymvu.exe"4⤵PID:3928
-
-
C:\Users\Admin\AppData\Local\Temp\bchmy.exe"C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\windows\izhhtgbugybhkymvu.exe"4⤵PID:4928
-
-
C:\Users\Admin\AppData\Local\Temp\bchmy.exe"C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\windows\izhhtgbugybhkymvu.exe"4⤵PID:4384
-
-
C:\Users\Admin\AppData\Local\Temp\bchmy.exe"C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\windows\izhhtgbugybhkymvu.exe"4⤵PID:2020
-
-
C:\Users\Admin\AppData\Local\Temp\bchmy.exe"C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\windows\izhhtgbugybhkymvu.exe"4⤵PID:4476
-
-
C:\Users\Admin\AppData\Local\Temp\bchmy.exe"C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\windows\izhhtgbugybhkymvu.exe"4⤵PID:3680
-
-
C:\Users\Admin\AppData\Local\Temp\bchmy.exe"C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\windows\izhhtgbugybhkymvu.exe"4⤵PID:4084
-
-
C:\Users\Admin\AppData\Local\Temp\bchmy.exe"C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\windows\izhhtgbugybhkymvu.exe"4⤵PID:3812
-
-
C:\Users\Admin\AppData\Local\Temp\bchmy.exe"C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\windows\izhhtgbugybhkymvu.exe"4⤵PID:3328
-
-
C:\Users\Admin\AppData\Local\Temp\bchmy.exe"C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\windows\izhhtgbugybhkymvu.exe"4⤵PID:4584
-
-
C:\Users\Admin\AppData\Local\Temp\bchmy.exe"C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\windows\izhhtgbugybhkymvu.exe"4⤵PID:2700
-
-
C:\Users\Admin\AppData\Local\Temp\bchmy.exe"C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\windows\izhhtgbugybhkymvu.exe"4⤵PID:4328
-
-
C:\Users\Admin\AppData\Local\Temp\bchmy.exe"C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\windows\izhhtgbugybhkymvu.exe"4⤵PID:4740
-
-
C:\Users\Admin\AppData\Local\Temp\bchmy.exe"C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\windows\izhhtgbugybhkymvu.exe"4⤵PID:1940
-
-
C:\Users\Admin\AppData\Local\Temp\bchmy.exe"C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\windows\izhhtgbugybhkymvu.exe"4⤵PID:2928
-
-
C:\Users\Admin\AppData\Local\Temp\bchmy.exe"C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\windows\izhhtgbugybhkymvu.exe"4⤵PID:3436
-
-
C:\Users\Admin\AppData\Local\Temp\bchmy.exe"C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\windows\izhhtgbugybhkymvu.exe"4⤵PID:4840
-
-
C:\Users\Admin\AppData\Local\Temp\bchmy.exe"C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\windows\izhhtgbugybhkymvu.exe"4⤵PID:3140
-
-
C:\Users\Admin\AppData\Local\Temp\bchmy.exe"C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\windows\izhhtgbugybhkymvu.exe"4⤵PID:2484
-
-
C:\Users\Admin\AppData\Local\Temp\bchmy.exe"C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\windows\izhhtgbugybhkymvu.exe"4⤵PID:3288
-
-
C:\Users\Admin\AppData\Local\Temp\bchmy.exe"C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\windows\izhhtgbugybhkymvu.exe"4⤵PID:2160
-
-
C:\Users\Admin\AppData\Local\Temp\bchmy.exe"C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\windows\izhhtgbugybhkymvu.exe"4⤵PID:2428
-
-
C:\Users\Admin\AppData\Local\Temp\bchmy.exe"C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\windows\izhhtgbugybhkymvu.exe"4⤵PID:4972
-
-
C:\Users\Admin\AppData\Local\Temp\bchmy.exe"C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\windows\izhhtgbugybhkymvu.exe"4⤵PID:3188
-
-
C:\Users\Admin\AppData\Local\Temp\bchmy.exe"C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\windows\izhhtgbugybhkymvu.exe"4⤵PID:3680
-
-
C:\Users\Admin\AppData\Local\Temp\bchmy.exe | "C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\windows\izhhtgbugybhkymvu.exe" | level 4 | PID:3812
Note: this is the 32nd identical bchmy.exe launch under bbygorkllli.exe PID 4916, all with the same "-c:\windows\izhhtgbugybhkymvu.exe" argument; PIDs 2428, 3680 and 3812 each appear twice within the run, so these are short-lived processes being relaunched rather than 32 concurrent ones. A detection for this stage should match parent image bbygorkllli.exe plus a child command line of the form "<path>\bchmy.exe" "-<path>.exe", not a process count or PIDs.
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ezlpfwvsielvcumzcnsnz.exe1⤵PID:4860
-
C:\Windows\ezlpfwvsielvcumzcnsnz.exeezlpfwvsielvcumzcnsnz.exe2⤵PID:4792
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pjuxmcawlgmvbsjvxhlf.exe .1⤵PID:1104
-
C:\Windows\pjuxmcawlgmvbsjvxhlf.exepjuxmcawlgmvbsjvxhlf.exe .2⤵
- Checks computer location settings
PID:3680 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\pjuxmcawlgmvbsjvxhlf.exe*."3⤵PID:1640
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exe1⤵PID:2844
-
C:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exeC:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exe2⤵PID:1916
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exe .1⤵PID:3800
-
C:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exeC:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4088 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\izhhtgbugybhkymvu.exe*."3⤵PID:2184
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rjstguqkxqubfujttb.exe1⤵PID:4740
-
C:\Windows\rjstguqkxqubfujttb.exerjstguqkxqubfujttb.exe2⤵PID:632
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bryxiuogrikprerz.exe1⤵PID:1936
-
C:\Windows\bryxiuogrikprerz.exebryxiuogrikprerz.exe2⤵PID:3284
-
-
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ykaqnyldtjkprerz.exe | level 1 | PID:3356
-
C:\Windows\ykaqnyldtjkprerz.exe | ykaqnyldtjkprerz.exe | level 2
- System Location Discovery: System Language Discovery
PID:3924
Note: ykaqnyldtjkprerz.exe is a file name not seen earlier in the tree, and its tail matches bryxiuogrikprerz.exe; the later new names fsjaykyrizbhkymvu.exe, bsnikaspkflvcumzcnpgb.exe and mcwqrgxtnhmvbsjvxhiy.exe likewise share substrings with izhhtgbugybhkymvu.exe, ezlpfwvsielvcumzcnsnz.exe and pjuxmcawlgmvbsjvxhlf.exe. Since the names vary within a single run, file-name and per-file-hash IOCs will not be stable; key detection on the behaviour instead (Winlogon Shell and policy Run-key writes, drops into C:\Windows, and the cmd.exe /c <name>.exe [.] launch pattern).
