Analysis
max time kernel: 44s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20250313-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250313-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/04/2025, 07:07
Static task: static1
Behavioral task: behavioral1
    Sample: JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe
    Resource: win10v2004-20250313-en
Behavioral task: behavioral2
    Sample: JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe
    Resource: win11-20250410-en
General
Target: JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe
Size: 680KB
MD5: c1c90ccb7f44badc91ec2859323fcde2
SHA1: 0bc90e1a338997eb95cae02f0250a8678d8f25e4
SHA256: c9fd2f88ae1d80838434f52f63ecc3009bda52cc0b76238121d6068999f13a43
SHA512: 464ce273e0f3c9f74bff3c864f54d532f89bea43446ca824ca3af93c3802168c41e314166a6084c0e61a43621900394bea820a2b64c8f92ea156f36ce9584e08
SSDEEP: 12288:XIX6gtvm1De5YlOx6lzBH46UVqqVpCyXJ:Xu81yMBbyb3XJ
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 18 IoCs)
Pykspa family
UAC bypass (3 TTPs, 27 IoCs)
Detect Pykspa worm (2 IoCs)
resource                                        yara_rule
behavioral1/files/0x0004000000022791-4.dat      family_pykspa
behavioral1/files/0x0007000000024298-104.dat    family_pykspa
Adds policy Run key to start application (2 TTPs, 60 IoCs)
Blocklisted process makes network request (5 IoCs)
flow    pid     Process
43      3812    Process not Found
48      3812    Process not Found
82      3812    Process not Found
89      3812    Process not Found
94      3812    Process not Found
Disables RegEdit via registry modification (20 IoCs)
Checks computer location settings (2 TTPs, 64 IoCs)
Looks up country code configured in the registry, likely geofence.
Executes dropped EXE (64 IoCs)
Impair Defenses: Safe Mode Boot (1 TTPs, 6 IoCs)
description   ioc                                                                         Process
Key deleted   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc      belxwgq.exe
Key deleted   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power        belxwgq.exe
Key deleted   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys    belxwgq.exe
Key deleted   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc      belxwgq.exe
Key deleted   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager  belxwgq.exe
Key deleted   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys   belxwgq.exe
Adds Run key to start application (2 TTPs, 64 IoCs)
Checks whether UAC is enabled 1 TTPs 36 IoCs
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possibly turns off User Account Control's privilege elevation for standard users.
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" myjtkkdhwit.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" belxwgq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" belxwgq.exe
-
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc
44 whatismyip.everdot.org
16 whatismyipaddress.com
19 www.whatismyip.ca
22 www.showmyipaddress.com
28 whatismyip.everdot.org
39 whatismyip.everdot.org
40 www.whatismyip.ca
-
Drops file in System32 directory 64 IoCs
Drops file in Program Files directory 4 IoCs
description ioc Process
File opened for modification C:\Program Files (x86)\dejtqyghmntycnhusklqaxfnotu.fju belxwgq.exe
File created C:\Program Files (x86)\dejtqyghmntycnhusklqaxfnotu.fju belxwgq.exe
File opened for modification C:\Program Files (x86)\amcxfyrdtfwmbxcajmyojrkdpfriynjomvykav.wpb belxwgq.exe
File created C:\Program Files (x86)\amcxfyrdtfwmbxcajmyojrkdpfriynjomvykav.wpb belxwgq.exe
-
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 5700 | belxwgq.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2780 wrote to memory of 1488 | 2780 | JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe | 89
PID 2780 wrote to memory of 1488 | 2780 | JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe | 89
PID 2780 wrote to memory of 1488 | 2780 | JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe | 89
PID 4516 wrote to memory of 544 | 4516 | cmd.exe | 92
PID 4516 wrote to memory of 544 | 4516 | cmd.exe | 92
PID 4516 wrote to memory of 544 | 4516 | cmd.exe | 92
PID 4864 wrote to memory of 4824 | 4864 | cmd.exe | 97
PID 4864 wrote to memory of 4824 | 4864 | cmd.exe | 97
PID 4864 wrote to memory of 4824 | 4864 | cmd.exe | 97
PID 4824 wrote to memory of 4868 | 4824 | duppcaypkbxsmnxaownii.exe | 101
PID 4824 wrote to memory of 4868 | 4824 | duppcaypkbxsmnxaownii.exe | 101
PID 4824 wrote to memory of 4868 | 4824 | duppcaypkbxsmnxaownii.exe | 101
PID 6112 wrote to memory of 6044 | 6112 | cmd.exe | 103
PID 6112 wrote to memory of 6044 | 6112 | cmd.exe | 103
PID 6112 wrote to memory of 6044 | 6112 | cmd.exe | 103
PID 5008 wrote to memory of 5012 | 5008 | cmd.exe | 106
PID 5008 wrote to memory of 5012 | 5008 | cmd.exe | 106
PID 5008 wrote to memory of 5012 | 5008 | cmd.exe | 106
PID 5384 wrote to memory of 5552 | 5384 | cmd.exe | 108
PID 5384 wrote to memory of 5552 | 5384 | cmd.exe | 108
PID 5384 wrote to memory of 5552 | 5384 | cmd.exe | 108
PID 5012 wrote to memory of 3036 | 5012 | bqjhsokzshbumltugmb.exe | 110
PID 5012 wrote to memory of 3036 | 5012 | bqjhsokzshbumltugmb.exe | 110
PID 5012 wrote to memory of 3036 | 5012 | bqjhsokzshbumltugmb.exe | 110
PID 5896 wrote to memory of 2184 | 5896 | cmd.exe | 111
PID 5896 wrote to memory of 2184 | 5896 | cmd.exe | 111
PID 5896 wrote to memory of 2184 | 5896 | cmd.exe | 111
PID 2460 wrote to memory of 3920 | 2460 | cmd.exe | 116
PID 2460 wrote to memory of 3920 | 2460 | cmd.exe | 116
PID 2460 wrote to memory of 3920 | 2460 | cmd.exe | 116
PID 2184 wrote to memory of 5580 | 2184 | hulhqkerivneurxwg.exe | 117
PID 2184 wrote to memory of 5580 | 2184 | hulhqkerivneurxwg.exe | 117
PID 2184 wrote to memory of 5580 | 2184 | hulhqkerivneurxwg.exe | 117
PID 1412 wrote to memory of 228 | 1412 | cmd.exe | 190
PID 1412 wrote to memory of 228 | 1412 | cmd.exe | 190
PID 1412 wrote to memory of 228 | 1412 | cmd.exe | 190
PID 228 wrote to memory of 5112 | 228 | duppcaypkbxsmnxaownii.exe | 270
PID 228 wrote to memory of 5112 | 228 | duppcaypkbxsmnxaownii.exe | 270
PID 228 wrote to memory of 5112 | 228 | duppcaypkbxsmnxaownii.exe | 270
PID 1488 wrote to memory of 3484 | 1488 | myjtkkdhwit.exe | 121
PID 1488 wrote to memory of 3484 | 1488 | myjtkkdhwit.exe | 121
PID 1488 wrote to memory of 3484 | 1488 | myjtkkdhwit.exe | 121
PID 1488 wrote to memory of 5700 | 1488 | myjtkkdhwit.exe | 122
PID 1488 wrote to memory of 5700 | 1488 | myjtkkdhwit.exe | 122
PID 1488 wrote to memory of 5700 | 1488 | myjtkkdhwit.exe | 122
PID 5848 wrote to memory of 1696 | 5848 | cmd.exe | 128
PID 5848 wrote to memory of 1696 | 5848 | cmd.exe | 128
PID 5848 wrote to memory of 1696 | 5848 | cmd.exe | 128
PID 5920 wrote to memory of 2632 | 5920 | cmd.exe | 131
PID 5920 wrote to memory of 2632 | 5920 | cmd.exe | 131
PID 5920 wrote to memory of 2632 | 5920 | cmd.exe | 131
PID 2352 wrote to memory of 2384 | 2352 | cmd.exe | 133
PID 2352 wrote to memory of 2384 | 2352 | cmd.exe | 133
PID 2352 wrote to memory of 2384 | 2352 | cmd.exe | 133
PID 4740 wrote to memory of 5832 | 4740 | cmd.exe | 137
PID 4740 wrote to memory of 5832 | 4740 | cmd.exe | 137
PID 4740 wrote to memory of 5832 | 4740 | cmd.exe | 137
PID 2384 wrote to memory of 4316 | 2384 | bqjhsokzshbumltugmb.exe | 142
PID 2384 wrote to memory of 4316 | 2384 | bqjhsokzshbumltugmb.exe | 142
PID 2384 wrote to memory of 4316 | 2384 | bqjhsokzshbumltugmb.exe | 142
PID 4880 wrote to memory of 5652 | 4880 | cmd.exe | 356
PID 4880 wrote to memory of 5652 | 4880 | cmd.exe | 356
PID 4880 wrote to memory of 5652 | 4880 | cmd.exe | 356
PID 5832 wrote to memory of 1956 | 5832 | hulhqkerivneurxwg.exe | 153
System policy modification 1 TTPs 64 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | myjtkkdhwit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | myjtkkdhwit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | belxwgq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | myjtkkdhwit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | myjtkkdhwit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | myjtkkdhwit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | myjtkkdhwit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | myjtkkdhwit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | myjtkkdhwit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | belxwgq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | belxwgq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | belxwgq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | myjtkkdhwit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | belxwgq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | belxwgq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | myjtkkdhwit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | myjtkkdhwit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | myjtkkdhwit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | myjtkkdhwit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | belxwgq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | myjtkkdhwit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | myjtkkdhwit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | myjtkkdhwit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | myjtkkdhwit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | myjtkkdhwit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | belxwgq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | myjtkkdhwit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | myjtkkdhwit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | myjtkkdhwit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | belxwgq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | belxwgq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | myjtkkdhwit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | myjtkkdhwit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | myjtkkdhwit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | belxwgq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | belxwgq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | myjtkkdhwit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | belxwgq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | belxwgq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | belxwgq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | belxwgq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | myjtkkdhwit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | myjtkkdhwit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | belxwgq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | belxwgq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | myjtkkdhwit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | myjtkkdhwit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | myjtkkdhwit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | myjtkkdhwit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | myjtkkdhwit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | myjtkkdhwit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | belxwgq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | myjtkkdhwit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | myjtkkdhwit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | myjtkkdhwit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | myjtkkdhwit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | myjtkkdhwit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | belxwgq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | belxwgq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | belxwgq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | myjtkkdhwit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | belxwgq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | belxwgq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | myjtkkdhwit.exe
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2780
    C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_c1c90ccb7f44badc91ec2859323fcde2.exe*"
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Checks computer location settings
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Hijack Execution Flow: Executable Installer File Permissions Weakness
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      - System policy modification
      PID: 1488
        C:\Users\Admin\AppData\Local\Temp\belxwgq.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\belxwgq.exe" "-c:\users\admin\appdata\local\temp\jaffacakes118_c1c90ccb7f44badc91ec2859323fcde2.exe"
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Disables RegEdit via registry modification
          - Executes dropped EXE
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Hijack Execution Flow: Executable Installer File Permissions Weakness
          - Drops file in System32 directory
          - Drops file in Windows directory
          - System policy modification
          PID: 3484
        C:\Users\Admin\AppData\Local\Temp\belxwgq.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\belxwgq.exe" "-c:\users\admin\appdata\local\temp\jaffacakes118_c1c90ccb7f44badc91ec2859323fcde2.exe"
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Disables RegEdit via registry modification
          - Executes dropped EXE
          - Impair Defenses: Safe Mode Boot
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Hijack Execution Flow: Executable Installer File Permissions Weakness
          - Drops file in System32 directory
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - System policy modification
          PID: 5700

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c amcxfyrdtfwmbxca.exe
  - Suspicious use of WriteProcessMemory
  PID: 4516
    C:\Windows\amcxfyrdtfwmbxca.exe
      Command line: amcxfyrdtfwmbxca.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 544

