Analysis
-
max time kernel
30s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20250410-en -
resource tags
arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system -
submitted
20/04/2025, 07:24
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe
Resource
win10v2004-20250410-en
Behavioral task
behavioral2
Sample
JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe
Resource
win11-20250410-en
General
-
Target
JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe
-
Size
896KB
-
MD5
c5053b6a278897cf8629be4ba93b3030
-
SHA1
8bbc4116b965c3546d3d52d2d90eca8d5979901f
-
SHA256
25513f2b017ee242a254117f14ff49bb55f034a64265724e8e76d49a696b2d60
-
SHA512
15b961286782c54d9bc04722679570afea0112facc107e17669c4cd4ea9695c198d312d91019275b850214f6b116fd88d5531b23555f364e6d0200ea1cdbe617
-
SSDEEP
6144:ej6/wndfF/gl0LQIk8DR3dEuAI7pEfxsZozAm9TMdGQLUg1nYmefPImdrionQn:k6onxOp8FySpE5zvIdtU+YmefUn
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 12 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" ybjobfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" ybjobfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" tzjwwfytdjt.exe -
Pykspa family
-
UAC bypass 3 TTPs 21 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" tzjwwfytdjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ybjobfp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" ybjobfp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" ybjobfp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" ybjobfp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" tzjwwfytdjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ybjobfp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" tzjwwfytdjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" tzjwwfytdjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" tzjwwfytdjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" tzjwwfytdjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" tzjwwfytdjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" tzjwwfytdjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" tzjwwfytdjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" tzjwwfytdjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" ybjobfp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" ybjobfp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" ybjobfp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" tzjwwfytdjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" tzjwwfytdjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" tzjwwfytdjt.exe -
Detect Pykspa worm 2 IoCs
resource yara_rule behavioral1/files/0x0007000000023675-4.dat family_pykspa behavioral1/files/0x000300000001e731-82.dat family_pykspa -
Adds policy Run key to start application 2 TTPs 41 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ejtapvhrv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xjaokxqhsicncuzn.exe" tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pxkumvkxeqgn = "ynhyxnjdrkhvniqhilc.exe" ybjobfp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ejtapvhrv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\erjyvjdvhytfvouji.exe" ybjobfp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run tzjwwfytdjt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ejtapvhrv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lbwoofcxmgetmirjlphx.exe" tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ejtapvhrv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ynhyxnjdrkhvniqhilc.exe" tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pxkumvkxeqgn = "lbwoofcxmgetmirjlphx.exe" tzjwwfytdjt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ejtapvhrv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nbukixslyqmzqkrhhj.exe" tzjwwfytdjt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ejtapvhrv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lbwoofcxmgetmirjlphx.exe" tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ejtapvhrv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\arnghzxtjedtnkunqvofb.exe" ybjobfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ejtapvhrv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\erjyvjdvhytfvouji.exe" ybjobfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pxkumvkxeqgn = "arnghzxtjedtnkunqvofb.exe" ybjobfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ejtapvhrv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\arnghzxtjedtnkunqvofb.exe" ybjobfp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run ybjobfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pxkumvkxeqgn = "erjyvjdvhytfvouji.exe" tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ejtapvhrv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xjaokxqhsicncuzn.exe" tzjwwfytdjt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pxkumvkxeqgn = "xjaokxqhsicncuzn.exe" ybjobfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ejtapvhrv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xjaokxqhsicncuzn.exe" ybjobfp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ejtapvhrv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ynhyxnjdrkhvniqhilc.exe" tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ejtapvhrv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ynhyxnjdrkhvniqhilc.exe" tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ejtapvhrv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lbwoofcxmgetmirjlphx.exe" tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pxkumvkxeqgn = "xjaokxqhsicncuzn.exe" tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pxkumvkxeqgn = "nbukixslyqmzqkrhhj.exe" tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pxkumvkxeqgn = "erjyvjdvhytfvouji.exe" tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pxkumvkxeqgn = "nbukixslyqmzqkrhhj.exe" tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pxkumvkxeqgn = "ynhyxnjdrkhvniqhilc.exe" tzjwwfytdjt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pxkumvkxeqgn = "arnghzxtjedtnkunqvofb.exe" tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ejtapvhrv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ynhyxnjdrkhvniqhilc.exe" tzjwwfytdjt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run tzjwwfytdjt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run tzjwwfytdjt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run ybjobfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pxkumvkxeqgn = "lbwoofcxmgetmirjlphx.exe" ybjobfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pxkumvkxeqgn = "lbwoofcxmgetmirjlphx.exe" tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pxkumvkxeqgn = "arnghzxtjedtnkunqvofb.exe" tzjwwfytdjt.exe -
Disables RegEdit via registry modification 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" ybjobfp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" ybjobfp.exe Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" tzjwwfytdjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" tzjwwfytdjt.exe Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" ybjobfp.exe Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" ybjobfp.exe -
Checks computer location settings 2 TTPs 63 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation nbukixslyqmzqkrhhj.exe Key value queried \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation xjaokxqhsicncuzn.exe Key value queried \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation ynhyxnjdrkhvniqhilc.exe Key value queried \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation erjyvjdvhytfvouji.exe Key value queried \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation ynhyxnjdrkhvniqhilc.exe Key value queried \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation lbwoofcxmgetmirjlphx.exe Key value queried \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation xjaokxqhsicncuzn.exe Key value queried \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation erjyvjdvhytfvouji.exe Key value queried \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation erjyvjdvhytfvouji.exe Key value queried \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation arnghzxtjedtnkunqvofb.exe Key value queried \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation nbukixslyqmzqkrhhj.exe Key value queried \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation arnghzxtjedtnkunqvofb.exe Key value queried \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation arnghzxtjedtnkunqvofb.exe Key value queried \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation erjyvjdvhytfvouji.exe Key value queried \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation xjaokxqhsicncuzn.exe Key value queried \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation nbukixslyqmzqkrhhj.exe Key value queried \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation xjaokxqhsicncuzn.exe Key value queried \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation xjaokxqhsicncuzn.exe Key value queried \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation erjyvjdvhytfvouji.exe Key value queried \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation nbukixslyqmzqkrhhj.exe Key value queried \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation xjaokxqhsicncuzn.exe Key value queried \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation xjaokxqhsicncuzn.exe Key value queried \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation xjaokxqhsicncuzn.exe Key value queried \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation erjyvjdvhytfvouji.exe Key value queried \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation erjyvjdvhytfvouji.exe Key value queried \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation arnghzxtjedtnkunqvofb.exe Key value queried \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation lbwoofcxmgetmirjlphx.exe Key value queried \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation xjaokxqhsicncuzn.exe Key value queried \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation lbwoofcxmgetmirjlphx.exe Key value queried \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation ynhyxnjdrkhvniqhilc.exe Key value queried \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation lbwoofcxmgetmirjlphx.exe Key value queried \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation nbukixslyqmzqkrhhj.exe Key value queried \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation arnghzxtjedtnkunqvofb.exe Key value queried \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation erjyvjdvhytfvouji.exe Key value queried \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation xjaokxqhsicncuzn.exe Key value queried \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation xjaokxqhsicncuzn.exe Key value queried \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation nbukixslyqmzqkrhhj.exe Key value queried \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation lbwoofcxmgetmirjlphx.exe Key value queried \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation tzjwwfytdjt.exe Key value queried \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation ynhyxnjdrkhvniqhilc.exe Key value queried \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation nbukixslyqmzqkrhhj.exe Key value queried \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation arnghzxtjedtnkunqvofb.exe Key value queried \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation lbwoofcxmgetmirjlphx.exe Key value queried \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation xjaokxqhsicncuzn.exe Key value queried \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation erjyvjdvhytfvouji.exe Key value queried \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation xjaokxqhsicncuzn.exe Key value queried \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation erjyvjdvhytfvouji.exe Key value queried \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation ynhyxnjdrkhvniqhilc.exe Key value queried \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation nbukixslyqmzqkrhhj.exe Key value queried \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation xjaokxqhsicncuzn.exe Key value queried \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation ynhyxnjdrkhvniqhilc.exe Key value queried \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation arnghzxtjedtnkunqvofb.exe Key value queried \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation xjaokxqhsicncuzn.exe Key value queried \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation ynhyxnjdrkhvniqhilc.exe Key value queried \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation lbwoofcxmgetmirjlphx.exe Key value queried \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe Key value queried \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation lbwoofcxmgetmirjlphx.exe Key value queried \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation ynhyxnjdrkhvniqhilc.exe Key value queried \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation ynhyxnjdrkhvniqhilc.exe Key value queried \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation nbukixslyqmzqkrhhj.exe Key value queried \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation lbwoofcxmgetmirjlphx.exe Key value queried \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation xjaokxqhsicncuzn.exe Key value queried \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation xjaokxqhsicncuzn.exe -
Executes dropped EXE 64 IoCs
pid Process 1212 tzjwwfytdjt.exe 3788 erjyvjdvhytfvouji.exe 312 ynhyxnjdrkhvniqhilc.exe 2200 tzjwwfytdjt.exe 3068 erjyvjdvhytfvouji.exe 1824 erjyvjdvhytfvouji.exe 4452 arnghzxtjedtnkunqvofb.exe 5004 tzjwwfytdjt.exe 2112 xjaokxqhsicncuzn.exe 3316 tzjwwfytdjt.exe 1868 erjyvjdvhytfvouji.exe 2796 lbwoofcxmgetmirjlphx.exe 3396 tzjwwfytdjt.exe 3952 ybjobfp.exe 2396 ybjobfp.exe 2380 erjyvjdvhytfvouji.exe 2392 xjaokxqhsicncuzn.exe 1972 lbwoofcxmgetmirjlphx.exe 3336 tzjwwfytdjt.exe 3868 xjaokxqhsicncuzn.exe 4988 lbwoofcxmgetmirjlphx.exe 2896 lbwoofcxmgetmirjlphx.exe 1940 tzjwwfytdjt.exe 3828 erjyvjdvhytfvouji.exe 3024 ynhyxnjdrkhvniqhilc.exe 2456 erjyvjdvhytfvouji.exe 4156 erjyvjdvhytfvouji.exe 3788 lbwoofcxmgetmirjlphx.exe 5032 tzjwwfytdjt.exe 3308 tzjwwfytdjt.exe 4784 tzjwwfytdjt.exe 3920 nbukixslyqmzqkrhhj.exe 3488 arnghzxtjedtnkunqvofb.exe 2504 xjaokxqhsicncuzn.exe 3660 xjaokxqhsicncuzn.exe 4396 lbwoofcxmgetmirjlphx.exe 1664 erjyvjdvhytfvouji.exe 2960 lbwoofcxmgetmirjlphx.exe 4156 xjaokxqhsicncuzn.exe 2780 tzjwwfytdjt.exe 3140 tzjwwfytdjt.exe 4956 erjyvjdvhytfvouji.exe 4984 tzjwwfytdjt.exe 4828 tzjwwfytdjt.exe 5044 erjyvjdvhytfvouji.exe 3888 tzjwwfytdjt.exe 2540 tzjwwfytdjt.exe 3308 xjaokxqhsicncuzn.exe 3328 xjaokxqhsicncuzn.exe 3556 tzjwwfytdjt.exe 1144 nbukixslyqmzqkrhhj.exe 3316 ynhyxnjdrkhvniqhilc.exe 1664 nbukixslyqmzqkrhhj.exe 1988 tzjwwfytdjt.exe 3044 nbukixslyqmzqkrhhj.exe 4700 ynhyxnjdrkhvniqhilc.exe 544 xjaokxqhsicncuzn.exe 4144 tzjwwfytdjt.exe 8 xjaokxqhsicncuzn.exe 3776 lbwoofcxmgetmirjlphx.exe 3272 arnghzxtjedtnkunqvofb.exe 2456 tzjwwfytdjt.exe 1176 ynhyxnjdrkhvniqhilc.exe 4364 xjaokxqhsicncuzn.exe -
Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys ybjobfp.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc ybjobfp.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power ybjobfp.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys ybjobfp.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc ybjobfp.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager ybjobfp.exe -
Adds Run key to start application 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xdowmtgrwg = "erjyvjdvhytfvouji.exe" tzjwwfytdjt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\szlulthtzkz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lbwoofcxmgetmirjlphx.exe ." tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xjaokxqhsicncuzn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lbwoofcxmgetmirjlphx.exe" ybjobfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\sdtgbnfvfunxlcg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\erjyvjdvhytfvouji.exe ." tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xdowmtgrwg = "ynhyxnjdrkhvniqhilc.exe" ybjobfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xdowmtgrwg = "arnghzxtjedtnkunqvofb.exe" tzjwwfytdjt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oxlwpzpdlypxj = "erjyvjdvhytfvouji.exe" ybjobfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xdowmtgrwg = "lbwoofcxmgetmirjlphx.exe" ybjobfp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xdowmtgrwg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xjaokxqhsicncuzn.exe" tzjwwfytdjt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oxlwpzpdlypxj = "erjyvjdvhytfvouji.exe" tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xjaokxqhsicncuzn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ynhyxnjdrkhvniqhilc.exe" ybjobfp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\szlulthtzkz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xjaokxqhsicncuzn.exe ." ybjobfp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xdowmtgrwg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lbwoofcxmgetmirjlphx.exe" tzjwwfytdjt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xdowmtgrwg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xjaokxqhsicncuzn.exe" ybjobfp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\szlulthtzkz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nbukixslyqmzqkrhhj.exe ." ybjobfp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pzoaufwluiajwm = "ynhyxnjdrkhvniqhilc.exe ." tzjwwfytdjt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\szlulthtzkz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\erjyvjdvhytfvouji.exe ." tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\szlulthtzkz = "ynhyxnjdrkhvniqhilc.exe ." tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\szlulthtzkz = "xjaokxqhsicncuzn.exe ." ybjobfp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pzoaufwluiajwm = "xjaokxqhsicncuzn.exe ." tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xjaokxqhsicncuzn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xjaokxqhsicncuzn.exe" tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\szlulthtzkz = "arnghzxtjedtnkunqvofb.exe ." tzjwwfytdjt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\szlulthtzkz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nbukixslyqmzqkrhhj.exe ." tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xdowmtgrwg = "erjyvjdvhytfvouji.exe" tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\szlulthtzkz = "xjaokxqhsicncuzn.exe ." ybjobfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\szlulthtzkz = "nbukixslyqmzqkrhhj.exe ." tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\sdtgbnfvfunxlcg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xjaokxqhsicncuzn.exe ." tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\sdtgbnfvfunxlcg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xjaokxqhsicncuzn.exe ." tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\szlulthtzkz = "arnghzxtjedtnkunqvofb.exe ." tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\sdtgbnfvfunxlcg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\erjyvjdvhytfvouji.exe ." tzjwwfytdjt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pzoaufwluiajwm = "xjaokxqhsicncuzn.exe ." tzjwwfytdjt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\szlulthtzkz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nbukixslyqmzqkrhhj.exe ." tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\szlulthtzkz = "xjaokxqhsicncuzn.exe ." tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\sdtgbnfvfunxlcg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\erjyvjdvhytfvouji.exe ." tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\szlulthtzkz = "ynhyxnjdrkhvniqhilc.exe ." tzjwwfytdjt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oxlwpzpdlypxj = "lbwoofcxmgetmirjlphx.exe" tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\sdtgbnfvfunxlcg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xjaokxqhsicncuzn.exe ." tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xjaokxqhsicncuzn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xjaokxqhsicncuzn.exe" tzjwwfytdjt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xdowmtgrwg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\arnghzxtjedtnkunqvofb.exe" tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xjaokxqhsicncuzn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\erjyvjdvhytfvouji.exe" tzjwwfytdjt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oxlwpzpdlypxj = "lbwoofcxmgetmirjlphx.exe" tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\szlulthtzkz = "ynhyxnjdrkhvniqhilc.exe ." tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xjaokxqhsicncuzn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\arnghzxtjedtnkunqvofb.exe" tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\sdtgbnfvfunxlcg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nbukixslyqmzqkrhhj.exe ." tzjwwfytdjt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oxlwpzpdlypxj = "nbukixslyqmzqkrhhj.exe" tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xdowmtgrwg = "lbwoofcxmgetmirjlphx.exe" tzjwwfytdjt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oxlwpzpdlypxj = "lbwoofcxmgetmirjlphx.exe" ybjobfp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xdowmtgrwg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xjaokxqhsicncuzn.exe" tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xjaokxqhsicncuzn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\arnghzxtjedtnkunqvofb.exe" ybjobfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\szlulthtzkz = "ynhyxnjdrkhvniqhilc.exe ." ybjobfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xjaokxqhsicncuzn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nbukixslyqmzqkrhhj.exe" ybjobfp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xdowmtgrwg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\erjyvjdvhytfvouji.exe" tzjwwfytdjt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\szlulthtzkz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lbwoofcxmgetmirjlphx.exe ." tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xdowmtgrwg = "erjyvjdvhytfvouji.exe" tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\sdtgbnfvfunxlcg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\erjyvjdvhytfvouji.exe ." ybjobfp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xdowmtgrwg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xjaokxqhsicncuzn.exe" tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\szlulthtzkz = "ynhyxnjdrkhvniqhilc.exe ." tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\sdtgbnfvfunxlcg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\arnghzxtjedtnkunqvofb.exe ." tzjwwfytdjt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oxlwpzpdlypxj = "ynhyxnjdrkhvniqhilc.exe" tzjwwfytdjt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xdowmtgrwg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lbwoofcxmgetmirjlphx.exe" tzjwwfytdjt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xdowmtgrwg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\erjyvjdvhytfvouji.exe" tzjwwfytdjt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pzoaufwluiajwm = "erjyvjdvhytfvouji.exe ." ybjobfp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pzoaufwluiajwm = "xjaokxqhsicncuzn.exe ." tzjwwfytdjt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\szlulthtzkz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lbwoofcxmgetmirjlphx.exe ." tzjwwfytdjt.exe -
Checks whether UAC is enabled 1 TTPs 24 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" tzjwwfytdjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" tzjwwfytdjt.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA tzjwwfytdjt.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA tzjwwfytdjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" tzjwwfytdjt.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA tzjwwfytdjt.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA tzjwwfytdjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" tzjwwfytdjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" tzjwwfytdjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" tzjwwfytdjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ybjobfp.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ybjobfp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" tzjwwfytdjt.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA tzjwwfytdjt.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA tzjwwfytdjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" tzjwwfytdjt.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA tzjwwfytdjt.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA tzjwwfytdjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ybjobfp.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ybjobfp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" tzjwwfytdjt.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA tzjwwfytdjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" tzjwwfytdjt.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA tzjwwfytdjt.exe -
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possible Turn off User Account Control's privilege elevation for standard users.