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bryxiuogrikprerz.exe .1⤵PID:2960
-
C:\Windows\bryxiuogrikprerz.exebryxiuogrikprerz.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4868 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\bryxiuogrikprerz.exe*."3⤵PID:3584
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe1⤵PID:3460
-
C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exeC:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe2⤵PID:3004
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cvfhvkhcqkpxcsitudg.exe .1⤵PID:3412
-
C:\Windows\cvfhvkhcqkpxcsitudg.execvfhvkhcqkpxcsitudg.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2424 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\cvfhvkhcqkpxcsitudg.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3636
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exe .1⤵PID:4348
-
C:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exeC:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exe .2⤵PID:4008
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\rjstguqkxqubfujttb.exe*."3⤵PID:3284
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ykaqnyldtjkprerz.exe .1⤵PID:4260
-
C:\Windows\ykaqnyldtjkprerz.exeykaqnyldtjkprerz.exe .2⤵PID:2448
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ykaqnyldtjkprerz.exe*."3⤵PID:2504
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cvfhvkhcqkpxcsitudg.exe1⤵PID:4988
-
C:\Windows\cvfhvkhcqkpxcsitudg.execvfhvkhcqkpxcsitudg.exe2⤵PID:3188
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ezlpfwvsielvcumzcnsnz.exe1⤵PID:5068
-
C:\Windows\ezlpfwvsielvcumzcnsnz.exeezlpfwvsielvcumzcnsnz.exe2⤵PID:3356
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c izhhtgbugybhkymvu.exe .1⤵PID:2524
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3420
-
-
C:\Windows\izhhtgbugybhkymvu.exeizhhtgbugybhkymvu.exe .2⤵PID:3048
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\izhhtgbugybhkymvu.exe*."3⤵PID:5012
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cvfhvkhcqkpxcsitudg.exe .1⤵PID:4972
-
C:\Windows\cvfhvkhcqkpxcsitudg.execvfhvkhcqkpxcsitudg.exe .2⤵
- System Location Discovery: System Language Discovery
PID:180 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\cvfhvkhcqkpxcsitudg.exe*."3⤵PID:4232
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ykaqnyldtjkprerz.exe1⤵PID:5020
-
C:\Windows\ykaqnyldtjkprerz.exeykaqnyldtjkprerz.exe2⤵PID:3616
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exe1⤵PID:1984
-
C:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exeC:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exe2⤵PID:460
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fsjaykyrizbhkymvu.exe .1⤵PID:4892
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2072
-
-
C:\Windows\fsjaykyrizbhkymvu.exefsjaykyrizbhkymvu.exe .2⤵PID:3356
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\fsjaykyrizbhkymvu.exe*."3⤵PID:1864
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exe1⤵PID:2592
-
C:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exeC:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exe2⤵PID:3412
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe .1⤵PID:896
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4188
-
-
C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exeC:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe .2⤵PID:4608
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\cvfhvkhcqkpxcsitudg.exe*."3⤵PID:4836
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsnikaspkflvcumzcnpgb.exe1⤵PID:4148
-
C:\Users\Admin\AppData\Local\Temp\bsnikaspkflvcumzcnpgb.exeC:\Users\Admin\AppData\Local\Temp\bsnikaspkflvcumzcnpgb.exe2⤵
- System Location Discovery: System Language Discovery
PID:4460
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exe .1⤵PID:2980
-
C:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exeC:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exe .2⤵PID:3820
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ezlpfwvsielvcumzcnsnz.exe*."3⤵PID:3276
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcwqrgxtnhmvbsjvxhiy.exe .1⤵PID:336
-
C:\Users\Admin\AppData\Local\Temp\mcwqrgxtnhmvbsjvxhiy.exeC:\Users\Admin\AppData\Local\Temp\mcwqrgxtnhmvbsjvxhiy.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3744 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\mcwqrgxtnhmvbsjvxhiy.exe*."3⤵PID:376
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe1⤵PID:760
-
C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exeC:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe2⤵PID:1444
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exe .1⤵PID:1104
-
C:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exeC:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exe .2⤵PID:2984
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\bryxiuogrikprerz.exe*."3⤵PID:2388
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe1⤵PID:4040
-
C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exeC:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe2⤵PID:3260
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsnikaspkflvcumzcnpgb.exe1⤵PID:4660
-
C:\Users\Admin\AppData\Local\Temp\bsnikaspkflvcumzcnpgb.exeC:\Users\Admin\AppData\Local\Temp\bsnikaspkflvcumzcnpgb.exe2⤵PID:4260
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exe .1⤵PID:3212
-
C:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exeC:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exe .2⤵PID:1672
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\izhhtgbugybhkymvu.exe*."3⤵PID:1864
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fsjaykyrizbhkymvu.exe .1⤵PID:4828
-
C:\Users\Admin\AppData\Local\Temp\fsjaykyrizbhkymvu.exeC:\Users\Admin\AppData\Local\Temp\fsjaykyrizbhkymvu.exe .2⤵PID:1572
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\fsjaykyrizbhkymvu.exe*."3⤵PID:3928
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cvfhvkhcqkpxcsitudg.exe1⤵PID:4776
-
C:\Windows\cvfhvkhcqkpxcsitudg.execvfhvkhcqkpxcsitudg.exe2⤵PID:560
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pjuxmcawlgmvbsjvxhlf.exe .1⤵PID:4988
-
C:\Windows\pjuxmcawlgmvbsjvxhlf.exepjuxmcawlgmvbsjvxhlf.exe .2⤵PID:3260
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\pjuxmcawlgmvbsjvxhlf.exe*."3⤵PID:2160
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ezlpfwvsielvcumzcnsnz.exe1⤵PID:2464
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4848
-
-
C:\Windows\ezlpfwvsielvcumzcnsnz.exeezlpfwvsielvcumzcnsnz.exe2⤵PID:4440
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pjuxmcawlgmvbsjvxhlf.exe .1⤵PID:3352
-
C:\Windows\pjuxmcawlgmvbsjvxhlf.exepjuxmcawlgmvbsjvxhlf.exe .2⤵PID:4436
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\pjuxmcawlgmvbsjvxhlf.exe*."3⤵PID:3132
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exe1⤵PID:3432
-
C:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exeC:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exe2⤵PID:4112
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exe .1⤵PID:1364
-
C:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exeC:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exe .2⤵PID:2532
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\izhhtgbugybhkymvu.exe*."3⤵PID:4960
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exe1⤵PID:4820
-
C:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exeC:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exe2⤵PID:5008
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe .1⤵PID:3820