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c duppcaypkbxsmnxaownii.exe .
  - Suspicious use of WriteProcessMemory
  PID: 4864
    C:\Windows\duppcaypkbxsmnxaownii.exe
      Command line: duppcaypkbxsmnxaownii.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 4824
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\duppcaypkbxsmnxaownii.exe*."
          - Executes dropped EXE
          PID: 4868

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c duppcaypkbxsmnxaownii.exe
  - Suspicious use of WriteProcessMemory
  PID: 6112
    C:\Windows\duppcaypkbxsmnxaownii.exe
      Command line: duppcaypkbxsmnxaownii.exe
      - Executes dropped EXE
      PID: 6044

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c bqjhsokzshbumltugmb.exe .
  - Suspicious use of WriteProcessMemory
  PID: 5008
    C:\Windows\bqjhsokzshbumltugmb.exe
      Command line: bqjhsokzshbumltugmb.exe .
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 5012
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\bqjhsokzshbumltugmb.exe*."
          - Executes dropped EXE
          PID: 3036

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe
  - Suspicious use of WriteProcessMemory
  PID: 5384
    C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 5552

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe .
  - Suspicious use of WriteProcessMemory
  PID: 5896
    C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 2184
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\hulhqkerivneurxwg.exe*."
          - Executes dropped EXE
          PID: 5580

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe
  - Suspicious use of WriteProcessMemory
  PID: 2460
    C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe
      - Executes dropped EXE
      PID: 3920

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe .
  - Suspicious use of WriteProcessMemory
  PID: 1412
    C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 228
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\duppcaypkbxsmnxaownii.exe*."
          - Executes dropped EXE
          PID: 5112

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c oeyxjgdtndyslluwjqga.exe
  - Suspicious use of WriteProcessMemory
  PID: 5848
    C:\Windows\oeyxjgdtndyslluwjqga.exe
      Command line: oeyxjgdtndyslluwjqga.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 1696

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c oeyxjgdtndyslluwjqga.exe
  - Suspicious use of WriteProcessMemory
  PID: 5920
    C:\Windows\oeyxjgdtndyslluwjqga.exe
      Command line: oeyxjgdtndyslluwjqga.exe
      - Executes dropped EXE
      PID: 2632

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c bqjhsokzshbumltugmb.exe .
  - Suspicious use of WriteProcessMemory
  PID: 2352
    C:\Windows\bqjhsokzshbumltugmb.exe
      Command line: bqjhsokzshbumltugmb.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2384
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\bqjhsokzshbumltugmb.exe*."
          - Executes dropped EXE
          PID: 4316

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c hulhqkerivneurxwg.exe .
  - Suspicious use of WriteProcessMemory
  PID: 4740
    C:\Windows\hulhqkerivneurxwg.exe
      Command line: hulhqkerivneurxwg.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 5832
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\hulhqkerivneurxwg.exe*."
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Disables RegEdit via registry modification
          - Executes dropped EXE
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in System32 directory
          - Drops file in Windows directory
          - System policy modification
          PID: 1956

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c duppcaypkbxsmnxaownii.exe
  - Suspicious use of WriteProcessMemory
  PID: 4880
    C:\Windows\duppcaypkbxsmnxaownii.exe
      Command line: duppcaypkbxsmnxaownii.exe
      - Executes dropped EXE
      PID: 5652

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c duppcaypkbxsmnxaownii.exe .
  PID: 3540
    C:\Windows\duppcaypkbxsmnxaownii.exe
      Command line: duppcaypkbxsmnxaownii.exe .
      - Checks computer location settings
      - Executes dropped EXE
      PID: 3836
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\duppcaypkbxsmnxaownii.exe*."
          - Executes dropped EXE
          PID: 5488

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c qewtdythzngypnuufk.exe
  PID: 3900
    C:\Windows\qewtdythzngypnuufk.exe
      Command line: qewtdythzngypnuufk.exe
      - Executes dropped EXE
      PID: 4592

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe
  PID: 5280
    C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe
      - Executes dropped EXE
      PID: 4724

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c qewtdythzngypnuufk.exe .
  PID: 3356
    C:\Windows\qewtdythzngypnuufk.exe
      Command line: qewtdythzngypnuufk.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 4720
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\qewtdythzngypnuufk.exe*."
          - Executes dropped EXE
          PID: 5024

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe .
  PID: 4196
    C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe .
      - Checks computer location settings
      - Executes dropped EXE
      PID: 3984
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\qewtdythzngypnuufk.exe*."
          - Executes dropped EXE
          PID: 3828

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exe
  PID: 5768
    C:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exe
      - Executes dropped EXE
      PID: 5552

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\amcxfyrdtfwmbxca.exe .
  PID: 2952
    C:\Users\Admin\AppData\Local\Temp\amcxfyrdtfwmbxca.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\amcxfyrdtfwmbxca.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 5284
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\amcxfyrdtfwmbxca.exe*."
          - Executes dropped EXE
          PID: 632

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\amcxfyrdtfwmbxca.exe
  PID: 4624
    C:\Users\Admin\AppData\Local\Temp\amcxfyrdtfwmbxca.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\amcxfyrdtfwmbxca.exe
      - Executes dropped EXE
      PID: 4628

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\amcxfyrdtfwmbxca.exe .
  PID: 4548
    C:\Users\Admin\AppData\Local\Temp\amcxfyrdtfwmbxca.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\amcxfyrdtfwmbxca.exe .
      - Executes dropped EXE
      PID: 780
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\amcxfyrdtfwmbxca.exe*."
          - Executes dropped EXE
          PID: 536

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe
  PID: 4568
    C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe
      - Executes dropped EXE
      PID: 5568

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe .
  PID: 4664
    C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 552
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\hulhqkerivneurxwg.exe*."
          - Executes dropped EXE
          PID: 2464

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c qewtdythzngypnuufk.exe
  PID: 4832
    C:\Windows\qewtdythzngypnuufk.exe
      Command line: qewtdythzngypnuufk.exe
      - Executes dropped EXE
      PID: 5492

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c amcxfyrdtfwmbxca.exe .
  PID: 4640
    C:\Windows\amcxfyrdtfwmbxca.exe
      Command line: amcxfyrdtfwmbxca.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 4992
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\amcxfyrdtfwmbxca.exe*."
          - Executes dropped EXE
          PID: 2428

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c hulhqkerivneurxwg.exe
  PID: 5916
    C:\Windows\hulhqkerivneurxwg.exe
      Command line: hulhqkerivneurxwg.exe
      - Executes dropped EXE
      PID: 5340

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c hulhqkerivneurxwg.exe .
  PID: 2256
    C:\Windows\hulhqkerivneurxwg.exe
      Command line: hulhqkerivneurxwg.exe .
      - Executes dropped EXE
      PID: 2940
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\hulhqkerivneurxwg.exe*."
          - Executes dropped EXE
          PID: 5476

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\amcxfyrdtfwmbxca.exe
  PID: 1900
    C:\Users\Admin\AppData\Local\Temp\amcxfyrdtfwmbxca.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\amcxfyrdtfwmbxca.exe
      - Executes dropped EXE
      PID: 2304

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exe .
  PID: 228
    C:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exe .
      - Executes dropped EXE
      PID: 1336
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\oeyxjgdtndyslluwjqga.exe*."
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Disables RegEdit via registry modification
          - Executes dropped EXE
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in System32 directory
          - Drops file in Windows directory
          - System policy modification
          PID: 5948

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe
  PID: 4076
    C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe
      - Executes dropped EXE
      PID: 2404

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exe .
  PID: 736
    C:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 972
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\oeyxjgdtndyslluwjqga.exe*."
          - Executes dropped EXE
          PID: 4304

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c oeyxjgdtndyslluwjqga.exe
  PID: 2312
    C:\Windows\oeyxjgdtndyslluwjqga.exe
      Command line: oeyxjgdtndyslluwjqga.exe
      - Executes dropped EXE
      PID: 3864

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c qewtdythzngypnuufk.exe .
  PID: 5264
    C:\Windows\qewtdythzngypnuufk.exe
      Command line: qewtdythzngypnuufk.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 4588
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\qewtdythzngypnuufk.exe*."
          - Executes dropped EXE
          PID: 4776

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c hulhqkerivneurxwg.exe
  PID: 4964
    C:\Windows\hulhqkerivneurxwg.exe
      Command line: hulhqkerivneurxwg.exe
      - Executes dropped EXE
      PID: 4528

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c oeyxjgdtndyslluwjqga.exe
  PID: 5276
    C:\Windows\oeyxjgdtndyslluwjqga.exe
      Command line: oeyxjgdtndyslluwjqga.exe
      - Executes dropped EXE
      PID: 3092

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c hulhqkerivneurxwg.exe .
  PID: 5028
    C:\Windows\hulhqkerivneurxwg.exe
      Command line: hulhqkerivneurxwg.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 796
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\hulhqkerivneurxwg.exe*."
          - Executes dropped EXE
          PID: 1416

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c hulhqkerivneurxwg.exe
  PID: 3812
    C:\Windows\hulhqkerivneurxwg.exe
      Command line: hulhqkerivneurxwg.exe
      - Executes dropped EXE
      PID: 1620

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe
  PID: 6112
    C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe
      - Executes dropped EXE
      PID: 4820

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c qewtdythzngypnuufk.exe .
  PID: 4516
    C:\Windows\qewtdythzngypnuufk.exe
      Command line: qewtdythzngypnuufk.exe .
      - Checks computer location settings
      - Executes dropped EXE
      PID: 1344
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\qewtdythzngypnuufk.exe*."
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Disables RegEdit via registry modification
          - Executes dropped EXE
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in System32 directory
          - Drops file in Windows directory
          - System policy modification
          PID: 4936

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exe .
  PID: 5384
    C:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exe .
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
      PID: 6084
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\oeyxjgdtndyslluwjqga.exe*."
          PID: 1156