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" ybjobfp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" ybjobfp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" tzjwwfytdjt.exe -
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 27 whatismyipaddress.com 38 www.whatismyip.ca 48 www.whatismyip.ca 23 whatismyip.everdot.org 24 www.showmyipaddress.com -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\xjaokxqhsicncuzn.exe tzjwwfytdjt.exe File opened for modification C:\Windows\SysWOW64\rjgacvurieevqoztxdxpmg.exe tzjwwfytdjt.exe File opened for modification C:\Windows\SysWOW64\arnghzxtjedtnkunqvofb.exe tzjwwfytdjt.exe File opened for modification C:\Windows\SysWOW64\xjaokxqhsicncuzn.exe tzjwwfytdjt.exe File opened for modification C:\Windows\SysWOW64\nbukixslyqmzqkrhhj.exe tzjwwfytdjt.exe File opened for modification C:\Windows\SysWOW64\erjyvjdvhytfvouji.exe ybjobfp.exe File opened for modification C:\Windows\SysWOW64\xjaokxqhsicncuzn.exe tzjwwfytdjt.exe File opened for modification C:\Windows\SysWOW64\ynhyxnjdrkhvniqhilc.exe tzjwwfytdjt.exe File opened for modification C:\Windows\SysWOW64\erjyvjdvhytfvouji.exe tzjwwfytdjt.exe File opened for modification C:\Windows\SysWOW64\nbukixslyqmzqkrhhj.exe tzjwwfytdjt.exe File opened for modification C:\Windows\SysWOW64\lbwoofcxmgetmirjlphx.exe tzjwwfytdjt.exe File opened for modification C:\Windows\SysWOW64\arnghzxtjedtnkunqvofb.exe tzjwwfytdjt.exe File opened for modification C:\Windows\SysWOW64\ynhyxnjdrkhvniqhilc.exe ybjobfp.exe File opened for modification C:\Windows\SysWOW64\arnghzxtjedtnkunqvofb.exe tzjwwfytdjt.exe File opened for modification C:\Windows\SysWOW64\erjyvjdvhytfvouji.exe tzjwwfytdjt.exe File opened for modification C:\Windows\SysWOW64\xjaokxqhsicncuzn.exe tzjwwfytdjt.exe File opened for modification C:\Windows\SysWOW64\ynhyxnjdrkhvniqhilc.exe tzjwwfytdjt.exe File opened for modification C:\Windows\SysWOW64\erjyvjdvhytfvouji.exe tzjwwfytdjt.exe File opened for modification C:\Windows\SysWOW64\lbwoofcxmgetmirjlphx.exe tzjwwfytdjt.exe File opened for modification C:\Windows\SysWOW64\rjgacvurieevqoztxdxpmg.exe tzjwwfytdjt.exe File opened for modification C:\Windows\SysWOW64\nbukixslyqmzqkrhhj.exe tzjwwfytdjt.exe File opened for modification C:\Windows\SysWOW64\ynhyxnjdrkhvniqhilc.exe tzjwwfytdjt.exe File opened for modification C:\Windows\SysWOW64\erjyvjdvhytfvouji.exe ybjobfp.exe File opened for modification C:\Windows\SysWOW64\nbukixslyqmzqkrhhj.exe tzjwwfytdjt.exe File opened for modification C:\Windows\SysWOW64\ynhyxnjdrkhvniqhilc.exe tzjwwfytdjt.exe File opened for modification C:\Windows\SysWOW64\arnghzxtjedtnkunqvofb.exe tzjwwfytdjt.exe File opened for modification C:\Windows\SysWOW64\erjyvjdvhytfvouji.exe tzjwwfytdjt.exe File opened for modification C:\Windows\SysWOW64\arnghzxtjedtnkunqvofb.exe tzjwwfytdjt.exe File opened for modification C:\Windows\SysWOW64\xjaokxqhsicncuzn.exe tzjwwfytdjt.exe File opened for modification C:\Windows\SysWOW64\xjaokxqhsicncuzn.exe tzjwwfytdjt.exe File opened for modification C:\Windows\SysWOW64\lbwoofcxmgetmirjlphx.exe tzjwwfytdjt.exe File opened for modification C:\Windows\SysWOW64\ynhyxnjdrkhvniqhilc.exe tzjwwfytdjt.exe File opened for modification C:\Windows\SysWOW64\nbukixslyqmzqkrhhj.exe tzjwwfytdjt.exe File opened for modification C:\Windows\SysWOW64\lbwoofcxmgetmirjlphx.exe tzjwwfytdjt.exe File opened for modification C:\Windows\SysWOW64\rjgacvurieevqoztxdxpmg.exe tzjwwfytdjt.exe File opened for modification C:\Windows\SysWOW64\lbwoofcxmgetmirjlphx.exe tzjwwfytdjt.exe File opened for modification C:\Windows\SysWOW64\rjgacvurieevqoztxdxpmg.exe tzjwwfytdjt.exe File opened for modification C:\Windows\SysWOW64\nbukixslyqmzqkrhhj.exe ybjobfp.exe File opened for modification C:\Windows\SysWOW64\nbukixslyqmzqkrhhj.exe ybjobfp.exe File opened for modification C:\Windows\SysWOW64\lbwoofcxmgetmirjlphx.exe ybjobfp.exe File opened for modification C:\Windows\SysWOW64\nbukixslyqmzqkrhhj.exe tzjwwfytdjt.exe File opened for modification C:\Windows\SysWOW64\nbukixslyqmzqkrhhj.exe tzjwwfytdjt.exe File opened for modification C:\Windows\SysWOW64\rjgacvurieevqoztxdxpmg.exe tzjwwfytdjt.exe File opened for modification C:\Windows\SysWOW64\lbwoofcxmgetmirjlphx.exe ybjobfp.exe File opened for modification C:\Windows\SysWOW64\rjgacvurieevqoztxdxpmg.exe ybjobfp.exe File opened for modification C:\Windows\SysWOW64\rjgacvurieevqoztxdxpmg.exe tzjwwfytdjt.exe File opened for modification C:\Windows\SysWOW64\arnghzxtjedtnkunqvofb.exe ybjobfp.exe File opened for modification C:\Windows\SysWOW64\erjyvjdvhytfvouji.exe tzjwwfytdjt.exe File opened for modification C:\Windows\SysWOW64\rjgacvurieevqoztxdxpmg.exe tzjwwfytdjt.exe File opened for modification C:\Windows\SysWOW64\arnghzxtjedtnkunqvofb.exe ybjobfp.exe File opened for modification C:\Windows\SysWOW64\ynhyxnjdrkhvniqhilc.exe tzjwwfytdjt.exe File opened for modification C:\Windows\SysWOW64\erjyvjdvhytfvouji.exe tzjwwfytdjt.exe File opened for modification C:\Windows\SysWOW64\xjaokxqhsicncuzn.exe tzjwwfytdjt.exe File opened for modification C:\Windows\SysWOW64\lbwoofcxmgetmirjlphx.exe tzjwwfytdjt.exe File opened for modification C:\Windows\SysWOW64\xjaokxqhsicncuzn.exe tzjwwfytdjt.exe File opened for modification C:\Windows\SysWOW64\ynhyxnjdrkhvniqhilc.exe tzjwwfytdjt.exe File opened for modification C:\Windows\SysWOW64\rjgacvurieevqoztxdxpmg.exe tzjwwfytdjt.exe File opened for modification C:\Windows\SysWOW64\arnghzxtjedtnkunqvofb.exe tzjwwfytdjt.exe File opened for modification C:\Windows\SysWOW64\xjaokxqhsicncuzn.exe ybjobfp.exe File opened for modification C:\Windows\SysWOW64\bxywczcdyycxwynltdbxyw.zcd ybjobfp.exe File opened for modification C:\Windows\SysWOW64\nbukixslyqmzqkrhhj.exe tzjwwfytdjt.exe File opened for modification C:\Windows\SysWOW64\rjgacvurieevqoztxdxpmg.exe tzjwwfytdjt.exe File opened for modification C:\Windows\SysWOW64\arnghzxtjedtnkunqvofb.exe tzjwwfytdjt.exe File opened for modification C:\Windows\SysWOW64\xjaokxqhsicncuzn.exe tzjwwfytdjt.exe -
Drops file in Program Files directory 4 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\bxywczcdyycxwynltdbxyw.zcd ybjobfp.exe File created C:\Program Files (x86)\bxywczcdyycxwynltdbxyw.zcd ybjobfp.exe File opened for modification C:\Program Files (x86)\szlulthtzkzfpcclezipbkbjxjpapvfss.upy ybjobfp.exe File created C:\Program Files (x86)\szlulthtzkzfpcclezipbkbjxjpapvfss.upy ybjobfp.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\rjgacvurieevqoztxdxpmg.exe tzjwwfytdjt.exe File created C:\Windows\szlulthtzkzfpcclezipbkbjxjpapvfss.upy ybjobfp.exe File opened for modification C:\Windows\erjyvjdvhytfvouji.exe tzjwwfytdjt.exe File opened for modification C:\Windows\xjaokxqhsicncuzn.exe tzjwwfytdjt.exe File opened for modification C:\Windows\nbukixslyqmzqkrhhj.exe tzjwwfytdjt.exe File opened for modification C:\Windows\arnghzxtjedtnkunqvofb.exe tzjwwfytdjt.exe File opened for modification C:\Windows\nbukixslyqmzqkrhhj.exe tzjwwfytdjt.exe File opened for modification C:\Windows\ynhyxnjdrkhvniqhilc.exe tzjwwfytdjt.exe File opened for modification C:\Windows\lbwoofcxmgetmirjlphx.exe tzjwwfytdjt.exe File opened for modification C:\Windows\ynhyxnjdrkhvniqhilc.exe tzjwwfytdjt.exe File opened for modification C:\Windows\rjgacvurieevqoztxdxpmg.exe ybjobfp.exe File opened for modification C:\Windows\erjyvjdvhytfvouji.exe tzjwwfytdjt.exe File opened for modification C:\Windows\lbwoofcxmgetmirjlphx.exe tzjwwfytdjt.exe File opened for modification C:\Windows\erjyvjdvhytfvouji.exe tzjwwfytdjt.exe File opened for modification C:\Windows\rjgacvurieevqoztxdxpmg.exe tzjwwfytdjt.exe File opened for modification C:\Windows\arnghzxtjedtnkunqvofb.exe tzjwwfytdjt.exe File opened for modification C:\Windows\xjaokxqhsicncuzn.exe tzjwwfytdjt.exe File opened for modification C:\Windows\ynhyxnjdrkhvniqhilc.exe tzjwwfytdjt.exe File opened for modification C:\Windows\szlulthtzkzfpcclezipbkbjxjpapvfss.upy ybjobfp.exe File opened for modification C:\Windows\lbwoofcxmgetmirjlphx.exe tzjwwfytdjt.exe File opened for modification C:\Windows\lbwoofcxmgetmirjlphx.exe tzjwwfytdjt.exe File opened for modification C:\Windows\rjgacvurieevqoztxdxpmg.exe tzjwwfytdjt.exe File opened for modification C:\Windows\arnghzxtjedtnkunqvofb.exe tzjwwfytdjt.exe File opened for modification C:\Windows\arnghzxtjedtnkunqvofb.exe tzjwwfytdjt.exe File opened for modification C:\Windows\erjyvjdvhytfvouji.exe ybjobfp.exe File opened for modification C:\Windows\arnghzxtjedtnkunqvofb.exe tzjwwfytdjt.exe File opened for modification C:\Windows\xjaokxqhsicncuzn.exe tzjwwfytdjt.exe File opened for modification C:\Windows\arnghzxtjedtnkunqvofb.exe tzjwwfytdjt.exe File opened for modification C:\Windows\ynhyxnjdrkhvniqhilc.exe tzjwwfytdjt.exe File opened for modification C:\Windows\arnghzxtjedtnkunqvofb.exe tzjwwfytdjt.exe File opened for modification C:\Windows\nbukixslyqmzqkrhhj.exe ybjobfp.exe File opened for modification C:\Windows\nbukixslyqmzqkrhhj.exe tzjwwfytdjt.exe File opened for modification C:\Windows\bxywczcdyycxwynltdbxyw.zcd ybjobfp.exe File opened for modification C:\Windows\xjaokxqhsicncuzn.exe tzjwwfytdjt.exe File opened for modification C:\Windows\nbukixslyqmzqkrhhj.exe tzjwwfytdjt.exe File opened for modification C:\Windows\nbukixslyqmzqkrhhj.exe tzjwwfytdjt.exe File opened for modification C:\Windows\xjaokxqhsicncuzn.exe ybjobfp.exe File created C:\Windows\bxywczcdyycxwynltdbxyw.zcd ybjobfp.exe File opened for modification C:\Windows\arnghzxtjedtnkunqvofb.exe tzjwwfytdjt.exe File opened for modification C:\Windows\ynhyxnjdrkhvniqhilc.exe tzjwwfytdjt.exe File opened for modification C:\Windows\lbwoofcxmgetmirjlphx.exe tzjwwfytdjt.exe File opened for modification C:\Windows\arnghzxtjedtnkunqvofb.exe tzjwwfytdjt.exe File opened for modification C:\Windows\erjyvjdvhytfvouji.exe tzjwwfytdjt.exe File opened for modification C:\Windows\arnghzxtjedtnkunqvofb.exe ybjobfp.exe File opened for modification C:\Windows\xjaokxqhsicncuzn.exe tzjwwfytdjt.exe File opened for modification C:\Windows\xjaokxqhsicncuzn.exe ybjobfp.exe File opened for modification C:\Windows\lbwoofcxmgetmirjlphx.exe ybjobfp.exe File opened for modification C:\Windows\rjgacvurieevqoztxdxpmg.exe tzjwwfytdjt.exe File opened for modification C:\Windows\ynhyxnjdrkhvniqhilc.exe tzjwwfytdjt.exe File opened for modification C:\Windows\erjyvjdvhytfvouji.exe tzjwwfytdjt.exe File opened for modification C:\Windows\lbwoofcxmgetmirjlphx.exe tzjwwfytdjt.exe File opened for modification C:\Windows\rjgacvurieevqoztxdxpmg.exe tzjwwfytdjt.exe File opened for modification C:\Windows\xjaokxqhsicncuzn.exe tzjwwfytdjt.exe File opened for modification C:\Windows\nbukixslyqmzqkrhhj.exe tzjwwfytdjt.exe File opened for modification C:\Windows\ynhyxnjdrkhvniqhilc.exe ybjobfp.exe File opened for modification C:\Windows\lbwoofcxmgetmirjlphx.exe ybjobfp.exe File opened for modification C:\Windows\erjyvjdvhytfvouji.exe tzjwwfytdjt.exe File opened for modification C:\Windows\erjyvjdvhytfvouji.exe ybjobfp.exe File opened for modification C:\Windows\rjgacvurieevqoztxdxpmg.exe tzjwwfytdjt.exe File opened for modification C:\Windows\xjaokxqhsicncuzn.exe tzjwwfytdjt.exe File opened for modification C:\Windows\nbukixslyqmzqkrhhj.exe tzjwwfytdjt.exe File opened for modification C:\Windows\arnghzxtjedtnkunqvofb.exe tzjwwfytdjt.exe File opened for modification C:\Windows\lbwoofcxmgetmirjlphx.exe tzjwwfytdjt.exe File opened for modification C:\Windows\erjyvjdvhytfvouji.exe tzjwwfytdjt.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbukixslyqmzqkrhhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xjaokxqhsicncuzn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ynhyxnjdrkhvniqhilc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language erjyvjdvhytfvouji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ynhyxnjdrkhvniqhilc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xjaokxqhsicncuzn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language arnghzxtjedtnkunqvofb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xjaokxqhsicncuzn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xjaokxqhsicncuzn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xjaokxqhsicncuzn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ynhyxnjdrkhvniqhilc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ybjobfp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language erjyvjdvhytfvouji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xjaokxqhsicncuzn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language erjyvjdvhytfvouji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbukixslyqmzqkrhhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xjaokxqhsicncuzn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language arnghzxtjedtnkunqvofb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xjaokxqhsicncuzn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lbwoofcxmgetmirjlphx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbukixslyqmzqkrhhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xjaokxqhsicncuzn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbukixslyqmzqkrhhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ynhyxnjdrkhvniqhilc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lbwoofcxmgetmirjlphx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xjaokxqhsicncuzn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language arnghzxtjedtnkunqvofb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xjaokxqhsicncuzn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbukixslyqmzqkrhhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lbwoofcxmgetmirjlphx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xjaokxqhsicncuzn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ynhyxnjdrkhvniqhilc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language arnghzxtjedtnkunqvofb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language arnghzxtjedtnkunqvofb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ynhyxnjdrkhvniqhilc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xjaokxqhsicncuzn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xjaokxqhsicncuzn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ynhyxnjdrkhvniqhilc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language erjyvjdvhytfvouji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language arnghzxtjedtnkunqvofb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ynhyxnjdrkhvniqhilc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lbwoofcxmgetmirjlphx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language erjyvjdvhytfvouji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xjaokxqhsicncuzn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lbwoofcxmgetmirjlphx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbukixslyqmzqkrhhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lbwoofcxmgetmirjlphx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tzjwwfytdjt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language erjyvjdvhytfvouji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xjaokxqhsicncuzn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbukixslyqmzqkrhhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbukixslyqmzqkrhhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language erjyvjdvhytfvouji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language erjyvjdvhytfvouji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lbwoofcxmgetmirjlphx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbukixslyqmzqkrhhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language erjyvjdvhytfvouji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lbwoofcxmgetmirjlphx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xjaokxqhsicncuzn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language arnghzxtjedtnkunqvofb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ynhyxnjdrkhvniqhilc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language erjyvjdvhytfvouji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xjaokxqhsicncuzn.exe -
Suspicious behavior: EnumeratesProcesses 56 IoCs