-
C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exeC:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe .2⤵PID:1984
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\cvfhvkhcqkpxcsitudg.exe*."3⤵PID:4496
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bryxiuogrikprerz.exe1⤵PID:2984
-
C:\Windows\bryxiuogrikprerz.exebryxiuogrikprerz.exe2⤵PID:752
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c izhhtgbugybhkymvu.exe .1⤵PID:4596
-
C:\Windows\izhhtgbugybhkymvu.exeizhhtgbugybhkymvu.exe .2⤵PID:2980
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\izhhtgbugybhkymvu.exe*."3⤵PID:2436
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cvfhvkhcqkpxcsitudg.exe1⤵PID:4852
-
C:\Windows\cvfhvkhcqkpxcsitudg.execvfhvkhcqkpxcsitudg.exe2⤵PID:4244
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bryxiuogrikprerz.exe .1⤵PID:4952
-
C:\Windows\bryxiuogrikprerz.exebryxiuogrikprerz.exe .2⤵PID:3992
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\bryxiuogrikprerz.exe*."3⤵PID:3192
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ykaqnyldtjkprerz.exe1⤵PID:4868
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2852
-
-
C:\Windows\ykaqnyldtjkprerz.exeykaqnyldtjkprerz.exe2⤵PID:4236
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exe1⤵PID:1884
-
C:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exeC:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exe2⤵PID:2176
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exe .1⤵PID:852
-
C:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exeC:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exe .2⤵PID:1796
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\rjstguqkxqubfujttb.exe*."3⤵PID:4576
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mcwqrgxtnhmvbsjvxhiy.exe .1⤵PID:2600
-
C:\Windows\mcwqrgxtnhmvbsjvxhiy.exemcwqrgxtnhmvbsjvxhiy.exe .2⤵PID:3600
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\mcwqrgxtnhmvbsjvxhiy.exe*."3⤵PID:4784
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe1⤵PID:2184
-
C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exeC:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe2⤵PID:4592
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fsjaykyrizbhkymvu.exe1⤵PID:2664
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4008
-
-
C:\Windows\fsjaykyrizbhkymvu.exefsjaykyrizbhkymvu.exe2⤵PID:1364
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fsjaykyrizbhkymvu.exe .1⤵PID:460
-
C:\Windows\fsjaykyrizbhkymvu.exefsjaykyrizbhkymvu.exe .2⤵PID:4116
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\fsjaykyrizbhkymvu.exe*."3⤵PID:872
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exe .1⤵PID:4396
-
C:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exeC:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exe .2⤵PID:4496
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\bryxiuogrikprerz.exe*."3⤵PID:4092
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zohaaoezslpxcsitudd.exe1⤵PID:1284
-
C:\Users\Admin\AppData\Local\Temp\zohaaoezslpxcsitudd.exeC:\Users\Admin\AppData\Local\Temp\zohaaoezslpxcsitudd.exe2⤵PID:4940
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsnikaspkflvcumzcnpgb.exe .1⤵PID:1984
-
C:\Users\Admin\AppData\Local\Temp\bsnikaspkflvcumzcnpgb.exeC:\Users\Admin\AppData\Local\Temp\bsnikaspkflvcumzcnpgb.exe .2⤵PID:4124
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\bsnikaspkflvcumzcnpgb.exe*."3⤵PID:1940
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ocumlynhzrubfujttb.exe1⤵PID:1600
-
C:\Users\Admin\AppData\Local\Temp\ocumlynhzrubfujttb.exeC:\Users\Admin\AppData\Local\Temp\ocumlynhzrubfujttb.exe2⤵PID:3084
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fsjaykyrizbhkymvu.exe .1⤵PID:1732
-
C:\Users\Admin\AppData\Local\Temp\fsjaykyrizbhkymvu.exeC:\Users\Admin\AppData\Local\Temp\fsjaykyrizbhkymvu.exe .2⤵PID:4336
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\fsjaykyrizbhkymvu.exe*."3⤵PID:1504
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rjstguqkxqubfujttb.exe1⤵PID:2544
-
C:\Windows\rjstguqkxqubfujttb.exerjstguqkxqubfujttb.exe2⤵PID:2380
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cvfhvkhcqkpxcsitudg.exe .1⤵PID:3260
-
C:\Windows\cvfhvkhcqkpxcsitudg.execvfhvkhcqkpxcsitudg.exe .2⤵PID:1736
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\cvfhvkhcqkpxcsitudg.exe*."3⤵PID:1864
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rjstguqkxqubfujttb.exe1⤵PID:2176
-
C:\Windows\rjstguqkxqubfujttb.exerjstguqkxqubfujttb.exe2⤵PID:2740
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pjuxmcawlgmvbsjvxhlf.exe .1⤵PID:180
-
C:\Windows\pjuxmcawlgmvbsjvxhlf.exepjuxmcawlgmvbsjvxhlf.exe .2⤵PID:3076
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\pjuxmcawlgmvbsjvxhlf.exe*."3⤵PID:3288
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exe1⤵PID:1440
-
C:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exeC:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exe2⤵PID:3188
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exe .1⤵PID:3600
-
C:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exeC:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exe .2⤵PID:3412
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\bryxiuogrikprerz.exe*."3⤵PID:4592
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exe1⤵PID:4788
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3132
-
-
C:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exeC:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exe2⤵PID:3312
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exe .1⤵PID:3784
-
C:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exeC:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exe .2⤵PID:5012
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\izhhtgbugybhkymvu.exe*."3⤵PID:4344
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rjstguqkxqubfujttb.exe1⤵PID:3480
-
C:\Windows\rjstguqkxqubfujttb.exerjstguqkxqubfujttb.exe2⤵PID:2488
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rjstguqkxqubfujttb.exe .1⤵PID:3632
-
C:\Windows\rjstguqkxqubfujttb.exerjstguqkxqubfujttb.exe .2⤵PID:3056
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\rjstguqkxqubfujttb.exe*."3⤵PID:4372
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ezlpfwvsielvcumzcnsnz.exe1⤵PID:4628
-
C:\Windows\ezlpfwvsielvcumzcnsnz.exeezlpfwvsielvcumzcnsnz.exe2⤵PID:4596
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cvfhvkhcqkpxcsitudg.exe .1⤵PID:4660
-
C:\Windows\cvfhvkhcqkpxcsitudg.execvfhvkhcqkpxcsitudg.exe .2⤵PID:3772
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\cvfhvkhcqkpxcsitudg.exe*."3⤵PID:3364
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exe1⤵PID:1436
-
C:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exeC:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exe2⤵PID:4440
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjuxmcawlgmvbsjvxhlf.exe .1⤵PID:1764
-
C:\Users\Admin\AppData\Local\Temp\pjuxmcawlgmvbsjvxhlf.exeC:\Users\Admin\AppData\Local\Temp\pjuxmcawlgmvbsjvxhlf.exe .2⤵PID:5060
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\pjuxmcawlgmvbsjvxhlf.exe*."3⤵PID:3192
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exe1⤵PID:2368
-
C:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exeC:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exe2⤵PID:4272
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exe .1⤵PID:4364
-
C:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exeC:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exe .2⤵PID:1936