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c hulhqkerivneurxwg.exe .
  PID: 1492
    C:\Windows\hulhqkerivneurxwg.exe
      Command line: hulhqkerivneurxwg.exe .
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
      PID: 6024
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\hulhqkerivneurxwg.exe*."
          PID: 5640
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oeyxjgdtndyslluwjqga.exe1⤵PID:4036
-
C:\Windows\oeyxjgdtndyslluwjqga.exeoeyxjgdtndyslluwjqga.exe2⤵
- Executes dropped EXE
PID:3580
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c duppcaypkbxsmnxaownii.exe1⤵PID:4644
-
C:\Windows\duppcaypkbxsmnxaownii.exeduppcaypkbxsmnxaownii.exe2⤵
- Executes dropped EXE
PID:4992
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oeyxjgdtndyslluwjqga.exe .1⤵PID:2508
-
C:\Windows\oeyxjgdtndyslluwjqga.exeoeyxjgdtndyslluwjqga.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4812 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\oeyxjgdtndyslluwjqga.exe*."3⤵PID:4336
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c amcxfyrdtfwmbxca.exe .1⤵PID:4904
-
C:\Windows\amcxfyrdtfwmbxca.exeamcxfyrdtfwmbxca.exe .2⤵
- Checks computer location settings
PID:3732 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\amcxfyrdtfwmbxca.exe*."3⤵PID:3936
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe1⤵PID:4244
-
C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exeC:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe2⤵PID:2668
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe1⤵PID:3676
-
C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exeC:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe2⤵PID:1912
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe1⤵PID:552
-
C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exeC:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe2⤵PID:4032
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\amcxfyrdtfwmbxca.exe .1⤵PID:632
-
C:\Users\Admin\AppData\Local\Temp\amcxfyrdtfwmbxca.exeC:\Users\Admin\AppData\Local\Temp\amcxfyrdtfwmbxca.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3988 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\amcxfyrdtfwmbxca.exe*."3⤵PID:3352
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exe .1⤵PID:3292
-
C:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exeC:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exe .2⤵
- Checks computer location settings
PID:5704 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\bqjhsokzshbumltugmb.exe*."3⤵PID:3804
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exe .1⤵PID:2568
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5492
-
-
C:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exeC:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exe .2⤵
- Checks computer location settings
PID:1472 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\bqjhsokzshbumltugmb.exe*."3⤵PID:2160
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exe1⤵PID:932
-
C:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exeC:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exe2⤵PID:4504
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exe1⤵PID:2208
-
C:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exeC:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exe2⤵PID:5848
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe .1⤵PID:5436
-
C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exeC:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4952 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\qewtdythzngypnuufk.exe*."3⤵PID:2264
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\amcxfyrdtfwmbxca.exe .1⤵PID:376
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5112
-
-
C:\Users\Admin\AppData\Local\Temp\amcxfyrdtfwmbxca.exeC:\Users\Admin\AppData\Local\Temp\amcxfyrdtfwmbxca.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2052 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\amcxfyrdtfwmbxca.exe*."3⤵PID:3668
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oeyxjgdtndyslluwjqga.exe1⤵PID:2996
-
C:\Windows\oeyxjgdtndyslluwjqga.exeoeyxjgdtndyslluwjqga.exe2⤵PID:696
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c duppcaypkbxsmnxaownii.exe .1⤵PID:2064
-
C:\Windows\duppcaypkbxsmnxaownii.exeduppcaypkbxsmnxaownii.exe .2⤵PID:2600
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\duppcaypkbxsmnxaownii.exe*."3⤵PID:4772
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bqjhsokzshbumltugmb.exe1⤵PID:3664
-
C:\Windows\bqjhsokzshbumltugmb.exebqjhsokzshbumltugmb.exe2⤵PID:2536
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c duppcaypkbxsmnxaownii.exe .1⤵PID:4588
-
C:\Windows\duppcaypkbxsmnxaownii.exeduppcaypkbxsmnxaownii.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4592 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\duppcaypkbxsmnxaownii.exe*."3⤵PID:4816
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exe1⤵PID:964
-
C:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exeC:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exe2⤵PID:2592
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exe .1⤵PID:1620
-
C:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exeC:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4524 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\oeyxjgdtndyslluwjqga.exe*."3⤵PID:404
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exe1⤵PID:3896
-
C:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exeC:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exe2⤵PID:4864
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exe .1⤵PID:5316
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3580
-
-
C:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exeC:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exe .2⤵PID:2832
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\oeyxjgdtndyslluwjqga.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3504
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c qewtdythzngypnuufk.exe1⤵PID:4452
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4628
-
-
C:\Windows\qewtdythzngypnuufk.exeqewtdythzngypnuufk.exe2⤵PID:5280
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hulhqkerivneurxwg.exe .1⤵PID:4812
-
C:\Windows\hulhqkerivneurxwg.exehulhqkerivneurxwg.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1132 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\hulhqkerivneurxwg.exe*."3⤵PID:4436
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bqjhsokzshbumltugmb.exe1⤵PID:5968
-
C:\Windows\bqjhsokzshbumltugmb.exebqjhsokzshbumltugmb.exe2⤵PID:4352
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c duppcaypkbxsmnxaownii.exe .1⤵PID:464
-
C:\Windows\duppcaypkbxsmnxaownii.exeduppcaypkbxsmnxaownii.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2880 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\duppcaypkbxsmnxaownii.exe*."3⤵PID:4024
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe1⤵PID:1492
-
C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exeC:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe2⤵PID:5896
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe .1⤵PID:5812
-
C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exeC:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5348 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\duppcaypkbxsmnxaownii.exe*."3⤵PID:1336
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe1⤵PID:5268
-
C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exeC:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe2⤵PID:1624
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe .1⤵PID:4384
-
C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exeC:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5624 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\duppcaypkbxsmnxaownii.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:312
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c amcxfyrdtfwmbxca.exe1⤵PID:6036
-
C:\Windows\amcxfyrdtfwmbxca.exeamcxfyrdtfwmbxca.exe2⤵PID:5652
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oeyxjgdtndyslluwjqga.exe .1⤵PID:4608
-
C:\Windows\oeyxjgdtndyslluwjqga.exeoeyxjgdtndyslluwjqga.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5476 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\oeyxjgdtndyslluwjqga.exe*."3⤵PID:5760
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bqjhsokzshbumltugmb.exe1⤵PID:5740
-
C:\Windows\bqjhsokzshbumltugmb.exebqjhsokzshbumltugmb.exe2⤵PID:3668
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c duppcaypkbxsmnxaownii.exe .1⤵PID:5844
-
C:\Windows\duppcaypkbxsmnxaownii.exeduppcaypkbxsmnxaownii.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4900 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\duppcaypkbxsmnxaownii.exe*."3⤵PID:5112
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe1⤵PID:1120
-
C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exeC:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe2⤵PID:4724
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe .1⤵PID:2600
-
C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exeC:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1236 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\qewtdythzngypnuufk.exe*."3⤵PID:3128
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe1⤵PID:5832
-
C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exeC:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe2⤵PID:3540
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe .1⤵PID:2592
-
C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exeC:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4420 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\hulhqkerivneurxwg.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4800
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c duppcaypkbxsmnxaownii.exe1⤵PID:4876
-
C:\Windows\duppcaypkbxsmnxaownii.exeduppcaypkbxsmnxaownii.exe2⤵PID:3368
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c qewtdythzngypnuufk.exe .1⤵PID:5344
-
C:\Windows\qewtdythzngypnuufk.exeqewtdythzngypnuufk.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1416 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\qewtdythzngypnuufk.exe*."3⤵PID:1068
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oeyxjgdtndyslluwjqga.exe1⤵PID:4712
-
C:\Windows\oeyxjgdtndyslluwjqga.exeoeyxjgdtndyslluwjqga.exe2⤵PID:4452
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bqjhsokzshbumltugmb.exe .1⤵PID:2864
-
C:\Windows\bqjhsokzshbumltugmb.exebqjhsokzshbumltugmb.exe .2⤵
- Checks computer location settings
PID:8 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\bqjhsokzshbumltugmb.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5648
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe1⤵PID:544
-
C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exeC:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe2⤵PID:6040
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe .1⤵PID:5296
-
C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exeC:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe .2⤵
- Checks computer location settings
PID:5212 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\hulhqkerivneurxwg.exe*."3⤵PID:5256
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\amcxfyrdtfwmbxca.exe1⤵PID:4836
-
C:\Users\Admin\AppData\Local\Temp\amcxfyrdtfwmbxca.exeC:\Users\Admin\AppData\Local\Temp\amcxfyrdtfwmbxca.exe2⤵PID:4832
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exe .1⤵PID:5032
-
C:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exeC:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4732 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\oeyxjgdtndyslluwjqga.exe*."3⤵PID:3592
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hulhqkerivneurxwg.exe1⤵PID:5488
-
C:\Windows\hulhqkerivneurxwg.exehulhqkerivneurxwg.exe2⤵PID:5160
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c qewtdythzngypnuufk.exe .1⤵PID:4460
-
C:\Windows\qewtdythzngypnuufk.exeqewtdythzngypnuufk.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3136 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\qewtdythzngypnuufk.exe*."3⤵PID:1092
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oeyxjgdtndyslluwjqga.exe1⤵PID:5500
-
C:\Windows\oeyxjgdtndyslluwjqga.exeoeyxjgdtndyslluwjqga.exe2⤵PID:1340
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c amcxfyrdtfwmbxca.exe .1⤵PID:1720
-
C:\Windows\amcxfyrdtfwmbxca.exeamcxfyrdtfwmbxca.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3936 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\amcxfyrdtfwmbxca.exe*."3⤵PID:5704
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe1⤵PID:1676
-
C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exeC:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe2⤵PID:5388
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe .1⤵PID:3604
-
C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exeC:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5912 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\hulhqkerivneurxwg.exe*."3⤵PID:5612
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe1⤵PID:436
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2940
-
-
C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exeC:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe2⤵PID:2312
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\amcxfyrdtfwmbxca.exe .1⤵PID:5672
-
C:\Users\Admin\AppData\Local\Temp\amcxfyrdtfwmbxca.exeC:\Users\Admin\AppData\Local\Temp\amcxfyrdtfwmbxca.exe .2⤵PID:4484
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\amcxfyrdtfwmbxca.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2176
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c amcxfyrdtfwmbxca.exe1⤵PID:2568
-
C:\Windows\amcxfyrdtfwmbxca.exeamcxfyrdtfwmbxca.exe2⤵PID:4952
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bqjhsokzshbumltugmb.exe .1⤵PID:4788
-
C:\Windows\bqjhsokzshbumltugmb.exebqjhsokzshbumltugmb.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4724 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\bqjhsokzshbumltugmb.exe*."3⤵PID:448
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c amcxfyrdtfwmbxca.exe1⤵PID:5108
-
C:\Windows\amcxfyrdtfwmbxca.exeamcxfyrdtfwmbxca.exe2⤵PID:2064
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c amcxfyrdtfwmbxca.exe .1⤵PID:536
-
C:\Windows\amcxfyrdtfwmbxca.exeamcxfyrdtfwmbxca.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1236 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\amcxfyrdtfwmbxca.exe*."3⤵PID:4500
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exe1⤵PID:1884
-
C:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exeC:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exe2⤵PID:696
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exe .1⤵PID:4512
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2304
-
-
C:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exeC:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exe .2⤵
- Checks computer location settings
PID:4792 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\bqjhsokzshbumltugmb.exe*."3⤵PID:4824
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c amcxfyrdtfwmbxca.exe1⤵PID:5056
-
C:\Windows\amcxfyrdtfwmbxca.exeamcxfyrdtfwmbxca.exe2⤵PID:3600
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c amcxfyrdtfwmbxca.exe1⤵PID:2592
-
C:\Windows\amcxfyrdtfwmbxca.exeamcxfyrdtfwmbxca.exe2⤵PID:1996
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe1⤵PID:3084
-
C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exeC:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe2⤵PID:5916
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bqjhsokzshbumltugmb.exe .1⤵PID:2140
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1620
-
-
C:\Windows\bqjhsokzshbumltugmb.exebqjhsokzshbumltugmb.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:960 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\bqjhsokzshbumltugmb.exe*."3⤵PID:3576
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exe .1⤵PID:6112
-
C:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exeC:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exe .2⤵
- Checks computer location settings
PID:4452 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\bqjhsokzshbumltugmb.exe*."3⤵PID:5860
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bqjhsokzshbumltugmb.exe .1⤵PID:5384
-
C:\Windows\bqjhsokzshbumltugmb.exebqjhsokzshbumltugmb.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4208 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\bqjhsokzshbumltugmb.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:428
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bqjhsokzshbumltugmb.exe1⤵PID:1936
-
C:\Windows\bqjhsokzshbumltugmb.exebqjhsokzshbumltugmb.exe2⤵PID:1232
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bqjhsokzshbumltugmb.exe1⤵PID:5212
-
C:\Windows\bqjhsokzshbumltugmb.exebqjhsokzshbumltugmb.exe2⤵PID:6048
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c qewtdythzngypnuufk.exe .1⤵PID:1344
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2668
-
-
C:\Windows\qewtdythzngypnuufk.exeqewtdythzngypnuufk.exe .2⤵
- Checks computer location settings
PID:5976 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\qewtdythzngypnuufk.exe*."3⤵PID:5516
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c qewtdythzngypnuufk.exe .1⤵PID:1684
-
C:\Windows\qewtdythzngypnuufk.exeqewtdythzngypnuufk.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5084 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\qewtdythzngypnuufk.exe*."3⤵PID:4384
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe1⤵PID:796
-
C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exeC:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe2⤵PID:5624
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe1⤵PID:4032
-
C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exeC:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe2⤵PID:2312
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exe .1⤵PID:4680
-
C:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exeC:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exe .2⤵
- System Location Discovery: System Language Discovery
PID:380 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\oeyxjgdtndyslluwjqga.exe*."3⤵PID:3504
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exe .1⤵PID:1508
-
C:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exeC:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3644 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\oeyxjgdtndyslluwjqga.exe*."3⤵PID:5132
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe1⤵PID:3732
-
C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exeC:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe2⤵PID:2184
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe1⤵PID:5272
-
C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exeC:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe2⤵PID:2464
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe .1⤵PID:4348
-
C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exeC:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:6016 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\duppcaypkbxsmnxaownii.exe*."3⤵PID:3292
-
-
-