pid Process 4320 JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe 4320 JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe 4320 JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe 4320 JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe 4320 JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe 4320 JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe 4320 JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe 4320 JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe 4320 JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe 4320 JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe 4320 JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe 4320 JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe 4320 JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe 4320 JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe 4320 JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe 4320 JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe 4320 JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe 4320 JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe 3952 ybjobfp.exe 3952 ybjobfp.exe 4320 JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe 4320 JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe 4320 JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe 4320 JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe 4320 JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe 4320 JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe 4320 JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe 4320 JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe 4320 JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe 4320 JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe 4320 JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe 4320 JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe 4320 JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe 4320 JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe 4320 JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe 4320 JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe 4320 JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe 4320 JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe 4320 JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe 4320 JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe 4320 JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe 4320 JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe 4320 JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe 4320 JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe 4320 JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe 4320 JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe 4320 JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe 4320 JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe 4320 JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe 4320 JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe 4320 JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe 4320 JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe 4320 JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe 4320 JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe 4320 JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe 4320 JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3952 ybjobfp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4320 wrote to memory of 1212 4320 JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe 91 PID 4320 wrote to memory of 1212 4320 JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe 91 PID 4320 wrote to memory of 1212 4320 JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe 91 PID 1444 wrote to memory of 3788 1444 cmd.exe 94 PID 1444 wrote to memory of 3788 1444 cmd.exe 94 PID 1444 wrote to memory of 3788 1444 cmd.exe 94 PID 4404 wrote to memory of 312 4404 cmd.exe 97 PID 4404 wrote to memory of 312 4404 cmd.exe 97 PID 4404 wrote to memory of 312 4404 cmd.exe 97 PID 312 wrote to memory of 2200 312 ynhyxnjdrkhvniqhilc.exe 179 PID 312 wrote to memory of 2200 312 ynhyxnjdrkhvniqhilc.exe 179 PID 312 wrote to memory of 2200 312 ynhyxnjdrkhvniqhilc.exe 179 PID 3792 wrote to memory of 3068 3792 cmd.exe 103 PID 3792 wrote to memory of 3068 3792 cmd.exe 103 PID 3792 wrote to memory of 3068 3792 cmd.exe 103 PID 2660 wrote to memory of 1824 2660 cmd.exe 106 PID 2660 wrote to memory of 1824 2660 cmd.exe 106 PID 2660 wrote to memory of 1824 2660 cmd.exe 106 PID 3920 wrote to memory of 4452 3920 cmd.exe 109 PID 3920 wrote to memory of 4452 3920 cmd.exe 109 PID 3920 wrote to memory of 4452 3920 cmd.exe 109 PID 1824 wrote to memory of 5004 1824 erjyvjdvhytfvouji.exe 110 PID 1824 wrote to memory of 5004 1824 erjyvjdvhytfvouji.exe 110 PID 1824 wrote to memory of 5004 1824 erjyvjdvhytfvouji.exe 110 PID 668 wrote to memory of 2112 668 cmd.exe 111 PID 668 wrote to memory of 2112 668 cmd.exe 111 PID 668 wrote to memory of 2112 668 cmd.exe 111 PID 2112 wrote to memory of 3316 2112 xjaokxqhsicncuzn.exe 214 PID 2112 wrote to memory of 3316 2112 xjaokxqhsicncuzn.exe 214 PID 2112 wrote to memory of 3316 2112 xjaokxqhsicncuzn.exe 214 PID 3128 wrote to memory of 1868 3128 cmd.exe 119 PID 3128 wrote to memory of 1868 3128 cmd.exe 119 PID 3128 wrote to memory of 1868 3128 cmd.exe 119 PID 2440 wrote to memory of 2796 2440 cmd.exe 120 PID 2440 wrote to memory of 2796 2440 cmd.exe 120 PID 2440 wrote to memory of 2796 2440 cmd.exe 120 PID 2796 wrote to memory of 3396 2796 lbwoofcxmgetmirjlphx.exe 121 PID 2796 wrote to memory of 3396 2796 lbwoofcxmgetmirjlphx.exe 121 PID 2796 wrote to memory of 3396 2796 lbwoofcxmgetmirjlphx.exe 121 PID 1212 wrote to memory of 3952 1212 tzjwwfytdjt.exe 124 PID 1212 wrote to memory of 3952 1212 tzjwwfytdjt.exe 124 PID 1212 wrote to memory of 3952 1212 tzjwwfytdjt.exe 124 PID 1212 wrote to memory of 2396 1212 tzjwwfytdjt.exe 125 PID 1212 wrote to memory of 2396 1212 tzjwwfytdjt.exe 125 PID 1212 wrote to memory of 2396 1212 tzjwwfytdjt.exe 125 PID 4420 wrote to memory of 2380 4420 cmd.exe 128 PID 4420 wrote to memory of 2380 4420 cmd.exe 128 PID 4420 wrote to memory of 2380 4420 cmd.exe 128 PID 3812 wrote to memory of 2392 3812 cmd.exe 133 PID 3812 wrote to memory of 2392 3812 cmd.exe 133 PID 3812 wrote to memory of 2392 3812 cmd.exe 133 PID 744 wrote to memory of 1972 744 cmd.exe 134 PID 744 wrote to memory of 1972 744 cmd.exe 134 PID 744 wrote to memory of 1972 744 cmd.exe 134 PID 2392 wrote to memory of 3336 2392 xjaokxqhsicncuzn.exe 140 PID 2392 wrote to memory of 3336 2392 xjaokxqhsicncuzn.exe 140 PID 2392 wrote to memory of 3336 2392 xjaokxqhsicncuzn.exe 140 PID 4620 wrote to memory of 3868 4620 cmd.exe 343 PID 4620 wrote to memory of 3868 4620 cmd.exe 343 PID 4620 wrote to memory of 3868 4620 cmd.exe 343 PID 3116 wrote to memory of 4988 3116 cmd.exe 320 PID 3116 wrote to memory of 4988 3116 cmd.exe 320 PID 3116 wrote to memory of 4988 3116 cmd.exe 320 PID 3100 wrote to memory of 2896 3100 cmd.exe 161 -
System policy modification 1 TTPs 53 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" ybjobfp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" tzjwwfytdjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" tzjwwfytdjt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer tzjwwfytdjt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System tzjwwfytdjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" ybjobfp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" ybjobfp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" ybjobfp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System tzjwwfytdjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" tzjwwfytdjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" ybjobfp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" ybjobfp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" ybjobfp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System tzjwwfytdjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" tzjwwfytdjt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System tzjwwfytdjt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System ybjobfp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ybjobfp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" ybjobfp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" ybjobfp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" ybjobfp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System tzjwwfytdjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" ybjobfp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" tzjwwfytdjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" tzjwwfytdjt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System ybjobfp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" ybjobfp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer ybjobfp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System tzjwwfytdjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ybjobfp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" tzjwwfytdjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" ybjobfp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" ybjobfp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer ybjobfp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" tzjwwfytdjt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System tzjwwfytdjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" tzjwwfytdjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" ybjobfp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" tzjwwfytdjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" tzjwwfytdjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" ybjobfp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" tzjwwfytdjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" tzjwwfytdjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" tzjwwfytdjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" tzjwwfytdjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" tzjwwfytdjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" ybjobfp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System tzjwwfytdjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" tzjwwfytdjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" ybjobfp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System tzjwwfytdjt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System tzjwwfytdjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" tzjwwfytdjt.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4320 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_c5053b6a278897cf8629be4ba93b3030.exe*"2⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1212 -
C:\Users\Admin\AppData\Local\Temp\ybjobfp.exe"C:\Users\Admin\AppData\Local\Temp\ybjobfp.exe" "-C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe"3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3952
-
-
C:\Users\Admin\AppData\Local\Temp\ybjobfp.exe"C:\Users\Admin\AppData\Local\Temp\ybjobfp.exe" "-C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe"3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2396
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erjyvjdvhytfvouji.exe1⤵
- Suspicious use of WriteProcessMemory
PID:1444 -
C:\Windows\erjyvjdvhytfvouji.exeerjyvjdvhytfvouji.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3788
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ynhyxnjdrkhvniqhilc.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:4404 -
C:\Windows\ynhyxnjdrkhvniqhilc.exeynhyxnjdrkhvniqhilc.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:312 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\ynhyxnjdrkhvniqhilc.exe*."3⤵
- Executes dropped EXE
PID:2200
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erjyvjdvhytfvouji.exe1⤵
- Suspicious use of WriteProcessMemory
PID:3792 -
C:\Windows\erjyvjdvhytfvouji.exeerjyvjdvhytfvouji.exe2⤵
- Executes dropped EXE
PID:3068
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erjyvjdvhytfvouji.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\erjyvjdvhytfvouji.exeerjyvjdvhytfvouji.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1824 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\erjyvjdvhytfvouji.exe*."3⤵
- Executes dropped EXE
PID:5004
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exe1⤵
- Suspicious use of WriteProcessMemory
PID:3920 -
C:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exeC:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4452
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:668 -
C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exeC:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\xjaokxqhsicncuzn.exe*."3⤵
- Executes dropped EXE
PID:3316
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe1⤵
- Suspicious use of WriteProcessMemory
PID:3128 -
C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exeC:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1868
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exeC:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\lbwoofcxmgetmirjlphx.exe*."3⤵
- Executes dropped EXE
PID:3396
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erjyvjdvhytfvouji.exe1⤵
- Suspicious use of WriteProcessMemory
PID:4420 -
C:\Windows\erjyvjdvhytfvouji.exeerjyvjdvhytfvouji.exe2⤵
- Executes dropped EXE
PID:2380
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xjaokxqhsicncuzn.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:3812 -
C:\Windows\xjaokxqhsicncuzn.exexjaokxqhsicncuzn.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\xjaokxqhsicncuzn.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3336
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbwoofcxmgetmirjlphx.exe1⤵
- Suspicious use of WriteProcessMemory
PID:744 -
C:\Windows\lbwoofcxmgetmirjlphx.exelbwoofcxmgetmirjlphx.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1972
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xjaokxqhsicncuzn.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:4620 -
C:\Windows\xjaokxqhsicncuzn.exexjaokxqhsicncuzn.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3868 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\xjaokxqhsicncuzn.exe*."3⤵
- Executes dropped EXE
PID:1940
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbwoofcxmgetmirjlphx.exe1⤵
- Suspicious use of WriteProcessMemory
PID:3116 -
C:\Windows\lbwoofcxmgetmirjlphx.exelbwoofcxmgetmirjlphx.exe2⤵
- Executes dropped EXE
PID:4988
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbwoofcxmgetmirjlphx.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:3100 -
C:\Windows\lbwoofcxmgetmirjlphx.exelbwoofcxmgetmirjlphx.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2896 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\lbwoofcxmgetmirjlphx.exe*."3⤵
- Executes dropped EXE
PID:5032
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erjyvjdvhytfvouji.exe1⤵PID:3876
-
C:\Windows\erjyvjdvhytfvouji.exeerjyvjdvhytfvouji.exe2⤵
- Executes dropped EXE
PID:3828
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe1⤵PID:4400
-
C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exeC:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe2⤵
- Executes dropped EXE
PID:2456
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbwoofcxmgetmirjlphx.exe .1⤵PID:4968
-
C:\Windows\lbwoofcxmgetmirjlphx.exelbwoofcxmgetmirjlphx.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3788 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\lbwoofcxmgetmirjlphx.exe*."3⤵
- Executes dropped EXE
PID:4784
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe .1⤵PID:3648
-
C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exeC:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4156 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\erjyvjdvhytfvouji.exe*."3⤵
- Executes dropped EXE
PID:3308
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ynhyxnjdrkhvniqhilc.exe1⤵PID:3600
-
C:\Users\Admin\AppData\Local\Temp\ynhyxnjdrkhvniqhilc.exeC:\Users\Admin\AppData\Local\Temp\ynhyxnjdrkhvniqhilc.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3024
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe .1⤵PID:2620
-
C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exeC:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1664 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\erjyvjdvhytfvouji.exe*."3⤵
- Executes dropped EXE
PID:4828
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exe1⤵PID:1656
-
C:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exeC:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1144
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe1⤵PID:2244
-
C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exeC:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe2⤵
- Executes dropped EXE
PID:4396
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exe .1⤵PID:3376
-
C:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exeC:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3488 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\arnghzxtjedtnkunqvofb.exe*."3⤵
- Executes dropped EXE
PID:2780
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe .1⤵PID:4820
-
C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exeC:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3660 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\xjaokxqhsicncuzn.exe*."3⤵
- Executes dropped EXE
PID:3140
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nbukixslyqmzqkrhhj.exe1⤵PID:1456
-
C:\Windows\nbukixslyqmzqkrhhj.exenbukixslyqmzqkrhhj.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3920
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xjaokxqhsicncuzn.exe .1⤵PID:3724
-
C:\Windows\xjaokxqhsicncuzn.exexjaokxqhsicncuzn.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2504 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\xjaokxqhsicncuzn.exe*."3⤵
- Executes dropped EXE
PID:4984
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbwoofcxmgetmirjlphx.exe1⤵PID:1748
-
C:\Windows\lbwoofcxmgetmirjlphx.exelbwoofcxmgetmirjlphx.exe2⤵
- Executes dropped EXE
PID:2960
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xjaokxqhsicncuzn.exe .1⤵PID:2200
-
C:\Windows\xjaokxqhsicncuzn.exexjaokxqhsicncuzn.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4156 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\xjaokxqhsicncuzn.exe*."3⤵
- Executes dropped EXE
PID:3888
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe1⤵PID:2432
-
C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exeC:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe2⤵
- Executes dropped EXE
PID:4956
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe .1⤵PID:4836
-
C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exeC:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5044 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\erjyvjdvhytfvouji.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2540
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe1⤵PID:3528
-
C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exeC:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe2⤵
- Executes dropped EXE
PID:3308
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe .1⤵PID:3100
-
C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exeC:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3328 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\xjaokxqhsicncuzn.exe*."3⤵