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\rjstguqkxqubfujttb.exe*."3⤵PID:1588
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cvfhvkhcqkpxcsitudg.exe1⤵PID:4456
-
C:\Windows\cvfhvkhcqkpxcsitudg.execvfhvkhcqkpxcsitudg.exe2⤵PID:3300
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rjstguqkxqubfujttb.exe .1⤵PID:3628
-
C:\Windows\rjstguqkxqubfujttb.exerjstguqkxqubfujttb.exe .2⤵PID:3256
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\rjstguqkxqubfujttb.exe*."3⤵PID:236
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rjstguqkxqubfujttb.exe1⤵PID:1060
-
C:\Windows\rjstguqkxqubfujttb.exerjstguqkxqubfujttb.exe2⤵PID:4324
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bryxiuogrikprerz.exe .1⤵PID:3232
-
C:\Windows\bryxiuogrikprerz.exebryxiuogrikprerz.exe .2⤵PID:2960
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\bryxiuogrikprerz.exe*."3⤵PID:2276
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exe1⤵PID:4932
-
C:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exeC:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exe2⤵PID:632
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjuxmcawlgmvbsjvxhlf.exe .1⤵PID:3436
-
C:\Users\Admin\AppData\Local\Temp\pjuxmcawlgmvbsjvxhlf.exeC:\Users\Admin\AppData\Local\Temp\pjuxmcawlgmvbsjvxhlf.exe .2⤵PID:3672
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\pjuxmcawlgmvbsjvxhlf.exe*."3⤵PID:2340
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exe1⤵PID:3056
-
C:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exeC:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exe2⤵PID:224
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjuxmcawlgmvbsjvxhlf.exe .1⤵PID:4288
-
C:\Users\Admin\AppData\Local\Temp\pjuxmcawlgmvbsjvxhlf.exeC:\Users\Admin\AppData\Local\Temp\pjuxmcawlgmvbsjvxhlf.exe .2⤵PID:1940
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\pjuxmcawlgmvbsjvxhlf.exe*."3⤵PID:2172
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rjstguqkxqubfujttb.exe1⤵PID:1984
-
C:\Windows\rjstguqkxqubfujttb.exerjstguqkxqubfujttb.exe2⤵PID:5084
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cvfhvkhcqkpxcsitudg.exe .1⤵PID:1436
-
C:\Windows\cvfhvkhcqkpxcsitudg.execvfhvkhcqkpxcsitudg.exe .2⤵PID:2544
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\cvfhvkhcqkpxcsitudg.exe*."3⤵PID:2936
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c izhhtgbugybhkymvu.exe1⤵PID:3800
-
C:\Windows\izhhtgbugybhkymvu.exeizhhtgbugybhkymvu.exe2⤵PID:1052
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ezlpfwvsielvcumzcnsnz.exe .1⤵PID:5080
-
C:\Windows\ezlpfwvsielvcumzcnsnz.exeezlpfwvsielvcumzcnsnz.exe .2⤵PID:1672
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ezlpfwvsielvcumzcnsnz.exe*."3⤵PID:5008
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exe1⤵PID:4952
-
C:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exeC:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exe2⤵PID:3744
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe .1⤵PID:1860
-
C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exeC:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe .2⤵PID:4644
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\cvfhvkhcqkpxcsitudg.exe*."3⤵PID:336
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bryxiuogrikprerz.exe1⤵PID:3288
-
C:\Windows\bryxiuogrikprerz.exebryxiuogrikprerz.exe2⤵PID:2612
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pjuxmcawlgmvbsjvxhlf.exe1⤵PID:3600
-
C:\Windows\pjuxmcawlgmvbsjvxhlf.exepjuxmcawlgmvbsjvxhlf.exe2⤵PID:2904
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cvfhvkhcqkpxcsitudg.exe .1⤵PID:4784
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4872
-
-
C:\Windows\cvfhvkhcqkpxcsitudg.execvfhvkhcqkpxcsitudg.exe .2⤵PID:4856
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\cvfhvkhcqkpxcsitudg.exe*."3⤵PID:4520
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exe1⤵PID:4188
-
C:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exeC:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exe2⤵PID:4360
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exe .1⤵PID:216
-
C:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exeC:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exe .2⤵PID:2264
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\rjstguqkxqubfujttb.exe*."3⤵PID:2380
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pjuxmcawlgmvbsjvxhlf.exe .1⤵PID:2532
-
C:\Windows\pjuxmcawlgmvbsjvxhlf.exepjuxmcawlgmvbsjvxhlf.exe .2⤵PID:2804
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\pjuxmcawlgmvbsjvxhlf.exe*."3⤵PID:3140
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cvfhvkhcqkpxcsitudg.exe1⤵PID:3044
-
C:\Windows\cvfhvkhcqkpxcsitudg.execvfhvkhcqkpxcsitudg.exe2⤵PID:1600
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c izhhtgbugybhkymvu.exe1⤵PID:636
-
C:\Windows\izhhtgbugybhkymvu.exeizhhtgbugybhkymvu.exe2⤵PID:1884
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cvfhvkhcqkpxcsitudg.exe .1⤵PID:4260
-
C:\Windows\cvfhvkhcqkpxcsitudg.execvfhvkhcqkpxcsitudg.exe .2⤵PID:3744
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\cvfhvkhcqkpxcsitudg.exe*."3⤵PID:2928
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjuxmcawlgmvbsjvxhlf.exe1⤵PID:4972
-
C:\Users\Admin\AppData\Local\Temp\pjuxmcawlgmvbsjvxhlf.exeC:\Users\Admin\AppData\Local\Temp\pjuxmcawlgmvbsjvxhlf.exe2⤵PID:840
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cvfhvkhcqkpxcsitudg.exe .1⤵PID:4748
-
C:\Windows\cvfhvkhcqkpxcsitudg.execvfhvkhcqkpxcsitudg.exe .2⤵PID:892
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\cvfhvkhcqkpxcsitudg.exe*."3⤵PID:3048
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exe1⤵PID:5060
-
C:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exeC:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exe2⤵PID:3616
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe .1⤵PID:4968
-
C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exeC:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe .2⤵PID:3480
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\cvfhvkhcqkpxcsitudg.exe*."3⤵PID:4416
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exe .1⤵PID:3328
-
C:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exeC:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exe .2⤵PID:232
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\rjstguqkxqubfujttb.exe*."3⤵PID:4064
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exe1⤵PID:3680
-
C:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exeC:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exe2⤵PID:2984
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exe1⤵PID:2612
-
C:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exeC:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exe2⤵PID:4092
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjuxmcawlgmvbsjvxhlf.exe .1⤵PID:4604
-
C:\Users\Admin\AppData\Local\Temp\pjuxmcawlgmvbsjvxhlf.exeC:\Users\Admin\AppData\Local\Temp\pjuxmcawlgmvbsjvxhlf.exe .2⤵PID:224
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\pjuxmcawlgmvbsjvxhlf.exe*."3⤵PID:4092
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pjuxmcawlgmvbsjvxhlf.exe1⤵PID:4436
-
C:\Windows\pjuxmcawlgmvbsjvxhlf.exepjuxmcawlgmvbsjvxhlf.exe2⤵PID:2036
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exe .1⤵PID:4088
-
C:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exeC:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exe .2⤵PID:4728