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exe .  (PID 3168)
  C:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exe .  (PID 4484)
    - System Location Discovery: System Language Discovery
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\bqjhsokzshbumltugmb.exe*."  (PID 4608)

C:\Windows\system32\cmd.exe /c hulhqkerivneurxwg.exe  (PID 5632)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  (PID 5652) [image: C:\Windows\System32\Conhost.exe]
  hulhqkerivneurxwg.exe  (PID 1236) [image: C:\Windows\hulhqkerivneurxwg.exe]

C:\Windows\system32\cmd.exe /c amcxfyrdtfwmbxca.exe .  (PID 5556)
  amcxfyrdtfwmbxca.exe .  (PID 5740) [image: C:\Windows\amcxfyrdtfwmbxca.exe]
    - System Location Discovery: System Language Discovery
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\amcxfyrdtfwmbxca.exe*."  (PID 5972)

C:\Windows\system32\cmd.exe /c bqjhsokzshbumltugmb.exe  (PID 4868)
  bqjhsokzshbumltugmb.exe  (PID 372) [image: C:\Windows\bqjhsokzshbumltugmb.exe]

C:\Windows\system32\cmd.exe /c amcxfyrdtfwmbxca.exe .  (PID 5012)
  amcxfyrdtfwmbxca.exe .  (PID 5928) [image: C:\Windows\amcxfyrdtfwmbxca.exe]
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\amcxfyrdtfwmbxca.exe*."  (PID 4364)

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\amcxfyrdtfwmbxca.exe  (PID 5664)
  C:\Users\Admin\AppData\Local\Temp\amcxfyrdtfwmbxca.exe  (PID 3540)

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe .  (PID 5156)
  C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe .  (PID 1500)
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\hulhqkerivneurxwg.exe*."  (PID 4728)

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe  (PID 4476)
  C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe  (PID 5276)

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe .  (PID 4908)
  C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe .  (PID 5916)
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\qewtdythzngypnuufk.exe*."  (PID 3408)
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe /c oeyxjgdtndyslluwjqga.exe  (PID 876)
  oeyxjgdtndyslluwjqga.exe  (PID 2904) [image: C:\Windows\oeyxjgdtndyslluwjqga.exe]

C:\Windows\system32\cmd.exe /c bqjhsokzshbumltugmb.exe .  (PID 2120)
  bqjhsokzshbumltugmb.exe .  (PID 3092) [image: C:\Windows\bqjhsokzshbumltugmb.exe]
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\bqjhsokzshbumltugmb.exe*."  (PID 1232)

C:\Windows\system32\cmd.exe /c hulhqkerivneurxwg.exe  (PID 4760)
  hulhqkerivneurxwg.exe  (PID 5500) [image: C:\Windows\hulhqkerivneurxwg.exe]

C:\Windows\system32\cmd.exe /c bqjhsokzshbumltugmb.exe .  (PID 5564)
  bqjhsokzshbumltugmb.exe .  (PID 6136) [image: C:\Windows\bqjhsokzshbumltugmb.exe]
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\bqjhsokzshbumltugmb.exe*."  (PID 2788)

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exe  (PID 5960)
  C:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exe  (PID 5624)

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\amcxfyrdtfwmbxca.exe .  (PID 3416)
  C:\Users\Admin\AppData\Local\Temp\amcxfyrdtfwmbxca.exe .  (PID 3900)
    - Checks computer location settings
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\amcxfyrdtfwmbxca.exe*."  (PID 1936)

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe  (PID 1320)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  (PID 972) [image: C:\Windows\System32\Conhost.exe]
  C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe  (PID 5124)

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exe .  (PID 1676)
  C:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exe .  (PID 2828)
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\bqjhsokzshbumltugmb.exe*."  (PID 4616)
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe /c qewtdythzngypnuufk.exe  (PID 1684)
  qewtdythzngypnuufk.exe  (PID 5760) [image: C:\Windows\qewtdythzngypnuufk.exe]

C:\Windows\system32\cmd.exe /c duppcaypkbxsmnxaownii.exe .  (PID 4668)
  duppcaypkbxsmnxaownii.exe .  (PID 2852) [image: C:\Windows\duppcaypkbxsmnxaownii.exe]
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\duppcaypkbxsmnxaownii.exe*."  (PID 4196)

C:\Windows\system32\cmd.exe /c oeyxjgdtndyslluwjqga.exe  (PID 4180)
  oeyxjgdtndyslluwjqga.exe  (PID 1508) [image: C:\Windows\oeyxjgdtndyslluwjqga.exe]

C:\Windows\system32\cmd.exe /c duppcaypkbxsmnxaownii.exe .  (PID 5732)
  duppcaypkbxsmnxaownii.exe .  (PID 3164) [image: C:\Windows\duppcaypkbxsmnxaownii.exe]
    - Checks computer location settings
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\duppcaypkbxsmnxaownii.exe*."  (PID 3036)

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exe  (PID 4024)
  C:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exe  (PID 4308)

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe .  (PID 228)
  C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe .  (PID 3020)
    - Checks computer location settings
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\duppcaypkbxsmnxaownii.exe*."  (PID 5112)

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\amcxfyrdtfwmbxca.exe  (PID 4900)
  C:\Users\Admin\AppData\Local\Temp\amcxfyrdtfwmbxca.exe  (PID 2404)

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe .  (PID 3828)
  C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe .  (PID 536)
    - System Location Discovery: System Language Discovery
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\hulhqkerivneurxwg.exe*."  (PID 2536)
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe /c duppcaypkbxsmnxaownii.exe  (PID 5092)
  duppcaypkbxsmnxaownii.exe  (PID 4572) [image: C:\Windows\duppcaypkbxsmnxaownii.exe]

C:\Windows\system32\cmd.exe /c amcxfyrdtfwmbxca.exe .  (PID 5456)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  (PID 4504) [image: C:\Windows\System32\Conhost.exe]
  amcxfyrdtfwmbxca.exe .  (PID 4876) [image: C:\Windows\amcxfyrdtfwmbxca.exe]
    - System Location Discovery: System Language Discovery
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\amcxfyrdtfwmbxca.exe*."  (PID 4088)

C:\Windows\system32\cmd.exe /c hulhqkerivneurxwg.exe  (PID 4756)
  hulhqkerivneurxwg.exe  (PID 3356) [image: C:\Windows\hulhqkerivneurxwg.exe]

C:\Windows\system32\cmd.exe /c duppcaypkbxsmnxaownii.exe .  (PID 5488)
  duppcaypkbxsmnxaownii.exe .  (PID 1776) [image: C:\Windows\duppcaypkbxsmnxaownii.exe]
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\duppcaypkbxsmnxaownii.exe*."  (PID 4632)

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exe  (PID 3860)
  C:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exe  (PID 2904)

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\amcxfyrdtfwmbxca.exe .  (PID 4984)
  C:\Users\Admin\AppData\Local\Temp\amcxfyrdtfwmbxca.exe .  (PID 5280)
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\amcxfyrdtfwmbxca.exe*."  (PID 320)

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe  (PID 5628)
  C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe  (PID 3068)

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exe .  (PID 1232)
  C:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exe .  (PID 4804)
    - System Location Discovery: System Language Discovery
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\bqjhsokzshbumltugmb.exe*."  (PID 1632)
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe /c bqjhsokzshbumltugmb.exe  (PID 2460)
  bqjhsokzshbumltugmb.exe  (PID 3380) [image: C:\Windows\bqjhsokzshbumltugmb.exe]

C:\Windows\system32\cmd.exe /c duppcaypkbxsmnxaownii.exe .  (PID 2184)
  duppcaypkbxsmnxaownii.exe .  (PID 5544) [image: C:\Windows\duppcaypkbxsmnxaownii.exe]
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\duppcaypkbxsmnxaownii.exe*."  (PID 1392)

C:\Windows\system32\cmd.exe /c amcxfyrdtfwmbxca.exe  (PID 1420)
  amcxfyrdtfwmbxca.exe  (PID 1320) [image: C:\Windows\amcxfyrdtfwmbxca.exe]

C:\Windows\system32\cmd.exe /c bqjhsokzshbumltugmb.exe .  (PID 1340)
  bqjhsokzshbumltugmb.exe .  (PID 5704) [image: C:\Windows\bqjhsokzshbumltugmb.exe]
    - Checks computer location settings
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\bqjhsokzshbumltugmb.exe*."  (PID 1912)

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exe  (PID 2312)
  C:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exe  (PID 2264)

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exe .  (PID 2296)
  C:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exe .  (PID 4016)
    - System Location Discovery: System Language Discovery
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\bqjhsokzshbumltugmb.exe*."  (PID 1344)

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe  (PID 808)
  C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe  (PID 4832)

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exe .  (PID 4600)
  C:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exe .  (PID 384)
    - Checks computer location settings
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\bqjhsokzshbumltugmb.exe*."  (PID 5792)
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe /c amcxfyrdtfwmbxca.exe  (PID 4308)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  (PID 3988) [image: C:\Windows\System32\Conhost.exe]
  amcxfyrdtfwmbxca.exe  (PID 3952) [image: C:\Windows\amcxfyrdtfwmbxca.exe]

C:\Windows\system32\cmd.exe /c qewtdythzngypnuufk.exe .  (PID 4896)
  qewtdythzngypnuufk.exe .  (PID 4692) [image: C:\Windows\qewtdythzngypnuufk.exe]
    - Checks computer location settings
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\qewtdythzngypnuufk.exe*."  (PID 3540)

C:\Windows\system32\cmd.exe /c amcxfyrdtfwmbxca.exe  (PID 2436)
  amcxfyrdtfwmbxca.exe  (PID 3456) [image: C:\Windows\amcxfyrdtfwmbxca.exe]

C:\Windows\system32\cmd.exe /c duppcaypkbxsmnxaownii.exe .  (PID 1052)
  duppcaypkbxsmnxaownii.exe .  (PID 436) [image: C:\Windows\duppcaypkbxsmnxaownii.exe]
    - System Location Discovery: System Language Discovery
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\duppcaypkbxsmnxaownii.exe*."  (PID 2064)

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exe  (PID 5556)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  (PID 4900) [image: C:\Windows\System32\Conhost.exe]
  C:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exe  (PID 760)

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe .  (PID 2280)
  C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe .  (PID 3508)
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\qewtdythzngypnuufk.exe*."  (PID 2824)

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exe  (PID 4792)
  C:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exe  (PID 1500)

C:\Windows\system32\cmd.exe /c hulhqkerivneurxwg.exe  (PID 2700)
  hulhqkerivneurxwg.exe  (PID 3528) [image: C:\Windows\hulhqkerivneurxwg.exe]

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe .  (PID 3468)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  (PID 2052) [image: C:\Windows\System32\Conhost.exe]
  C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe .  (PID 4632)
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\duppcaypkbxsmnxaownii.exe*."  (PID 5884)

C:\Windows\system32\cmd.exe /c bqjhsokzshbumltugmb.exe  (PID 2956)
  bqjhsokzshbumltugmb.exe  (PID 2904) [image: C:\Windows\bqjhsokzshbumltugmb.exe]