- Executes dropped EXE
PID:3556
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ynhyxnjdrkhvniqhilc.exe1⤵PID:208
-
C:\Windows\ynhyxnjdrkhvniqhilc.exeynhyxnjdrkhvniqhilc.exe2⤵
- Executes dropped EXE
PID:3316
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nbukixslyqmzqkrhhj.exe .1⤵PID:2812
-
C:\Windows\nbukixslyqmzqkrhhj.exenbukixslyqmzqkrhhj.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
PID:1664 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\nbukixslyqmzqkrhhj.exe*."3⤵
- Executes dropped EXE
PID:1988
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nbukixslyqmzqkrhhj.exe1⤵PID:4984
-
C:\Windows\nbukixslyqmzqkrhhj.exenbukixslyqmzqkrhhj.exe2⤵
- Executes dropped EXE
PID:3044
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ynhyxnjdrkhvniqhilc.exe .1⤵PID:4860
-
C:\Windows\ynhyxnjdrkhvniqhilc.exeynhyxnjdrkhvniqhilc.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4700 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\ynhyxnjdrkhvniqhilc.exe*."3⤵
- Executes dropped EXE
PID:4144
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe1⤵PID:2324
-
C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exeC:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe2⤵
- Executes dropped EXE
PID:544
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe .1⤵PID:3136
-
C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exeC:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:8 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\xjaokxqhsicncuzn.exe*."3⤵
- Executes dropped EXE
PID:2456
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbwoofcxmgetmirjlphx.exe1⤵PID:448
-
C:\Windows\lbwoofcxmgetmirjlphx.exelbwoofcxmgetmirjlphx.exe2⤵
- Executes dropped EXE
PID:3776
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arnghzxtjedtnkunqvofb.exe1⤵PID:2836
-
C:\Windows\arnghzxtjedtnkunqvofb.exearnghzxtjedtnkunqvofb.exe2⤵
- Executes dropped EXE
PID:3272
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ynhyxnjdrkhvniqhilc.exe .1⤵PID:2700
-
C:\Windows\ynhyxnjdrkhvniqhilc.exeynhyxnjdrkhvniqhilc.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1176 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\ynhyxnjdrkhvniqhilc.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:944
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe1⤵PID:5044
-
C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exeC:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe2⤵PID:4952
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xjaokxqhsicncuzn.exe .1⤵PID:3536
-
C:\Windows\xjaokxqhsicncuzn.exexjaokxqhsicncuzn.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4364 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\xjaokxqhsicncuzn.exe*."3⤵PID:3848
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ynhyxnjdrkhvniqhilc.exe1⤵PID:1796
-
C:\Windows\ynhyxnjdrkhvniqhilc.exeynhyxnjdrkhvniqhilc.exe2⤵PID:2812
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe .1⤵PID:4960
-
C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exeC:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe .2⤵
- Checks computer location settings
PID:4700 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\lbwoofcxmgetmirjlphx.exe*."3⤵PID:3184
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ynhyxnjdrkhvniqhilc.exe .1⤵PID:4628
-
C:\Windows\ynhyxnjdrkhvniqhilc.exeynhyxnjdrkhvniqhilc.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3776 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\ynhyxnjdrkhvniqhilc.exe*."3⤵PID:2616
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xjaokxqhsicncuzn.exe1⤵PID:1624
-
C:\Windows\xjaokxqhsicncuzn.exexjaokxqhsicncuzn.exe2⤵PID:3240
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ynhyxnjdrkhvniqhilc.exe1⤵PID:1864
-
C:\Users\Admin\AppData\Local\Temp\ynhyxnjdrkhvniqhilc.exeC:\Users\Admin\AppData\Local\Temp\ynhyxnjdrkhvniqhilc.exe2⤵PID:2692
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erjyvjdvhytfvouji.exe .1⤵PID:456
-
C:\Windows\erjyvjdvhytfvouji.exeerjyvjdvhytfvouji.exe .2⤵
- Checks computer location settings
PID:4532 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\erjyvjdvhytfvouji.exe*."3⤵PID:2388
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe .1⤵PID:1784
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4956
-
-
C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exeC:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1912 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\xjaokxqhsicncuzn.exe*."3⤵PID:4836
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exe1⤵PID:2504
-
C:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exeC:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exe2⤵PID:3024
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe .1⤵PID:1676
-
C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exeC:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:752 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\erjyvjdvhytfvouji.exe*."3⤵PID:3788
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe1⤵PID:3068
-
C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exeC:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe2⤵PID:800
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ynhyxnjdrkhvniqhilc.exe .1⤵PID:1904
-
C:\Users\Admin\AppData\Local\Temp\ynhyxnjdrkhvniqhilc.exeC:\Users\Admin\AppData\Local\Temp\ynhyxnjdrkhvniqhilc.exe .2⤵
- Checks computer location settings
PID:2260 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\ynhyxnjdrkhvniqhilc.exe*."3⤵PID:1824
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe1⤵PID:3368
-
C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exeC:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe2⤵PID:4148
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exe .1⤵PID:3888
-
C:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exeC:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:312 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\nbukixslyqmzqkrhhj.exe*."3⤵PID:1656
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erjyvjdvhytfvouji.exe1⤵PID:3064
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1664
-
-
C:\Windows\erjyvjdvhytfvouji.exeerjyvjdvhytfvouji.exe2⤵PID:1980
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbwoofcxmgetmirjlphx.exe .1⤵PID:2544
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3556
-
-
C:\Windows\lbwoofcxmgetmirjlphx.exelbwoofcxmgetmirjlphx.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4620 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\lbwoofcxmgetmirjlphx.exe*."3⤵PID:3872
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbwoofcxmgetmirjlphx.exe1⤵PID:2636
-
C:\Windows\lbwoofcxmgetmirjlphx.exelbwoofcxmgetmirjlphx.exe2⤵PID:2676
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xjaokxqhsicncuzn.exe .1⤵PID:2116
-
C:\Windows\xjaokxqhsicncuzn.exexjaokxqhsicncuzn.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:908 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\xjaokxqhsicncuzn.exe*."3⤵PID:972
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exe1⤵PID:3392
-
C:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exeC:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exe2⤵PID:1864
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe .1⤵PID:2616
-
C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exeC:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3876 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\xjaokxqhsicncuzn.exe*."3⤵PID:4148
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe1⤵PID:2244
-
C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exeC:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe2⤵PID:3528
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe .1⤵PID:4396
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4988
-
-
C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exeC:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2260 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\erjyvjdvhytfvouji.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4156
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nbukixslyqmzqkrhhj.exe1⤵PID:3920
-
C:\Windows\nbukixslyqmzqkrhhj.exenbukixslyqmzqkrhhj.exe2⤵PID:2416
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ynhyxnjdrkhvniqhilc.exe .1⤵PID:2328
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:800
-
-
C:\Windows\ynhyxnjdrkhvniqhilc.exeynhyxnjdrkhvniqhilc.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3888 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\ynhyxnjdrkhvniqhilc.exe*."3⤵PID:1624
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ynhyxnjdrkhvniqhilc.exe1⤵PID:5000
-
C:\Windows\ynhyxnjdrkhvniqhilc.exeynhyxnjdrkhvniqhilc.exe2⤵PID:3532
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xjaokxqhsicncuzn.exe .1⤵PID:4168
-
C:\Windows\xjaokxqhsicncuzn.exexjaokxqhsicncuzn.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4776 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\xjaokxqhsicncuzn.exe*."3⤵PID:3868
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe1⤵PID:2456
-
C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exeC:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe2⤵PID:896
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exe .1⤵PID:1744
-
C:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exeC:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4612 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\nbukixslyqmzqkrhhj.exe*."3⤵PID:3108
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe1⤵PID:2660
-
C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exeC:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe2⤵PID:384
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe .1⤵PID:4532
-
C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exeC:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4512 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\lbwoofcxmgetmirjlphx.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2052
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arnghzxtjedtnkunqvofb.exe1⤵PID:684
-
C:\Windows\arnghzxtjedtnkunqvofb.exearnghzxtjedtnkunqvofb.exe2⤵PID:4860
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ynhyxnjdrkhvniqhilc.exe .1⤵PID:3848
-
C:\Windows\ynhyxnjdrkhvniqhilc.exeynhyxnjdrkhvniqhilc.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3016 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\ynhyxnjdrkhvniqhilc.exe*."3⤵PID:4928
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nbukixslyqmzqkrhhj.exe1⤵PID:2412
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3920
-
-
C:\Windows\nbukixslyqmzqkrhhj.exenbukixslyqmzqkrhhj.exe2⤵PID:844
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nbukixslyqmzqkrhhj.exe .1⤵PID:4104
-
C:\Windows\nbukixslyqmzqkrhhj.exenbukixslyqmzqkrhhj.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:116 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\nbukixslyqmzqkrhhj.exe*."3⤵PID:1868
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exe1⤵PID:1624
-
C:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exeC:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exe2⤵PID:2504
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exe .1⤵PID:1080
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3488
-
-
C:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exeC:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2544 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\arnghzxtjedtnkunqvofb.exe*."3⤵PID:4408
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe1⤵PID:2116
-
C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exeC:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe2⤵PID:2908
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe .1⤵PID:4596
-
C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exeC:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4364 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\erjyvjdvhytfvouji.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4888
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erjyvjdvhytfvouji.exe1⤵PID:3900
-
C:\Windows\erjyvjdvhytfvouji.exeerjyvjdvhytfvouji.exe2⤵PID:4764
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arnghzxtjedtnkunqvofb.exe .1⤵PID:4036
-
C:\Windows\arnghzxtjedtnkunqvofb.exearnghzxtjedtnkunqvofb.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1260 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\arnghzxtjedtnkunqvofb.exe*."3⤵PID:3068
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nbukixslyqmzqkrhhj.exe1⤵PID:1984
-
C:\Windows\nbukixslyqmzqkrhhj.exenbukixslyqmzqkrhhj.exe2⤵PID:4532
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nbukixslyqmzqkrhhj.exe .1⤵PID:376
-
C:\Windows\nbukixslyqmzqkrhhj.exenbukixslyqmzqkrhhj.exe .2⤵
- Checks computer location settings
PID:2388 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\nbukixslyqmzqkrhhj.exe*."3⤵PID:4648
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exe1⤵PID:348
-
C:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exeC:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exe2⤵PID:4420
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe .1⤵PID:1068
-
C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exeC:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1740 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\xjaokxqhsicncuzn.exe*."3⤵PID:1180
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exe1⤵PID:3396
-
C:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exeC:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exe2⤵PID:908
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exe .1⤵PID:1624
-
C:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exeC:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3804 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\nbukixslyqmzqkrhhj.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4104
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbwoofcxmgetmirjlphx.exe1⤵PID:4400
-
C:\Windows\lbwoofcxmgetmirjlphx.exelbwoofcxmgetmirjlphx.exe2⤵PID:3564
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arnghzxtjedtnkunqvofb.exe .1⤵PID:3868
-
C:\Windows\arnghzxtjedtnkunqvofb.exearnghzxtjedtnkunqvofb.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4536 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\arnghzxtjedtnkunqvofb.exe*."3⤵PID:2616
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xjaokxqhsicncuzn.exe1⤵PID:2780
-
C:\Windows\xjaokxqhsicncuzn.exexjaokxqhsicncuzn.exe2⤵PID:1176
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ynhyxnjdrkhvniqhilc.exe .1⤵PID:4208
-
C:\Windows\ynhyxnjdrkhvniqhilc.exeynhyxnjdrkhvniqhilc.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2468 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\ynhyxnjdrkhvniqhilc.exe*."3⤵PID:5044
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe1⤵PID:4764
-
C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exeC:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe2⤵PID:4144
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe .1⤵PID:3788
-
C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exeC:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4436 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\erjyvjdvhytfvouji.exe*."3⤵PID:2752
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ynhyxnjdrkhvniqhilc.exe1⤵PID:2372
-
C:\Users\Admin\AppData\Local\Temp\ynhyxnjdrkhvniqhilc.exeC:\Users\Admin\AppData\Local\Temp\ynhyxnjdrkhvniqhilc.exe2⤵PID:2700
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exe .1⤵PID:684
-
C:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exeC:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:844 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\nbukixslyqmzqkrhhj.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:944
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erjyvjdvhytfvouji.exe1⤵PID:4204
-
C:\Windows\erjyvjdvhytfvouji.exeerjyvjdvhytfvouji.exe2⤵PID:4332
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arnghzxtjedtnkunqvofb.exe .1⤵PID:2812
-
C:\Windows\arnghzxtjedtnkunqvofb.exearnghzxtjedtnkunqvofb.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3392 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\arnghzxtjedtnkunqvofb.exe*."3⤵PID:2256
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbwoofcxmgetmirjlphx.exe1⤵PID:1868
-
C:\Windows\lbwoofcxmgetmirjlphx.exelbwoofcxmgetmirjlphx.exe2⤵PID:2544
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arnghzxtjedtnkunqvofb.exe .1⤵PID:1792
-
C:\Windows\arnghzxtjedtnkunqvofb.exearnghzxtjedtnkunqvofb.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3340 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\arnghzxtjedtnkunqvofb.exe*."3⤵PID:4160
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe1⤵PID:1080
-
C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exeC:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe2⤵PID:2660
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe .1⤵PID:2116
-
C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exeC:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:384 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\erjyvjdvhytfvouji.exe*."3⤵PID:1600
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ynhyxnjdrkhvniqhilc.exe1⤵PID:1816
-
C:\Users\Admin\AppData\Local\Temp\ynhyxnjdrkhvniqhilc.exeC:\Users\Admin\AppData\Local\Temp\ynhyxnjdrkhvniqhilc.exe2⤵PID:2640
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe .1⤵PID:4020
-
C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exeC:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1940 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\lbwoofcxmgetmirjlphx.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3188
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ynhyxnjdrkhvniqhilc.exe1⤵PID:1204
-