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ezlpfwvsielvcumzcnsnz.exe*."3⤵PID:3872
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pjuxmcawlgmvbsjvxhlf.exe .1⤵PID:4860
-
C:\Windows\pjuxmcawlgmvbsjvxhlf.exepjuxmcawlgmvbsjvxhlf.exe .2⤵PID:3420
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\pjuxmcawlgmvbsjvxhlf.exe*."3⤵PID:1808
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cvfhvkhcqkpxcsitudg.exe1⤵PID:2264
-
C:\Windows\cvfhvkhcqkpxcsitudg.execvfhvkhcqkpxcsitudg.exe2⤵PID:2664
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pjuxmcawlgmvbsjvxhlf.exe .1⤵PID:3080
-
C:\Windows\pjuxmcawlgmvbsjvxhlf.exepjuxmcawlgmvbsjvxhlf.exe .2⤵PID:1364
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\pjuxmcawlgmvbsjvxhlf.exe*."3⤵PID:1600
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe1⤵PID:404
-
C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exeC:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe2⤵PID:2300
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exe .1⤵PID:2488
-
C:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exeC:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exe .2⤵PID:2104
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\rjstguqkxqubfujttb.exe*."3⤵PID:2056
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exe1⤵PID:4372
-
C:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exeC:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exe2⤵PID:4064
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exe .1⤵PID:2884
-
C:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exeC:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exe .2⤵PID:4004
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ezlpfwvsielvcumzcnsnz.exe*."3⤵PID:3680
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bryxiuogrikprerz.exe1⤵PID:1764
-
C:\Windows\bryxiuogrikprerz.exebryxiuogrikprerz.exe2⤵PID:2252
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cvfhvkhcqkpxcsitudg.exe .1⤵PID:4832
-
C:\Windows\cvfhvkhcqkpxcsitudg.execvfhvkhcqkpxcsitudg.exe .2⤵PID:1256
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\cvfhvkhcqkpxcsitudg.exe*."3⤵PID:2888
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bryxiuogrikprerz.exe1⤵PID:5024
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3040
-
-
C:\Windows\bryxiuogrikprerz.exebryxiuogrikprerz.exe2⤵PID:4960
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rjstguqkxqubfujttb.exe .1⤵PID:3432
-
C:\Windows\rjstguqkxqubfujttb.exerjstguqkxqubfujttb.exe .2⤵PID:1444
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\rjstguqkxqubfujttb.exe*."3⤵PID:2300
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exe1⤵PID:2184
-
C:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exeC:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exe2⤵PID:4088
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjuxmcawlgmvbsjvxhlf.exe .1⤵PID:2824
-
C:\Users\Admin\AppData\Local\Temp\pjuxmcawlgmvbsjvxhlf.exeC:\Users\Admin\AppData\Local\Temp\pjuxmcawlgmvbsjvxhlf.exe .2⤵PID:3632
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\pjuxmcawlgmvbsjvxhlf.exe*."3⤵PID:2340
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exe1⤵PID:3820
-
C:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exeC:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exe2⤵PID:5068
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exe .1⤵PID:3744
-
C:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exeC:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exe .2⤵PID:772
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ezlpfwvsielvcumzcnsnz.exe*."3⤵PID:2056
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ocumlynhzrubfujttb.exe1⤵PID:376
-
C:\Windows\ocumlynhzrubfujttb.exeocumlynhzrubfujttb.exe2⤵PID:2104
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ykaqnyldtjkprerz.exe .1⤵PID:3508
-
C:\Windows\ykaqnyldtjkprerz.exeykaqnyldtjkprerz.exe .2⤵PID:752
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ykaqnyldtjkprerz.exe*."3⤵PID:2112
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fsjaykyrizbhkymvu.exe1⤵PID:432
-
C:\Windows\fsjaykyrizbhkymvu.exefsjaykyrizbhkymvu.exe2⤵PID:4520
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mcwqrgxtnhmvbsjvxhiy.exe .1⤵PID:2580
-
C:\Windows\mcwqrgxtnhmvbsjvxhiy.exemcwqrgxtnhmvbsjvxhiy.exe .2⤵PID:3048
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\mcwqrgxtnhmvbsjvxhiy.exe*."3⤵PID:4112
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cvfhvkhcqkpxcsitudg.exe1⤵PID:1672
-
C:\Windows\cvfhvkhcqkpxcsitudg.execvfhvkhcqkpxcsitudg.exe2⤵PID:5108
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcwqrgxtnhmvbsjvxhiy.exe1⤵PID:4476
-
C:\Users\Admin\AppData\Local\Temp\mcwqrgxtnhmvbsjvxhiy.exeC:\Users\Admin\AppData\Local\Temp\mcwqrgxtnhmvbsjvxhiy.exe2⤵PID:384
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rjstguqkxqubfujttb.exe .1⤵PID:4764
-
C:\Windows\rjstguqkxqubfujttb.exerjstguqkxqubfujttb.exe .2⤵PID:1872
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\rjstguqkxqubfujttb.exe*."3⤵PID:3420
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsnikaspkflvcumzcnpgb.exe .1⤵PID:5008
-
C:\Users\Admin\AppData\Local\Temp\bsnikaspkflvcumzcnpgb.exeC:\Users\Admin\AppData\Local\Temp\bsnikaspkflvcumzcnpgb.exe .2⤵PID:1640
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\bsnikaspkflvcumzcnpgb.exe*."3⤵PID:2184
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rjstguqkxqubfujttb.exe1⤵PID:4960
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4852
-
-
C:\Windows\rjstguqkxqubfujttb.exerjstguqkxqubfujttb.exe2⤵PID:4788
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ezlpfwvsielvcumzcnsnz.exe .1⤵PID:5024
-
C:\Windows\ezlpfwvsielvcumzcnsnz.exeezlpfwvsielvcumzcnsnz.exe .2⤵PID:2656
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ezlpfwvsielvcumzcnsnz.exe*."3⤵PID:4628
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ykaqnyldtjkprerz.exe1⤵PID:4336
-
C:\Users\Admin\AppData\Local\Temp\ykaqnyldtjkprerz.exeC:\Users\Admin\AppData\Local\Temp\ykaqnyldtjkprerz.exe2⤵PID:3036
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exe1⤵PID:1444
-
C:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exeC:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exe2⤵PID:4456
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zohaaoezslpxcsitudd.exe .1⤵PID:3432
-
C:\Users\Admin\AppData\Local\Temp\zohaaoezslpxcsitudd.exeC:\Users\Admin\AppData\Local\Temp\zohaaoezslpxcsitudd.exe .2⤵PID:3820
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\zohaaoezslpxcsitudd.exe*."3⤵PID:2904
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exe .1⤵PID:4080
-
C:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exeC:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exe .2⤵PID:2780
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ezlpfwvsielvcumzcnsnz.exe*."3⤵PID:4940
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exe1⤵PID:3356
-
C:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exeC:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exe2⤵PID:1572
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exe .1⤵PID:4596
-
C:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exeC:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exe .2⤵PID:3132
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\izhhtgbugybhkymvu.exe*."3⤵PID:2224
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cvfhvkhcqkpxcsitudg.exe1⤵PID:1748
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3636
-
-
C:\Windows\cvfhvkhcqkpxcsitudg.execvfhvkhcqkpxcsitudg.exe2⤵PID:4604