C:\Windows\system32\cmd.exe /c oeyxjgdtndyslluwjqga.exe .  (PID 5056)
  oeyxjgdtndyslluwjqga.exe .  (PID 3956) [image: C:\Windows\oeyxjgdtndyslluwjqga.exe]
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\oeyxjgdtndyslluwjqga.exe*."  (PID 1440)
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe /c bqjhsokzshbumltugmb.exe .  (PID 5756)
  bqjhsokzshbumltugmb.exe .  (PID 2788) [image: C:\Windows\bqjhsokzshbumltugmb.exe]
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\bqjhsokzshbumltugmb.exe*."  (PID 4968)

C:\Windows\system32\cmd.exe /c oeyxjgdtndyslluwjqga.exe  (PID 2324)
  oeyxjgdtndyslluwjqga.exe  (PID 6136) [image: C:\Windows\oeyxjgdtndyslluwjqga.exe]

C:\Windows\system32\cmd.exe /c oeyxjgdtndyslluwjqga.exe  (PID 644)
  oeyxjgdtndyslluwjqga.exe  (PID 464) [image: C:\Windows\oeyxjgdtndyslluwjqga.exe]

C:\Windows\system32\cmd.exe /c hulhqkerivneurxwg.exe .  (PID 2540)
  hulhqkerivneurxwg.exe .  (PID 2828) [image: C:\Windows\hulhqkerivneurxwg.exe]
    - Checks computer location settings
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\hulhqkerivneurxwg.exe*."  (PID 5848)

C:\Windows\system32\cmd.exe /c duppcaypkbxsmnxaownii.exe .  (PID 3656)
  duppcaypkbxsmnxaownii.exe .  (PID 4516) [image: C:\Windows\duppcaypkbxsmnxaownii.exe]
    - Checks computer location settings
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\duppcaypkbxsmnxaownii.exe*."  (PID 1624)

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\amcxfyrdtfwmbxca.exe  (PID 320)
  C:\Users\Admin\AppData\Local\Temp\amcxfyrdtfwmbxca.exe  (PID 4256)

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe  (PID 4804)
  C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe  (PID 3396)

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\amcxfyrdtfwmbxca.exe .  (PID 2948)
  C:\Users\Admin\AppData\Local\Temp\amcxfyrdtfwmbxca.exe .  (PID 2296)
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\amcxfyrdtfwmbxca.exe*."  (PID 3952)

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe .  (PID 3732)
  C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe .  (PID 2016)
    - Checks computer location settings
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\duppcaypkbxsmnxaownii.exe*."  (PID 2308)

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe  (PID 3416)
  C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe  (PID 4952)

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe  (PID 5384)
  C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe  (PID 3260)

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe .  (PID 4524)
  C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe .  (PID 4308)
    - Checks computer location settings
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\qewtdythzngypnuufk.exe*."  (PID 3600)

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe .  (PID 780)
  C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe .  (PID 1436)
    - System Location Discovery: System Language Discovery
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\duppcaypkbxsmnxaownii.exe*."  (PID 4384)

C:\Windows\system32\cmd.exe /c bqjhsokzshbumltugmb.exe  (PID 5896)
  bqjhsokzshbumltugmb.exe  (PID 548) [image: C:\Windows\bqjhsokzshbumltugmb.exe]

C:\Windows\system32\cmd.exe /c qewtdythzngypnuufk.exe .  (PID 632)
  qewtdythzngypnuufk.exe .  (PID 4616) [image: C:\Windows\qewtdythzngypnuufk.exe]
    - System Location Discovery: System Language Discovery
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\qewtdythzngypnuufk.exe*."  (PID 2772)

C:\Windows\system32\cmd.exe /c oeyxjgdtndyslluwjqga.exe  (PID 384)
  oeyxjgdtndyslluwjqga.exe  (PID 2432) [image: C:\Windows\oeyxjgdtndyslluwjqga.exe]

C:\Windows\system32\cmd.exe /c duppcaypkbxsmnxaownii.exe .  (PID 2860)
  duppcaypkbxsmnxaownii.exe .  (PID 3812) [image: C:\Windows\duppcaypkbxsmnxaownii.exe]
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\duppcaypkbxsmnxaownii.exe*."  (PID 5140)

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\amcxfyrdtfwmbxca.exe  (PID 3936)
  C:\Users\Admin\AppData\Local\Temp\amcxfyrdtfwmbxca.exe  (PID 5880)

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe .  (PID 2208)
  C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe .  (PID 5552)
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\hulhqkerivneurxwg.exe*."  (PID 2824)

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe  (PID 3024)
  C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe  (PID 376)

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exe .  (PID 5656)
  C:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exe .  (PID 3152)
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\oeyxjgdtndyslluwjqga.exe*."  (PID 2392)

C:\Windows\system32\cmd.exe /c qewtdythzngypnuufk.exe  (PID 1768)
  qewtdythzngypnuufk.exe  (PID 2304) [image: C:\Windows\qewtdythzngypnuufk.exe]

C:\Windows\system32\cmd.exe /c amcxfyrdtfwmbxca.exe .  (PID 4728)
  amcxfyrdtfwmbxca.exe .  (PID 3576) [image: C:\Windows\amcxfyrdtfwmbxca.exe]
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\amcxfyrdtfwmbxca.exe*."  (PID 6136)

C:\Windows\system32\cmd.exe /c amcxfyrdtfwmbxca.exe  (PID 4088)
  amcxfyrdtfwmbxca.exe  (PID 4864) [image: C:\Windows\amcxfyrdtfwmbxca.exe]

C:\Windows\system32\cmd.exe /c oeyxjgdtndyslluwjqga.exe .  (PID 3536)
  oeyxjgdtndyslluwjqga.exe .  (PID 2264) [image: C:\Windows\oeyxjgdtndyslluwjqga.exe]
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\oeyxjgdtndyslluwjqga.exe*."  (PID 5516)

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe  (PID 6040)
  C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe  (PID 1184)

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe .  (PID 5056)
  C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe .  (PID 1424)
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\hulhqkerivneurxwg.exe*."  (PID 4620)

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exe  (PID 2656)
  C:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exe  (PID 4608)

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\amcxfyrdtfwmbxca.exe .  (PID 4588)
  C:\Users\Admin\AppData\Local\Temp\amcxfyrdtfwmbxca.exe .  (PID 4544)
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\amcxfyrdtfwmbxca.exe*."  (PID 4440)

C:\Windows\system32\cmd.exe /c duppcaypkbxsmnxaownii.exe  (PID 1676)
  duppcaypkbxsmnxaownii.exe  (PID 1120) [image: C:\Windows\duppcaypkbxsmnxaownii.exe]

C:\Windows\system32\cmd.exe /c hulhqkerivneurxwg.exe .  (PID 3976)
  hulhqkerivneurxwg.exe .  (PID 5476) [image: C:\Windows\hulhqkerivneurxwg.exe]
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\hulhqkerivneurxwg.exe*."  (PID 2708)

C:\Windows\system32\cmd.exe /c duppcaypkbxsmnxaownii.exe  (PID 2428)
  duppcaypkbxsmnxaownii.exe  (PID 4180) [image: C:\Windows\duppcaypkbxsmnxaownii.exe]

C:\Windows\system32\cmd.exe /c qewtdythzngypnuufk.exe .  (PID 2288)
  qewtdythzngypnuufk.exe .  (PID 5384) [image: C:\Windows\qewtdythzngypnuufk.exe]
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\qewtdythzngypnuufk.exe*."  (PID 1816)

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exe  (PID 2460)
  C:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exe  (PID 4720)

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exe .  (PID 5236)
  C:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exe .  (PID 3380)
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\oeyxjgdtndyslluwjqga.exe*."  (PID 5204)

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe  (PID 4912)
  C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe  (PID 5212)

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exe .  (PID 4984)
  C:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exe .  (PID 5896)
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\bqjhsokzshbumltugmb.exe*."  (PID 6128)

C:\Windows\system32\cmd.exe /c bqjhsokzshbumltugmb.exe  (PID 3600)
  bqjhsokzshbumltugmb.exe  (PID 3864) [image: C:\Windows\bqjhsokzshbumltugmb.exe]

C:\Windows\system32\cmd.exe /c duppcaypkbxsmnxaownii.exe .  (PID 4036)
  duppcaypkbxsmnxaownii.exe .  (PID 1440) [image: C:\Windows\duppcaypkbxsmnxaownii.exe]
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\duppcaypkbxsmnxaownii.exe*."  (PID 4364)

C:\Windows\system32\cmd.exe /c duppcaypkbxsmnxaownii.exe  (PID 1460)
  duppcaypkbxsmnxaownii.exe  (PID 2824) [image: C:\Windows\duppcaypkbxsmnxaownii.exe]

C:\Windows\system32\cmd.exe /c duppcaypkbxsmnxaownii.exe .  (PID 4560)
  duppcaypkbxsmnxaownii.exe .  (PID 604) [image: C:\Windows\duppcaypkbxsmnxaownii.exe]
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\duppcaypkbxsmnxaownii.exe*."  (PID 2336)

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exe  (PID 1992)
  C:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exe  (PID 224)

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe .  (PID 5732)
  C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe .  (PID 5952)
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\hulhqkerivneurxwg.exe*."  (PID 5436)

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\amcxfyrdtfwmbxca.exe  (PID 3548)
  C:\Users\Admin\AppData\Local\Temp\amcxfyrdtfwmbxca.exe  (PID 3152)

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\amcxfyrdtfwmbxca.exe .  (PID 2852)
  C:\Users\Admin\AppData\Local\Temp\amcxfyrdtfwmbxca.exe .  (PID 372)
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\amcxfyrdtfwmbxca.exe*."  (PID 5656)

C:\Windows\system32\cmd.exe /c bqjhsokzshbumltugmb.exe  (PID 3836)
  bqjhsokzshbumltugmb.exe  (PID 2484) [image: C:\Windows\bqjhsokzshbumltugmb.exe]

C:\Windows\system32\cmd.exe /c bqjhsokzshbumltugmb.exe .  (PID 5824)
  bqjhsokzshbumltugmb.exe .  (PID 4660) [image: C:\Windows\bqjhsokzshbumltugmb.exe]
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\bqjhsokzshbumltugmb.exe*."  (PID 2592)

C:\Windows\system32\cmd.exe /c hulhqkerivneurxwg.exe  (PID 2660)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  (PID 1068) [image: C:\Windows\System32\Conhost.exe]
  hulhqkerivneurxwg.exe  (PID 4844) [image: C:\Windows\hulhqkerivneurxwg.exe]

C:\Windows\system32\cmd.exe /c qewtdythzngypnuufk.exe .  (PID 4848)
  qewtdythzngypnuufk.exe .  (PID 3536) [image: C:\Windows\qewtdythzngypnuufk.exe]
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\qewtdythzngypnuufk.exe*."  (PID 4492)

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe  (PID 5028)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  (PID 5516) [image: C:\Windows\System32\Conhost.exe]
  C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe  (PID 4584)

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe .  (PID 2756)
  C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe .  (PID 5256)
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\duppcaypkbxsmnxaownii.exe*."  (PID 2656)

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exe  (PID 3948)
  C:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exe  (PID 1640)

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe .  (PID 5916)
  C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe .  (PID 4756)
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\hulhqkerivneurxwg.exe*."  (PID 5796)

C:\Windows\system32\cmd.exe /c hulhqkerivneurxwg.exe  (PID 6016)
  hulhqkerivneurxwg.exe  (PID 4680) [image: C:\Windows\hulhqkerivneurxwg.exe]