C:\Windows\ynhyxnjdrkhvniqhilc.exeynhyxnjdrkhvniqhilc.exe2⤵PID:544
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xjaokxqhsicncuzn.exe1⤵PID:4052
-
C:\Windows\xjaokxqhsicncuzn.exexjaokxqhsicncuzn.exe2⤵PID:3536
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xjaokxqhsicncuzn.exe .1⤵PID:1904
-
C:\Windows\xjaokxqhsicncuzn.exexjaokxqhsicncuzn.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1444 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\xjaokxqhsicncuzn.exe*."3⤵PID:3392
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xjaokxqhsicncuzn.exe .1⤵PID:1852
-
C:\Windows\xjaokxqhsicncuzn.exexjaokxqhsicncuzn.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2328 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\xjaokxqhsicncuzn.exe*."3⤵PID:4536
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ynhyxnjdrkhvniqhilc.exe1⤵PID:1704
-
C:\Windows\ynhyxnjdrkhvniqhilc.exeynhyxnjdrkhvniqhilc.exe2⤵PID:4900
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erjyvjdvhytfvouji.exe1⤵PID:1984
-
C:\Windows\erjyvjdvhytfvouji.exeerjyvjdvhytfvouji.exe2⤵PID:4044
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nbukixslyqmzqkrhhj.exe .1⤵PID:3584
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2692
-
-
C:\Windows\nbukixslyqmzqkrhhj.exenbukixslyqmzqkrhhj.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1600 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\nbukixslyqmzqkrhhj.exe*."3⤵PID:4412
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arnghzxtjedtnkunqvofb.exe .1⤵PID:2112
-
C:\Windows\arnghzxtjedtnkunqvofb.exearnghzxtjedtnkunqvofb.exe .2⤵
- Checks computer location settings
PID:4344 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\arnghzxtjedtnkunqvofb.exe*."3⤵PID:3724
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exe1⤵PID:4176
-
C:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exeC:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exe2⤵PID:1272
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arnghzxtjedtnkunqvofb.exe1⤵PID:4500
-
C:\Windows\arnghzxtjedtnkunqvofb.exearnghzxtjedtnkunqvofb.exe2⤵PID:3136
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe1⤵PID:4364
-
C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exeC:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe2⤵PID:1556
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe .1⤵PID:4280
-
C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exeC:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1904 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\lbwoofcxmgetmirjlphx.exe*."3⤵PID:2832
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe .1⤵PID:2460
-
C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exeC:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2412 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\xjaokxqhsicncuzn.exe*."3⤵PID:3288
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ynhyxnjdrkhvniqhilc.exe .1⤵PID:4596
-
C:\Windows\ynhyxnjdrkhvniqhilc.exeynhyxnjdrkhvniqhilc.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4604 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\ynhyxnjdrkhvniqhilc.exe*."3⤵PID:5032
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe1⤵PID:3900
-
C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exeC:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe2⤵PID:2568
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ynhyxnjdrkhvniqhilc.exe1⤵PID:3660
-
C:\Windows\ynhyxnjdrkhvniqhilc.exeynhyxnjdrkhvniqhilc.exe2⤵PID:1252
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe .1⤵PID:1896
-
C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exeC:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe .2⤵PID:4812
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\xjaokxqhsicncuzn.exe*."3⤵PID:4500
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe1⤵PID:3788
-
C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exeC:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe2⤵PID:3920
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nbukixslyqmzqkrhhj.exe .1⤵PID:1144
-
C:\Windows\nbukixslyqmzqkrhhj.exenbukixslyqmzqkrhhj.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3024 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\nbukixslyqmzqkrhhj.exe*."3⤵PID:2700
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe .1⤵PID:4052
-
C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exeC:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4332 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\xjaokxqhsicncuzn.exe*."3⤵PID:2504
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe1⤵PID:1552
-
C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exeC:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe2⤵PID:3724
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe .1⤵PID:116
-
C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exeC:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe .2⤵
- Checks computer location settings
PID:1584 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\lbwoofcxmgetmirjlphx.exe*."3⤵PID:1924
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe1⤵PID:348
-
C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exeC:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe2⤵PID:384
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exe .1⤵PID:2964
-
C:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exeC:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exe .2⤵PID:4968
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\nbukixslyqmzqkrhhj.exe*."3⤵PID:2332
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erjyvjdvhytfvouji.exe1⤵PID:2676
-
C:\Windows\erjyvjdvhytfvouji.exeerjyvjdvhytfvouji.exe2⤵PID:1572
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arnghzxtjedtnkunqvofb.exe .1⤵PID:2176
-
C:\Windows\arnghzxtjedtnkunqvofb.exearnghzxtjedtnkunqvofb.exe .2⤵PID:1008
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\arnghzxtjedtnkunqvofb.exe*."3⤵PID:368
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erjyvjdvhytfvouji.exe1⤵PID:2780
-
C:\Windows\erjyvjdvhytfvouji.exeerjyvjdvhytfvouji.exe2⤵PID:4148
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nbukixslyqmzqkrhhj.exe .1⤵PID:3108
-
C:\Windows\nbukixslyqmzqkrhhj.exenbukixslyqmzqkrhhj.exe .2⤵PID:2328
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\nbukixslyqmzqkrhhj.exe*."3⤵PID:3260
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exe1⤵PID:1548
-
C:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exeC:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exe2⤵PID:1144
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exe .1⤵PID:1980
-
C:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exeC:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exe .2⤵PID:2340
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\nbukixslyqmzqkrhhj.exe*."3⤵PID:3868
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe1⤵PID:1140
-
C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exeC:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe2⤵PID:4952
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe .1⤵PID:672
-
C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exeC:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe .2⤵PID:3848
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\lbwoofcxmgetmirjlphx.exe*."3⤵PID:908
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ynhyxnjdrkhvniqhilc.exe1⤵PID:3584
-
C:\Windows\ynhyxnjdrkhvniqhilc.exeynhyxnjdrkhvniqhilc.exe2⤵PID:452
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xjaokxqhsicncuzn.exe .1⤵PID:2620
-
C:\Windows\xjaokxqhsicncuzn.exexjaokxqhsicncuzn.exe .2⤵PID:728
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\xjaokxqhsicncuzn.exe*."3⤵PID:2084
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xjaokxqhsicncuzn.exe1⤵PID:4236
-
C:\Windows\xjaokxqhsicncuzn.exexjaokxqhsicncuzn.exe2⤵PID:3604
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbwoofcxmgetmirjlphx.exe .1⤵PID:4564
-
C:\Windows\lbwoofcxmgetmirjlphx.exelbwoofcxmgetmirjlphx.exe .2⤵PID:4972
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\lbwoofcxmgetmirjlphx.exe*."3⤵PID:4612
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe1⤵PID:2636
-
C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exeC:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe2⤵PID:376
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe .1⤵PID:1008
-
C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exeC:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe .2⤵PID:4484
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\lbwoofcxmgetmirjlphx.exe*."3⤵PID:3340
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ynhyxnjdrkhvniqhilc.exe1⤵PID:116
-
C:\Users\Admin\AppData\Local\Temp\ynhyxnjdrkhvniqhilc.exeC:\Users\Admin\AppData\Local\Temp\ynhyxnjdrkhvniqhilc.exe2⤵PID:1784
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe .1⤵PID:1548
-
C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exeC:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe .2⤵PID:5064
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\erjyvjdvhytfvouji.exe*."3⤵PID:1496
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nbukixslyqmzqkrhhj.exe1⤵PID:1916
-
C:\Windows\nbukixslyqmzqkrhhj.exenbukixslyqmzqkrhhj.exe2⤵PID:3396
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbwoofcxmgetmirjlphx.exe .1⤵PID:4212
-
C:\Windows\lbwoofcxmgetmirjlphx.exelbwoofcxmgetmirjlphx.exe .2⤵PID:2372
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\lbwoofcxmgetmirjlphx.exe*."3⤵PID:4940
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arnghzxtjedtnkunqvofb.exe1⤵PID:3724
-
C:\Windows\arnghzxtjedtnkunqvofb.exearnghzxtjedtnkunqvofb.exe2⤵PID:5032
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erjyvjdvhytfvouji.exe .1⤵PID:4448
-
C:\Windows\erjyvjdvhytfvouji.exeerjyvjdvhytfvouji.exe .2⤵PID:2052
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\erjyvjdvhytfvouji.exe*."3⤵PID:1444
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe1⤵PID:3392
-
C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exeC:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe2⤵PID:4688
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exe .1⤵PID:4648
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3776
-
-
C:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exeC:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exe .2⤵PID:816
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\arnghzxtjedtnkunqvofb.exe*."3⤵PID:2176
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe1⤵PID:2904
-
C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exeC:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe2⤵PID:3360
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exe .1⤵PID:4980
-
C:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exeC:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exe .2⤵PID:116
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\nbukixslyqmzqkrhhj.exe*."3⤵PID:4616
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arnghzxtjedtnkunqvofb.exe1⤵PID:2112
-
C:\Windows\arnghzxtjedtnkunqvofb.exearnghzxtjedtnkunqvofb.exe2⤵PID:2056
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erjyvjdvhytfvouji.exe .1⤵PID:4040
-
C:\Windows\erjyvjdvhytfvouji.exeerjyvjdvhytfvouji.exe .2⤵PID:1592
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\erjyvjdvhytfvouji.exe*."3⤵PID:3996
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arnghzxtjedtnkunqvofb.exe1⤵PID:2812
-
C:\Windows\arnghzxtjedtnkunqvofb.exearnghzxtjedtnkunqvofb.exe2⤵PID:3720
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arnghzxtjedtnkunqvofb.exe .1⤵PID:2512
-
C:\Windows\arnghzxtjedtnkunqvofb.exearnghzxtjedtnkunqvofb.exe .2⤵PID:4260
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\arnghzxtjedtnkunqvofb.exe*."3⤵PID:3336
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exe1⤵PID:1740
-
C:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exeC:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exe2⤵PID:4052
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ynhyxnjdrkhvniqhilc.exe .1⤵PID:544
-
C:\Users\Admin\AppData\Local\Temp\ynhyxnjdrkhvniqhilc.exeC:\Users\Admin\AppData\Local\Temp\ynhyxnjdrkhvniqhilc.exe .2⤵PID:4688
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\ynhyxnjdrkhvniqhilc.exe*."3⤵PID:3788
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exe1⤵PID:2832
-
C:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exeC:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exe2⤵PID:2200
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exe .1⤵PID:4764
-
C:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exeC:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exe .2⤵PID:3964
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\arnghzxtjedtnkunqvofb.exe*."3⤵PID:4400
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbwoofcxmgetmirjlphx.exe1⤵PID:1396
-
C:\Windows\lbwoofcxmgetmirjlphx.exelbwoofcxmgetmirjlphx.exe2⤵PID:3288
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ynhyxnjdrkhvniqhilc.exe .1⤵PID:4980
-
C:\Windows\ynhyxnjdrkhvniqhilc.exeynhyxnjdrkhvniqhilc.exe .2⤵PID:3316
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\ynhyxnjdrkhvniqhilc.exe*."3⤵PID:4888
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbwoofcxmgetmirjlphx.exe1⤵PID:3536
-
C:\Windows\lbwoofcxmgetmirjlphx.exelbwoofcxmgetmirjlphx.exe2⤵PID:1600
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arnghzxtjedtnkunqvofb.exe .1⤵PID:1744
-
C:\Windows\arnghzxtjedtnkunqvofb.exearnghzxtjedtnkunqvofb.exe .2⤵PID:1020
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\arnghzxtjedtnkunqvofb.exe*."3⤵PID:2416
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe1⤵PID:4160
-
C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exeC:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe2⤵PID:4336
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exe .1⤵PID:3564
-
C:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exeC:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exe .2⤵PID:2536
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\arnghzxtjedtnkunqvofb.exe*."3⤵PID:4260
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe1⤵PID:452
-
C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exeC:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe2⤵PID:4688
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exe .1⤵PID:3600
-
C:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exeC:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exe .2⤵PID:2752
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\arnghzxtjedtnkunqvofb.exe*."3⤵PID:1680
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbwoofcxmgetmirjlphx.exe1⤵PID:1904
-
C:\Windows\lbwoofcxmgetmirjlphx.exelbwoofcxmgetmirjlphx.exe2⤵PID:2640
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erjyvjdvhytfvouji.exe .1⤵PID:3184
-
C:\Windows\erjyvjdvhytfvouji.exeerjyvjdvhytfvouji.exe .2⤵PID:1912
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\erjyvjdvhytfvouji.exe*."3⤵PID:1548
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nbukixslyqmzqkrhhj.exe1⤵PID:2468
-
C:\Windows\nbukixslyqmzqkrhhj.exenbukixslyqmzqkrhhj.exe2⤵PID:3308
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ynhyxnjdrkhvniqhilc.exe1⤵PID:812
-
C:\Windows\ynhyxnjdrkhvniqhilc.exeynhyxnjdrkhvniqhilc.exe2⤵PID:4164
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ynhyxnjdrkhvniqhilc.exe .1⤵PID:4636
-
C:\Windows\ynhyxnjdrkhvniqhilc.exeynhyxnjdrkhvniqhilc.exe .2⤵PID:2260
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\ynhyxnjdrkhvniqhilc.exe*."3⤵PID:4764
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbwoofcxmgetmirjlphx.exe1⤵PID:3536
-
C:\Windows\lbwoofcxmgetmirjlphx.exelbwoofcxmgetmirjlphx.exe2⤵PID:3792
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arnghzxtjedtnkunqvofb.exe .1⤵PID:2812
-
C:\Windows\arnghzxtjedtnkunqvofb.exearnghzxtjedtnkunqvofb.exe .2⤵PID:1916
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\arnghzxtjedtnkunqvofb.exe*."3⤵PID:3360
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exe1⤵PID:1708
-
C:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exeC:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exe2⤵PID:2044
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe .1⤵PID:4036
-
C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exeC:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe .2⤵PID:4164
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\lbwoofcxmgetmirjlphx.exe*."3⤵PID:4472
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xjaokxqhsicncuzn.exe .1⤵PID:736
-
C:\Windows\xjaokxqhsicncuzn.exexjaokxqhsicncuzn.exe .2⤵PID:1972
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\xjaokxqhsicncuzn.exe*."3⤵PID:452
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arnghzxtjedtnkunqvofb.exe1⤵PID:3584
-
C:\Windows\arnghzxtjedtnkunqvofb.exearnghzxtjedtnkunqvofb.exe2⤵PID:4980
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arnghzxtjedtnkunqvofb.exe .1⤵PID:1864
-
C:\Windows\arnghzxtjedtnkunqvofb.exearnghzxtjedtnkunqvofb.exe .2⤵PID:4656
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\arnghzxtjedtnkunqvofb.exe*."3⤵PID:4648
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbwoofcxmgetmirjlphx.exe1⤵PID:4844
-
C:\Windows\lbwoofcxmgetmirjlphx.exelbwoofcxmgetmirjlphx.exe2⤵PID:4212
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe1⤵PID:3152
-
C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exeC:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe2⤵PID:2568
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe1⤵PID:4476
-
C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exeC:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe2⤵PID:4052
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erjyvjdvhytfvouji.exe .1⤵PID:2620
-
C:\Windows\erjyvjdvhytfvouji.exeerjyvjdvhytfvouji.exe .2⤵PID:4248