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cvfhvkhcqkpxcsitudg.exe .1⤵PID:2672
-
C:\Windows\cvfhvkhcqkpxcsitudg.execvfhvkhcqkpxcsitudg.exe .2⤵PID:1436
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\cvfhvkhcqkpxcsitudg.exe*."3⤵PID:2936
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rjstguqkxqubfujttb.exe1⤵PID:4276
-
C:\Windows\rjstguqkxqubfujttb.exerjstguqkxqubfujttb.exe2⤵PID:2888
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c izhhtgbugybhkymvu.exe .1⤵PID:1332
-
C:\Windows\izhhtgbugybhkymvu.exeizhhtgbugybhkymvu.exe .2⤵PID:4492
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\izhhtgbugybhkymvu.exe*."3⤵PID:3300
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exe1⤵PID:3800
-
C:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exeC:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exe2⤵PID:2300
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exe .1⤵PID:1788
-
C:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exeC:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exe .2⤵PID:928
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ezlpfwvsielvcumzcnsnz.exe*."3⤵PID:2612
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exe1⤵PID:852
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4832
-
-
C:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exeC:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exe2⤵PID:3812
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exe .1⤵PID:3192
-
C:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exeC:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exe .2⤵PID:1284
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\izhhtgbugybhkymvu.exe*."3⤵PID:3680
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c izhhtgbugybhkymvu.exe1⤵PID:4824
-
C:\Windows\izhhtgbugybhkymvu.exeizhhtgbugybhkymvu.exe2⤵PID:4656
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rjstguqkxqubfujttb.exe .1⤵PID:3820
-
C:\Windows\rjstguqkxqubfujttb.exerjstguqkxqubfujttb.exe .2⤵PID:4728
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\rjstguqkxqubfujttb.exe*."3⤵PID:4920
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pjuxmcawlgmvbsjvxhlf.exe1⤵PID:3432
-
C:\Windows\pjuxmcawlgmvbsjvxhlf.exepjuxmcawlgmvbsjvxhlf.exe2⤵PID:404
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pjuxmcawlgmvbsjvxhlf.exe .1⤵PID:4940
-
C:\Windows\pjuxmcawlgmvbsjvxhlf.exepjuxmcawlgmvbsjvxhlf.exe .2⤵PID:224
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\pjuxmcawlgmvbsjvxhlf.exe*."3⤵PID:5080
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exe1⤵PID:4992
-
C:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exeC:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exe2⤵PID:3320
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exe .1⤵PID:4596
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1860
-
-
C:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exeC:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exe .2⤵PID:3724
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ezlpfwvsielvcumzcnsnz.exe*."3⤵PID:5108
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exe1⤵PID:2176
-
C:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exeC:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exe2⤵PID:2508
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe .1⤵PID:2252
-
C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exeC:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe .2⤵PID:2672
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\cvfhvkhcqkpxcsitudg.exe*."3⤵PID:1032
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cvfhvkhcqkpxcsitudg.exe1⤵PID:2912
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2264
-
-
C:\Windows\cvfhvkhcqkpxcsitudg.execvfhvkhcqkpxcsitudg.exe2⤵PID:4592
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bryxiuogrikprerz.exe .1⤵PID:4928
-
C:\Windows\bryxiuogrikprerz.exebryxiuogrikprerz.exe .2⤵PID:2524
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\bryxiuogrikprerz.exe*."3⤵PID:4788
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pjuxmcawlgmvbsjvxhlf.exe1⤵PID:5076
-
C:\Windows\pjuxmcawlgmvbsjvxhlf.exepjuxmcawlgmvbsjvxhlf.exe2⤵PID:1764
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bryxiuogrikprerz.exe .1⤵PID:2436
-
C:\Windows\bryxiuogrikprerz.exebryxiuogrikprerz.exe .2⤵PID:2504
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\bryxiuogrikprerz.exe*."3⤵PID:4088
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe1⤵PID:636
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2224
-
-
C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exeC:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe2⤵PID:2444
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe .1⤵PID:2532
-
C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exeC:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe .2⤵PID:840
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\cvfhvkhcqkpxcsitudg.exe*."3⤵PID:3436
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe1⤵PID:3996
-
C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exeC:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe2⤵PID:3956
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exe .1⤵PID:2984
-
C:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exeC:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exe .2⤵PID:4988
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\bryxiuogrikprerz.exe*."3⤵PID:4728
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rjstguqkxqubfujttb.exe1⤵PID:3320
-
C:\Windows\rjstguqkxqubfujttb.exerjstguqkxqubfujttb.exe2⤵PID:1060
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cvfhvkhcqkpxcsitudg.exe1⤵PID:5080
-
C:\Windows\cvfhvkhcqkpxcsitudg.execvfhvkhcqkpxcsitudg.exe2⤵PID:3536
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pjuxmcawlgmvbsjvxhlf.exe1⤵PID:4440
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4608
-
-
C:\Windows\pjuxmcawlgmvbsjvxhlf.exepjuxmcawlgmvbsjvxhlf.exe2⤵PID:2252
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c izhhtgbugybhkymvu.exe .1⤵PID:2160
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3724
-
-
C:\Windows\izhhtgbugybhkymvu.exeizhhtgbugybhkymvu.exe .2⤵PID:2700
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\izhhtgbugybhkymvu.exe*."3⤵PID:3300
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cvfhvkhcqkpxcsitudg.exe .1⤵PID:2176
-
C:\Windows\cvfhvkhcqkpxcsitudg.execvfhvkhcqkpxcsitudg.exe .2⤵PID:2380
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\cvfhvkhcqkpxcsitudg.exe*."3⤵PID:3412
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rjstguqkxqubfujttb.exe .1⤵PID:4112
-
C:\Windows\rjstguqkxqubfujttb.exerjstguqkxqubfujttb.exe .2⤵PID:5076
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\rjstguqkxqubfujttb.exe*."3⤵PID:2872
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cvfhvkhcqkpxcsitudg.exe1⤵PID:1748
-
C:\Windows\cvfhvkhcqkpxcsitudg.execvfhvkhcqkpxcsitudg.exe2⤵PID:4084
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bryxiuogrikprerz.exe1⤵PID:3628
-
C:\Windows\bryxiuogrikprerz.exebryxiuogrikprerz.exe2⤵PID:3232
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cvfhvkhcqkpxcsitudg.exe .1⤵PID:2464
-
C:\Windows\cvfhvkhcqkpxcsitudg.execvfhvkhcqkpxcsitudg.exe .2⤵PID:1060
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\cvfhvkhcqkpxcsitudg.exe*."3⤵PID:4272
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pjuxmcawlgmvbsjvxhlf.exe .1⤵PID:3772
-
C:\Windows\pjuxmcawlgmvbsjvxhlf.exepjuxmcawlgmvbsjvxhlf.exe .2⤵PID:4344