C:\Windows\system32\cmd.exe /c qewtdythzngypnuufk.exe .  (PID 1472)
  qewtdythzngypnuufk.exe .  (PID 6076) [image: C:\Windows\qewtdythzngypnuufk.exe]
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\qewtdythzngypnuufk.exe*."  (PID 1180)
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bqjhsokzshbumltugmb.exe1⤵PID:2708
-
C:\Windows\bqjhsokzshbumltugmb.exebqjhsokzshbumltugmb.exe2⤵PID:2864
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c duppcaypkbxsmnxaownii.exe .1⤵PID:312
-
C:\Windows\duppcaypkbxsmnxaownii.exeduppcaypkbxsmnxaownii.exe .2⤵PID:2740
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\duppcaypkbxsmnxaownii.exe*."3⤵PID:1780
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exe1⤵PID:4352
-
C:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exeC:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exe2⤵PID:4744
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe .1⤵PID:1816
-
C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exeC:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe .2⤵PID:3920
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\duppcaypkbxsmnxaownii.exe*."3⤵PID:4384
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exe1⤵PID:5212
-
C:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exeC:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exe2⤵PID:5852
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c amcxfyrdtfwmbxca.exe1⤵PID:1932
-
C:\Windows\amcxfyrdtfwmbxca.exeamcxfyrdtfwmbxca.exe2⤵PID:3668
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exe .1⤵PID:2432
-
C:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exeC:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exe .2⤵PID:2776
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\bqjhsokzshbumltugmb.exe*."3⤵PID:604
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c qewtdythzngypnuufk.exe1⤵PID:5240
-
C:\Windows\qewtdythzngypnuufk.exeqewtdythzngypnuufk.exe2⤵PID:5248
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c duppcaypkbxsmnxaownii.exe .1⤵PID:5112
-
C:\Windows\duppcaypkbxsmnxaownii.exeduppcaypkbxsmnxaownii.exe .2⤵PID:4084
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\duppcaypkbxsmnxaownii.exe*."3⤵PID:5588
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oeyxjgdtndyslluwjqga.exe .1⤵PID:4336
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3600
-
-
C:\Windows\oeyxjgdtndyslluwjqga.exeoeyxjgdtndyslluwjqga.exe .2⤵PID:2536
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\oeyxjgdtndyslluwjqga.exe*."3⤵PID:3888
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bqjhsokzshbumltugmb.exe1⤵PID:5560
-
C:\Windows\bqjhsokzshbumltugmb.exebqjhsokzshbumltugmb.exe2⤵PID:6004
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c amcxfyrdtfwmbxca.exe .1⤵PID:1460
-
C:\Windows\amcxfyrdtfwmbxca.exeamcxfyrdtfwmbxca.exe .2⤵PID:1288
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\amcxfyrdtfwmbxca.exe*."3⤵PID:1936
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c qewtdythzngypnuufk.exe1⤵PID:1292
-
C:\Windows\qewtdythzngypnuufk.exeqewtdythzngypnuufk.exe2⤵PID:4864
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe1⤵PID:2336
-
C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exeC:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe2⤵PID:5496
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oeyxjgdtndyslluwjqga.exe .1⤵PID:2256
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4724
-
-
C:\Windows\oeyxjgdtndyslluwjqga.exeoeyxjgdtndyslluwjqga.exe .2⤵PID:4764
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\oeyxjgdtndyslluwjqga.exe*."3⤵PID:5072
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe1⤵PID:2860
-
C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exeC:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe2⤵PID:4628
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\amcxfyrdtfwmbxca.exe .1⤵PID:4992
-
C:\Users\Admin\AppData\Local\Temp\amcxfyrdtfwmbxca.exeC:\Users\Admin\AppData\Local\Temp\amcxfyrdtfwmbxca.exe .2⤵PID:380
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\amcxfyrdtfwmbxca.exe*."3⤵PID:3840
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exe .1⤵PID:5156
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5792
-
-
C:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exeC:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exe .2⤵PID:1812
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\oeyxjgdtndyslluwjqga.exe*."3⤵PID:4908
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe1⤵PID:2724
-
C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exeC:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe2⤵PID:6036
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe .1⤵PID:1112
-
C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exeC:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe .2⤵PID:4104
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\hulhqkerivneurxwg.exe*."3⤵PID:4532
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exe1⤵PID:3140
-
C:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exeC:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exe2⤵PID:3468
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exe .1⤵PID:1752
-
C:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exeC:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exe .2⤵PID:544
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\bqjhsokzshbumltugmb.exe*."3⤵PID:5508
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c duppcaypkbxsmnxaownii.exe1⤵PID:4512
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:696
-
-
C:\Windows\duppcaypkbxsmnxaownii.exeduppcaypkbxsmnxaownii.exe2⤵PID:2772
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c qewtdythzngypnuufk.exe .1⤵PID:2264
-
C:\Windows\qewtdythzngypnuufk.exeqewtdythzngypnuufk.exe .2⤵PID:5556
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\qewtdythzngypnuufk.exe*."3⤵PID:5644
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c amcxfyrdtfwmbxca.exe1⤵PID:4716
-
C:\Windows\amcxfyrdtfwmbxca.exeamcxfyrdtfwmbxca.exe2⤵PID:3524
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hulhqkerivneurxwg.exe .1⤵PID:3904
-
C:\Windows\hulhqkerivneurxwg.exehulhqkerivneurxwg.exe .2⤵PID:1012
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\hulhqkerivneurxwg.exe*."3⤵PID:1900
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\amcxfyrdtfwmbxca.exe1⤵PID:5004
-
C:\Users\Admin\AppData\Local\Temp\amcxfyrdtfwmbxca.exeC:\Users\Admin\AppData\Local\Temp\amcxfyrdtfwmbxca.exe2⤵PID:3292
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe .1⤵PID:6084
-
C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exeC:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe .2⤵PID:4288
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\qewtdythzngypnuufk.exe*."3⤵PID:2460
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exe1⤵PID:3900
-
C:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exeC:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exe2⤵PID:2072
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe .1⤵PID:2236
-
C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exeC:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe .2⤵PID:5232
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\qewtdythzngypnuufk.exe*."3⤵PID:1816
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oeyxjgdtndyslluwjqga.exe1⤵PID:5968
-
C:\Windows\oeyxjgdtndyslluwjqga.exeoeyxjgdtndyslluwjqga.exe2⤵PID:3824
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c duppcaypkbxsmnxaownii.exe .1⤵PID:5736
-
C:\Windows\duppcaypkbxsmnxaownii.exeduppcaypkbxsmnxaownii.exe .2⤵PID:4540
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\duppcaypkbxsmnxaownii.exe*."3⤵PID:3100
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bqjhsokzshbumltugmb.exe1⤵PID:4972
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5624
-
-
C:\Windows\bqjhsokzshbumltugmb.exebqjhsokzshbumltugmb.exe2⤵PID:2184
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c qewtdythzngypnuufk.exe .1⤵PID:5976
-
C:\Windows\qewtdythzngypnuufk.exeqewtdythzngypnuufk.exe .2⤵PID:2632
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\qewtdythzngypnuufk.exe*."3⤵PID:2432
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe1⤵PID:4168
-
C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exeC:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe2⤵PID:5616
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exe .1⤵PID:3716
-
C:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exeC:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exe .2⤵PID:4484
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\oeyxjgdtndyslluwjqga.exe*."3⤵PID:4876
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe1⤵PID:592
-
C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exeC:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe2⤵PID:4560
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exe .1⤵PID:2208
-
C:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exeC:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exe .2⤵PID:4796
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\oeyxjgdtndyslluwjqga.exe*."3⤵PID:5952
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c duppcaypkbxsmnxaownii.exe1⤵PID:4476
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2464
-
-
C:\Windows\duppcaypkbxsmnxaownii.exeduppcaypkbxsmnxaownii.exe2⤵PID:5264
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c qewtdythzngypnuufk.exe .1⤵PID:2084
-
C:\Windows\qewtdythzngypnuufk.exeqewtdythzngypnuufk.exe .2⤵PID:2132
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\qewtdythzngypnuufk.exe*."3⤵PID:4964
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bqjhsokzshbumltugmb.exe1⤵PID:4204
-
C:\Windows\bqjhsokzshbumltugmb.exebqjhsokzshbumltugmb.exe2⤵PID:3508
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hulhqkerivneurxwg.exe .1⤵PID:2768
-
C:\Windows\hulhqkerivneurxwg.exehulhqkerivneurxwg.exe .2⤵PID:4232
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\hulhqkerivneurxwg.exe*."3⤵PID:3120
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exe1⤵PID:2504
-
C:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exeC:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exe2⤵PID:4712
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe .1⤵PID:2276
-
C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exeC:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe .2⤵PID:4104
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\qewtdythzngypnuufk.exe*."3⤵PID:4808
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe1⤵PID:2348
-
C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exeC:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe2⤵PID:3528
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe .1⤵PID:4164
-
C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exeC:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe .2⤵PID:1752
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\duppcaypkbxsmnxaownii.exe*."3⤵PID:2756
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oeyxjgdtndyslluwjqga.exe1⤵PID:4556
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5760
-
-
C:\Windows\oeyxjgdtndyslluwjqga.exeoeyxjgdtndyslluwjqga.exe2⤵PID:5004
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bqjhsokzshbumltugmb.exe .1⤵PID:3644
-
C:\Windows\bqjhsokzshbumltugmb.exebqjhsokzshbumltugmb.exe .2⤵PID:5304
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\bqjhsokzshbumltugmb.exe*."3⤵PID:876
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c qewtdythzngypnuufk.exe1⤵PID:5268
-
C:\Windows\qewtdythzngypnuufk.exeqewtdythzngypnuufk.exe2⤵PID:3732
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c duppcaypkbxsmnxaownii.exe .1⤵PID:6016
-
C:\Windows\duppcaypkbxsmnxaownii.exeduppcaypkbxsmnxaownii.exe .2⤵PID:2708
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\duppcaypkbxsmnxaownii.exe*."3⤵PID:5768
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe1⤵PID:4152
-
C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exeC:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe2⤵PID:908
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe .1⤵PID:4564
-
C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exeC:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe .2⤵PID:5612
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\hulhqkerivneurxwg.exe*."3⤵PID:3900
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe1⤵PID:868
-
C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exeC:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe2⤵PID:3896
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\amcxfyrdtfwmbxca.exe .1⤵PID:3416
-
C:\Users\Admin\AppData\Local\Temp\amcxfyrdtfwmbxca.exeC:\Users\Admin\AppData\Local\Temp\amcxfyrdtfwmbxca.exe .2⤵PID:4812
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\amcxfyrdtfwmbxca.exe*."3⤵PID:2312
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c duppcaypkbxsmnxaownii.exe1⤵PID:5968
-
C:\Windows\duppcaypkbxsmnxaownii.exeduppcaypkbxsmnxaownii.exe2⤵PID:212
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hulhqkerivneurxwg.exe .1⤵PID:5284
-
C:\Windows\hulhqkerivneurxwg.exehulhqkerivneurxwg.exe .2⤵PID:3376
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\hulhqkerivneurxwg.exe*."3⤵PID:2064
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c duppcaypkbxsmnxaownii.exe1⤵PID:2184
-
C:\Windows\duppcaypkbxsmnxaownii.exeduppcaypkbxsmnxaownii.exe2⤵PID:2176
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c amcxfyrdtfwmbxca.exe .1⤵PID:6028
-
C:\Windows\amcxfyrdtfwmbxca.exeamcxfyrdtfwmbxca.exe .2⤵PID:2824
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\amcxfyrdtfwmbxca.exe*."3⤵PID:5560
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe1⤵PID:4776
-
C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exeC:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe2⤵PID:4876
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe .1⤵PID:3188
-
C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exeC:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe .2⤵PID:3716
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\qewtdythzngypnuufk.exe*."3⤵PID:2904
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exe1⤵PID:4864
-
C:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exeC:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exe2⤵PID:4640
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe .1⤵PID:2336
-
C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exeC:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe .2⤵PID:2996
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\hulhqkerivneurxwg.exe*."3⤵PID:2120
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c amcxfyrdtfwmbxca.exe1⤵PID:3468
-
C:\Windows\amcxfyrdtfwmbxca.exeamcxfyrdtfwmbxca.exe2⤵PID:3212
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c qewtdythzngypnuufk.exe .1⤵PID:2132
-
C:\Windows\qewtdythzngypnuufk.exeqewtdythzngypnuufk.exe .2⤵PID:5456
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\qewtdythzngypnuufk.exe*."3⤵PID:644
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c duppcaypkbxsmnxaownii.exe1⤵PID:3368
-
C:\Windows\duppcaypkbxsmnxaownii.exeduppcaypkbxsmnxaownii.exe2⤵PID:5972
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hulhqkerivneurxwg.exe .1⤵PID:4824
-
C:\Windows\hulhqkerivneurxwg.exehulhqkerivneurxwg.exe .2⤵PID:2504
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\hulhqkerivneurxwg.exe*."3⤵PID:3020
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe1⤵PID:808
-
C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exeC:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe2⤵PID:3236
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exe .1⤵PID:2088
-
C:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exeC:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exe .2⤵PID:5340
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\bqjhsokzshbumltugmb.exe*."3⤵PID:4728
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe1⤵PID:4860
-
C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exeC:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe2⤵PID:5116
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exe .1⤵PID:5848
-
C:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exeC:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exe .2⤵PID:3948
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\bqjhsokzshbumltugmb.exe*."3⤵PID:4592
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hulhqkerivneurxwg.exe1⤵PID:6068
-
C:\Windows\hulhqkerivneurxwg.exehulhqkerivneurxwg.exe2⤵PID:4732
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hulhqkerivneurxwg.exe1⤵PID:640
-
C:\Windows\hulhqkerivneurxwg.exehulhqkerivneurxwg.exe2⤵PID:1012
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hulhqkerivneurxwg.exe .1⤵PID:4756
-
C:\Windows\hulhqkerivneurxwg.exehulhqkerivneurxwg.exe .2⤵PID:5912
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\hulhqkerivneurxwg.exe*."3⤵PID:5476
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c amcxfyrdtfwmbxca.exe1⤵PID:1896
-
C:\Windows\amcxfyrdtfwmbxca.exeamcxfyrdtfwmbxca.exe2⤵PID:908
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oeyxjgdtndyslluwjqga.exe .1⤵PID:2460
-
C:\Windows\oeyxjgdtndyslluwjqga.exeoeyxjgdtndyslluwjqga.exe .2⤵PID:5660
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\oeyxjgdtndyslluwjqga.exe*."3⤵PID:3412
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oeyxjgdtndyslluwjqga.exe1⤵PID:3168
-
C:\Windows\oeyxjgdtndyslluwjqga.exeoeyxjgdtndyslluwjqga.exe2⤵PID:3704
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c qewtdythzngypnuufk.exe .1⤵PID:4740
-
C:\Windows\qewtdythzngypnuufk.exeqewtdythzngypnuufk.exe .2⤵PID:2452
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\qewtdythzngypnuufk.exe*."3⤵PID:2668
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c duppcaypkbxsmnxaownii.exe .1⤵PID:4616
-
C:\Windows\duppcaypkbxsmnxaownii.exeduppcaypkbxsmnxaownii.exe .2⤵PID:4504
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\duppcaypkbxsmnxaownii.exe*."3⤵PID:4572
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c qewtdythzngypnuufk.exe1⤵PID:2320
-
C:\Windows\qewtdythzngypnuufk.exeqewtdythzngypnuufk.exe2⤵PID:3920
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oeyxjgdtndyslluwjqga.exe1⤵PID:3812
-
C:\Windows\oeyxjgdtndyslluwjqga.exeoeyxjgdtndyslluwjqga.exe2⤵PID:5008
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c qewtdythzngypnuufk.exe .1⤵PID:5384
-
C:\Windows\qewtdythzngypnuufk.exeqewtdythzngypnuufk.exe .2⤵PID:1340
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\qewtdythzngypnuufk.exe*."3⤵PID:4232
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe1⤵PID:5832
-
C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exeC:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe2⤵PID:4384
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exe1⤵PID:1320
-
C:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exeC:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exe2⤵PID:6040
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oeyxjgdtndyslluwjqga.exe .1⤵PID:4868
-
C:\Windows\oeyxjgdtndyslluwjqga.exeoeyxjgdtndyslluwjqga.exe .2⤵PID:4644
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\oeyxjgdtndyslluwjqga.exe*."3⤵PID:4588
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe .1⤵PID:3416
-
C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exeC:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe .2⤵PID:4944
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\qewtdythzngypnuufk.exe*."3⤵PID:5000
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exe .1⤵PID:4440
-
C:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exeC:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exe .2⤵PID:1812
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\oeyxjgdtndyslluwjqga.exe*."3⤵PID:5756
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exe1⤵PID:4540
-
C:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exeC:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exe2⤵PID:1640
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe .1⤵PID:3936
-
C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exeC:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe .2⤵PID:4632
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\duppcaypkbxsmnxaownii.exe*."3⤵PID:1392
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\amcxfyrdtfwmbxca.exe1⤵PID:384
-
C:\Users\Admin\AppData\Local\Temp\amcxfyrdtfwmbxca.exeC:\Users\Admin\AppData\Local\Temp\amcxfyrdtfwmbxca.exe2⤵PID:6080
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe1⤵PID:1492
-
C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exeC:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe2⤵PID:4256
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe .1⤵PID:932
-
C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exeC:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe .2⤵PID:5276
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\duppcaypkbxsmnxaownii.exe*."3⤵PID:1460
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe .1⤵PID:1052
-
C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exeC:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe .2⤵PID:3544
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\qewtdythzngypnuufk.exe*."3⤵PID:5508
-
-
-
Process tree (indentation shows parent/child depth; each entry gives the PID, the process image path and the command line as recorded by the sandbox):