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\erjyvjdvhytfvouji.exe*."3⤵PID:5280
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exe .1⤵PID:5068
-
C:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exeC:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exe .2⤵PID:1456
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\nbukixslyqmzqkrhhj.exe*."3⤵PID:2056
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe .1⤵PID:5044
-
C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exeC:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe .2⤵PID:2416
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\xjaokxqhsicncuzn.exe*."3⤵PID:728
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exe1⤵PID:1904
-
C:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exeC:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exe2⤵PID:4408
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exe .1⤵PID:3260
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2328
-
-
C:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exeC:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exe .2⤵PID:4164
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\arnghzxtjedtnkunqvofb.exe*."3⤵PID:5300
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exe1⤵PID:348
-
C:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exeC:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exe2⤵PID:4364
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exe .1⤵PID:4404
-
C:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exeC:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exe .2⤵PID:5268
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\nbukixslyqmzqkrhhj.exe*."3⤵PID:5436
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exe1⤵PID:812
-
C:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exeC:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exe2⤵PID:5244
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ynhyxnjdrkhvniqhilc.exe .1⤵PID:2116
-
C:\Users\Admin\AppData\Local\Temp\ynhyxnjdrkhvniqhilc.exeC:\Users\Admin\AppData\Local\Temp\ynhyxnjdrkhvniqhilc.exe .2⤵PID:2512
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\ynhyxnjdrkhvniqhilc.exe*."3⤵PID:5316
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erjyvjdvhytfvouji.exe1⤵PID:5336
-
C:\Windows\erjyvjdvhytfvouji.exeerjyvjdvhytfvouji.exe2⤵PID:5480
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbwoofcxmgetmirjlphx.exe .1⤵PID:5464
-
C:\Windows\lbwoofcxmgetmirjlphx.exelbwoofcxmgetmirjlphx.exe .2⤵PID:5536
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\lbwoofcxmgetmirjlphx.exe*."3⤵PID:5652
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erjyvjdvhytfvouji.exe1⤵PID:5564
-
C:\Windows\erjyvjdvhytfvouji.exeerjyvjdvhytfvouji.exe2⤵PID:5736
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbwoofcxmgetmirjlphx.exe .1⤵PID:5644
-
C:\Windows\lbwoofcxmgetmirjlphx.exelbwoofcxmgetmirjlphx.exe .2⤵PID:5820
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\lbwoofcxmgetmirjlphx.exe*."3⤵PID:5928
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe1⤵PID:5700
-
C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exeC:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe2⤵PID:5832
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe .1⤵PID:5764
-
C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exeC:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe .2⤵PID:5860
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\lbwoofcxmgetmirjlphx.exe*."3⤵PID:5944
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe1⤵PID:5972
-
C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exeC:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe2⤵PID:6056
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe .1⤵PID:6024
-
C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exeC:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe .2⤵PID:6096
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\xjaokxqhsicncuzn.exe*."3⤵PID:6136
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erjyvjdvhytfvouji.exe1⤵PID:2604
-
C:\Windows\erjyvjdvhytfvouji.exeerjyvjdvhytfvouji.exe2⤵PID:5192
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ynhyxnjdrkhvniqhilc.exe .1⤵PID:4364
-
C:\Windows\ynhyxnjdrkhvniqhilc.exeynhyxnjdrkhvniqhilc.exe .2⤵PID:5184
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\ynhyxnjdrkhvniqhilc.exe*."3⤵PID:3608
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ynhyxnjdrkhvniqhilc.exe1⤵PID:1552
-
C:\Windows\ynhyxnjdrkhvniqhilc.exeynhyxnjdrkhvniqhilc.exe2⤵PID:1276
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbwoofcxmgetmirjlphx.exe .1⤵PID:3724
-
C:\Windows\lbwoofcxmgetmirjlphx.exelbwoofcxmgetmirjlphx.exe .2⤵PID:1204
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\lbwoofcxmgetmirjlphx.exe*."3⤵PID:1704
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exe1⤵PID:1984
-
C:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exeC:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exe2⤵PID:5304
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe .1⤵PID:5208
-
C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exeC:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe .2⤵PID:5360
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\erjyvjdvhytfvouji.exe*."3⤵PID:4972
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ynhyxnjdrkhvniqhilc.exe1⤵PID:1216
-
C:\Users\Admin\AppData\Local\Temp\ynhyxnjdrkhvniqhilc.exeC:\Users\Admin\AppData\Local\Temp\ynhyxnjdrkhvniqhilc.exe2⤵PID:5016
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe .1⤵PID:1584
-
C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exeC:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe .2⤵PID:4888
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\erjyvjdvhytfvouji.exe*."3⤵PID:1176
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arnghzxtjedtnkunqvofb.exe1⤵PID:528
-
C:\Windows\arnghzxtjedtnkunqvofb.exearnghzxtjedtnkunqvofb.exe2⤵PID:5436
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xjaokxqhsicncuzn.exe .1⤵PID:4812
-
C:\Windows\xjaokxqhsicncuzn.exexjaokxqhsicncuzn.exe .2⤵PID:5420
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\xjaokxqhsicncuzn.exe*."3⤵PID:5544
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nbukixslyqmzqkrhhj.exe1⤵PID:5324
-
C:\Windows\nbukixslyqmzqkrhhj.exenbukixslyqmzqkrhhj.exe2⤵PID:5672
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ynhyxnjdrkhvniqhilc.exe .1⤵PID:5556
-
C:\Windows\ynhyxnjdrkhvniqhilc.exeynhyxnjdrkhvniqhilc.exe .2⤵PID:5516
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\ynhyxnjdrkhvniqhilc.exe*."3⤵PID:5872
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exe1⤵PID:5752
-
C:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exeC:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exe2⤵PID:5732
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ynhyxnjdrkhvniqhilc.exe .1⤵PID:5620
-
C:\Users\Admin\AppData\Local\Temp\ynhyxnjdrkhvniqhilc.exeC:\Users\Admin\AppData\Local\Temp\ynhyxnjdrkhvniqhilc.exe .2⤵PID:5820
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\ynhyxnjdrkhvniqhilc.exe*."3⤵PID:5908
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ynhyxnjdrkhvniqhilc.exe1⤵PID:5692
-
C:\Users\Admin\AppData\Local\Temp\ynhyxnjdrkhvniqhilc.exeC:\Users\Admin\AppData\Local\Temp\ynhyxnjdrkhvniqhilc.exe2⤵PID:5760
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe .1⤵PID:5856
-
C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exeC:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe .2⤵PID:6020
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\lbwoofcxmgetmirjlphx.exe*."3⤵PID:6000
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arnghzxtjedtnkunqvofb.exe1⤵PID:3060
-
C:\Windows\arnghzxtjedtnkunqvofb.exearnghzxtjedtnkunqvofb.exe2⤵PID:6036
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nbukixslyqmzqkrhhj.exe .1⤵PID:3848
-
C:\Windows\nbukixslyqmzqkrhhj.exenbukixslyqmzqkrhhj.exe .2⤵PID:452
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\nbukixslyqmzqkrhhj.exe*."3⤵PID:4648
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nbukixslyqmzqkrhhj.exe1⤵PID:1936
-
C:\Windows\nbukixslyqmzqkrhhj.exenbukixslyqmzqkrhhj.exe2⤵PID:816
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ynhyxnjdrkhvniqhilc.exe .1⤵PID:2780
-
C:\Windows\ynhyxnjdrkhvniqhilc.exeynhyxnjdrkhvniqhilc.exe .2⤵PID:4436
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\ynhyxnjdrkhvniqhilc.exe*."3⤵PID:5280
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exe1⤵PID:2676
-
C:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exeC:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exe2⤵PID:5148
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exe .1⤵PID:5216
-
C:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exeC:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exe .2⤵PID:3368
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\nbukixslyqmzqkrhhj.exe*."3⤵PID:4336
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe1⤵PID:116
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:752
-
-
C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exeC:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe2⤵PID:5240
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exe .1⤵PID:5232
-
C:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exeC:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exe .2⤵PID:1760
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\arnghzxtjedtnkunqvofb.exe*."3⤵PID:5044
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbwoofcxmgetmirjlphx.exe1⤵PID:5312
-
C:\Windows\lbwoofcxmgetmirjlphx.exelbwoofcxmgetmirjlphx.exe2⤵PID:1396
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbwoofcxmgetmirjlphx.exe .1⤵PID:2388
-
C:\Windows\lbwoofcxmgetmirjlphx.exelbwoofcxmgetmirjlphx.exe .2⤵PID:5116
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\lbwoofcxmgetmirjlphx.exe*."3⤵PID:3136
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erjyvjdvhytfvouji.exe1⤵PID:4984
-
C:\Windows\erjyvjdvhytfvouji.exeerjyvjdvhytfvouji.exe2⤵PID:5476
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nbukixslyqmzqkrhhj.exe .1⤵PID:2376
-
C:\Windows\nbukixslyqmzqkrhhj.exenbukixslyqmzqkrhhj.exe .2⤵PID:2960
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\nbukixslyqmzqkrhhj.exe*."3⤵PID:644
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ynhyxnjdrkhvniqhilc.exe1⤵PID:3024
-
C:\Users\Admin\AppData\Local\Temp\ynhyxnjdrkhvniqhilc.exeC:\Users\Admin\AppData\Local\Temp\ynhyxnjdrkhvniqhilc.exe2⤵PID:700
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe .1⤵PID:2068
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3868
-
-
C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exeC:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe .2⤵PID:5580
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\erjyvjdvhytfvouji.exe*."3⤵PID:5544
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ynhyxnjdrkhvniqhilc.exe1⤵PID:4404
-
C:\Users\Admin\AppData\Local\Temp\ynhyxnjdrkhvniqhilc.exeC:\Users\Admin\AppData\Local\Temp\ynhyxnjdrkhvniqhilc.exe2⤵PID:4956
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe .1⤵PID:2108
-
C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exeC:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe .2⤵PID:5744
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\erjyvjdvhytfvouji.exe*."3⤵PID:5736
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arnghzxtjedtnkunqvofb.exe1⤵PID:5840
-
C:\Windows\arnghzxtjedtnkunqvofb.exearnghzxtjedtnkunqvofb.exe2⤵PID:5936
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erjyvjdvhytfvouji.exe .1⤵PID:5820
-
C:\Windows\erjyvjdvhytfvouji.exeerjyvjdvhytfvouji.exe .2⤵PID:5620
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\erjyvjdvhytfvouji.exe*."3⤵PID:5860
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arnghzxtjedtnkunqvofb.exe1⤵PID:5916
-
C:\Windows\arnghzxtjedtnkunqvofb.exearnghzxtjedtnkunqvofb.exe2⤵PID:6004
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erjyvjdvhytfvouji.exe .1⤵PID:3720
-
C:\Windows\erjyvjdvhytfvouji.exeerjyvjdvhytfvouji.exe .2⤵PID:6124
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\erjyvjdvhytfvouji.exe*."3⤵PID:376
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erjyvjdvhytfvouji.exe1⤵PID:5988
-
C:\Windows\erjyvjdvhytfvouji.exeerjyvjdvhytfvouji.exe2⤵PID:4584
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exe1⤵PID:1052
-
C:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exeC:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exe2⤵PID:4760
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe .1⤵PID:6036
-
C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exeC:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe .2⤵PID:4208
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\lbwoofcxmgetmirjlphx.exe*."3⤵PID:1444
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erjyvjdvhytfvouji.exe1⤵PID:2416
-
C:\Windows\erjyvjdvhytfvouji.exeerjyvjdvhytfvouji.exe2⤵PID:1276
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erjyvjdvhytfvouji.exe .1⤵PID:5180
-
C:\Windows\erjyvjdvhytfvouji.exeerjyvjdvhytfvouji.exe .2⤵PID:3368
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\erjyvjdvhytfvouji.exe*."3⤵PID:2432
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arnghzxtjedtnkunqvofb.exe .1⤵PID:2832
-
C:\Windows\arnghzxtjedtnkunqvofb.exearnghzxtjedtnkunqvofb.exe .2⤵PID:812
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\arnghzxtjedtnkunqvofb.exe*."3⤵PID:4820
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe1⤵PID:2872
-
C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exeC:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe2⤵PID:1268
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbwoofcxmgetmirjlphx.exe1⤵PID:728
-
C:\Windows\lbwoofcxmgetmirjlphx.exelbwoofcxmgetmirjlphx.exe2⤵PID:528
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ynhyxnjdrkhvniqhilc.exe .1⤵PID:4036
-
C:\Users\Admin\AppData\Local\Temp\ynhyxnjdrkhvniqhilc.exeC:\Users\Admin\AppData\Local\Temp\ynhyxnjdrkhvniqhilc.exe .2⤵PID:3024
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\ynhyxnjdrkhvniqhilc.exe*."3⤵PID:5568
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbwoofcxmgetmirjlphx.exe .1⤵PID:3608
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4420
-
-
C:\Windows\lbwoofcxmgetmirjlphx.exelbwoofcxmgetmirjlphx.exe .2⤵PID:5364
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\lbwoofcxmgetmirjlphx.exe*."3⤵PID:5336
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbwoofcxmgetmirjlphx.exe1⤵PID:1072
-
C:\Windows\lbwoofcxmgetmirjlphx.exelbwoofcxmgetmirjlphx.exe2⤵PID:5668
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exe1⤵PID:2132
-
C:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exeC:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exe2⤵PID:5580
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exe .1⤵PID:5980
-
C:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exeC:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exe .2⤵PID:5816
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\arnghzxtjedtnkunqvofb.exe*."3⤵PID:3888
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nbukixslyqmzqkrhhj.exe .1⤵PID:5068
-
C:\Windows\nbukixslyqmzqkrhhj.exenbukixslyqmzqkrhhj.exe .2⤵PID:5724
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\nbukixslyqmzqkrhhj.exe*."3⤵PID:5916
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe1⤵PID:3392
-
C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exeC:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe2⤵PID:5812
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exe .1⤵PID:4500
-
C:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exeC:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exe .2⤵PID:5732
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\arnghzxtjedtnkunqvofb.exe*."3⤵PID:5960
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe1⤵PID:3184
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4776
-
-
C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exeC:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe2⤵PID:5728
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe .1⤵PID:3776
-
C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exeC:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe .2⤵PID:5552
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\xjaokxqhsicncuzn.exe*."3⤵PID:5956
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exe1⤵PID:1128
-
C:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exeC:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exe2⤵PID:6068
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xjaokxqhsicncuzn.exe1⤵PID:5448
-
C:\Windows\xjaokxqhsicncuzn.exexjaokxqhsicncuzn.exe2⤵PID:4764
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe .1⤵PID:1988
-
C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exeC:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe .2⤵PID:6132
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\xjaokxqhsicncuzn.exe*."3⤵PID:3584
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nbukixslyqmzqkrhhj.exe .1⤵PID:1748
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2260
-
-
C:\Windows\nbukixslyqmzqkrhhj.exenbukixslyqmzqkrhhj.exe .2⤵PID:6064
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\nbukixslyqmzqkrhhj.exe*."3⤵PID:5192
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arnghzxtjedtnkunqvofb.exe1⤵PID:5624
-
C:\Windows\arnghzxtjedtnkunqvofb.exearnghzxtjedtnkunqvofb.exe2⤵PID:4180
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbwoofcxmgetmirjlphx.exe .1⤵PID:5684
-
C:\Windows\lbwoofcxmgetmirjlphx.exelbwoofcxmgetmirjlphx.exe .2⤵PID:3988
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\lbwoofcxmgetmirjlphx.exe*."3⤵PID:5296
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe1⤵PID:5556
-
C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exeC:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe2⤵PID:4612