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\pjuxmcawlgmvbsjvxhlf.exe*."3⤵PID:4396
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bryxiuogrikprerz.exe1⤵PID:3404
-
C:\Windows\bryxiuogrikprerz.exebryxiuogrikprerz.exe2⤵PID:3352
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjuxmcawlgmvbsjvxhlf.exe1⤵PID:3600
-
C:\Users\Admin\AppData\Local\Temp\pjuxmcawlgmvbsjvxhlf.exeC:\Users\Admin\AppData\Local\Temp\pjuxmcawlgmvbsjvxhlf.exe2⤵PID:1364
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe1⤵PID:3084
-
C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exeC:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe2⤵PID:4092
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pjuxmcawlgmvbsjvxhlf.exe .1⤵PID:1284
-
C:\Windows\pjuxmcawlgmvbsjvxhlf.exepjuxmcawlgmvbsjvxhlf.exe .2⤵PID:1200
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\pjuxmcawlgmvbsjvxhlf.exe*."3⤵PID:2380
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exe .1⤵PID:636
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4844
-
-
C:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exeC:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exe .2⤵PID:180
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\bryxiuogrikprerz.exe*."3⤵PID:4236
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exe .1⤵PID:4716
-
C:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exeC:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exe .2⤵PID:4396
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\bryxiuogrikprerz.exe*."3⤵PID:2368
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exe1⤵PID:3576
-
C:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exeC:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exe2⤵PID:4788
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exe .1⤵PID:1588
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3364
-
-
C:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exeC:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exe .2⤵PID:4956
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\rjstguqkxqubfujttb.exe*."3⤵PID:3508
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exe1⤵PID:4536
-
C:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exeC:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exe2⤵PID:4360
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exe1⤵PID:4044
-
C:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exeC:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exe2⤵PID:2844
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exe .1⤵PID:4064
-
C:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exeC:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exe .2⤵PID:4868
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ezlpfwvsielvcumzcnsnz.exe*."3⤵PID:4840
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe .1⤵PID:2528
-
C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exeC:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe .2⤵PID:236
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\cvfhvkhcqkpxcsitudg.exe*."3⤵PID:1504
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exe1⤵PID:384
-
C:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exeC:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exe2⤵PID:2672
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exe .1⤵PID:3328
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4848
-
-
C:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exeC:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exe .2⤵PID:4628
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ezlpfwvsielvcumzcnsnz.exe*."3⤵PID:3360
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pjuxmcawlgmvbsjvxhlf.exe1⤵PID:3248
-
C:\Windows\pjuxmcawlgmvbsjvxhlf.exepjuxmcawlgmvbsjvxhlf.exe2⤵PID:2296
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bryxiuogrikprerz.exe .1⤵PID:1732
-
C:\Windows\bryxiuogrikprerz.exebryxiuogrikprerz.exe .2⤵PID:2524
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\bryxiuogrikprerz.exe*."3⤵PID:4764
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bryxiuogrikprerz.exe1⤵PID:4324
-
C:\Windows\bryxiuogrikprerz.exebryxiuogrikprerz.exe2⤵PID:1572
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cvfhvkhcqkpxcsitudg.exe .1⤵PID:2932
-
C:\Windows\cvfhvkhcqkpxcsitudg.execvfhvkhcqkpxcsitudg.exe .2⤵PID:4956
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\cvfhvkhcqkpxcsitudg.exe*."3⤵PID:5088
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exe1⤵PID:632
-
C:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exeC:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exe2⤵PID:3320
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exe .1⤵PID:3680
-
C:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exeC:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exe .2⤵PID:3576
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\rjstguqkxqubfujttb.exe*."3⤵PID:3056
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exe1⤵PID:4492
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5008
-
-
C:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exeC:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exe2⤵PID:1096
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe .1⤵PID:3284
-
C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exeC:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe .2⤵PID:4920
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\cvfhvkhcqkpxcsitudg.exe*."3⤵PID:1600
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ezlpfwvsielvcumzcnsnz.exe1⤵PID:2980
-
C:\Windows\ezlpfwvsielvcumzcnsnz.exeezlpfwvsielvcumzcnsnz.exe2⤵PID:4604
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c izhhtgbugybhkymvu.exe .1⤵PID:896
-
C:\Windows\izhhtgbugybhkymvu.exeizhhtgbugybhkymvu.exe .2⤵PID:3356
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\izhhtgbugybhkymvu.exe*."3⤵PID:2108
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pjuxmcawlgmvbsjvxhlf.exe1⤵PID:4584
-
C:\Windows\pjuxmcawlgmvbsjvxhlf.exepjuxmcawlgmvbsjvxhlf.exe2⤵PID:4320
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ezlpfwvsielvcumzcnsnz.exe .1⤵PID:772
-
C:\Windows\ezlpfwvsielvcumzcnsnz.exeezlpfwvsielvcumzcnsnz.exe .2⤵PID:4740
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ezlpfwvsielvcumzcnsnz.exe*."3⤵PID:840
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bsnikaspkflvcumzcnpgb.exe1⤵PID:1796
-
C:\Windows\bsnikaspkflvcumzcnpgb.exebsnikaspkflvcumzcnpgb.exe2⤵PID:2276
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exe1⤵PID:4112
-
C:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exeC:\Users\Admin\AppData\Local\Temp\bryxiuogrikprerz.exe2⤵PID:2656
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exe .1⤵PID:2928
-
C:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exeC:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exe .2⤵PID:468
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\izhhtgbugybhkymvu.exe*."3⤵PID:2700
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zohaaoezslpxcsitudd.exe .1⤵PID:2600
-
C:\Windows\zohaaoezslpxcsitudd.exezohaaoezslpxcsitudd.exe .2⤵PID:3044
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\zohaaoezslpxcsitudd.exe*."3⤵PID:4476
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fsjaykyrizbhkymvu.exe1⤵PID:1984
-
C:\Windows\fsjaykyrizbhkymvu.exefsjaykyrizbhkymvu.exe2⤵PID:4084
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe1⤵PID:3872
-
C:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exeC:\Users\Admin\AppData\Local\Temp\cvfhvkhcqkpxcsitudg.exe2⤵PID:632