PID 3408  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe
    PID 1348  image=C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe  cmdline=C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe

PID 3084  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe .
    PID 1184  image=C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe  cmdline=C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe .
        PID 380  image=C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  cmdline="C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\duppcaypkbxsmnxaownii.exe*."

PID 4436  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c duppcaypkbxsmnxaownii.exe
    PID 2392  image=C:\Windows\duppcaypkbxsmnxaownii.exe  cmdline=duppcaypkbxsmnxaownii.exe

PID 3152  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c amcxfyrdtfwmbxca.exe .
    PID 3604  image=C:\Windows\amcxfyrdtfwmbxca.exe  cmdline=amcxfyrdtfwmbxca.exe .
        PID 3520  image=C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  cmdline="C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\amcxfyrdtfwmbxca.exe*."

PID 5824  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c hulhqkerivneurxwg.exe
    PID 3768  image=C:\Windows\hulhqkerivneurxwg.exe  cmdline=hulhqkerivneurxwg.exe

PID 2120  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c bqjhsokzshbumltugmb.exe .
    PID 1796  image=C:\Windows\bqjhsokzshbumltugmb.exe  cmdline=bqjhsokzshbumltugmb.exe .
        PID 3080  image=C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  cmdline="C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\bqjhsokzshbumltugmb.exe*."

PID 1256  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exe
    PID 6076  image=C:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exe  cmdline=C:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exe

PID 2232  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe .
    PID 640  image=C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe  cmdline=C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe .
        PID 4940  image=C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  cmdline="C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\duppcaypkbxsmnxaownii.exe*."

PID 5344  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe
    PID 3580  image=C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe  cmdline=C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe

PID 3868  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe .
    PID 876  image=C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe  cmdline=C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe .
        PID 320  image=C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  cmdline="C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\duppcaypkbxsmnxaownii.exe*."

PID 3412  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c hulhqkerivneurxwg.exe
    PID 4724  image=C:\Windows\System32\Conhost.exe  cmdline=\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID 3828  image=C:\Windows\hulhqkerivneurxwg.exe  cmdline=hulhqkerivneurxwg.exe

PID 5500  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c bqjhsokzshbumltugmb.exe .
    PID 2580  image=C:\Windows\bqjhsokzshbumltugmb.exe  cmdline=bqjhsokzshbumltugmb.exe .
        PID 4680  image=C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  cmdline="C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\bqjhsokzshbumltugmb.exe*."

PID 4884  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c bqjhsokzshbumltugmb.exe
    PID 4592  image=C:\Windows\bqjhsokzshbumltugmb.exe  cmdline=bqjhsokzshbumltugmb.exe

PID 4364  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c bqjhsokzshbumltugmb.exe .
    PID 1336  image=C:\Windows\bqjhsokzshbumltugmb.exe  cmdline=bqjhsokzshbumltugmb.exe .
        PID 1884  image=C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  cmdline="C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\bqjhsokzshbumltugmb.exe*."

PID 5832  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe
    PID 6092  image=C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe  cmdline=C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe

PID 3988  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exe .
    PID 3860  image=C:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exe  cmdline=C:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exe .
        PID 5716  image=C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  cmdline="C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\oeyxjgdtndyslluwjqga.exe*."

PID 5836  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exe
    PID 3408  image=C:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exe  cmdline=C:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exe

PID 3104  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe .
    PID 6136  image=C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe  cmdline=C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe .
        PID 1568  image=C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  cmdline="C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\hulhqkerivneurxwg.exe*."

PID 4616  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c duppcaypkbxsmnxaownii.exe
    PID 3508  image=C:\Windows\duppcaypkbxsmnxaownii.exe  cmdline=duppcaypkbxsmnxaownii.exe

PID 4608  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c amcxfyrdtfwmbxca.exe .
    PID 5884  image=C:\Windows\amcxfyrdtfwmbxca.exe  cmdline=amcxfyrdtfwmbxca.exe .
        PID 4744  image=C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  cmdline="C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\amcxfyrdtfwmbxca.exe*."

PID 1292  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c duppcaypkbxsmnxaownii.exe
    PID 4980  image=C:\Windows\duppcaypkbxsmnxaownii.exe  cmdline=duppcaypkbxsmnxaownii.exe

PID 4888  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c bqjhsokzshbumltugmb.exe .
    PID 2924  image=C:\Windows\bqjhsokzshbumltugmb.exe  cmdline=bqjhsokzshbumltugmb.exe .
        PID 1016  image=C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  cmdline="C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\bqjhsokzshbumltugmb.exe*."

PID 1996  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exe
    PID 4896  image=C:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exe  cmdline=C:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exe

PID 3068  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe .
    PID 3356  image=C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe  cmdline=C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe .
        PID 3576  image=C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  cmdline="C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\hulhqkerivneurxwg.exe*."

PID 808  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\amcxfyrdtfwmbxca.exe
    PID 4532  image=C:\Users\Admin\AppData\Local\Temp\amcxfyrdtfwmbxca.exe  cmdline=C:\Users\Admin\AppData\Local\Temp\amcxfyrdtfwmbxca.exe

PID 3528  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe .
    PID 1732  image=C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe  cmdline=C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe .
        PID 6028  image=C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  cmdline="C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\qewtdythzngypnuufk.exe*."

PID 5952  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c amcxfyrdtfwmbxca.exe
    PID 3604  image=C:\Windows\amcxfyrdtfwmbxca.exe  cmdline=amcxfyrdtfwmbxca.exe

PID 436  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c amcxfyrdtfwmbxca.exe .
    PID 1472  image=C:\Windows\amcxfyrdtfwmbxca.exe  cmdline=amcxfyrdtfwmbxca.exe .
        PID 4556  image=C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  cmdline="C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\amcxfyrdtfwmbxca.exe*."

PID 3136  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c qewtdythzngypnuufk.exe
    PID 5116  image=C:\Windows\qewtdythzngypnuufk.exe  cmdline=qewtdythzngypnuufk.exe

PID 1012  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c qewtdythzngypnuufk.exe .
    PID 3676  image=C:\Windows\qewtdythzngypnuufk.exe  cmdline=qewtdythzngypnuufk.exe .
        PID 1176  image=C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  cmdline="C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\qewtdythzngypnuufk.exe*."