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ynhyxnjdrkhvniqhilc.exe .1⤵PID:5700
-
C:\Users\Admin\AppData\Local\Temp\ynhyxnjdrkhvniqhilc.exeC:\Users\Admin\AppData\Local\Temp\ynhyxnjdrkhvniqhilc.exe .2⤵PID:1796
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\ynhyxnjdrkhvniqhilc.exe*."3⤵PID:5312
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ynhyxnjdrkhvniqhilc.exe1⤵PID:5808
-
C:\Users\Admin\AppData\Local\Temp\ynhyxnjdrkhvniqhilc.exeC:\Users\Admin\AppData\Local\Temp\ynhyxnjdrkhvniqhilc.exe2⤵PID:4988
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe .1⤵PID:5968
-
C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exeC:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe .2⤵PID:6036
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\erjyvjdvhytfvouji.exe*."3⤵PID:1268
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbwoofcxmgetmirjlphx.exe1⤵PID:452
-
C:\Windows\lbwoofcxmgetmirjlphx.exelbwoofcxmgetmirjlphx.exe2⤵PID:5252
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arnghzxtjedtnkunqvofb.exe .1⤵PID:2904
-
C:\Windows\arnghzxtjedtnkunqvofb.exearnghzxtjedtnkunqvofb.exe .2⤵PID:4820
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\arnghzxtjedtnkunqvofb.exe*."3⤵PID:3644
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbwoofcxmgetmirjlphx.exe1⤵PID:2200
-
C:\Windows\lbwoofcxmgetmirjlphx.exelbwoofcxmgetmirjlphx.exe2⤵PID:3812
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arnghzxtjedtnkunqvofb.exe .1⤵PID:5216
-
C:\Windows\arnghzxtjedtnkunqvofb.exearnghzxtjedtnkunqvofb.exe .2⤵PID:2676
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\arnghzxtjedtnkunqvofb.exe*."3⤵PID:5176
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exe1⤵PID:5364
-
C:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exeC:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exe2⤵PID:1744
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ynhyxnjdrkhvniqhilc.exe .1⤵PID:3996
-
C:\Users\Admin\AppData\Local\Temp\ynhyxnjdrkhvniqhilc.exeC:\Users\Admin\AppData\Local\Temp\ynhyxnjdrkhvniqhilc.exe .2⤵PID:2688
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\ynhyxnjdrkhvniqhilc.exe*."3⤵PID:2256
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ynhyxnjdrkhvniqhilc.exe1⤵PID:6012
-
C:\Users\Admin\AppData\Local\Temp\ynhyxnjdrkhvniqhilc.exeC:\Users\Admin\AppData\Local\Temp\ynhyxnjdrkhvniqhilc.exe2⤵PID:5904
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ynhyxnjdrkhvniqhilc.exe .1⤵PID:5936
-
C:\Users\Admin\AppData\Local\Temp\ynhyxnjdrkhvniqhilc.exeC:\Users\Admin\AppData\Local\Temp\ynhyxnjdrkhvniqhilc.exe .2⤵PID:5644
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\ynhyxnjdrkhvniqhilc.exe*."3⤵PID:4336
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbwoofcxmgetmirjlphx.exe1⤵PID:816
-
C:\Windows\lbwoofcxmgetmirjlphx.exelbwoofcxmgetmirjlphx.exe2⤵PID:4760
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ynhyxnjdrkhvniqhilc.exe .1⤵PID:5796
-
C:\Windows\ynhyxnjdrkhvniqhilc.exeynhyxnjdrkhvniqhilc.exe .2⤵PID:6112
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\ynhyxnjdrkhvniqhilc.exe*."3⤵PID:5316
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nbukixslyqmzqkrhhj.exe1⤵PID:700
-
C:\Windows\nbukixslyqmzqkrhhj.exenbukixslyqmzqkrhhj.exe2⤵PID:5128
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xjaokxqhsicncuzn.exe .1⤵PID:1584
-
C:\Windows\xjaokxqhsicncuzn.exexjaokxqhsicncuzn.exe .2⤵PID:4952
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\xjaokxqhsicncuzn.exe*."3⤵PID:6132
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe1⤵PID:3956
-
C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exeC:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe2⤵PID:4612
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe .1⤵PID:5672
-
C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exeC:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe .2⤵PID:1868
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\xjaokxqhsicncuzn.exe*."3⤵PID:2056
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exe1⤵PID:5144
-
C:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exeC:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exe2⤵PID:5420
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe .1⤵PID:4988
-
C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exeC:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe .2⤵PID:5924
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\xjaokxqhsicncuzn.exe*."3⤵PID:4836
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xjaokxqhsicncuzn.exe1⤵PID:5788
-
C:\Windows\xjaokxqhsicncuzn.exexjaokxqhsicncuzn.exe2⤵PID:4920
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbwoofcxmgetmirjlphx.exe .1⤵PID:5760
-
C:\Windows\lbwoofcxmgetmirjlphx.exelbwoofcxmgetmirjlphx.exe .2⤵PID:2052
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\lbwoofcxmgetmirjlphx.exe*."3⤵PID:5692
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arnghzxtjedtnkunqvofb.exe1⤵PID:376
-
C:\Windows\arnghzxtjedtnkunqvofb.exearnghzxtjedtnkunqvofb.exe2⤵PID:1268
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbwoofcxmgetmirjlphx.exe .1⤵PID:3872
-
C:\Windows\lbwoofcxmgetmirjlphx.exelbwoofcxmgetmirjlphx.exe .2⤵PID:1876
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\lbwoofcxmgetmirjlphx.exe*."3⤵PID:5484
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ynhyxnjdrkhvniqhilc.exe1⤵PID:5800
-
C:\Users\Admin\AppData\Local\Temp\ynhyxnjdrkhvniqhilc.exeC:\Users\Admin\AppData\Local\Temp\ynhyxnjdrkhvniqhilc.exe2⤵PID:452
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ynhyxnjdrkhvniqhilc.exe .1⤵PID:1008
-
C:\Users\Admin\AppData\Local\Temp\ynhyxnjdrkhvniqhilc.exeC:\Users\Admin\AppData\Local\Temp\ynhyxnjdrkhvniqhilc.exe .2⤵PID:5300
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\ynhyxnjdrkhvniqhilc.exe*."3⤵PID:5520
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe1⤵PID:2200
-
C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exeC:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe2⤵PID:3580
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe .1⤵PID:5928
-
C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exeC:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe .2⤵PID:4708
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\xjaokxqhsicncuzn.exe*."3⤵PID:5364
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xjaokxqhsicncuzn.exe1⤵PID:4628
-
C:\Windows\xjaokxqhsicncuzn.exexjaokxqhsicncuzn.exe2⤵PID:4616
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erjyvjdvhytfvouji.exe .1⤵PID:536
-
C:\Windows\erjyvjdvhytfvouji.exeerjyvjdvhytfvouji.exe .2⤵PID:672
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\erjyvjdvhytfvouji.exe*."3⤵PID:2832
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erjyvjdvhytfvouji.exe1⤵PID:216
-
C:\Windows\erjyvjdvhytfvouji.exeerjyvjdvhytfvouji.exe2⤵PID:5960
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbwoofcxmgetmirjlphx.exe .1⤵PID:5804
-
C:\Windows\lbwoofcxmgetmirjlphx.exelbwoofcxmgetmirjlphx.exe .2⤵PID:5680
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\lbwoofcxmgetmirjlphx.exe*."3⤵PID:896
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe1⤵PID:5284
-
C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exeC:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe2⤵PID:4564
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe .1⤵PID:908
-
C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exeC:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe .2⤵PID:1864
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\lbwoofcxmgetmirjlphx.exe*."3⤵PID:5116
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exe1⤵PID:6008
-
C:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exeC:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exe2⤵PID:2836
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe .1⤵PID:1020
-
C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exeC:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe .2⤵PID:5316
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\erjyvjdvhytfvouji.exe*."3⤵PID:5840
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erjyvjdvhytfvouji.exe1⤵PID:3192
-
C:\Windows\erjyvjdvhytfvouji.exeerjyvjdvhytfvouji.exe2⤵PID:5404
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbwoofcxmgetmirjlphx.exe .1⤵PID:5980
-
C:\Windows\lbwoofcxmgetmirjlphx.exelbwoofcxmgetmirjlphx.exe .2⤵PID:5524
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\lbwoofcxmgetmirjlphx.exe*."3⤵PID:2640
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ynhyxnjdrkhvniqhilc.exe1⤵PID:5264
-
C:\Windows\ynhyxnjdrkhvniqhilc.exeynhyxnjdrkhvniqhilc.exe2⤵PID:5144
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xjaokxqhsicncuzn.exe .1⤵PID:5356
-
C:\Windows\xjaokxqhsicncuzn.exexjaokxqhsicncuzn.exe .2⤵PID:5704
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\xjaokxqhsicncuzn.exe*."3⤵PID:2388
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe1⤵PID:2752
-
C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exeC:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe2⤵PID:5676
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe .1⤵PID:1176
-
C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exeC:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe .2⤵PID:3136
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\xjaokxqhsicncuzn.exe*."3⤵PID:60
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe1⤵PID:4888
-
C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exeC:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe2⤵PID:5312
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ynhyxnjdrkhvniqhilc.exe .1⤵PID:5764
-
C:\Users\Admin\AppData\Local\Temp\ynhyxnjdrkhvniqhilc.exeC:\Users\Admin\AppData\Local\Temp\ynhyxnjdrkhvniqhilc.exe .2⤵PID:4492
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\ynhyxnjdrkhvniqhilc.exe*."3⤵PID:1268
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ynhyxnjdrkhvniqhilc.exe1⤵PID:4396
-
C:\Windows\ynhyxnjdrkhvniqhilc.exeynhyxnjdrkhvniqhilc.exe2⤵PID:452
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arnghzxtjedtnkunqvofb.exe .1⤵PID:4236
-
C:\Windows\arnghzxtjedtnkunqvofb.exearnghzxtjedtnkunqvofb.exe .2⤵PID:5736
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\arnghzxtjedtnkunqvofb.exe*."3⤵PID:4168
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ynhyxnjdrkhvniqhilc.exe1⤵PID:3720
-
C:\Windows\ynhyxnjdrkhvniqhilc.exeynhyxnjdrkhvniqhilc.exe2⤵PID:3580
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbwoofcxmgetmirjlphx.exe1⤵PID:3532
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4344
-
-
C:\Windows\lbwoofcxmgetmirjlphx.exelbwoofcxmgetmirjlphx.exe2⤵PID:5512
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nbukixslyqmzqkrhhj.exe1⤵PID:812
-
C:\Windows\nbukixslyqmzqkrhhj.exenbukixslyqmzqkrhhj.exe2⤵PID:4164
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erjyvjdvhytfvouji.exe .1⤵PID:3308
-
C:\Windows\erjyvjdvhytfvouji.exeerjyvjdvhytfvouji.exe .2⤵PID:1924
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\erjyvjdvhytfvouji.exe*."3⤵PID:5128
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erjyvjdvhytfvouji.exe .1⤵PID:5436
-
C:\Windows\erjyvjdvhytfvouji.exeerjyvjdvhytfvouji.exe .2⤵PID:5884
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\erjyvjdvhytfvouji.exe*."3⤵PID:4940
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nbukixslyqmzqkrhhj.exe .1⤵PID:5168
-
C:\Windows\nbukixslyqmzqkrhhj.exenbukixslyqmzqkrhhj.exe .2⤵PID:6096
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\nbukixslyqmzqkrhhj.exe*."3⤵PID:3956
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe1⤵PID:5824
-
C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exeC:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe2⤵PID:1128
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arnghzxtjedtnkunqvofb.exe1⤵PID:5352
-
C:\Windows\arnghzxtjedtnkunqvofb.exearnghzxtjedtnkunqvofb.exe2⤵PID:4820
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exe .1⤵PID:2256
-
C:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exeC:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exe .2⤵PID:5528
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\arnghzxtjedtnkunqvofb.exe*."3⤵PID:5860
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ynhyxnjdrkhvniqhilc.exe .1⤵PID:800
-
C:\Windows\ynhyxnjdrkhvniqhilc.exeynhyxnjdrkhvniqhilc.exe .2⤵PID:5880
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\ynhyxnjdrkhvniqhilc.exe*."3⤵PID:6088
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nbukixslyqmzqkrhhj.exe1⤵PID:5212
-
C:\Windows\nbukixslyqmzqkrhhj.exenbukixslyqmzqkrhhj.exe2⤵PID:5064
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exe1⤵PID:4984
-
C:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exeC:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exe2⤵PID:4472
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nbukixslyqmzqkrhhj.exe .1⤵PID:4584
-
C:\Windows\nbukixslyqmzqkrhhj.exenbukixslyqmzqkrhhj.exe .2⤵PID:5740
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\nbukixslyqmzqkrhhj.exe*."3⤵PID:5376
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exe .1⤵PID:3888
-
C:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exeC:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exe .2⤵PID:4248
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\nbukixslyqmzqkrhhj.exe*."3⤵PID:3268
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exe1⤵PID:5560
-
C:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exeC:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exe2⤵PID:5924
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exe1⤵PID:4180
-
C:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exeC:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exe2⤵PID:5984
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exe .1⤵PID:5220
-
C:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exeC:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exe .2⤵PID:2388
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\nbukixslyqmzqkrhhj.exe*."3⤵PID:5840
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe .1⤵PID:116
-
C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exeC:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe .2⤵PID:5248
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\lbwoofcxmgetmirjlphx.exe*."3⤵PID:3724
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe1⤵PID:6072
-
C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exeC:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe2⤵PID:3032
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe .1⤵PID:5488
-
C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exeC:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe .2⤵PID:1600
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\lbwoofcxmgetmirjlphx.exe*."3⤵PID:5592
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe1⤵PID:5068
-
C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exeC:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe2⤵PID:6108
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe .1⤵PID:4280
-
C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exeC:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe .2⤵PID:5256
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\lbwoofcxmgetmirjlphx.exe*."3⤵PID:5508
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nbukixslyqmzqkrhhj.exe1⤵PID:5764
-
C:\Windows\nbukixslyqmzqkrhhj.exenbukixslyqmzqkrhhj.exe2⤵PID:2268
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arnghzxtjedtnkunqvofb.exe .1⤵PID:2116
-
C:\Windows\arnghzxtjedtnkunqvofb.exearnghzxtjedtnkunqvofb.exe .2⤵PID:736
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\arnghzxtjedtnkunqvofb.exe*."3⤵PID:5472
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xjaokxqhsicncuzn.exe1⤵PID:5216
-
C:\Windows\xjaokxqhsicncuzn.exexjaokxqhsicncuzn.exe2⤵PID:1744
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xjaokxqhsicncuzn.exe .1⤵PID:2832
-
C:\Windows\xjaokxqhsicncuzn.exexjaokxqhsicncuzn.exe .2⤵PID:5520
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\xjaokxqhsicncuzn.exe*."3⤵PID:5988
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe1⤵PID:5300
-
C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exeC:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe2⤵PID:5664
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe .1⤵PID:5680
-
C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exeC:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe .2⤵PID:5480
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\erjyvjdvhytfvouji.exe*."3⤵PID:2676
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe1⤵PID:3148
-
C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exeC:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe2⤵PID:5492
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe .1⤵PID:6048
-
C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exeC:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe .2⤵PID:5296
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\erjyvjdvhytfvouji.exe*."3⤵PID:3192
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arnghzxtjedtnkunqvofb.exe1⤵PID:4948
-
C:\Windows\arnghzxtjedtnkunqvofb.exearnghzxtjedtnkunqvofb.exe2⤵PID:5732
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nbukixslyqmzqkrhhj.exe .1⤵PID:4920
-
C:\Windows\nbukixslyqmzqkrhhj.exenbukixslyqmzqkrhhj.exe .2⤵PID:5900
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\nbukixslyqmzqkrhhj.exe*."3⤵PID:5164
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xjaokxqhsicncuzn.exe1⤵PID:2256
-
C:\Windows\xjaokxqhsicncuzn.exexjaokxqhsicncuzn.exe2⤵PID:6068
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arnghzxtjedtnkunqvofb.exe .1⤵PID:2456
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:908
-
-
C:\Windows\arnghzxtjedtnkunqvofb.exearnghzxtjedtnkunqvofb.exe .2⤵PID:4968