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mcwqrgxtnhmvbsjvxhiy.exe .1⤵PID:1916
-
C:\Windows\mcwqrgxtnhmvbsjvxhiy.exemcwqrgxtnhmvbsjvxhiy.exe .2⤵PID:4796
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\mcwqrgxtnhmvbsjvxhiy.exe*."3⤵PID:3436
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exe .1⤵PID:404
-
C:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exeC:\Users\Admin\AppData\Local\Temp\ezlpfwvsielvcumzcnsnz.exe .2⤵PID:4644
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ezlpfwvsielvcumzcnsnz.exe*."3⤵PID:3412
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsnikaspkflvcumzcnpgb.exe1⤵PID:3432
-
C:\Users\Admin\AppData\Local\Temp\bsnikaspkflvcumzcnpgb.exeC:\Users\Admin\AppData\Local\Temp\bsnikaspkflvcumzcnpgb.exe2⤵PID:4892
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsnikaspkflvcumzcnpgb.exe .1⤵PID:2932
-
C:\Users\Admin\AppData\Local\Temp\bsnikaspkflvcumzcnpgb.exeC:\Users\Admin\AppData\Local\Temp\bsnikaspkflvcumzcnpgb.exe .2⤵PID:4040
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\bsnikaspkflvcumzcnpgb.exe*."3⤵PID:1672
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ocumlynhzrubfujttb.exe1⤵PID:2612
-
C:\Users\Admin\AppData\Local\Temp\ocumlynhzrubfujttb.exeC:\Users\Admin\AppData\Local\Temp\ocumlynhzrubfujttb.exe2⤵PID:4868
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ykaqnyldtjkprerz.exe .1⤵PID:2300
-
C:\Users\Admin\AppData\Local\Temp\ykaqnyldtjkprerz.exeC:\Users\Admin\AppData\Local\Temp\ykaqnyldtjkprerz.exe .2⤵PID:1104
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ykaqnyldtjkprerz.exe*."3⤵PID:2340
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rjstguqkxqubfujttb.exe1⤵PID:5116
-
C:\Windows\rjstguqkxqubfujttb.exerjstguqkxqubfujttb.exe2⤵PID:4524
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ezlpfwvsielvcumzcnsnz.exe .1⤵PID:2368
-
C:\Windows\ezlpfwvsielvcumzcnsnz.exeezlpfwvsielvcumzcnsnz.exe .2⤵PID:4580
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ezlpfwvsielvcumzcnsnz.exe*."3⤵PID:4828
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cvfhvkhcqkpxcsitudg.exe1⤵PID:4728
-
C:\Windows\cvfhvkhcqkpxcsitudg.execvfhvkhcqkpxcsitudg.exe2⤵PID:3956
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ezlpfwvsielvcumzcnsnz.exe .1⤵PID:3140
-
C:\Windows\ezlpfwvsielvcumzcnsnz.exeezlpfwvsielvcumzcnsnz.exe .2⤵PID:5108
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ezlpfwvsielvcumzcnsnz.exe*."3⤵PID:2432
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exe1⤵PID:1332
-
C:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exeC:\Users\Admin\AppData\Local\Temp\rjstguqkxqubfujttb.exe2⤵PID:1736
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjuxmcawlgmvbsjvxhlf.exe .1⤵PID:1440
-
C:\Users\Admin\AppData\Local\Temp\pjuxmcawlgmvbsjvxhlf.exeC:\Users\Admin\AppData\Local\Temp\pjuxmcawlgmvbsjvxhlf.exe .2⤵PID:3264
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\pjuxmcawlgmvbsjvxhlf.exe*."3⤵PID:4348
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\izhhtgbugybhkymvu.exe1⤵PID:4364
Network
MITRE ATT&CK Enterprise v16
Persistence
Boot or Logon Autostart Execution 3
Registry Run Keys / Startup Folder 2
Winlogon Helper DLL 1
Hijack Execution Flow 1
Executable Installer File Permissions Weakness 1
Privilege Escalation
Abuse Elevation Control Mechanism 1
Bypass User Account Control 1
Boot or Logon Autostart Execution 3
Registry Run Keys / Startup Folder 2
Winlogon Helper DLL 1
Hijack Execution Flow 1
Executable Installer File Permissions Weakness 1
Defense Evasion
Abuse Elevation Control Mechanism 1
Bypass User Account Control 1
Hijack Execution Flow 1
Executable Installer File Permissions Weakness 1
Impair Defenses 2
Disable or Modify Tools 1
Safe Mode Boot 1
Modify Registry 5
Replay Monitor
Downloads
-
Filesize
272B
MD5 39e0a4f83ab360c9b656ef8ebcd05b25
SHA1 3cdbb740ebb95682fcabfbcbc71c4f1899da5439
SHA256 fff51cbc1b159b10bd642c195abee375a69042bfae86027a2700d1f84a924c89
SHA512 49e75d75e3b59f43b5cf8cac465d6c51639afc348190bc19518b16ac8925df8d6db092cf638d5963745d45dbe6abce6b7bd975cbc930608c8439777aca2519e9
-
Filesize
272B
MD5 70e76d578997e0922ce973a193e9a08f
SHA1 1bb9010356631f109c0dabdffca91d1edaa8fed7
SHA256 cfada96852d915407da4606982b66f681db018175524e40882f31dd62fdf10f5
SHA512 3b48c22e513894a5e4da7fae01b3e6cbb8e8255578dab9e4c29486e3115e6768b57ac4f11192604fb44ea0033a9c1a124a9b72d71997d31e30be09e95e381f62
-
Filesize
272B
MD5 565fd8162d041363e5b7af29bdc2598c
SHA1 7303b3f6f34bf1d63a49bc4ce909828ebfd3f7ba
SHA256 ae24969a5c1d3deab21205c45490eb9cfe7f5fedb481d9bb5286ccfa75c0c45d
SHA512 e109452de9d66a3b8f9d38524ea8d832a43084e226394a70bd10c573b2b0dc5eeb367e8d19380a9c1a716f2a79d55f2ce8c6f364151c63a9759caaa5843ed260
-
Filesize
272B
MD5 cd9ca65126f7cddacc2f726c7927abcd
SHA1 2e8f8c5070c1288833c8d889f590983e0423a845
SHA256 00e2aa6d03e66c4f0a9e99e5fd228a68d67ecbcf92d3dcaeda788c46bf86ddc1
SHA512 e2a42bdf5f7b99a10a545fda7defc62094a451557136d68e3bb355d301229cb4c7a15a5bb0a6b41810eb62bfb5227513e4e93ad2f34f9a263aad08f94d32d1c5
-
Filesize
272B
MD5 15dcb0ea0a5ee5c5a275a3fc1b783331
SHA1 6ebb4b727ce3e18ccfe73da0637f26a342b93c91
SHA256 28493a4e7e6921f83719cdcf9afb6a5e6ba3b4e51e42496fae7c09432efbffb3
SHA512 4849b59dd429df52e981bf0a577f962593818c9c61df43264406e1389c42d065d5fb8ad7188a9be8db4a71b24bff03c51751b5aaa2618a0126c7b71a8dfdce4f
-
Filesize
272B
MD5 aea4631f924c671f16d9851049e10b84
SHA1 2c05c6337d704a288d46cceb6fa440a8030e4e21
SHA256 cb3006b04e15ce6e6113fcaa5cdcfce4c83be64b6ecbc91c968cb79f1a1852d7
SHA512 0d3cae21615c03536b3c9c85470ac9227bc16b02697dbdba4544024a543960fab2711c12857279cd92cfd9184ea6bb6523d17bad08d642f35d343379fd4a90f8
-
Filesize
272B
MD5 65f4a733dc253d0ca19faef2ed2b7328
SHA1 e98be39081671c4d3657c4dacad3012096c421bd
SHA256 db5d17108227b905fd27fdd06815e15ceff69b174501329b03964b457da750a0
SHA512 4ee2c0a1495f6465df420cd495ae961ba3c614f039c7361563440f16d2e2764a38fb2fee8fe63d36b4a0537db2cce2edabe2d59582f15ce0cc7869ea7c5d7ce1
-
Filesize
320KB
MD5 eb09c682903ecbd87f30b0366e008d8f
SHA1 59b0dc27c06ce536327490439a37751a3dbd5e38
SHA256 c4b122f7bab30363b472a3dffb8a7c61604c0ec4719ebd233ccbac8be0951be1
SHA512 83236c0955b81375666c10445d2cf5e4723b24e42e4ee5fb951f53945483be2fff5c8ef167f08cfad3accc162c61e750bb1039edbf09e26afe18cba2f994eb5d
-
Filesize
696KB
MD5 0d0f3fb136b7792c6887b2e120a6edb9
SHA1 50d8bf191f1ae1ff045be94c09ef9b8b311553fc
SHA256 62e25673a8c4b68eef961fda4a08bd82f968adfcfcd8ed820417da129be3541a
SHA512 6b5a06ce31c0091a06d9e886d6484849f92331a3fae5fdd0e2ea59641f648cde6cb3273c1ac35989400ccc2268e4e407c0ec3ac907d518a8d70e9c23ee05c43f
-
Filesize
272B
MD5 7e091a7d4e66e883f0cdd207ba2f960a
SHA1 11a9259c0754719f716dbb47779bf9d5122806e2
SHA256 98aa757e397513ae4926d0a5c830e03b04dee28647398c54224306fde0b6b902
SHA512 3e086c2f36d4c597cddcdcc289cc9e8ac40dbb860585163530939b48a0118e71109cc3471ccee421080a61529b126db5b70cabed45b40532a3f1e992916134e9
-
Filesize
3KB
MD5 dc36a32ec6ad763d70205ad17edf27fc
SHA1 9e3b454b5449bb26e9f507762907ef98c2df119d
SHA256 1b8425a21ed36d400c922a856130eb39bb9991c3bf61c19cc2e8eb72763da994
SHA512 357242c0f829ff28523da11597d4556d20929dc4ec097c53f93a611bb26b0899373eb184805ded3c03e46967fb33b9a8e64d881864276a6714ce666d38aecee5
-
Filesize
860KB
MD5 c0a5c6a1916f592a00e891fd8e5c4b36
SHA1 6bf1d27345660089c1bbf1e71f58674e684c5d14
SHA256 32173afb83cbc7c35e4b7c70ca3bdfb64155ce5da72d0fc359c4a0cd2096d7c8
SHA512 75c8ce5234070a6ee08fb41f316bd71776b3b58f9e43e3f4b544732c197a27b5c9d9172632894090b6af7f3f52fdac8efabe8baf41eb855ac817ad34980dbef6