PID 4732  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe
    PID 3836  image=C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe  cmdline=C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe

PID 3644  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe .
    PID 5268  image=C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe  cmdline=C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe .
        PID 4152  image=C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  cmdline="C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\duppcaypkbxsmnxaownii.exe*."

PID 5272  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exe
    PID 3712  image=C:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exe  cmdline=C:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exe

PID 804  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exe .
    PID 2264  image=C:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exe  cmdline=C:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exe .
        PID 3580  image=C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  cmdline="C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\oeyxjgdtndyslluwjqga.exe*."

PID 800  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c duppcaypkbxsmnxaownii.exe
    PID 5912  image=C:\Windows\duppcaypkbxsmnxaownii.exe  cmdline=duppcaypkbxsmnxaownii.exe

PID 3052  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c amcxfyrdtfwmbxca.exe .
    PID 4384  image=C:\Windows\amcxfyrdtfwmbxca.exe  cmdline=amcxfyrdtfwmbxca.exe .
        PID 1624  image=C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  cmdline="C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\amcxfyrdtfwmbxca.exe*."

PID 2004  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c amcxfyrdtfwmbxca.exe
    PID 2908  image=C:\Windows\amcxfyrdtfwmbxca.exe  cmdline=amcxfyrdtfwmbxca.exe

PID 5112  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c oeyxjgdtndyslluwjqga.exe .
    PID 1416  image=C:\Windows\oeyxjgdtndyslluwjqga.exe  cmdline=oeyxjgdtndyslluwjqga.exe .
        PID 4272  image=C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  cmdline="C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\oeyxjgdtndyslluwjqga.exe*."

PID 5964  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe
    PID 2580  image=C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe  cmdline=C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe

PID 2544  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\amcxfyrdtfwmbxca.exe .
    PID 4460  image=C:\Users\Admin\AppData\Local\Temp\amcxfyrdtfwmbxca.exe  cmdline=C:\Users\Admin\AppData\Local\Temp\amcxfyrdtfwmbxca.exe .
        PID 1324  image=C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  cmdline="C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\amcxfyrdtfwmbxca.exe*."

PID 5280  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exe
    PID 4628  image=C:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exe  cmdline=C:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exe

PID 4640  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe .
    PID 4296  image=C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe  cmdline=C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe .
        PID 6036  image=C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  cmdline="C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\hulhqkerivneurxwg.exe*."

PID 5836  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c duppcaypkbxsmnxaownii.exe
    PID 5632  image=C:\Windows\duppcaypkbxsmnxaownii.exe  cmdline=duppcaypkbxsmnxaownii.exe

PID 4168  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c amcxfyrdtfwmbxca.exe
    PID 4452  image=C:\Windows\System32\Conhost.exe  cmdline=\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID 3508  image=C:\Windows\amcxfyrdtfwmbxca.exe  cmdline=amcxfyrdtfwmbxca.exe

PID 4348  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c hulhqkerivneurxwg.exe
    PID 5316  image=C:\Windows\hulhqkerivneurxwg.exe  cmdline=hulhqkerivneurxwg.exe

PID 5240  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c oeyxjgdtndyslluwjqga.exe .
    PID 5384  image=C:\Windows\oeyxjgdtndyslluwjqga.exe  cmdline=oeyxjgdtndyslluwjqga.exe .
        PID 4840  image=C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  cmdline="C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\oeyxjgdtndyslluwjqga.exe*."

PID 3660  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c bqjhsokzshbumltugmb.exe .
    PID 5296  image=C:\Windows\bqjhsokzshbumltugmb.exe  cmdline=bqjhsokzshbumltugmb.exe .
        PID 6044  image=C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  cmdline="C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\bqjhsokzshbumltugmb.exe*."

PID 4712  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c hulhqkerivneurxwg.exe .
    PID 2020  image=C:\Windows\hulhqkerivneurxwg.exe  cmdline=hulhqkerivneurxwg.exe .
        PID 2460  image=C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  cmdline="C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\hulhqkerivneurxwg.exe*."

PID 4980  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c bqjhsokzshbumltugmb.exe
    PID 3520  image=C:\Windows\bqjhsokzshbumltugmb.exe  cmdline=bqjhsokzshbumltugmb.exe

PID 4568  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c oeyxjgdtndyslluwjqga.exe .
    PID 4604  image=C:\Windows\oeyxjgdtndyslluwjqga.exe  cmdline=oeyxjgdtndyslluwjqga.exe .
        PID 3704  image=C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  cmdline="C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\oeyxjgdtndyslluwjqga.exe*."

PID 3544  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c bqjhsokzshbumltugmb.exe
    PID 2788  image=C:\Windows\System32\Conhost.exe  cmdline=\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID 868  image=C:\Windows\bqjhsokzshbumltugmb.exe  cmdline=bqjhsokzshbumltugmb.exe

PID 4484  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c qewtdythzngypnuufk.exe
    PID 1436  image=C:\Windows\qewtdythzngypnuufk.exe  cmdline=qewtdythzngypnuufk.exe

PID 1696  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe
    PID 1920  image=C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe  cmdline=C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe

PID 5276  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c qewtdythzngypnuufk.exe .
    PID 1588  image=C:\Windows\qewtdythzngypnuufk.exe  cmdline=qewtdythzngypnuufk.exe .
        PID 3556  image=C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  cmdline="C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\qewtdythzngypnuufk.exe*."

PID 3368  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c oeyxjgdtndyslluwjqga.exe .
    PID 2480  image=C:\Windows\oeyxjgdtndyslluwjqga.exe  cmdline=oeyxjgdtndyslluwjqga.exe .
        PID 3172  image=C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  cmdline="C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\oeyxjgdtndyslluwjqga.exe*."

PID 1932  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exe .
    PID 5236  image=C:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exe  cmdline=C:\Users\Admin\AppData\Local\Temp\oeyxjgdtndyslluwjqga.exe .
        PID 2908  image=C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  cmdline="C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\oeyxjgdtndyslluwjqga.exe*."

PID 3356  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe
    PID 4720  image=C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe  cmdline=C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe

PID 3020  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe
    PID 3164  image=C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe  cmdline=C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe

PID 3664  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe .
    PID 4052  image=C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe  cmdline=C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe .
        PID 4880  image=C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  cmdline="C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\duppcaypkbxsmnxaownii.exe*."

PID 6128  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe .
    PID 3732  image=C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe  cmdline=C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe .
        PID 3412  image=C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  cmdline="C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\qewtdythzngypnuufk.exe*."

PID 5960  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\amcxfyrdtfwmbxca.exe
    PID 212  image=C:\Users\Admin\AppData\Local\Temp\amcxfyrdtfwmbxca.exe  cmdline=C:\Users\Admin\AppData\Local\Temp\amcxfyrdtfwmbxca.exe

PID 4544  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe .
    PID 6132  image=C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe  cmdline=C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe .
        PID 5568  image=C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  cmdline="C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\qewtdythzngypnuufk.exe*."

PID 4076  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe
    PID 1204  image=C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe  cmdline=C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe

PID 1320  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exe .
    PID 2220  image=C:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exe  cmdline=C:\Users\Admin\AppData\Local\Temp\bqjhsokzshbumltugmb.exe .
        PID 1624  image=C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  cmdline="C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\bqjhsokzshbumltugmb.exe*."

PID 1720  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe
    PID 5344  image=C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe  cmdline=C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe

PID 4300  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\amcxfyrdtfwmbxca.exe .
    PID 2016  image=C:\Users\Admin\AppData\Local\Temp\amcxfyrdtfwmbxca.exe  cmdline=C:\Users\Admin\AppData\Local\Temp\amcxfyrdtfwmbxca.exe .
        PID 4768  image=C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  cmdline="C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\amcxfyrdtfwmbxca.exe*."

PID 4624  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c duppcaypkbxsmnxaownii.exe
    PID 4784  image=C:\Windows\duppcaypkbxsmnxaownii.exe  cmdline=duppcaypkbxsmnxaownii.exe

PID 3524  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c oeyxjgdtndyslluwjqga.exe .
    PID 6080  image=C:\Windows\oeyxjgdtndyslluwjqga.exe  cmdline=oeyxjgdtndyslluwjqga.exe .
        PID 5716  image=C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  cmdline="C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\oeyxjgdtndyslluwjqga.exe*."

PID 5900  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c amcxfyrdtfwmbxca.exe
    PID 3580  image=C:\Windows\amcxfyrdtfwmbxca.exe  cmdline=amcxfyrdtfwmbxca.exe

PID 2824  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c hulhqkerivneurxwg.exe .
    PID 4964  image=C:\Windows\hulhqkerivneurxwg.exe  cmdline=hulhqkerivneurxwg.exe .
        PID 5632  image=C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  cmdline="C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\hulhqkerivneurxwg.exe*."

PID 2336  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe
    PID 6136  image=C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe  cmdline=C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe

PID 760  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe .
    PID 1672  image=C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe  cmdline=C:\Users\Admin\AppData\Local\Temp\qewtdythzngypnuufk.exe .
        PID 5756  image=C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  cmdline="C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\qewtdythzngypnuufk.exe*."

PID 3508  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\amcxfyrdtfwmbxca.exe
    PID 4864  image=C:\Users\Admin\AppData\Local\Temp\amcxfyrdtfwmbxca.exe  cmdline=C:\Users\Admin\AppData\Local\Temp\amcxfyrdtfwmbxca.exe

PID 3716  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe .
    PID 4972  image=C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe  cmdline=C:\Users\Admin\AppData\Local\Temp\duppcaypkbxsmnxaownii.exe .
        PID 5456  image=C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  cmdline="C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\duppcaypkbxsmnxaownii.exe*."

PID 4676  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c qewtdythzngypnuufk.exe
    PID 1584  image=C:\Windows\qewtdythzngypnuufk.exe  cmdline=qewtdythzngypnuufk.exe

PID 4576  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c oeyxjgdtndyslluwjqga.exe .
    PID 6036  image=C:\Windows\oeyxjgdtndyslluwjqga.exe  cmdline=oeyxjgdtndyslluwjqga.exe .
        PID 1644  image=C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  cmdline="C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\oeyxjgdtndyslluwjqga.exe*."

PID 5116  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c qewtdythzngypnuufk.exe
    PID 6048  image=C:\Windows\System32\Conhost.exe  cmdline=\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID 3136  image=C:\Windows\qewtdythzngypnuufk.exe  cmdline=qewtdythzngypnuufk.exe

PID 1472  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c qewtdythzngypnuufk.exe .
    PID 5284  image=C:\Windows\qewtdythzngypnuufk.exe  cmdline=qewtdythzngypnuufk.exe .
        PID 3164  image=C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  cmdline="C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\qewtdythzngypnuufk.exe*."

PID 4788  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe
    PID 4124  image=C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe  cmdline=C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe

PID 5508  image=C:\Windows\system32\cmd.exe  cmdline=C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hulhqkerivneurxwg.exe .
Network
MITRE ATT&CK Enterprise v16 (techniques and sub-techniques observed, grouped by tactic; the number in parentheses is the count of matching signatures)

Persistence
    Boot or Logon Autostart Execution (3)
        Registry Run Keys / Startup Folder (2)
        Winlogon Helper DLL (1)
    Hijack Execution Flow (1)
        Executable Installer File Permissions Weakness (1)

Privilege Escalation
    Abuse Elevation Control Mechanism (1)
        Bypass User Account Control (1)
    Boot or Logon Autostart Execution (3)
        Registry Run Keys / Startup Folder (2)
        Winlogon Helper DLL (1)
    Hijack Execution Flow (1)
        Executable Installer File Permissions Weakness (1)

Defense Evasion
    Abuse Elevation Control Mechanism (1)
        Bypass User Account Control (1)
    Hijack Execution Flow (1)
        Executable Installer File Permissions Weakness (1)
    Impair Defenses (2)
        Disable or Modify Tools (1)
        Safe Mode Boot (1)
    Modify Registry (5)
Downloads