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\arnghzxtjedtnkunqvofb.exe*."3⤵PID:2368
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe1⤵PID:4208
-
C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exeC:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe2⤵PID:6028
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ynhyxnjdrkhvniqhilc.exe .1⤵PID:5704
-
C:\Users\Admin\AppData\Local\Temp\ynhyxnjdrkhvniqhilc.exeC:\Users\Admin\AppData\Local\Temp\ynhyxnjdrkhvniqhilc.exe .2⤵PID:5248
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\ynhyxnjdrkhvniqhilc.exe*."3⤵PID:5716
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe1⤵PID:5556
-
C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exeC:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe2⤵PID:4148
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe .1⤵PID:5256
-
C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exeC:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe .2⤵PID:5800
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\erjyvjdvhytfvouji.exe*."3⤵PID:5980
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ynhyxnjdrkhvniqhilc.exe1⤵PID:5876
-
C:\Windows\ynhyxnjdrkhvniqhilc.exeynhyxnjdrkhvniqhilc.exe2⤵PID:5612
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbwoofcxmgetmirjlphx.exe .1⤵PID:1600
-
C:\Windows\lbwoofcxmgetmirjlphx.exelbwoofcxmgetmirjlphx.exe .2⤵PID:5152
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\lbwoofcxmgetmirjlphx.exe*."3⤵PID:3032
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nbukixslyqmzqkrhhj.exe1⤵PID:5456
-
C:\Windows\nbukixslyqmzqkrhhj.exenbukixslyqmzqkrhhj.exe2⤵PID:3600
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbwoofcxmgetmirjlphx.exe .1⤵PID:5824
-
C:\Windows\lbwoofcxmgetmirjlphx.exelbwoofcxmgetmirjlphx.exe .2⤵PID:5304
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\lbwoofcxmgetmirjlphx.exe*."3⤵PID:5576
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exe1⤵PID:5252
-
C:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exeC:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exe2⤵PID:3116
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exe .1⤵PID:1468
-
C:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exeC:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exe .2⤵PID:5136
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\arnghzxtjedtnkunqvofb.exe*."3⤵PID:3580
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe1⤵PID:3812
-
C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exeC:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe2⤵PID:4020
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe .1⤵PID:368
-
C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exeC:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe .2⤵PID:5804
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\lbwoofcxmgetmirjlphx.exe*."3⤵PID:4980
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xjaokxqhsicncuzn.exe1⤵PID:5436
-
C:\Windows\xjaokxqhsicncuzn.exexjaokxqhsicncuzn.exe2⤵PID:4332
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbwoofcxmgetmirjlphx.exe .1⤵PID:5360
-
C:\Windows\lbwoofcxmgetmirjlphx.exelbwoofcxmgetmirjlphx.exe .2⤵PID:4176
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\lbwoofcxmgetmirjlphx.exe*."3⤵PID:5260
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xjaokxqhsicncuzn.exe1⤵PID:4992
-
C:\Windows\xjaokxqhsicncuzn.exexjaokxqhsicncuzn.exe2⤵PID:4756
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbwoofcxmgetmirjlphx.exe .1⤵PID:5412
-
C:\Windows\lbwoofcxmgetmirjlphx.exelbwoofcxmgetmirjlphx.exe .2⤵PID:1760
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\lbwoofcxmgetmirjlphx.exe*."3⤵PID:6080
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exe1⤵PID:5172
-
C:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exeC:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exe2⤵PID:3604
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe .1⤵PID:5032
-
C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exeC:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe .2⤵PID:4400
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\xjaokxqhsicncuzn.exe*."3⤵PID:5212
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe1⤵PID:3876
-
C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exeC:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe2⤵PID:2052
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe .1⤵PID:6016
-
C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exeC:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe .2⤵PID:2372
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\lbwoofcxmgetmirjlphx.exe*."3⤵PID:5540
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erjyvjdvhytfvouji.exe1⤵PID:4656
-
C:\Windows\erjyvjdvhytfvouji.exeerjyvjdvhytfvouji.exe2⤵PID:5808
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erjyvjdvhytfvouji.exe .1⤵PID:4348
-
C:\Windows\erjyvjdvhytfvouji.exeerjyvjdvhytfvouji.exe .2⤵PID:5840
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\erjyvjdvhytfvouji.exe*."3⤵PID:5560
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erjyvjdvhytfvouji.exe1⤵PID:5792
-
C:\Windows\erjyvjdvhytfvouji.exeerjyvjdvhytfvouji.exe2⤵PID:5312
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xjaokxqhsicncuzn.exe .1⤵PID:5868
-
C:\Windows\xjaokxqhsicncuzn.exexjaokxqhsicncuzn.exe .2⤵PID:1796
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\xjaokxqhsicncuzn.exe*."3⤵PID:5624
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe1⤵PID:5348
-
C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exeC:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe2⤵PID:5608
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exe .1⤵PID:1912
-
C:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exeC:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exe .2⤵PID:2376
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\arnghzxtjedtnkunqvofb.exe*."3⤵PID:5200
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe1⤵PID:4204
-
C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exeC:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe2⤵PID:3684
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe .1⤵PID:5232
-
C:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exeC:\Users\Admin\AppData\Local\Temp\xjaokxqhsicncuzn.exe .2⤵PID:1704
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\xjaokxqhsicncuzn.exe*."3⤵PID:4396
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbwoofcxmgetmirjlphx.exe1⤵PID:5264
-
C:\Windows\lbwoofcxmgetmirjlphx.exelbwoofcxmgetmirjlphx.exe2⤵PID:4048
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erjyvjdvhytfvouji.exe .1⤵PID:1740
-
C:\Windows\erjyvjdvhytfvouji.exeerjyvjdvhytfvouji.exe .2⤵PID:1876
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\erjyvjdvhytfvouji.exe*."3⤵PID:4820
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbwoofcxmgetmirjlphx.exe1⤵PID:3184
-
C:\Windows\lbwoofcxmgetmirjlphx.exelbwoofcxmgetmirjlphx.exe2⤵PID:3644
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arnghzxtjedtnkunqvofb.exe .1⤵PID:6136
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1868
-
-
C:\Windows\arnghzxtjedtnkunqvofb.exearnghzxtjedtnkunqvofb.exe .2⤵PID:5428
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\arnghzxtjedtnkunqvofb.exe*."3⤵PID:2968
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exe1⤵PID:376
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4836
-
-
C:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exeC:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exe2⤵PID:4964
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exe .1⤵PID:1072
-
C:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exeC:\Users\Admin\AppData\Local\Temp\nbukixslyqmzqkrhhj.exe .2⤵PID:640
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\nbukixslyqmzqkrhhj.exe*."3⤵PID:1064
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe1⤵PID:5816
-
C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exeC:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe2⤵PID:368
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe .1⤵PID:400
-
C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exeC:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe .2⤵PID:1144
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\erjyvjdvhytfvouji.exe*."3⤵PID:3852
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erjyvjdvhytfvouji.exe1⤵PID:5680
-
C:\Windows\erjyvjdvhytfvouji.exeerjyvjdvhytfvouji.exe2⤵PID:4176
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbwoofcxmgetmirjlphx.exe .1⤵PID:4472
-
C:\Windows\lbwoofcxmgetmirjlphx.exelbwoofcxmgetmirjlphx.exe .2⤵PID:2520
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\lbwoofcxmgetmirjlphx.exe*."3⤵PID:5996
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erjyvjdvhytfvouji.exe1⤵PID:5516
-
C:\Windows\erjyvjdvhytfvouji.exeerjyvjdvhytfvouji.exe2⤵PID:1068
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nbukixslyqmzqkrhhj.exe1⤵PID:1400
-
C:\Windows\nbukixslyqmzqkrhhj.exenbukixslyqmzqkrhhj.exe2⤵PID:5276
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbwoofcxmgetmirjlphx.exe .1⤵PID:5296
-
C:\Windows\lbwoofcxmgetmirjlphx.exelbwoofcxmgetmirjlphx.exe .2⤵PID:4180
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\lbwoofcxmgetmirjlphx.exe*."3⤵PID:5068
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xjaokxqhsicncuzn.exe .1⤵PID:5284
-
C:\Windows\xjaokxqhsicncuzn.exexjaokxqhsicncuzn.exe .2⤵PID:5784
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\xjaokxqhsicncuzn.exe*."3⤵PID:1560
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ynhyxnjdrkhvniqhilc.exe1⤵PID:5948
-
C:\Windows\ynhyxnjdrkhvniqhilc.exeynhyxnjdrkhvniqhilc.exe2⤵PID:5840
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe1⤵PID:5272
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ynhyxnjdrkhvniqhilc.exe .1⤵PID:1548
-
C:\Users\Admin\AppData\Local\Temp\ynhyxnjdrkhvniqhilc.exeC:\Users\Admin\AppData\Local\Temp\ynhyxnjdrkhvniqhilc.exe .2⤵PID:2016
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\ynhyxnjdrkhvniqhilc.exe*."3⤵PID:5160
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbwoofcxmgetmirjlphx.exe1⤵PID:3336
-
C:\Windows\lbwoofcxmgetmirjlphx.exelbwoofcxmgetmirjlphx.exe2⤵PID:5652
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arnghzxtjedtnkunqvofb.exe .1⤵PID:5900
-
C:\Windows\arnghzxtjedtnkunqvofb.exearnghzxtjedtnkunqvofb.exe .2⤵PID:5132
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\arnghzxtjedtnkunqvofb.exe*."3⤵PID:672
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nbukixslyqmzqkrhhj.exe .1⤵PID:2036
-
C:\Windows\nbukixslyqmzqkrhhj.exenbukixslyqmzqkrhhj.exe .2⤵PID:2472
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\nbukixslyqmzqkrhhj.exe*."3⤵PID:4080
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe1⤵PID:1904
-
C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exeC:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe2⤵PID:5264
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arnghzxtjedtnkunqvofb.exe1⤵PID:2356
-
C:\Windows\arnghzxtjedtnkunqvofb.exearnghzxtjedtnkunqvofb.exe2⤵PID:4436
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe1⤵PID:5332
-
C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exeC:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe2⤵PID:4048
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe .1⤵PID:5756
-
C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exeC:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe .2⤵PID:5488
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\lbwoofcxmgetmirjlphx.exe*."3⤵PID:4164
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbwoofcxmgetmirjlphx.exe .1⤵PID:5496
-
C:\Windows\lbwoofcxmgetmirjlphx.exelbwoofcxmgetmirjlphx.exe .2⤵PID:4236
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\lbwoofcxmgetmirjlphx.exe*."3⤵PID:1584
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe .1⤵PID:4692
-
C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exeC:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe .2⤵PID:1180
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exe1⤵PID:5372
-
C:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exeC:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exe2⤵PID:1600
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exe .1⤵PID:3396
-
C:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exeC:\Users\Admin\AppData\Local\Temp\arnghzxtjedtnkunqvofb.exe .2⤵PID:3360
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\arnghzxtjedtnkunqvofb.exe*."3⤵PID:3872
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe1⤵PID:5140
-
C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exeC:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe2⤵PID:5844
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe .1⤵PID:5972
-
C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exeC:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe .2⤵PID:2688
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe1⤵PID:5044
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3920
-
-
C:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exeC:\Users\Admin\AppData\Local\Temp\erjyvjdvhytfvouji.exe2⤵PID:5128
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe .1⤵PID:5504
-
C:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exeC:\Users\Admin\AppData\Local\Temp\lbwoofcxmgetmirjlphx.exe .2⤵PID:1972
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\lbwoofcxmgetmirjlphx.exe*."3⤵PID:1808
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbwoofcxmgetmirjlphx.exe1⤵PID:3532
-
C:\Windows\lbwoofcxmgetmirjlphx.exelbwoofcxmgetmirjlphx.exe2⤵PID:456
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nbukixslyqmzqkrhhj.exe .1⤵PID:368
Network
MITRE ATT&CK Enterprise v16
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Hijack Execution Flow
1Executable Installer File Permissions Weakness
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Hijack Execution Flow
1Executable Installer File Permissions Weakness
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hijack Execution Flow
1Executable Installer File Permissions Weakness
1Impair Defenses
2Disable or Modify Tools
1Safe Mode Boot
1Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
272B
MD52f928aff9af7ac3cb284e67f5c1c5261
SHA11fcc5ec50fc42abe42b3d6dcaa081039084e206d
SHA25694b924af7cbdcd09a496179c3d3f9555b24771c61fb146423aeca3e1fe09ffb0
SHA512addff22753ceedd6b0930b67b994f268761ef5fe473b6a9c9b80c86644491e603c067d56c9dc41bfb865f11e26d44bca16710a771cd14c3d5c378acd608bcfc7
-
Filesize
272B
MD5c6df609f588150e632545ef811066a81
SHA16a1d4a21d1e550312c2972740fba81f6c948dad6
SHA256911ef5449c42bbb409923c33879b9c56c5a2c331d6bd98b9c87d6b1b856f025c
SHA512a5cd9fa744b6ff65ca4630078cdb47a9c90e0b0bd1498b1b77876e2d2b8de8142962a4a058c19186175996a68382ba937f038df67e5eb913bd9cc30d29c2ab2a
-
Filesize
272B
MD5b6226acd277e11b270d0ce92547db2bc
SHA1ae5be48eb6c8a59d4971eaf43cd0503ae7d0ea9e
SHA25659ab618d3b2860e58804c683babf5145da34731e09b0699662ffb78fdaea5533
SHA512428f4c0737c30550fadee11ab7da9aa9538427aa5708d8aadaa5d677d0c3a4e8f2d2a52d4cec4c17fc0a656088bc5c495a2a6bfc07375a04ba64d225e2240235
-
Filesize
272B
MD54bbbdb5128b5ff16636a69594ec9247c
SHA15fe287ab963ae9dee57320826cc6a1b10b3bd1a3
SHA256dfc439b636ce4f05ee5ebe587b60edf1607c5bbe3d941bc13d3f324fe7434de3
SHA51232f23b217af1de7f6cb5165a32c669afcd1cefa8d33946b7f2d429f6ca62a723a4d4229a5045fd926871c27a92f4507edce7c65444b51308f77d9bb9abe12075
-
Filesize
272B
MD5145c65c46599f8131f7f4cd80f0ddd9c
SHA1c34d1d80eb83fd7cab6444f096aaf421c38c574f
SHA256dcc822430efcc46305d4aad63bf00d65089f2999ef690cbe4c99dbd64f725ff5
SHA5129374fe7591e9f4437364ea9c2cff862418fe17bf54a4c226904e7791ea629d3706af600606a098c304a751738e5055039b9a33a55987d2e4ab24b224ab6773b7
-
Filesize
272B
MD5bcce051788926df4f2fbc6b81c81033b
SHA162f25ee2289ec7e0249ec1aeabe7a946ad45bb2e
SHA2565ec69ebb119336b07cad22071f9b8aeadfeb84b30cc892c3137c80065d13a853
SHA512e4812cc9d2280a816a9ef0409f976333fc66953fadbe6b21637dd7a2ca8f501a3b100099f6cc5d022fe981a594c10cdb6f5be08e79c74991000eee8bbabda446
-
Filesize
272B
MD5c74bf3fffd1b8d4db7aaa08ba52b31f4
SHA1c398bd3c14090c93ebda8462d00c8bdf6fed1b9d
SHA256c275eae415fc9bfb76c4dd6c041f48ad7eb002ff253d63cc046b78dfe75c386f
SHA51254c1e3c66a74cfca74357cd50376843f66126f97fc82df1aac718f5ffeea5c989357e3581900d7d341eda0b9a710b607d380f4b9fff3b4b962579961742f12ef
-
Filesize
320KB
MD55203b6ea0901877fbf2d8d6f6d8d338e
SHA1c803e92561921b38abe13239c1fd85605b570936
SHA2560cc02d34d5fd4cf892fed282f98c1ad3e7dd6159a8877ae5c46d3f834ed36060
SHA512d48a41b4fc4c38a6473f789c02918fb7353a4b4199768a3624f3b685d91d38519887a1ccd3616e0d2b079a346afaec5a0f2ef2c46d72d3097ef561cedb476471
-
Filesize
724KB
MD5e092a57be3f88162868fce94629ffd6a
SHA14d95e706bd2765e5ad01e412839604d5e7e4db19
SHA2564d74ae58c6eb320dd7e560ef5a3a6bdff653b3eedeb7334dd8e2a4eabc7e1e6c
SHA51204bdc301a1735852ff2a354248665895e6de941ad5788598f753fd4a08d7a18685e924664d46a73da5ccdced6f4f2ba3d26af2c0901f5f456720b55d2f6a6ea0
-
Filesize
272B
MD5a381a0d98b7f5db426fa9ac23dc5f96c
SHA1c90e011684ec8a57dffec6ecdd0ae4f7889c6aae
SHA25688b6bc31c67723e4e59cf2a8c029284485b3de738d24aa5462347c546626a2ea
SHA512d9763bfdd5f4061293b55f2b292c0e4d5caeb7f316ac179506071de7bebcd714e7c62113ab3ed860dc57e5f52e89103d7aac073050eb8957e241d175489d1330
-
Filesize
3KB
MD599caa1f96043b9786880e08f4a24bd62
SHA11f25788e6bd360c41aed414e5cc1f3ffba66460d
SHA256a92c8df9eeee520299cce237a8b1cdcde13de1ea4eb5bea02dc180a55cf8fa38
SHA512bb257ce85a14581117e539d4a48d6a945c7b2cc7dc180902cce240484038b58c8b787db645e19d3b4e89b24ac530811ef1e3f0b772ef33fc9aa32295a3ec91b1
-
Filesize
896KB
MD5c5053b6a278897cf8629be4ba93b3030
SHA18bbc4116b965c3546d3d52d2d90eca8d5979901f
SHA25625513f2b017ee242a254117f14ff49bb55f034a64265724e8e76d49a696b2d60
SHA51215b961286782c54d9bc04722679570afea0112facc107e17669c4cd4ea9695c198d312d91019275b850214f6b116fd88d5531b23555f364e6d0200ea1cdbe617