Analysis
max time kernel: 24s
max time network: 154s
platform: windows11-21h2_x64
resource: win11-20250410-en
resource tags: arch:x64, arch:x86, image:win11-20250410-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 20/04/2025, 07:24
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe
Resource: win10v2004-20250410-en
Behavioral task: behavioral2
Sample: JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe
Resource: win11-20250410-en
General
Target: JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe
Size: 896KB
MD5: c5053b6a278897cf8629be4ba93b3030
SHA1: 8bbc4116b965c3546d3d52d2d90eca8d5979901f
SHA256: 25513f2b017ee242a254117f14ff49bb55f034a64265724e8e76d49a696b2d60
SHA512: 15b961286782c54d9bc04722679570afea0112facc107e17669c4cd4ea9695c198d312d91019275b850214f6b116fd88d5531b23555f364e6d0200ea1cdbe617
SSDEEP: 6144:ej6/wndfF/gl0LQIk8DR3dEuAI7pEfxsZozAm9TMdGQLUg1nYmefPImdrionQn:k6onxOp8FySpE5zvIdtU+YmefUn
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 13 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | sxrmhekochb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | sxrmhekochb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | sxrmhekochb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | sxrmhekochb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | sxrmhekochb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | sxrmhekochb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | vbnpzlp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | vbnpzlp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | sxrmhekochb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | sxrmhekochb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | sxrmhekochb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | sxrmhekochb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | sxrmhekochb.exe

Pykspa family

UAC bypass (3 TTPs, 22 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vbnpzlp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vbnpzlp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | vbnpzlp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | vbnpzlp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | vbnpzlp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | vbnpzlp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | vbnpzlp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | vbnpzlp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sxrmhekochb.exe

Detect Pykspa worm (2 IoCs)
resource | yara_rule
behavioral2/files/0x001000000002ad10-4.dat | family_pykspa
behavioral2/files/0x001900000002b22f-90.dat | family_pykspa

Adds policy Run key to start application (2 TTPs, 42 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xbllt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ujepidqbvlvuuuwh.exe" | sxrmhekochb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\krehsfkn = "brnztpdpkbmmnordn.exe" | vbnpzlp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | sxrmhekochb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | sxrmhekochb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | sxrmhekochb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | sxrmhekochb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\krehsfkn = "kbylgdsfbtfgikobme.exe" | vbnpzlp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xbllt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brnztpdpkbmmnordn.exe" | vbnpzlp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\krehsfkn = "ibapmlcrpjxaeiodqkdc.exe" | sxrmhekochb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\krehsfkn = "ujepidqbvlvuuuwh.exe" | vbnpzlp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xbllt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kbylgdsfbtfgikobme.exe" | vbnpzlp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | sxrmhekochb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | vbnpzlp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | vbnpzlp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\krehsfkn = "xrrhffxnmhwafkrhvqkka.exe" | sxrmhekochb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | sxrmhekochb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\krehsfkn = "kbylgdsfbtfgikobme.exe" | sxrmhekochb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | sxrmhekochb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xbllt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brnztpdpkbmmnordn.exe" | sxrmhekochb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\krehsfkn = "ibapmlcrpjxaeiodqkdc.exe" | vbnpzlp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xbllt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kbylgdsfbtfgikobme.exe" | sxrmhekochb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\krehsfkn = "xrrhffxnmhwafkrhvqkka.exe" | sxrmhekochb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\krehsfkn = "xrrhffxnmhwafkrhvqkka.exe" | sxrmhekochb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xbllt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kbylgdsfbtfgikobme.exe" | sxrmhekochb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\krehsfkn = "vnlzvtjxunacfinbngy.exe" | sxrmhekochb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xbllt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ujepidqbvlvuuuwh.exe" | vbnpzlp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\krehsfkn = "ibapmlcrpjxaeiodqkdc.exe" | vbnpzlp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\krehsfkn = "xrrhffxnmhwafkrhvqkka.exe" | sxrmhekochb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xbllt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnlzvtjxunacfinbngy.exe" | sxrmhekochb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xbllt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnlzvtjxunacfinbngy.exe" | sxrmhekochb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | sxrmhekochb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | sxrmhekochb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | sxrmhekochb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\krehsfkn = "vnlzvtjxunacfinbngy.exe" | sxrmhekochb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xbllt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xrrhffxnmhwafkrhvqkka.exe" | sxrmhekochb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xbllt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ibapmlcrpjxaeiodqkdc.exe" | sxrmhekochb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xbllt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xrrhffxnmhwafkrhvqkka.exe" | sxrmhekochb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\krehsfkn = "brnztpdpkbmmnordn.exe" | sxrmhekochb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\krehsfkn = "vnlzvtjxunacfinbngy.exe" | sxrmhekochb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | sxrmhekochb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\krehsfkn = "xrrhffxnmhwafkrhvqkka.exe" | sxrmhekochb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xbllt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brnztpdpkbmmnordn.exe" | sxrmhekochb.exe

Disables RegEdit via registry modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | sxrmhekochb.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | vbnpzlp.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | vbnpzlp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | vbnpzlp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | vbnpzlp.exe

Executes dropped EXE (64 IoCs)
pid | Process
4408 | sxrmhekochb.exe
6024 | ujepidqbvlvuuuwh.exe
3324 | xrrhffxnmhwafkrhvqkka.exe
5788 | sxrmhekochb.exe
4816 | xrrhffxnmhwafkrhvqkka.exe
4684 | kbylgdsfbtfgikobme.exe
248 | kbylgdsfbtfgikobme.exe
3384 | sxrmhekochb.exe
4204 | ibapmlcrpjxaeiodqkdc.exe
2988 | sxrmhekochb.exe
1236 | vnlzvtjxunacfinbngy.exe
396 | vnlzvtjxunacfinbngy.exe
3000 | sxrmhekochb.exe
5464 | vbnpzlp.exe
5752 | vbnpzlp.exe
1232 | ibapmlcrpjxaeiodqkdc.exe
1508 | kbylgdsfbtfgikobme.exe
5556 | xrrhffxnmhwafkrhvqkka.exe
5672 | ibapmlcrpjxaeiodqkdc.exe
3572 | sxrmhekochb.exe
960 | sxrmhekochb.exe
2936 | ibapmlcrpjxaeiodqkdc.exe
3880 | brnztpdpkbmmnordn.exe
1820 | ujepidqbvlvuuuwh.exe
5952 | vnlzvtjxunacfinbngy.exe
1808 | kbylgdsfbtfgikobme.exe
1152 | sxrmhekochb.exe
4904 | ujepidqbvlvuuuwh.exe
4916 | ujepidqbvlvuuuwh.exe
5236 | sxrmhekochb.exe
1552 | ujepidqbvlvuuuwh.exe
464 | sxrmhekochb.exe
5248 | kbylgdsfbtfgikobme.exe
4952 | sxrmhekochb.exe
1376 | kbylgdsfbtfgikobme.exe
724 | vnlzvtjxunacfinbngy.exe
5932 | kbylgdsfbtfgikobme.exe
6076 | sxrmhekochb.exe
2080 | sxrmhekochb.exe
1488 | brnztpdpkbmmnordn.exe
6088 | kbylgdsfbtfgikobme.exe
2300 | sxrmhekochb.exe
3992 | xrrhffxnmhwafkrhvqkka.exe
1900 | ibapmlcrpjxaeiodqkdc.exe
5416 | sxrmhekochb.exe
2324 | vnlzvtjxunacfinbngy.exe
4440 | vnlzvtjxunacfinbngy.exe
4264 | sxrmhekochb.exe
1416 | vnlzvtjxunacfinbngy.exe
2828 | vnlzvtjxunacfinbngy.exe
3996 | sxrmhekochb.exe
5732 | vnlzvtjxunacfinbngy.exe
5048 | ujepidqbvlvuuuwh.exe
5564 | brnztpdpkbmmnordn.exe
1940 | sxrmhekochb.exe
6108 | vnlzvtjxunacfinbngy.exe
4356 | vnlzvtjxunacfinbngy.exe
2580 | vnlzvtjxunacfinbngy.exe
5960 | brnztpdpkbmmnordn.exe
3392 | sxrmhekochb.exe
5032 | sxrmhekochb.exe
2668 | xrrhffxnmhwafkrhvqkka.exe
4548 | vnlzvtjxunacfinbngy.exe
1392 | xrrhffxnmhwafkrhvqkka.exe

Impair Defenses: Safe Mode Boot (1 TTPs, 6 IoCs)
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | vbnpzlp.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | vbnpzlp.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | vbnpzlp.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | vbnpzlp.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | vbnpzlp.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | vbnpzlp.exe

Adds Run key to start application (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\inyzit = "ujepidqbvlvuuuwh.exe" | sxrmhekochb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mxovkbkrhtzu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xrrhffxnmhwafkrhvqkka.exe" | sxrmhekochb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Run\inyzit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xrrhffxnmhwafkrhvqkka.exe" | sxrmhekochb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Run\bjxbnbhly = "brnztpdpkbmmnordn.exe" | sxrmhekochb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\udsxkzglzj = "ujepidqbvlvuuuwh.exe ." | sxrmhekochb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\vbnpzlp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kbylgdsfbtfgikobme.exe ." | sxrmhekochb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\vbnpzlp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brnztpdpkbmmnordn.exe ." | sxrmhekochb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\inyzit = "vnlzvtjxunacfinbngy.exe" | sxrmhekochb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pzpvjzhncns = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kbylgdsfbtfgikobme.exe ." | sxrmhekochb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Run\bjxbnbhly = "ibapmlcrpjxaeiodqkdc.exe" | sxrmhekochb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pzpvjzhncns = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ujepidqbvlvuuuwh.exe ." | vbnpzlp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pzpvjzhncns = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ujepidqbvlvuuuwh.exe ." | vbnpzlp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\vbnpzlp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kbylgdsfbtfgikobme.exe ." | sxrmhekochb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Run\bjxbnbhly = "brnztpdpkbmmnordn.exe" | sxrmhekochb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\udsxkzglzj = "brnztpdpkbmmnordn.exe ." | sxrmhekochb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mxovkbkrhtzu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brnztpdpkbmmnordn.exe" | vbnpzlp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\vbnpzlp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xrrhffxnmhwafkrhvqkka.exe ." | sxrmhekochb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Run\bjxbnbhly = "xrrhffxnmhwafkrhvqkka.exe" | sxrmhekochb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\udsxkzglzj = "kbylgdsfbtfgikobme.exe ." | vbnpzlp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mxovkbkrhtzu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnlzvtjxunacfinbngy.exe" | vbnpzlp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Run\bjxbnbhly = "vnlzvtjxunacfinbngy.exe" | sxrmhekochb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vbnpzlp = "vnlzvtjxunacfinbngy.exe ." | vbnpzlp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Run\bjxbnbhly = "vnlzvtjxunacfinbngy.exe" | sxrmhekochb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\udsxkzglzj = "kbylgdsfbtfgikobme.exe ." | sxrmhekochb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mxovkbkrhtzu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnlzvtjxunacfinbngy.exe" | sxrmhekochb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vbnpzlp = "xrrhffxnmhwafkrhvqkka.exe ." | vbnpzlp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mxovkbkrhtzu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xrrhffxnmhwafkrhvqkka.exe" | sxrmhekochb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\udsxkzglzj = "ibapmlcrpjxaeiodqkdc.exe ." | vbnpzlp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pzpvjzhncns = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xrrhffxnmhwafkrhvqkka.exe ." | vbnpzlp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Run\bjxbnbhly = "ujepidqbvlvuuuwh.exe" | vbnpzlp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\inyzit = "ibapmlcrpjxaeiodqkdc.exe" | vbnpzlp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pzpvjzhncns = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kbylgdsfbtfgikobme.exe ." | sxrmhekochb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\udsxkzglzj = "brnztpdpkbmmnordn.exe ." | vbnpzlp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pzpvjzhncns = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnlzvtjxunacfinbngy.exe ." | sxrmhekochb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\inyzit = "ujepidqbvlvuuuwh.exe" | sxrmhekochb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\vbnpzlp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kbylgdsfbtfgikobme.exe ." | vbnpzlp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\udsxkzglzj = "ibapmlcrpjxaeiodqkdc.exe ." | sxrmhekochb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\inyzit = "brnztpdpkbmmnordn.exe" | sxrmhekochb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\udsxkzglzj = "kbylgdsfbtfgikobme.exe ." | sxrmhekochb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Run\bjxbnbhly = "vnlzvtjxunacfinbngy.exe" | vbnpzlp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\udsxkzglzj = "kbylgdsfbtfgikobme.exe ." | sxrmhekochb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Run\inyzit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnlzvtjxunacfinbngy.exe" | vbnpzlp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Run\inyzit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xrrhffxnmhwafkrhvqkka.exe" | vbnpzlp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Run\inyzit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ujepidqbvlvuuuwh.exe" | sxrmhekochb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pzpvjzhncns = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ibapmlcrpjxaeiodqkdc.exe ." | sxrmhekochb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vbnpzlp = "ujepidqbvlvuuuwh.exe ." | sxrmhekochb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\vbnpzlp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ujepidqbvlvuuuwh.exe ." | sxrmhekochb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\udsxkzglzj = "vnlzvtjxunacfinbngy.exe ." | sxrmhekochb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mxovkbkrhtzu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kbylgdsfbtfgikobme.exe" | sxrmhekochb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Run\bjxbnbhly = "xrrhffxnmhwafkrhvqkka.exe" | vbnpzlp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vbnpzlp = "ibapmlcrpjxaeiodqkdc.exe ." | sxrmhekochb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Run\inyzit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xrrhffxnmhwafkrhvqkka.exe" | sxrmhekochb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Run\inyzit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnlzvtjxunacfinbngy.exe" | sxrmhekochb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\inyzit = "vnlzvtjxunacfinbngy.exe" | vbnpzlp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\inyzit = "ujepidqbvlvuuuwh.exe" | sxrmhekochb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Run\inyzit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnlzvtjxunacfinbngy.exe" | sxrmhekochb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Run\bjxbnbhly = "ibapmlcrpjxaeiodqkdc.exe" | sxrmhekochb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\vbnpzlp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnlzvtjxunacfinbngy.exe ." | vbnpzlp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\inyzit = "xrrhffxnmhwafkrhvqkka.exe" | vbnpzlp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Run\inyzit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnlzvtjxunacfinbngy.exe" | sxrmhekochb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\inyzit = "brnztpdpkbmmnordn.exe" | vbnpzlp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\vbnpzlp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnlzvtjxunacfinbngy.exe ." | sxrmhekochb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Run\inyzit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xrrhffxnmhwafkrhvqkka.exe" | sxrmhekochb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vbnpzlp = "brnztpdpkbmmnordn.exe ." | sxrmhekochb.exe

Checks whether UAC is enabled (1 TTPs, 26 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sxrmhekochb.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vbnpzlp.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | vbnpzlp.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sxrmhekochb.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sxrmhekochb.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sxrmhekochb.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sxrmhekochb.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sxrmhekochb.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sxrmhekochb.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sxrmhekochb.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sxrmhekochb.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sxrmhekochb.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | vbnpzlp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sxrmhekochb.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vbnpzlp.exe

Hijack Execution Flow: Executable Installer File Permissions Weakness (1 TTPs, 3 IoCs)
Possibly turns off User Account Control's privilege elevation for standard users.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | vbnpzlp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | vbnpzlp.exe

Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
1 | www.whatismyip.ca
1 | whatismyipaddress.com
1 | www.showmyipaddress.com
1 | whatismyip.everdot.org

Drops file in System32 directory 64 IoCs
description | ioc | Process | rows
The 64 rows collapse to the following distinct (operation, path, process) triples; 'rows' is how often each one appears in the report.
File opened for modification | C:\Windows\SysWOW64\brnztpdpkbmmnordn.exe | sxrmhekochb.exe | 8
File opened for modification | C:\Windows\SysWOW64\brnztpdpkbmmnordn.exe | vbnpzlp.exe | 2
File opened for modification | C:\Windows\SysWOW64\ibapmlcrpjxaeiodqkdc.exe | sxrmhekochb.exe | 8
File opened for modification | C:\Windows\SysWOW64\ibapmlcrpjxaeiodqkdc.exe | vbnpzlp.exe | 2
File opened for modification | C:\Windows\SysWOW64\kbylgdsfbtfgikobme.exe | sxrmhekochb.exe | 8
File opened for modification | C:\Windows\SysWOW64\kbylgdsfbtfgikobme.exe | vbnpzlp.exe | 1
File opened for modification | C:\Windows\SysWOW64\ojkbabullhxciowncytulk.exe | sxrmhekochb.exe | 4
File opened for modification | C:\Windows\SysWOW64\ojkbabullhxciowncytulk.exe | vbnpzlp.exe | 1
File opened for modification | C:\Windows\SysWOW64\ujepidqbvlvuuuwh.exe | sxrmhekochb.exe | 7
File opened for modification | C:\Windows\SysWOW64\ujepidqbvlvuuuwh.exe | vbnpzlp.exe | 2
File opened for modification | C:\Windows\SysWOW64\vnlzvtjxunacfinbngy.exe | sxrmhekochb.exe | 9
File opened for modification | C:\Windows\SysWOW64\vnlzvtjxunacfinbngy.exe | vbnpzlp.exe | 2
File opened for modification | C:\Windows\SysWOW64\xrrhffxnmhwafkrhvqkka.exe | sxrmhekochb.exe | 5
File opened for modification | C:\Windows\SysWOW64\xrrhffxnmhwafkrhvqkka.exe | vbnpzlp.exe | 2
File created | C:\Windows\SysWOW64\orazgpqpxbzmaoedaehqpwfgfn.pcq | vbnpzlp.exe | 1
File opened for modification | C:\Windows\SysWOW64\orazgpqpxbzmaoedaehqpwfgfn.pcq | vbnpzlp.exe | 1
File created | C:\Windows\SysWOW64\pdxhztfpixgedcdnvkyscuoakdsbzyxyiqftn.pjv | vbnpzlp.exe | 1
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\orazgpqpxbzmaoedaehqpwfgfn.pcq | vbnpzlp.exe
File created | C:\Program Files (x86)\orazgpqpxbzmaoedaehqpwfgfn.pcq | vbnpzlp.exe
File opened for modification | C:\Program Files (x86)\pdxhztfpixgedcdnvkyscuoakdsbzyxyiqftn.pjv | vbnpzlp.exe
File created | C:\Program Files (x86)\pdxhztfpixgedcdnvkyscuoakdsbzyxyiqftn.pjv | vbnpzlp.exe
Drops file in Windows directory 64 IoCs
description | ioc | Process | rows
The 64 rows collapse to the following distinct (operation, path, process) triples; 'rows' is how often each one appears in the report.
File opened for modification | C:\Windows\brnztpdpkbmmnordn.exe | sxrmhekochb.exe | 9
File opened for modification | C:\Windows\brnztpdpkbmmnordn.exe | vbnpzlp.exe | 1
File opened for modification | C:\Windows\ibapmlcrpjxaeiodqkdc.exe | sxrmhekochb.exe | 9
File opened for modification | C:\Windows\ibapmlcrpjxaeiodqkdc.exe | vbnpzlp.exe | 2
File opened for modification | C:\Windows\kbylgdsfbtfgikobme.exe | sxrmhekochb.exe | 7
File opened for modification | C:\Windows\kbylgdsfbtfgikobme.exe | vbnpzlp.exe | 1
File opened for modification | C:\Windows\ojkbabullhxciowncytulk.exe | sxrmhekochb.exe | 6
File opened for modification | C:\Windows\ojkbabullhxciowncytulk.exe | vbnpzlp.exe | 1
File opened for modification | C:\Windows\ujepidqbvlvuuuwh.exe | sxrmhekochb.exe | 9
File opened for modification | C:\Windows\ujepidqbvlvuuuwh.exe | vbnpzlp.exe | 2
File opened for modification | C:\Windows\vnlzvtjxunacfinbngy.exe | sxrmhekochb.exe | 5
File opened for modification | C:\Windows\vnlzvtjxunacfinbngy.exe | vbnpzlp.exe | 1
File opened for modification | C:\Windows\xrrhffxnmhwafkrhvqkka.exe | sxrmhekochb.exe | 6
File opened for modification | C:\Windows\xrrhffxnmhwafkrhvqkka.exe | vbnpzlp.exe | 2
File created | C:\Windows\orazgpqpxbzmaoedaehqpwfgfn.pcq | vbnpzlp.exe | 1
File opened for modification | C:\Windows\orazgpqpxbzmaoedaehqpwfgfn.pcq | vbnpzlp.exe | 1
File opened for modification | C:\Windows\pdxhztfpixgedcdnvkyscuoakdsbzyxyiqftn.pjv | vbnpzlp.exe | 1
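The three drop tables above (System32, Program Files and the Windows directory) repeat the same nine file names across directories: the seven .exe names are rewritten again and again by sxrmhekochb.exe and vbnpzlp.exe, while only vbnpzlp.exe creates the .pcq and .pjv data files. What a responder needs from these tables is not the raw rows but the unique paths, who wrote each one, and a name list to hunt on. The Python below is an added example, not part of the sandbox report; SAMPLE_ROWS is a constructed subset of the report's own rows, and the parser accepts the flattened one-line form the report is rendered in as well as one row per line.

```python
"""Collapse the repetitive 'Drops file in ... directory' rows into hunt-ready
indicators: each unique dropped path, which process created or rewrote it, and
the basenames to search for in every directory at once.

Added example, not part of the sandbox report. SAMPLE_ROWS is a constructed
subset of the report's own rows; nothing here touches a live host."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed input, in the report's flattened 'description ioc Process' form.
SAMPLE_ROWS = r"""
File opened for modification C:\Windows\SysWOW64\kbylgdsfbtfgikobme.exe vbnpzlp.exe
File opened for modification C:\Windows\SysWOW64\vnlzvtjxunacfinbngy.exe sxrmhekochb.exe
File created C:\Windows\SysWOW64\pdxhztfpixgedcdnvkyscuoakdsbzyxyiqftn.pjv vbnpzlp.exe
File created C:\Windows\SysWOW64\orazgpqpxbzmaoedaehqpwfgfn.pcq vbnpzlp.exe
File opened for modification C:\Windows\ojkbabullhxciowncytulk.exe vbnpzlp.exe
File opened for modification C:\Windows\vnlzvtjxunacfinbngy.exe sxrmhekochb.exe
File created C:\Windows\orazgpqpxbzmaoedaehqpwfgfn.pcq vbnpzlp.exe
File opened for modification C:\Program Files (x86)\orazgpqpxbzmaoedaehqpwfgfn.pcq vbnpzlp.exe
File created C:\Program Files (x86)\orazgpqpxbzmaoedaehqpwfgfn.pcq vbnpzlp.exe
"""

# The path may contain spaces ('Program Files (x86)'), so it is matched lazily
# up to the last token, which is the writing process and always ends in .exe.
DROP_RE = re.compile(
    r'(?P<op>File created|File opened for modification) '
    r'(?P<path>[A-Za-z]:\\.+?) '
    r'(?P<proc>\S+?\.exe)(?=\s|$)'
)

# Directories a normal user-mode installer should not be writing executables to.
PROTECTED = ("C:\\Windows\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\")


def parse_drops(text):
    """Works on the flattened one-line form as well as one row per line."""
    return [(m["op"], m["path"], m["proc"]) for m in DROP_RE.finditer(text)]


def summarize(rows):
    """path -> creators, modifiers and raw event count."""
    out = defaultdict(lambda: {"created_by": set(), "modified_by": set(), "events": 0})
    for op, path, proc in rows:
        entry = out[path]
        entry["events"] += 1
        (entry["created_by"] if op == "File created" else entry["modified_by"]).add(proc)
    return dict(out)


def protected_executables(summary):
    """Executables written under the Windows or Program Files trees: the rows
    behind the 'Hijack Execution Flow: Executable Installer File Permissions
    Weakness' signature in the process tree."""
    return sorted(p for p in summary
                  if p.lower().endswith(".exe") and p.startswith(PROTECTED))


def hunt_names(summary):
    """The same basenames recur in Temp, the Windows directory, SysWOW64 and
    Program Files, so hunt on the name rather than on one path."""
    return sorted({PureWindowsPath(p).name for p in summary})


def directories_for(summary, name):
    """Every directory a given basename was dropped into."""
    return sorted(str(PureWindowsPath(p).parent) for p in summary
                  if PureWindowsPath(p).name == name)


if __name__ == "__main__":
    s = summarize(parse_drops(SAMPLE_ROWS))
    for path, info in sorted(s.items()):
        print(f"{path}: created_by={sorted(info['created_by'])} "
              f"modified_by={sorted(info['modified_by'])} events={info['events']}")
    print("hunt on:", hunt_names(s))
    print("executables in protected dirs:", protected_executables(s))
```

Run against the full tables rather than the sample and the output is the list of names to sweep every endpoint for, plus the creator/modifier split that tells you which process to blame for each artifact.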
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. The NLS\Language key is also read during ordinary locale initialisation, so this signature fires for nearly every process in the tree (the table below shows it for the dropped copies as well as for the original sample); treat it as corroborating evidence, not as proof of a geofence on its own.
description | ioc | Process
All 64 rows have the same description and ioc: Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language. The opening process, with its row count, is:
kbylgdsfbtfgikobme.exe | 13
ujepidqbvlvuuuwh.exe | 13
vnlzvtjxunacfinbngy.exe | 11
brnztpdpkbmmnordn.exe | 10
ibapmlcrpjxaeiodqkdc.exe | 8
xrrhffxnmhwafkrhvqkka.exe | 6
JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe | 1
sxrmhekochb.exe | 1
vbnpzlp.exe | 1
Suspicious behavior: EnumeratesProcesses 50 IoCs
pid | Process | consecutive rows
2248 | JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe | 14
5464 | vbnpzlp.exe | 2
2248 | JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe | 24
5464 | vbnpzlp.exe | 2
2248 | JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe | 8
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 5464 | vbnpzlp.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target | rows
Every parent/child pair is reported three times; 'rows' gives that count. The last pair is cut short by the 64-row cap on the table.
PID 2248 wrote to memory of 4408 | 2248 | JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe | 786 | 3
PID 2264 wrote to memory of 6024 | 2264 | cmd.exe | 88 | 3
PID 2168 wrote to memory of 3324 | 2168 | cmd.exe | 91 | 3
PID 3324 wrote to memory of 5788 | 3324 | xrrhffxnmhwafkrhvqkka.exe | 92 | 3
PID 1912 wrote to memory of 4816 | 1912 | cmd.exe | 903 | 3
PID 5124 wrote to memory of 4684 | 5124 | cmd.exe | 98 | 3
PID 6052 wrote to memory of 248 | 6052 | cmd.exe | 905 | 3
PID 4684 wrote to memory of 3384 | 4684 | kbylgdsfbtfgikobme.exe | 357 | 3
PID 4216 wrote to memory of 4204 | 4216 | cmd.exe | 923 | 3
PID 4204 wrote to memory of 2988 | 4204 | ibapmlcrpjxaeiodqkdc.exe | 879 | 3
PID 3360 wrote to memory of 1236 | 3360 | cmd.exe | 792 | 3
PID 5548 wrote to memory of 396 | 5548 | cmd.exe | 826 | 3
PID 396 wrote to memory of 3000 | 396 | vnlzvtjxunacfinbngy.exe | 455 | 3
PID 4408 wrote to memory of 5464 | 4408 | sxrmhekochb.exe | 114 | 3
PID 4408 wrote to memory of 5752 | 4408 | sxrmhekochb.exe | 115 | 3
PID 1764 wrote to memory of 1232 | 1764 | cmd.exe | 120 | 3
PID 1752 wrote to memory of 1508 | 1752 | cmd.exe | 921 | 3
PID 5184 wrote to memory of 5556 | 5184 | cmd.exe | 124 | 3
PID 2832 wrote to memory of 5672 | 2832 | cmd.exe | 127 | 3
PID 5556 wrote to memory of 3572 | 5556 | xrrhffxnmhwafkrhvqkka.exe | 128 | 3
PID 5672 wrote to memory of 960 | 5672 | ibapmlcrpjxaeiodqkdc.exe | 131 | 3
PID 3092 wrote to memory of 2936 | 3092 | cmd.exe | 132 | 1
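Two things about the WriteProcessMemory table are easy to miss in the flattened form. First, it names only the writing process, so the child PIDs (5788, 5464, 5752 and so on) have to be resolved against the Processes tree further down. Second, every parent/child pair appears exactly three times and every target is a process the sample itself started, which points to creation-time writes rather than injection into an unrelated process; the check that makes that explicit is whether any target PID is absent from the process tree. The Python below is an added example, not part of the sandbox report: it rebuilds the parent/child chains from the rows, fills in child names from a hand-built map taken from the Processes section (PROCESS_NAMES, a constructed subset), and flags targets that the tree does not account for. SAMPLE_EVENTS is a subset of the report's rows, with one group left in the run-together form to show the parser handles it.

```python
"""Rebuild the parent/child relationships behind the 'Suspicious use of
WriteProcessMemory' rows and separate creation-time writes from anything that
looks like injection into a process the sample did not create.

Added example, not part of the sandbox report. SAMPLE_EVENTS is a constructed
subset of the report's rows; PROCESS_NAMES is filled in by hand from the
Processes tree, because the WriteProcessMemory table names only the writer."""
import re
from collections import Counter

SAMPLE_EVENTS = """
PID 2248 wrote to memory of 4408 2248 JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe 786
PID 2248 wrote to memory of 4408 2248 JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe 786
PID 2248 wrote to memory of 4408 2248 JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe 786
PID 2168 wrote to memory of 3324 2168 cmd.exe 91 PID 2168 wrote to memory of 3324 2168 cmd.exe 91 PID 2168 wrote to memory of 3324 2168 cmd.exe 91
PID 3324 wrote to memory of 5788 3324 xrrhffxnmhwafkrhvqkka.exe 92
PID 3324 wrote to memory of 5788 3324 xrrhffxnmhwafkrhvqkka.exe 92
PID 3324 wrote to memory of 5788 3324 xrrhffxnmhwafkrhvqkka.exe 92
PID 4408 wrote to memory of 5464 4408 sxrmhekochb.exe 114
PID 4408 wrote to memory of 5464 4408 sxrmhekochb.exe 114
PID 4408 wrote to memory of 5464 4408 sxrmhekochb.exe 114
PID 4408 wrote to memory of 5752 4408 sxrmhekochb.exe 115
PID 4408 wrote to memory of 5752 4408 sxrmhekochb.exe 115
PID 4408 wrote to memory of 5752 4408 sxrmhekochb.exe 115
"""

# Child names taken from the Processes tree of the report (constructed subset).
PROCESS_NAMES = {
    2248: "JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe",
    4408: "sxrmhekochb.exe", 5464: "vbnpzlp.exe", 5752: "vbnpzlp.exe",
    2168: "cmd.exe", 3324: "xrrhffxnmhwafkrhvqkka.exe", 5788: "sxrmhekochb.exe",
}

# 'PID <src> wrote to memory of <dst> <src> <name> <target_id>'; findall works
# whether the rows are one per line or run together on one line.
EVENT_RE = re.compile(r'PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)')


def parse_events(text):
    events = []
    for src, dst, src_again, src_name, target_id in EVENT_RE.findall(text):
        if src != src_again:
            raise ValueError(f"malformed row: {src} != {src_again}")
        events.append((int(src), int(dst), src_name, int(target_id)))
    return events


def write_counts(events):
    """How many write rows each (parent, child) pair produced."""
    return Counter((src, dst) for src, dst, _, _ in events)


def build_tree(events):
    """child pid -> parent pid, plus the names the table gives for writers."""
    parent, names = {}, {}
    for src, dst, src_name, _ in events:
        names[src] = src_name
        parent[dst] = src
    return parent, names


def lineage(pid, parent, names):
    """Root-to-leaf chain as 'name(pid)'; '?' where no name is known."""
    chain = []
    while pid is not None:
        chain.append(f"{names.get(pid, '?')}({pid})")
        pid = parent.get(pid)
    return list(reversed(chain))


def injection_candidates(events, tree_pids):
    """Targets that are not in the Processes tree: a write into a process the
    sample did not create is the case worth treating as injection."""
    return sorted({dst for _, dst, _, _ in events if dst not in tree_pids})


def analyse(text, known_names=None):
    events = parse_events(text)
    parent, writer_names = build_tree(events)
    names = {**(known_names or {}), **writer_names}
    leaves = [pid for pid in parent if pid not in parent.values()]
    return {
        "counts": write_counts(events),
        "chains": sorted(lineage(leaf, parent, names) for leaf in leaves),
        "injection_candidates": injection_candidates(events, set(known_names or {})),
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_EVENTS, PROCESS_NAMES)
    for chain in result["chains"]:
        print(" -> ".join(chain))
    print("injection candidates:", result["injection_candidates"])
```

With the names supplied, the chains come out as the re-launch pattern visible in the process tree: cmd.exe starts a dropped copy, which starts sxrmhekochb.exe again with the copy's own path as its argument. Without the names, every child is a '?', and every target is an injection candidate, which is the point: this table is only interpretable alongside the process list.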
System policy modification 1 TTPs 56 IoCs
description | ioc | Process | rows
The 56 rows collapse to the following distinct writes per process; 'rows' is how often each one appears in the report.
sxrmhekochb.exe:
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sxrmhekochb.exe | 11
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | sxrmhekochb.exe | 11
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sxrmhekochb.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | sxrmhekochb.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sxrmhekochb.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | sxrmhekochb.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | sxrmhekochb.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | sxrmhekochb.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | sxrmhekochb.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | sxrmhekochb.exe | 1
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | sxrmhekochb.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | sxrmhekochb.exe | 1
vbnpzlp.exe:
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vbnpzlp.exe | 2
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | vbnpzlp.exe | 2
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | vbnpzlp.exe | 2
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | vbnpzlp.exe | 2
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | vbnpzlp.exe | 2
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | vbnpzlp.exe | 2
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | vbnpzlp.exe | 2
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | vbnpzlp.exe | 2
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | vbnpzlp.exe | 2
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | vbnpzlp.exe | 2
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | vbnpzlp.exe | 2
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | vbnpzlp.exe | 2
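Not every write in that table is a weakening, and that distinction matters when you are deciding what to revert. EnableLUA = 0 disables UAC outright (it takes effect at the next logon), ConsentPromptBehaviorAdmin = 0 makes elevation silent, PromptOnSecureDesktop = 0 moves prompts onto the spoofable interactive desktop, EnableSecureUIAPaths = 0 lets UIAccess programs run from anywhere, and DisableRegistryTools = 1 stops the user from undoing any of it with regedit. FilterAdministratorToken = 0 and ValidateAdminCodeSignatures = 0, on the other hand, are already the defaults on a stock Windows install, so those writes change nothing. ConsentPromptBehaviorUser = 0 means "automatically deny" for standard users, which is a change but not a relaxation. EnableLUA = 0 is written repeatedly by sxrmhekochb.exe over the run, so expect a plain revert to be re-applied while those processes are alive. The Python below is an added example, not part of the sandbox report: it parses rows in the report's form, sorts each write into weakened / changed / no-op against documented Windows defaults, and emits the reg query commands to confirm the state on a suspect host. SAMPLE_ROWS is a constructed subset of the table above.

```python
"""Turn the flattened 'System policy modification' rows into a verdict: which
UAC and Explorer policy values the sample wrote, which of those weaken a
default host, and which writes are no-ops because the value already is the
default. Also emits the 'reg query' commands to confirm the state on a host.

Added example, not part of the sandbox report. SAMPLE_ROWS is a constructed
subset of the report's own rows; BASELINE holds documented Windows defaults."""
import re
from collections import defaultdict

# Constructed input, in the report's 'description ioc Process' form.
SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sxrmhekochb.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System sxrmhekochb.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" vbnpzlp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" vbnpzlp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" vbnpzlp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" vbnpzlp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" vbnpzlp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vbnpzlp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" vbnpzlp.exe
"""

ROW_RE = re.compile(
    r'^(?P<op>Set value \((?:int|str)\)|Key created) '
    r'(?P<path>\\REGISTRY\\\S+?)'
    r'(?: = "(?P<value>[^"]*)")? '
    r'(?P<proc>\S+)$'
)

# (documented default, predicate that says whether a new value weakens the
# host). None = "a change, but not a straightforward weakening".
BASELINE = {
    "EnableLUA":                   (1, lambda v: v == 0),   # 0: Admin Approval Mode off, UAC disabled
    "ConsentPromptBehaviorAdmin":  (5, lambda v: v == 0),   # 0: elevate without prompting
    "ConsentPromptBehaviorUser":   (3, None),               # 0: auto-deny standard users; not weaker
    "PromptOnSecureDesktop":       (1, lambda v: v == 0),   # 0: prompts on the spoofable desktop
    "EnableSecureUIAPaths":        (1, lambda v: v == 0),   # 0: UIAccess apps from any path
    "EnableVirtualization":        (1, None),
    "FilterAdministratorToken":    (0, lambda v: v == 0),   # default is already 0
    "ValidateAdminCodeSignatures": (0, lambda v: v == 0),   # default is already 0
    "DisableRegistryTools":        (0, lambda v: v == 1),   # 1: regedit blocked
    "NoDriveTypeAutoRun":          (0x91, None),            # bit mask; compare bits by hand
}


def parse_rows(text):
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())   # 'value' is None for 'Key created'
    return rows


def assess(rows):
    """Bucket every 'Set value' write as weakened / changed / no_op / unknown,
    keyed by value name, with the set of processes that wrote it."""
    buckets = {k: defaultdict(set) for k in ("weakened", "changed", "no_op", "unknown")}
    for r in rows:
        if r["value"] is None:
            continue
        name = r["path"].rsplit("\\", 1)[-1]
        if name not in BASELINE or not r["value"].lstrip("-").isdigit():
            buckets["unknown"][name].add(r["proc"])
            continue
        value = int(r["value"])
        default, weakens = BASELINE[name]
        if value == default:
            bucket = "no_op"
        elif weakens is not None and weakens(value):
            bucket = "weakened"
        else:
            bucket = "changed"
        buckets[bucket][name].add(r["proc"])
    return {k: dict(v) for k, v in buckets.items()}


def reg_queries(rows):
    """'reg query' lines to verify the same values on a suspect host."""
    cmds = set()
    for r in rows:
        if r["value"] is None:
            continue
        key, _, name = r["path"].rpartition("\\")
        key = key.replace("\\REGISTRY\\MACHINE\\", "HKLM\\", 1)
        cmds.add(f'reg query "{key}" /v {name}')
    return sorted(cmds)


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    for bucket, names in assess(rows).items():
        print(bucket, {n: sorted(p) for n, p in names.items()})
    print("\n".join(reg_queries(rows)))
```

The "no_op" bucket is the caveat worth keeping: a remediation script that blindly "restores" FilterAdministratorToken or ValidateAdminCodeSignatures to 1 would be hardening beyond the baseline, not undoing the sample's change.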
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c5053b6a278897cf8629be4ba93b3030.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_c5053b6a278897cf8629be4ba93b3030.exe*"2⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4408 -
C:\Users\Admin\AppData\Local\Temp\vbnpzlp.exe"C:\Users\Admin\AppData\Local\Temp\vbnpzlp.exe" "-C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe"3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:5464
-
-
C:\Users\Admin\AppData\Local\Temp\vbnpzlp.exe"C:\Users\Admin\AppData\Local\Temp\vbnpzlp.exe" "-C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe"3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5752
-
-
-

[1] C:\Windows\system32\cmd.exe (PID 2264)
    cmdline: C:\Windows\system32\cmd.exe /c ujepidqbvlvuuuwh.exe
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\ujepidqbvlvuuuwh.exe (PID 6024)
      cmdline: ujepidqbvlvuuuwh.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

[1] C:\Windows\system32\cmd.exe (PID 2168)
    cmdline: C:\Windows\system32\cmd.exe /c xrrhffxnmhwafkrhvqkka.exe .
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\xrrhffxnmhwafkrhvqkka.exe (PID 3324)
      cmdline: xrrhffxnmhwafkrhvqkka.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe (PID 5788)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\xrrhffxnmhwafkrhvqkka.exe*."
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 1912)
    cmdline: C:\Windows\system32\cmd.exe /c xrrhffxnmhwafkrhvqkka.exe
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\xrrhffxnmhwafkrhvqkka.exe (PID 4816)
      cmdline: xrrhffxnmhwafkrhvqkka.exe
      - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 5124)
    cmdline: C:\Windows\system32\cmd.exe /c kbylgdsfbtfgikobme.exe .
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\kbylgdsfbtfgikobme.exe (PID 4684)
      cmdline: kbylgdsfbtfgikobme.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe (PID 3384)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\kbylgdsfbtfgikobme.exe*."
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 6052)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe (PID 248)
      cmdline: C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

[1] C:\Windows\system32\cmd.exe (PID 4216)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe .
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe (PID 4204)
      cmdline: C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe .
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe (PID 2988)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\ibapmlcrpjxaeiodqkdc.exe*."
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 3360)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe (PID 1236)
      cmdline: C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

[1] C:\Windows\system32\cmd.exe (PID 5548)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe .
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe (PID 396)
      cmdline: C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe (PID 3000)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\vnlzvtjxunacfinbngy.exe*."
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 1764)
    cmdline: C:\Windows\system32\cmd.exe /c ibapmlcrpjxaeiodqkdc.exe
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\ibapmlcrpjxaeiodqkdc.exe (PID 1232)
      cmdline: ibapmlcrpjxaeiodqkdc.exe
      - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 1752)
    cmdline: C:\Windows\system32\cmd.exe /c kbylgdsfbtfgikobme.exe
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\kbylgdsfbtfgikobme.exe (PID 1508)
      cmdline: kbylgdsfbtfgikobme.exe
      - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 5184)
    cmdline: C:\Windows\system32\cmd.exe /c xrrhffxnmhwafkrhvqkka.exe .
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\xrrhffxnmhwafkrhvqkka.exe (PID 5556)
      cmdline: xrrhffxnmhwafkrhvqkka.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe (PID 3572)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\xrrhffxnmhwafkrhvqkka.exe*."
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 2832)
    cmdline: C:\Windows\system32\cmd.exe /c ibapmlcrpjxaeiodqkdc.exe .
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\ibapmlcrpjxaeiodqkdc.exe (PID 5672)
      cmdline: ibapmlcrpjxaeiodqkdc.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe (PID 960)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\ibapmlcrpjxaeiodqkdc.exe*."
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 3092)
    cmdline: C:\Windows\system32\cmd.exe /c ibapmlcrpjxaeiodqkdc.exe
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\ibapmlcrpjxaeiodqkdc.exe (PID 2936)
      cmdline: ibapmlcrpjxaeiodqkdc.exe
      - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 1512)
    cmdline: C:\Windows\system32\cmd.exe /c ujepidqbvlvuuuwh.exe
  [2] C:\Windows\ujepidqbvlvuuuwh.exe (PID 1820)
      cmdline: ujepidqbvlvuuuwh.exe
      - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 2656)
    cmdline: C:\Windows\system32\cmd.exe /c brnztpdpkbmmnordn.exe .
  [2] C:\Windows\brnztpdpkbmmnordn.exe (PID 3880)
      cmdline: brnztpdpkbmmnordn.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe (PID 1152)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\brnztpdpkbmmnordn.exe*."
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 6044)
    cmdline: C:\Windows\system32\cmd.exe /c kbylgdsfbtfgikobme.exe .
  [2] C:\Windows\kbylgdsfbtfgikobme.exe (PID 1808)
      cmdline: kbylgdsfbtfgikobme.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe (PID 5236)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\kbylgdsfbtfgikobme.exe*."
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 5884)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe
  [2] C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe (PID 5952)
      cmdline: C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe
      - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 6092)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe
  [2] C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe (PID 4904)
      cmdline: C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

[1] C:\Windows\system32\cmd.exe (PID 4288)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe (PID 4916)
      cmdline: C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe (PID 464)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\ujepidqbvlvuuuwh.exe*."
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 1388)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe (PID 1552)
      cmdline: C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe (PID 4952)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\ujepidqbvlvuuuwh.exe*."
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 4400)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe
  [2] C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe (PID 5248)
      cmdline: C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe
      - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 3488)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe (PID 1376)
      cmdline: C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe (PID 6076)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\kbylgdsfbtfgikobme.exe*."
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Executes dropped EXE
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification

[1] C:\Windows\system32\cmd.exe (PID 2524)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe
  [2] C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe (PID 724)
      cmdline: C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe
      - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 2240)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe (PID 5932)
      cmdline: C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe (PID 2080)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\kbylgdsfbtfgikobme.exe*."
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 3024)
    cmdline: C:\Windows\system32\cmd.exe /c brnztpdpkbmmnordn.exe
  [2] C:\Windows\brnztpdpkbmmnordn.exe (PID 1488)
      cmdline: brnztpdpkbmmnordn.exe
      - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 4500)
    cmdline: C:\Windows\system32\cmd.exe /c kbylgdsfbtfgikobme.exe .
  [2] C:\Windows\kbylgdsfbtfgikobme.exe (PID 6088)
      cmdline: kbylgdsfbtfgikobme.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe (PID 2300)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\kbylgdsfbtfgikobme.exe*."
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 5996)
    cmdline: C:\Windows\system32\cmd.exe /c xrrhffxnmhwafkrhvqkka.exe
  [2] C:\Windows\xrrhffxnmhwafkrhvqkka.exe (PID 3992)
      cmdline: xrrhffxnmhwafkrhvqkka.exe
      - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 4004)
    cmdline: C:\Windows\system32\cmd.exe /c ibapmlcrpjxaeiodqkdc.exe .
  [2] C:\Windows\ibapmlcrpjxaeiodqkdc.exe (PID 1900)
      cmdline: ibapmlcrpjxaeiodqkdc.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe (PID 5416)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\ibapmlcrpjxaeiodqkdc.exe*."
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 2980)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe
  [2] C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe (PID 2324)
      cmdline: C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe
      - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 4032)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe (PID 4440)
      cmdline: C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe (PID 4264)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\vnlzvtjxunacfinbngy.exe*."
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 5456)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe
  [2] C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe (PID 1416)
      cmdline: C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe
      - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 5808)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe (PID 2828)
      cmdline: C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe (PID 3996)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\vnlzvtjxunacfinbngy.exe*."
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Executes dropped EXE
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification

[1] C:\Windows\system32\cmd.exe (PID 5592)
    cmdline: C:\Windows\system32\cmd.exe /c vnlzvtjxunacfinbngy.exe
  [2] C:\Windows\vnlzvtjxunacfinbngy.exe (PID 5732)
      cmdline: vnlzvtjxunacfinbngy.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

[1] C:\Windows\system32\cmd.exe (PID 2368)
    cmdline: C:\Windows\system32\cmd.exe /c ujepidqbvlvuuuwh.exe .
  [2] C:\Windows\ujepidqbvlvuuuwh.exe (PID 5048)
      cmdline: ujepidqbvlvuuuwh.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe (PID 1940)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\ujepidqbvlvuuuwh.exe*."
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 2516)
    cmdline: C:\Windows\system32\cmd.exe /c brnztpdpkbmmnordn.exe
  [2] C:\Windows\brnztpdpkbmmnordn.exe (PID 5564)
      cmdline: brnztpdpkbmmnordn.exe
      - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 5736)
    cmdline: C:\Windows\system32\cmd.exe /c vnlzvtjxunacfinbngy.exe
  [2] C:\Windows\vnlzvtjxunacfinbngy.exe (PID 4356)
      cmdline: vnlzvtjxunacfinbngy.exe
      - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 572)
    cmdline: C:\Windows\system32\cmd.exe /c vnlzvtjxunacfinbngy.exe
  [2] C:\Windows\vnlzvtjxunacfinbngy.exe (PID 6108)
      cmdline: vnlzvtjxunacfinbngy.exe
      - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 2824)
    cmdline: C:\Windows\system32\cmd.exe /c vnlzvtjxunacfinbngy.exe .
  [2] C:\Windows\vnlzvtjxunacfinbngy.exe (PID 2580)
      cmdline: vnlzvtjxunacfinbngy.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe (PID 3392)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\vnlzvtjxunacfinbngy.exe*."
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 5952)
    cmdline: C:\Windows\system32\cmd.exe /c brnztpdpkbmmnordn.exe .
  [2] C:\Windows\System32\Conhost.exe (PID 4332)
      cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Windows\brnztpdpkbmmnordn.exe (PID 5960)
      cmdline: brnztpdpkbmmnordn.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe (PID 5032)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\brnztpdpkbmmnordn.exe*."
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 3880)
    cmdline: C:\Windows\system32\cmd.exe /c vnlzvtjxunacfinbngy.exe .
  [2] C:\Windows\vnlzvtjxunacfinbngy.exe (PID 4548)
      cmdline: vnlzvtjxunacfinbngy.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe (PID 4412)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\vnlzvtjxunacfinbngy.exe*."

[1] C:\Windows\system32\cmd.exe (PID 3144)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrrhffxnmhwafkrhvqkka.exe
  [2] C:\Users\Admin\AppData\Local\Temp\xrrhffxnmhwafkrhvqkka.exe (PID 2668)
      cmdline: C:\Users\Admin\AppData\Local\Temp\xrrhffxnmhwafkrhvqk

ka.exe
      - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 2408)
    cmdline: C:\Windows\system32\cmd.exe /c xrrhffxnmhwafkrhvqkka.exe
  [2] C:\Windows\System32\Conhost.exe (PID 1808)
      cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Windows\xrrhffxnmhwafkrhvqkka.exe (PID 1392)
      cmdline: xrrhffxnmhwafkrhvqkka.exe
      - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 5704)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe (PID 1552)
      cmdline: C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe .
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe (PID 3324)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\kbylgdsfbtfgikobme.exe*."

[1] C:\Windows\system32\cmd.exe (PID 5040)
    cmdline: C:\Windows\system32\cmd.exe /c ibapmlcrpjxaeiodqkdc.exe .
  [2] C:\Windows\ibapmlcrpjxaeiodqkdc.exe (PID 4628)
      cmdline: ibapmlcrpjxaeiodqkdc.exe .
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe (PID 2280)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\ibapmlcrpjxaeiodqkdc.exe*."
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification

[1] C:\Windows\system32\cmd.exe (PID 3136)
    cmdline: C:\Windows\system32\cmd.exe /c ibapmlcrpjxaeiodqkdc.exe
  [2] C:\Windows\ibapmlcrpjxaeiodqkdc.exe (PID 4976)
      cmdline: ibapmlcrpjxaeiodqkdc.exe

[1] C:\Windows\system32\cmd.exe (PID 4288)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe
  [2] C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe (PID 3780)
      cmdline: C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe

[1] C:\Windows\system32\cmd.exe (PID 4980)
    cmdline: C:\Windows\system32\cmd.exe /c brnztpdpkbmmnordn.exe .
  [2] C:\Windows\brnztpdpkbmmnordn.exe (PID 4420)
      cmdline: brnztpdpkbmmnordn.exe .
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe (PID 2212)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\brnztpdpkbmmnordn.exe*."

[1] C:\Windows\system32\cmd.exe (PID 1944)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe (PID 4756)
      cmdline: C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe (PID 5608)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\ujepidqbvlvuuuwh.exe*."

[1] C:\Windows\system32\cmd.exe (PID 2096)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe
  [2] C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe (PID 2240)
      cmdline: C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe

[1] C:\Windows\system32\cmd.exe (PID 468)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrrhffxnmhwafkrhvqkka.exe
  [2] C:\Users\Admin\AppData\Local\Temp\xrrhffxnmhwafkrhvqkka.exe (PID 1880)
      cmdline: C:\Users\Admin\AppData\Local\Temp\xrrhffxnmhwafkrhvqkka.exe

[1] C:\Windows\system32\cmd.exe (PID 1308)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrrhffxnmhwafkrhvqkka.exe .
  [2] C:\Windows\System32\Conhost.exe (PID 708)
      cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Users\Admin\AppData\Local\Temp\xrrhffxnmhwafkrhvqkka.exe (PID 752)
      cmdline: C:\Users\Admin\AppData\Local\Temp\xrrhffxnmhwafkrhvqkka.exe .
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe (PID 5772)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\xrrhffxnmhwafkrhvqkka.exe*."

[1] C:\Windows\system32\cmd.exe (PID 3472)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe (PID 6052)
      cmdline: C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe .
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe (PID 5416)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\kbylgdsfbtfgikobme.exe*."

[1] C:\Windows\system32\cmd.exe (PID 6080)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe
  [2] C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe (PID 1900)
      cmdline: C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe

[1] C:\Windows\system32\cmd.exe (PID 5300)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe (PID 4600)
      cmdline: C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe .
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe (PID 3440)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\ibapmlcrpjxaeiodqkdc.exe*."

[1] C:\Windows\system32\cmd.exe (PID 8)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrrhffxnmhwafkrhvqkka.exe
  [2] C:\Users\Admin\AppData\Local\Temp\xrrhffxnmhwafkrhvqkka.exe (PID 2308)
      cmdline: C:\Users\Admin\AppData\Local\Temp\xrrhffxnmhwafkrhvqkka.exe

[1] C:\Windows\system32\cmd.exe (PID 4500)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe (PID 3344)
      cmdline: C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe .
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe (PID 2100)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\vnlzvtjxunacfinbngy.exe*."

[1] C:\Windows\system32\cmd.exe (PID 1044)
    cmdline: C:\Windows\system32\cmd.exe /c ujepidqbvlvuuuwh.exe
  [2] C:\Windows\ujepidqbvlvuuuwh.exe (PID 3000)
      cmdline: ujepidqbvlvuuuwh.exe

[1] C:\Windows\system32\cmd.exe (PID 4032)
    cmdline: C:\Windows\system32\cmd.exe /c ujepidqbvlvuuuwh.exe .
  [2] C:\Windows\ujepidqbvlvuuuwh.exe (PID 2184)
      cmdline: ujepidqbvlvuuuwh.exe .
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe (PID 1320)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\ujepidqbvlvuuuwh.exe*."

[1] C:\Windows\system32\cmd.exe (PID 2876)
    cmdline: C:\Windows\system32\cmd.exe /c brnztpdpkbmmnordn.exe
  [2] C:\Windows\brnztpdpkbmmnordn.exe (PID 6056)
      cmdline: brnztpdpkbmmnordn.exe

[1] C:\Windows\system32\cmd.exe (PID 4656)
    cmdline: C:\Windows\system32\cmd.exe /c xrrhffxnmhwafkrhvqkka.exe .
  [2] C:\Windows\xrrhffxnmhwafkrhvqkka.exe (PID 3016)
      cmdline: xrrhffxnmhwafkrhvqkka.exe .
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe (PID 4280)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\xrrhffxnmhwafkrhvqkka.exe*."

[1] C:\Windows\system32\cmd.exe (PID 5832)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe
  [2] C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe (PID 4604)
      cmdline: C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe

[1] C:\Windows\system32\cmd.exe (PID 2712)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe (PID 5712)
      cmdline: C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe .
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe (PID 2204)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\kbylgdsfbtfgikobme.exe*."

[1] C:\Windows\system32\cmd.exe (PID 5048)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe
  [2] C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe (PID 1864)
      cmdline: C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe

[1] C:\Windows\system32\cmd.exe (PID 5828)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe (PID 6128)
      cmdline: C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe .
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe (PID 4356)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\brnztpdpkbmmnordn.exe*."
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification

[1] C:\Windows\system32\cmd.exe (PID 5056)
    cmdline: C:\Windows\system32\cmd.exe /c kbylgdsfbtfgikobme.exe
  [2] C:\Windows\kbylgdsfbtfgikobme.exe (PID 4676)
      cmdline: kbylgdsfbtfgikobme.exe

[1] C:\Windows\system32\cmd.exe (PID 1404)
    cmdline: C:\Windows\system32\cmd.exe /c ibapmlcrpjxaeiodqkdc.exe .
  [2] C:\Windows\ibapmlcrpjxaeiodqkdc.exe (PID 2932)
      cmdline: ibapmlcrpjxaeiodqkdc.exe .
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe (PID 1616)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\ibapmlcrpjxaeiodqkdc.exe*."

[1] C:\Windows\system32\cmd.exe (PID 1524)
    cmdline: C:\Windows\system32\cmd.exe /c ibapmlcrpjxaeiodqkdc.exe
  [2] C:\Windows\ibapmlcrpjxaeiodqkdc.exe (PID 1464)
      cmdline: ibapmlcrpjxaeiodqkdc.exe

[1] C:\Windows\system32\cmd.exe (PID 4696)
    cmdline: C:\Windows\system32\cmd.exe /c ibapmlcrpjxaeiodqkdc.exe .
  [2] C:\Windows\ibapmlcrpjxaeiodqkdc.exe (PID 5252)
      cmdline: ibapmlcrpjxaeiodqkdc.exe .
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe (PID 2292)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\ibapmlcrpjxaeiodqkdc.exe*."

[1] C:\Windows\system32\cmd.exe (PID 864)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe
  [2] C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe (PID 5972)
      cmdline: C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe

[1] C:\Windows\system32\cmd.exe (PID 2236)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe (PID 4952)
      cmdline: C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe .
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe (PID 3324)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\kbylgdsfbtfgikobme.exe*."

[1] C:\Windows\system32\cmd.exe (PID 3772)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe
  [2] C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe (PID 2460)
      cmdline: C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe

[1] C:\Windows\system32\cmd.exe (PID 1472)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe (PID 5156)
      cmdline: C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe .
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe (PID 2792)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\ujepidqbvlvuuuwh.exe*."
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification

[1] C:\Windows\system32\cmd.exe (PID 4672)
    cmdline: C:\Windows\system32\cmd.exe /c ujepidqbvlvuuuwh.exe
  [2] C:\Windows\ujepidqbvlvuuuwh.exe (PID 5124)
      cmdline: ujepidqbvlvuuuwh.exe

[1] C:\Windows\system32\cmd.exe (PID 2304)
    cmdline: C:\Windows\system32\cmd.exe /c vnlzvtjxunacfinbngy.exe .
  [2] C:\Windows\vnlzvtjxunacfinbngy.exe (PID 6048)
      cmdline: vnlzvtjxunacfinbngy.exe .
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe (PID 1624)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\vnlzvtjxunacfinbngy.exe*."

[1] C:\Windows\system32\cmd.exe (PID 3768)
    cmdline: C:\Windows\system32\cmd.exe /c vnlzvtjxunacfinbngy.exe
  [2] C:\Windows\System32\Conhost.exe (PID 1488)
      cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Windows\vnlzvtjxunacfinbngy.exe (PID 5620)
      cmdline: vnlzvtjxunacfinbngy.exe

[1] C:\Windows\system32\cmd.exe (PID 5996)
    cmdline: C:\Windows\system32\cmd.exe /c kbylgdsfbtfgikobme.exe .
  [2] C:\Windows\kbylgdsfbtfgikobme.exe (PID 6008)
      cmdline: kbylgdsfbtfgikobme.exe .
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe (PID 5320)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\kbylgdsfbtfgikobme.exe*."

[1] C:\Windows\system32\cmd.exe (PID 3224)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe
  [2] C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe (PID 940)
      cmdline: C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe

[1] C:\Windows\system32\cmd.exe (PID 3384)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe (PID 6052)
      cmdline: C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe .
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe (PID 724)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\ibapmlcrpjxaeiodqkdc.exe*."
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe1⤵PID:4128
-
C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exeC:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe2⤵PID:708
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrrhffxnmhwafkrhvqkka.exe .1⤵PID:1244
-
C:\Users\Admin\AppData\Local\Temp\xrrhffxnmhwafkrhvqkka.exeC:\Users\Admin\AppData\Local\Temp\xrrhffxnmhwafkrhvqkka.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4816 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\xrrhffxnmhwafkrhvqkka.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1504
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brnztpdpkbmmnordn.exe1⤵PID:2088
-
C:\Windows\brnztpdpkbmmnordn.exebrnztpdpkbmmnordn.exe2⤵PID:5612
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ujepidqbvlvuuuwh.exe .1⤵PID:1092
-
C:\Windows\ujepidqbvlvuuuwh.exeujepidqbvlvuuuwh.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1272 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\ujepidqbvlvuuuwh.exe*."3⤵PID:5724
-
-
-
Process tree (continued). Indentation shows parent/child depth; each entry is [PID] command line (image: path of the executable that ran), with the signatures triggered by that process listed beneath it.

[PID 5468] C:\Windows\system32\cmd.exe /c ibapmlcrpjxaeiodqkdc.exe  (image: C:\Windows\system32\cmd.exe)
    [PID 5388] ibapmlcrpjxaeiodqkdc.exe  (image: C:\Windows\ibapmlcrpjxaeiodqkdc.exe)

[PID 4032] C:\Windows\system32\cmd.exe /c brnztpdpkbmmnordn.exe .  (image: C:\Windows\system32\cmd.exe)
    [PID 2512] brnztpdpkbmmnordn.exe .  (image: C:\Windows\brnztpdpkbmmnordn.exe)
      - System Location Discovery: System Language Discovery
        [PID 2052] "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\brnztpdpkbmmnordn.exe*."  (image: C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe)

[PID 1032] C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe  (image: C:\Windows\system32\cmd.exe)
    [PID 72] C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe  (image: C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe)

[PID 4456] C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe .  (image: C:\Windows\system32\cmd.exe)
    [PID 2220] C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe .  (image: C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe)
      - System Location Discovery: System Language Discovery
        [PID 3736] "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\vnlzvtjxunacfinbngy.exe*."  (image: C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe)

[PID 2244] C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrrhffxnmhwafkrhvqkka.exe  (image: C:\Windows\system32\cmd.exe)
    [PID 3716] C:\Users\Admin\AppData\Local\Temp\xrrhffxnmhwafkrhvqkka.exe  (image: C:\Users\Admin\AppData\Local\Temp\xrrhffxnmhwafkrhvqkka.exe)

[PID 5184] C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe .  (image: C:\Windows\system32\cmd.exe)
    [PID 1940] C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe .  (image: C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe)
      - System Location Discovery: System Language Discovery
        [PID 2368] "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\ujepidqbvlvuuuwh.exe*."  (image: C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe)
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in System32 directory
          - Drops file in Windows directory
          - System policy modification
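Sandbox reports like this one are often scraped with the image path, the command line, the depth marker (N⤵) and the PID fused onto a single line, with a PID displaced below the signature bullets and bare "-" lines left over from the nested list. The following Python is an added example, not part of the report or of any sandbox vendor's code: it parses that rendering back into a process tree, attaches signature bullets and late PID lines to the right process, and resolves parents by depth rather than by PID, because the sandbox reuses PIDs within one run (2512 is brnztpdpkbmmnordn.exe in one chain and cmd.exe in a later one). The sample text is constructed from lines of this tree; treating the depth as a single digit is my assumption, needed because a command line can itself end in a digit (`-ForceV1`).

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample in the scraped rendering: image path, command line, depth
# marker and PID fused on one line; a PID that lands on a later line when
# signature bullets intervene; bare "-" lines as nesting residue.
SAMPLE = r"""
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brnztpdpkbmmnordn.exe .1⤵PID:4032
-
C:\Windows\brnztpdpkbmmnordn.exebrnztpdpkbmmnordn.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2512 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\brnztpdpkbmmnordn.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
PID:2052
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe1⤵PID:6000
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1416
-
C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exeC:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe2⤵PID:4576
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe .1⤵PID:2512
"""


@dataclass
class Proc:
    image: str
    cmdline: str
    depth: int
    pid: Optional[int] = None
    parent: Optional[Proc] = field(default=None, repr=False)
    signatures: list[str] = field(default_factory=list)

    @property
    def parent_pid(self) -> Optional[int]:
        return self.parent.pid if self.parent else None


# The image is the shortest prefix ending in ".exe". The depth is matched as ONE
# digit (assumption: the tree never nests 10 levels deep) because a command line
# can itself end in a digit ("-ForceV1"), which a greedy \d+ would swallow.
PROC_RE = re.compile(
    r"^(?P<image>[A-Za-z]:\\.*?\.exe)(?P<cmd>.*?)(?P<depth>\d)⤵(?:PID:(?P<pid>\d+))?\s*$"
)
PID_RE = re.compile(r"^PID:(?P<pid>\d+)")


def parse_tree(text: str) -> list[Proc]:
    """Rebuild the process tree; parents are resolved by depth, never by PID."""
    procs: list[Proc] = []
    stack: list[Proc] = []  # most recent process at each depth (index = depth - 1)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":
            continue
        m = PROC_RE.match(line)
        if m:
            p = Proc(m["image"], m["cmd"].strip(), int(m["depth"]),
                     int(m["pid"]) if m["pid"] else None)
            del stack[p.depth - 1:]          # drop same-depth and deeper entries
            p.parent = stack[-1] if stack else None
            stack.append(p)
            procs.append(p)
        elif (m := PID_RE.match(line)) and procs and procs[-1].pid is None:
            procs[-1].pid = int(m["pid"])    # PID line displaced below the bullets
        elif line.startswith("- ") and procs:
            procs[-1].signatures.append(line[2:])
    return procs


def reused_pids(procs: list[Proc]) -> set[int]:
    """PIDs naming more than one process in the run; keying by PID would merge them."""
    seen: dict[int, int] = {}
    for p in procs:
        if p.pid is not None:
            seen[p.pid] = seen.get(p.pid, 0) + 1
    return {pid for pid, n in seen.items() if n > 1}


def render(procs: list[Proc]) -> str:
    """Indented text form of the tree, one process per line, bullets beneath."""
    lines = []
    for p in procs:
        pad = "    " * (p.depth - 1)
        lines.append(f"{pad}[PID {p.pid}] {p.cmdline}  (image: {p.image})")
        lines.extend(f"{pad}  - {s}" for s in p.signatures)
    return "\n".join(lines)


if __name__ == "__main__":
    tree = parse_tree(SAMPLE)
    print(render(tree))
    print("reused PIDs:", sorted(reused_pids(tree)))
```

Feeding the whole report through `parse_tree` gives one record per process with its parent, so the chains can be grouped by the target of the `*.` argument instead of read by eye; `reused_pids` is the check to run before joining any of these records to other telemetry by PID.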
[PID 2252] C:\Windows\system32\cmd.exe /c ibapmlcrpjxaeiodqkdc.exe  (image: C:\Windows\system32\cmd.exe)
    [PID 5720] ibapmlcrpjxaeiodqkdc.exe  (image: C:\Windows\ibapmlcrpjxaeiodqkdc.exe)

[PID 5736] C:\Windows\system32\cmd.exe /c ujepidqbvlvuuuwh.exe .  (image: C:\Windows\system32\cmd.exe)
    [PID 3392] ujepidqbvlvuuuwh.exe .  (image: C:\Windows\ujepidqbvlvuuuwh.exe)
      - System Location Discovery: System Language Discovery
        [PID 4740] "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\ujepidqbvlvuuuwh.exe*."  (image: C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe)

[PID 4904] C:\Windows\system32\cmd.exe /c brnztpdpkbmmnordn.exe  (image: C:\Windows\system32\cmd.exe)
    [PID 2272] brnztpdpkbmmnordn.exe  (image: C:\Windows\brnztpdpkbmmnordn.exe)

[PID 5628] C:\Windows\system32\cmd.exe /c ujepidqbvlvuuuwh.exe .  (image: C:\Windows\system32\cmd.exe)
    [PID 4332] ujepidqbvlvuuuwh.exe .  (image: C:\Windows\ujepidqbvlvuuuwh.exe)
      - System Location Discovery: System Language Discovery
        [PID 4360] "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\ujepidqbvlvuuuwh.exe*."  (image: C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe)

[PID 5952] C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe  (image: C:\Windows\system32\cmd.exe)
    [PID 5248] C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe  (image: C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe)

[PID 2864] C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe .  (image: C:\Windows\system32\cmd.exe)
    [PID 4876] C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe .  (image: C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe)
      - System Location Discovery: System Language Discovery
        [PID 4968] "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\brnztpdpkbmmnordn.exe*."  (image: C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe)

[PID 1124] C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe  (image: C:\Windows\system32\cmd.exe)
    [PID 2364] C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe  (image: C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe)

[PID 2236] C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrrhffxnmhwafkrhvqkka.exe .  (image: C:\Windows\system32\cmd.exe)
    [PID 4928] C:\Users\Admin\AppData\Local\Temp\xrrhffxnmhwafkrhvqkka.exe .  (image: C:\Users\Admin\AppData\Local\Temp\xrrhffxnmhwafkrhvqkka.exe)
      - System Location Discovery: System Language Discovery
        [PID 3508] "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\xrrhffxnmhwafkrhvqkka.exe*."  (image: C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe)
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in System32 directory
          - Drops file in Windows directory
          - System policy modification

[PID 5156] C:\Windows\system32\cmd.exe /c brnztpdpkbmmnordn.exe  (image: C:\Windows\system32\cmd.exe)
    [PID 5004] brnztpdpkbmmnordn.exe  (image: C:\Windows\brnztpdpkbmmnordn.exe)

[PID 676] C:\Windows\system32\cmd.exe /c brnztpdpkbmmnordn.exe .  (image: C:\Windows\system32\cmd.exe)
    [PID 5560] brnztpdpkbmmnordn.exe .  (image: C:\Windows\brnztpdpkbmmnordn.exe)
      - System Location Discovery: System Language Discovery
        [PID 132] "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\brnztpdpkbmmnordn.exe*."  (image: C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe)

[PID 2096] C:\Windows\system32\cmd.exe /c kbylgdsfbtfgikobme.exe  (image: C:\Windows\system32\cmd.exe)
    [PID 4492] kbylgdsfbtfgikobme.exe  (image: C:\Windows\kbylgdsfbtfgikobme.exe)

[PID 5968] C:\Windows\system32\cmd.exe /c vnlzvtjxunacfinbngy.exe .  (image: C:\Windows\system32\cmd.exe)
    [PID 5152] vnlzvtjxunacfinbngy.exe .  (image: C:\Windows\vnlzvtjxunacfinbngy.exe)
      - System Location Discovery: System Language Discovery
        [PID 5392] "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\vnlzvtjxunacfinbngy.exe*."  (image: C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe)

[PID 3148] C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrrhffxnmhwafkrhvqkka.exe  (image: C:\Windows\system32\cmd.exe)
    [PID 1584] C:\Users\Admin\AppData\Local\Temp\xrrhffxnmhwafkrhvqkka.exe  (image: C:\Users\Admin\AppData\Local\Temp\xrrhffxnmhwafkrhvqkka.exe)

[PID 3928] C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe .  (image: C:\Windows\system32\cmd.exe)
    [PID 1236] C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe .  (image: C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe)
      - System Location Discovery: System Language Discovery
        [PID 4292] "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\brnztpdpkbmmnordn.exe*."  (image: C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe)

[PID 756] C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe  (image: C:\Windows\system32\cmd.exe)
    [PID 2296] C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe  (image: C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe)

[PID 1900] C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe .  (image: C:\Windows\system32\cmd.exe)
    [PID 4684] C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe .  (image: C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe)
      - System Location Discovery: System Language Discovery
        [PID 1736] "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\kbylgdsfbtfgikobme.exe*."  (image: C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe)
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in System32 directory
          - Drops file in Windows directory
          - System policy modification

[PID 4816] C:\Windows\system32\cmd.exe /c vnlzvtjxunacfinbngy.exe  (image: C:\Windows\system32\cmd.exe)
    [PID 5480] vnlzvtjxunacfinbngy.exe  (image: C:\Windows\vnlzvtjxunacfinbngy.exe)

[PID 3000] C:\Windows\system32\cmd.exe /c ibapmlcrpjxaeiodqkdc.exe .  (image: C:\Windows\system32\cmd.exe)
    [PID 4600] ibapmlcrpjxaeiodqkdc.exe .  (image: C:\Windows\ibapmlcrpjxaeiodqkdc.exe)
      - System Location Discovery: System Language Discovery
        [PID 5436] "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\ibapmlcrpjxaeiodqkdc.exe*."  (image: C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe)

[PID 4216] C:\Windows\system32\cmd.exe /c vnlzvtjxunacfinbngy.exe  (image: C:\Windows\system32\cmd.exe)
    [PID 1888] vnlzvtjxunacfinbngy.exe  (image: C:\Windows\vnlzvtjxunacfinbngy.exe)

[PID 3452] C:\Windows\system32\cmd.exe /c kbylgdsfbtfgikobme.exe .  (image: C:\Windows\system32\cmd.exe)
    [PID 3300] kbylgdsfbtfgikobme.exe .  (image: C:\Windows\kbylgdsfbtfgikobme.exe)
      - System Location Discovery: System Language Discovery
        [PID 3948] "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\kbylgdsfbtfgikobme.exe*."  (image: C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe)

[PID 6000] C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe  (image: C:\Windows\system32\cmd.exe)
    [PID 1416] \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  (image: C:\Windows\System32\Conhost.exe)
    [PID 4576] C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe  (image: C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe)

[PID 2512] C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe .  (image: C:\Windows\system32\cmd.exe)
    [PID 4032] C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe .  (image: C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe)
      - System Location Discovery: System Language Discovery
        [PID 1032] "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\ujepidqbvlvuuuwh.exe*."  (image: C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe)

[PID 5928] C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrrhffxnmhwafkrhvqkka.exe  (image: C:\Windows\system32\cmd.exe)
    [PID 2800] C:\Users\Admin\AppData\Local\Temp\xrrhffxnmhwafkrhvqkka.exe  (image: C:\Users\Admin\AppData\Local\Temp\xrrhffxnmhwafkrhvqkka.exe)

[PID 1012] C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe .  (image: C:\Windows\system32\cmd.exe)
    [PID 5432] C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe .  (image: C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe)
      - System Location Discovery: System Language Discovery
        [PID 3888] "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\brnztpdpkbmmnordn.exe*."  (image: C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe)
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in System32 directory
          - Drops file in Windows directory
          - System policy modification
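Every chain in this tree follows one shape: cmd.exe /c starts a copy of a randomly named executable that lives directly in C:\Windows or in the user's Temp directory; when that copy is started with a trailing "." argument it runs sxrmhekochb.exe with a quoted "<path>.exe*." argument; and sxrmhekochb.exe is the process that carries the Winlogon, Run-key, UAC and policy signatures. The Python below is an added example, not from the report or from the sandbox vendor, that turns that shape into detection rules over Sysmon Event ID 1-style process-creation events. The events are constructed from PIDs and command lines in this tree plus two benign controls; the Temp path assumes the sandbox's Admin profile, and the ten-letter all-lowercase name threshold is a heuristic of mine (the shortest such name here, sxrmhekochb, has eleven letters).

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events (Sysmon Event ID 1 reduced to the fields the
# rules need). PIDs and command lines copy entries from this tree; 9001/9002 are
# benign controls. The Temp path assumes the sandbox's "Admin" profile.
EVENTS = [
    {"pid": 4032, "ppid": 1, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c brnztpdpkbmmnordn.exe ."},
    {"pid": 2512, "ppid": 4032, "image": r"C:\Windows\brnztpdpkbmmnordn.exe",
     "cmdline": r"brnztpdpkbmmnordn.exe ."},
    {"pid": 2052, "ppid": 2512, "image": r"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\brnztpdpkbmmnordn.exe*."'},
    {"pid": 1032, "ppid": 1, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe"},
    {"pid": 72, "ppid": 1032, "image": r"C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe"},
    {"pid": 6000, "ppid": 1, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe"},
    {"pid": 4576, "ppid": 6000, "image": r"C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe"},
    {"pid": 9001, "ppid": 1, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c ipconfig /all"},
    {"pid": 9002, "ppid": 9001, "image": r"C:\Windows\System32\ipconfig.exe",
     "cmdline": r"ipconfig /all"},
]

WINDOWS_ROOT = PureWindowsPath(r"C:\Windows")
USER_TEMP = PureWindowsPath(r"C:\Users\Admin\AppData\Local\Temp")  # assumption: sandbox profile
RANDOM_NAME = re.compile(r"^[a-z]{10,}\.exe$")        # heuristic threshold (see lead-in)
WILDCARD_TARGET = re.compile(r'"[^"]*\.exe\*\."\s*$')  # quoted <path>.exe*. as last argument


def random_exe_in_loose_dir(ev: dict) -> bool:
    """Long all-lowercase name executing directly under the Windows root or in Temp."""
    p = PureWindowsPath(ev["image"])  # PureWindowsPath compares case-insensitively
    return bool(RANDOM_NAME.match(p.name)) and p.parent in (WINDOWS_ROOT, USER_TEMP)


def launched_by_cmd_c(ev: dict, by_pid: dict) -> bool:
    """Parent is cmd.exe used as a one-shot launcher (/c)."""
    parent = by_pid.get(ev["ppid"])
    return (parent is not None
            and PureWindowsPath(parent["image"]).name.lower() == "cmd.exe"
            and " /c " in parent["cmdline"].lower())


def wildcard_dot_argument(ev: dict) -> bool:
    """The quoted <path>.exe*. argument sxrmhekochb.exe is invoked with."""
    return WILDCARD_TARGET.search(ev["cmdline"]) is not None


def detect(events: list) -> list:
    """Return (rule, pid) hits in event order; one event can trigger two rules."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for ev in events:
        if random_exe_in_loose_dir(ev):
            rule = ("cmd_c_launch_of_random_exe" if launched_by_cmd_c(ev, by_pid)
                    else "random_exe_in_loose_dir")
            hits.append((rule, ev["pid"]))
        if wildcard_dot_argument(ev):
            hits.append(("wildcard_dot_target_argument", ev["pid"]))
    return hits


def names_in_multiple_dirs(events: list) -> set:
    """Same basename executing from more than one directory: the copy-and-relaunch loop."""
    dirs: dict = {}
    for ev in events:
        p = PureWindowsPath(ev["image"])
        dirs.setdefault(p.name.lower(), set()).add(str(p.parent).lower())
    return {name for name, d in dirs.items() if len(d) > 1}


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:32} pid={pid}")
    print("copied between directories:", sorted(names_in_multiple_dirs(EVENTS)))
```

The parent check is deliberately done on the event's own ppid rather than on a name match alone, and the benign `cmd.exe /c ipconfig /all` pair stays silent because ipconfig.exe lives in System32, not in the Windows root; on a host where process telemetry is keyed by PID, the same reuse seen in this tree applies, so the `by_pid` map should be built per time window rather than for the whole day.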
[PID 1864] C:\Windows\system32\cmd.exe /c ujepidqbvlvuuuwh.exe  (image: C:\Windows\system32\cmd.exe)
    [PID 5556] ujepidqbvlvuuuwh.exe  (image: C:\Windows\ujepidqbvlvuuuwh.exe)

[PID 2712] C:\Windows\system32\cmd.exe /c xrrhffxnmhwafkrhvqkka.exe  (image: C:\Windows\system32\cmd.exe)
    [PID 1520] xrrhffxnmhwafkrhvqkka.exe  (image: C:\Windows\xrrhffxnmhwafkrhvqkka.exe)

[PID 5760] C:\Windows\system32\cmd.exe /c vnlzvtjxunacfinbngy.exe  (image: C:\Windows\system32\cmd.exe)
    [PID 3560] vnlzvtjxunacfinbngy.exe  (image: C:\Windows\vnlzvtjxunacfinbngy.exe)

[PID 2832] C:\Windows\system32\cmd.exe /c brnztpdpkbmmnordn.exe .  (image: C:\Windows\system32\cmd.exe)
    [PID 2780] brnztpdpkbmmnordn.exe .  (image: C:\Windows\brnztpdpkbmmnordn.exe)
        [PID 5960] "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\brnztpdpkbmmnordn.exe*."  (image: C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe)

[PID 4732] C:\Windows\system32\cmd.exe /c ujepidqbvlvuuuwh.exe .  (image: C:\Windows\system32\cmd.exe)
    [PID 1152] ujepidqbvlvuuuwh.exe .  (image: C:\Windows\ujepidqbvlvuuuwh.exe)
      - System Location Discovery: System Language Discovery
        [PID 1936] "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\ujepidqbvlvuuuwh.exe*."  (image: C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe)

[PID 3144] C:\Windows\system32\cmd.exe /c brnztpdpkbmmnordn.exe .  (image: C:\Windows\system32\cmd.exe)
    [PID 1636] brnztpdpkbmmnordn.exe .  (image: C:\Windows\brnztpdpkbmmnordn.exe)
      - System Location Discovery: System Language Discovery
        [PID 4696] "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\brnztpdpkbmmnordn.exe*."  (image: C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe)

[PID 5368] C:\Windows\system32\cmd.exe /c ibapmlcrpjxaeiodqkdc.exe  (image: C:\Windows\system32\cmd.exe)
    [PID 5972] ibapmlcrpjxaeiodqkdc.exe  (image: C:\Windows\ibapmlcrpjxaeiodqkdc.exe)

[PID 5396] C:\Windows\system32\cmd.exe /c vnlzvtjxunacfinbngy.exe  (image: C:\Windows\system32\cmd.exe)
    [PID 5052] vnlzvtjxunacfinbngy.exe  (image: C:\Windows\vnlzvtjxunacfinbngy.exe)

[PID 648] C:\Windows\system32\cmd.exe /c vnlzvtjxunacfinbngy.exe .  (image: C:\Windows\system32\cmd.exe)
    [PID 5244] vnlzvtjxunacfinbngy.exe .  (image: C:\Windows\vnlzvtjxunacfinbngy.exe)
        [PID 4516] "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\vnlzvtjxunacfinbngy.exe*."  (image: C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe)

[PID 2292] C:\Windows\system32\cmd.exe /c kbylgdsfbtfgikobme.exe .  (image: C:\Windows\system32\cmd.exe)
    [PID 1492] kbylgdsfbtfgikobme.exe .  (image: C:\Windows\kbylgdsfbtfgikobme.exe)
        [PID 6048] "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\kbylgdsfbtfgikobme.exe*."  (image: C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe)

[PID 4780] C:\Windows\system32\cmd.exe /c xrrhffxnmhwafkrhvqkka.exe  (image: C:\Windows\system32\cmd.exe)
    [PID 5156] xrrhffxnmhwafkrhvqkka.exe  (image: C:\Windows\xrrhffxnmhwafkrhvqkka.exe)

[PID 4928] C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe  (image: C:\Windows\system32\cmd.exe)
    [PID 2328] C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe  (image: C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe)

[PID 3860] C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe  (image: C:\Windows\system32\cmd.exe)
    [PID 2032] C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe  (image: C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe)

[PID 5708] C:\Windows\system32\cmd.exe /c kbylgdsfbtfgikobme.exe .  (image: C:\Windows\system32\cmd.exe)
    [PID 3024] kbylgdsfbtfgikobme.exe .  (image: C:\Windows\kbylgdsfbtfgikobme.exe)
        [PID 4292] "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\kbylgdsfbtfgikobme.exe*."  (image: C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe)

[PID 4396] C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe .  (image: C:\Windows\system32\cmd.exe)
    [PID 4992] C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe .  (image: C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe)
        [PID 1240] "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\ujepidqbvlvuuuwh.exe*."  (image: C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe)

[PID 3488] C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe .  (image: C:\Windows\system32\cmd.exe)
    [PID 5364] C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe .  (image: C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe)
        [PID 4804] "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\ujepidqbvlvuuuwh.exe*."  (image: C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe)

[PID 5124] C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe  (image: C:\Windows\system32\cmd.exe)
    [PID 3732] C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe  (image: C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe)

[PID 3400] C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe .  (image: C:\Windows\system32\cmd.exe)
    [PID 1096] C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe .  (image: C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe)
        [PID 3992] "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\kbylgdsfbtfgikobme.exe*."  (image: C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe)

[PID 2528] C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrrhffxnmhwafkrhvqkka.exe  (image: C:\Windows\system32\cmd.exe)
    [PID 1128] C:\Users\Admin\AppData\Local\Temp\xrrhffxnmhwafkrhvqkka.exe  (image: C:\Users\Admin\AppData\Local\Temp\xrrhffxnmhwafkrhvqkka.exe)

[PID 3768] C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe  (image: C:\Windows\system32\cmd.exe)
    [PID 4648] C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe  (image: C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe)

[PID 2112] C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe .  (image: C:\Windows\system32\cmd.exe)
    [PID 5416] C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe .  (image: C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe)
        [PID 5292] "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\ujepidqbvlvuuuwh.exe*."  (image: C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe)

[PID 756] C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe .  (image: C:\Windows\system32\cmd.exe)
    [PID 2144] C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe .  (image: C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe)
        [PID 5312] "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\vnlzvtjxunacfinbngy.exe*."  (image: C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe)

[PID 3580] C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe  (image: C:\Windows\system32\cmd.exe)
    [PID 4440] C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe  (image: C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe)

[PID 2348] C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe .  (image: C:\Windows\system32\cmd.exe)
    [PID 4452] C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe .  (image: C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe)
        [PID 5204] "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\brnztpdpkbmmnordn.exe*."  (image: C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe)

[PID 4304] C:\Windows\system32\cmd.exe /c brnztpdpkbmmnordn.exe  (image: C:\Windows\system32\cmd.exe)
    [PID 6056] brnztpdpkbmmnordn.exe  (image: C:\Windows\brnztpdpkbmmnordn.exe)

[PID 2268] C:\Windows\system32\cmd.exe /c kbylgdsfbtfgikobme.exe .  (image: C:\Windows\system32\cmd.exe)
    [PID 1752] kbylgdsfbtfgikobme.exe .  (image: C:\Windows\kbylgdsfbtfgikobme.exe)
        [PID 1764] "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\kbylgdsfbtfgikobme.exe*."  (image: C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe)

[PID 1872] C:\Windows\system32\cmd.exe /c xrrhffxnmhwafkrhvqkka.exe  (image: C:\Windows\system32\cmd.exe)
    [PID 5540] xrrhffxnmhwafkrhvqkka.exe  (image: C:\Windows\xrrhffxnmhwafkrhvqkka.exe)

[PID 5108] C:\Windows\system32\cmd.exe /c kbylgdsfbtfgikobme.exe .  (image: C:\Windows\system32\cmd.exe)
    [PID 2488] kbylgdsfbtfgikobme.exe .  (image: C:\Windows\kbylgdsfbtfgikobme.exe)
        [PID 5712] "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\kbylgdsfbtfgikobme.exe*."  (image: C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe)

[PID 5408] C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe  (image: C:\Windows\system32\cmd.exe)
    [PID 3716] C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe  (image: C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe)

[PID 3020] C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe .  (image: C:\Windows\system32\cmd.exe)
    [PID 3100] C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe .  (image: C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe)
        [PID 5328] "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\ibapmlcrpjxaeiodqkdc.exe*."  (image: C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe)

[PID 332] C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe  (image: C:\Windows\system32\cmd.exe)
    [PID 5672] C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe  (image: C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe)

[PID 2848] C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe .  (image: C:\Windows\system32\cmd.exe)
    [PID 2936] C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe .  (image: C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe)
        [PID 4428] "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\ibapmlcrpjxaeiodqkdc.exe*."  (image: C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe)

[PID 2420] C:\Windows\system32\cmd.exe /c vnlzvtjxunacfinbngy.exe  (image: C:\Windows\system32\cmd.exe)
    [PID 4552] vnlzvtjxunacfinbngy.exe  (image: C:\Windows\vnlzvtjxunacfinbngy.exe)

[PID 2580] C:\Windows\system32\cmd.exe /c ujepidqbvlvuuuwh.exe .  (image: C:\Windows\system32\cmd.exe)
    [PID 464] ujepidqbvlvuuuwh.exe .  (image: C:\Windows\ujepidqbvlvuuuwh.exe)
        [PID 5036] "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\ujepidqbvlvuuuwh.exe*."  (image: C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe)

[PID 3664] C:\Windows\system32\cmd.exe /c ibapmlcrpjxaeiodqkdc.exe  (image: C:\Windows\system32\cmd.exe)
    [PID 2868] ibapmlcrpjxaeiodqkdc.exe  (image: C:\Windows\ibapmlcrpjxaeiodqkdc.exe)

[PID 4412] C:\Windows\system32\cmd.exe /c xrrhffxnmhwafkrhvqkka.exe .  (image: C:\Windows\system32\cmd.exe)
    [PID 2020] xrrhffxnmhwafkrhvqkka.exe .  (image: C:\Windows\xrrhffxnmhwafkrhvqkka.exe)
        [PID 4356] "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\xrrhffxnmhwafkrhvqkka.exe*."  (image: C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe)

[PID 4984] C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe  (image: C:\Windows\system32\cmd.exe)
    [PID 2196] C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe  (image: C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe)

[PID 1992] C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe .  (image: C:\Windows\system32\cmd.exe)
    [PID 2304] C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe .  (image: C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe)
        [PID 2984] "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\ibapmlcrpjxaeiodqkdc.exe*."  (image: C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe)

[PID 2460] C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe  (image: C:\Windows\system32\cmd.exe)
    [PID 4968] C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe  (image: C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe)

[PID 4568] C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe .  (image: C:\Windows\system32\cmd.exe)
    [PID 3732] C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe .  (image: C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe)
        [PID 4672] "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\ibapmlcrpjxaeiodqkdc.exe*."  (image: C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe)
[PID 1944] C:\Windows\system32\cmd.exe /c ibapmlcrpjxaeiodqkdc.exe  (image: C:\Windows\system32\cmd.exe)
    [PID 1172] ibapmlcrpjxaeiodqkdc.exe  (image: C:\Windows\ibapmlcrpjxaeiodqkdc.exe)

[PID 6052] C:\Windows\system32\cmd.exe /c brnztpdpkbmmnordn.exe .  (image: C:\Windows\system32\cmd.exe)
    [PID 5180] brnztpdpkbmmnordn.exe .  (image: C:\Windows\brnztpdpkbmmnordn.exe)
        [PID 4980] "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\brnztpdpkbmmnordn.exe*."  (image: C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe)

[PID 2212] C:\Windows\system32\cmd.exe /c ibapmlcrpjxaeiodqkdc.exe  (image: C:\Windows\system32\cmd.exe)
    [PID 1440] ibapmlcrpjxaeiodqkdc.exe  (image: C:\Windows\ibapmlcrpjxaeiodqkdc.exe)

[PID 4924] C:\Windows\system32\cmd.exe /c vnlzvtjxunacfinbngy.exe .  (image: C:\Windows\system32\cmd.exe)
    [PID 4816] vnlzvtjxunacfinbngy.exe .  (image: C:\Windows\vnlzvtjxunacfinbngy.exe)
        [PID 2324] "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\vnlzvtjxunacfinbngy.exe*."  (image: C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe)

[PID 5336] C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe  (image: C:\Windows\system32\cmd.exe)
    [PID 4992] C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe  (image: C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe)

[PID 2176] C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe .  (image: C:\Windows\system32\cmd.exe)
    [PID 3488] C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe .  (image: C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe)
        [PID 5844] "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\ibapmlcrpjxaeiodqkdc.exe*."  (image: C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe)

[PID 3996] C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe  (image: C:\Windows\system32\cmd.exe)
    [PID 1272] C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe  (image: C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe)

[PID 1320] C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe .  (image: C:\Windows\system32\cmd.exe)
    [PID 3012] C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe .  (image: C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe)
        [PID 5920] "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\ibapmlcrpjxaeiodqkdc.exe*."  (image: C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe)

[PID 4604] C:\Windows\system32\cmd.exe /c vnlzvtjxunacfinbngy.exe  (image: C:\Windows\system32\cmd.exe)
    [PID 2996] vnlzvtjxunacfinbngy.exe  (image: C:\Windows\vnlzvtjxunacfinbngy.exe)

[PID 2276] C:\Windows\system32\cmd.exe /c kbylgdsfbtfgikobme.exe .  (image: C:\Windows\system32\cmd.exe)
    [PID 1304] kbylgdsfbtfgikobme.exe .  (image: C:\Windows\kbylgdsfbtfgikobme.exe)
        [PID 2220] "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\kbylgdsfbtfgikobme.exe*."  (image: C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe)

[PID 5840] C:\Windows\system32\cmd.exe /c ibapmlcrpjxaeiodqkdc.exe  (image: C:\Windows\system32\cmd.exe)
    [PID 5712] ibapmlcrpjxaeiodqkdc.exe  (image: C:\Windows\ibapmlcrpjxaeiodqkdc.exe)

[PID 892] C:\Windows\system32\cmd.exe /c xrrhffxnmhwafkrhvqkka.exe .  (image: C:\Windows\system32\cmd.exe)
    [PID 2464] xrrhffxnmhwafkrhvqkka.exe .  (image: C:\Windows\xrrhffxnmhwafkrhvqkka.exe)
        [PID 1600] "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\xrrhffxnmhwafkrhvqkka.exe*."  (image: C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe)

[PID 1248] C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe  (image: C:\Windows\system32\cmd.exe)
    [PID 5556] C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe  (image: C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe)

[PID 1820] C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe .  (image: C:\Windows\system32\cmd.exe)
    [PID 5184] C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe .  (image: C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe)
        [PID 3560] "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\brnztpdpkbmmnordn.exe*."  (image: C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe)

[PID 6116] C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrrhffxnmhwafkrhvqkka.exe  (image: C:\Windows\system32\cmd.exe)
    [PID 5828] C:\Users\Admin\AppData\Local\Temp\xrrhffxnmhwafkrhvqkka.exe  (image: C:\Users\Admin\AppData\Local\Temp\xrrhffxnmhwafkrhvqkka.exe)

[PID 5716] C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe .  (image: C:\Windows\system32\cmd.exe)
    [PID 5884] C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe .  (image: C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe)
        [PID 1732] "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\ibapmlcrpjxaeiodqkdc.exe*."  (image: C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe)

[PID 4580] C:\Windows\system32\cmd.exe /c brnztpdpkbmmnordn.exe  (image: C:\Windows\system32\cmd.exe)
    [PID 4424] brnztpdpkbmmnordn.exe  (image: C:\Windows\brnztpdpkbmmnordn.exe)

[PID 4100] C:\Windows\system32\cmd.exe /c kbylgdsfbtfgikobme.exe .  (image: C:\Windows\system32\cmd.exe)
    [PID 912] kbylgdsfbtfgikobme.exe .  (image: C:\Windows\kbylgdsfbtfgikobme.exe)
        [PID 412] "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\kbylgdsfbtfgikobme.exe*."  (image: C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe)

[PID 3648] C:\Windows\system32\cmd.exe /c vnlzvtjxunacfinbngy.exe  (image: C:\Windows\system32\cmd.exe)
    [PID 4332] vnlzvtjxunacfinbngy.exe  (image: C:\Windows\vnlzvtjxunacfinbngy.exe)

[PID 2740] C:\Windows\system32\cmd.exe /c xrrhffxnmhwafkrhvqkka.exe .  (image: C:\Windows\system32\cmd.exe)
    [PID 4356] \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  (image: C:\Windows\System32\Conhost.exe)
    [PID 1880] xrrhffxnmhwafkrhvqkka.exe .  (image: C:\Windows\xrrhffxnmhwafkrhvqkka.exe)
        [PID 1492] "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\xrrhffxnmhwafkrhvqkka.exe*."  (image: C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe)

[PID 460] C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe  (image: C:\Windows\system32\cmd.exe)
    [PID 4916] C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe  (image: C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe)

[PID 1708] C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe .  (image: C:\Windows\system32\cmd.exe)
    [PID 2364] C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe .  (image: C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe)
        [PID 4512] "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\vnlzvtjxunacfinbngy.exe*."  (image: C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe)

[PID 5948] C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe  (image: C:\Windows\system32\cmd.exe)
    [PID 3732] C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe  (image: C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe)

[PID 3324] C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe .  (image: C:\Windows\system32\cmd.exe)
    [PID 1528] C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe .  (image: C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe)
        [PID 4292] "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\vnlzvtjxunacfinbngy.exe*."  (image: C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe)

[PID 5152] C:\Windows\system32\cmd.exe /c xrrhffxnmhwafkrhvqkka.exe  (image: C:\Windows\system32\cmd.exe)
    [PID 4980] xrrhffxnmhwafkrhvqkka.exe  (image: C:\Windows\xrrhffxnmhwafkrhvqkka.exe)

[PID 5476] C:\Windows\system32\cmd.exe /c ujepidqbvlvuuuwh.exe .  (image: C:\Windows\system32\cmd.exe)
    [PID 3728] ujepidqbvlvuuuwh.exe .  (image: C:\Windows\ujepidqbvlvuuuwh.exe)
        [PID 1440] "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\ujepidqbvlvuuuwh.exe*."  (image: C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe)

[PID 5608] C:\Windows\system32\cmd.exe /c brnztpdpkbmmnordn.exe  (image: C:\Windows\system32\cmd.exe)
    [PID 1368] brnztpdpkbmmnordn.exe  (image: C:\Windows\brnztpdpkbmmnordn.exe)

[PID 3536] C:\Windows\system32\cmd.exe /c xrrhffxnmhwafkrhvqkka.exe .  (image: C:\Windows\system32\cmd.exe)
    [PID 1316] xrrhffxnmhwafkrhvqkka.exe .  (image: C:\Windows\xrrhffxnmhwafkrhvqkka.exe)
        [PID 4896] "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\xrrhffxnmhwafkrhvqkka.exe*."  (image: C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe)

[PID 5436] C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe  (image: C:\Windows\system32\cmd.exe)
    [PID 4924] C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe  (image: C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe)

[PID 3744] C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe .  (image: C:\Windows\system32\cmd.exe)
    [PID 5336] C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe .  (image: C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe)
        [PID 676] "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\kbylgdsfbtfgikobme.exe*."  (image: C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe)

[PID 4496] C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe  (image: C:\Windows\system32\cmd.exe)
    [PID 5364] C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe  (image: C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe)

[PID 5616] C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe .  (image: C:\Windows\system32\cmd.exe)
    [PID 4244] C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe .  (image: C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe)
        [PID 3364] "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\ibapmlcrpjxaeiodqkdc.exe*."  (image: C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe)

[PID 1232] C:\Windows\system32\cmd.exe /c ibapmlcrpjxaeiodqkdc.exe  (image: C:\Windows\system32\cmd.exe)
    [PID 2052] ibapmlcrpjxaeiodqkdc.exe  (image: C:\Windows\ibapmlcrpjxaeiodqkdc.exe)

[PID 2828] C:\Windows\system32\cmd.exe /c ujepidqbvlvuuuwh.exe .  (image: C:\Windows\system32\cmd.exe)
    [PID 1924] ujepidqbvlvuuuwh.exe .  (image: C:\Windows\ujepidqbvlvuuuwh.exe)
        [PID 6104] "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\ujepidqbvlvuuuwh.exe*."  (image: C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe)

[PID 2696] C:\Windows\system32\cmd.exe /c brnztpdpkbmmnordn.exe  (image: C:\Windows\system32\cmd.exe)
    [PID 5928] brnztpdpkbmmnordn.exe  (image: C:\Windows\brnztpdpkbmmnordn.exe)

[PID 5832] C:\Windows\system32\cmd.exe /c xrrhffxnmhwafkrhvqkka.exe .  (image: C:\Windows\system32\cmd.exe)
    [PID 5408] xrrhffxnmhwafkrhvqkka.exe .  (image: C:\Windows\xrrhffxnmhwafkrhvqkka.exe)
        [PID 1160] "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\xrrhffxnmhwafkrhvqkka.exe*."  (image: C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe)

[PID 3736] C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe  (image: C:\Windows\system32\cmd.exe)
    [PID 6040] C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe  (image: C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe)

[PID 1012] C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe .  (image: C:\Windows\system32\cmd.exe)
    [PID 332] C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe .  (image: C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe)
        [PID 6128] "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\kbylgdsfbtfgikobme.exe*."  (image: C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe)

[PID 5328] C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe  (image: C:\Windows\system32\cmd.exe)
    [PID 1820] \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  (image: C:\Windows\System32\Conhost.exe)
    [PID 5748] C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe  (image: C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe)

[PID 660] C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrrhffxnmhwafkrhvqkka.exe .  (image: C:\Windows\system32\cmd.exe)
    [PID 1644] C:\Users\Admin\AppData\Local\Temp\xrrhffxnmhwafkrhvqkka.exe .  (image: C:\Users\Admin\AppData\Local\Temp\xrrhffxnmhwafkrhvqkka.exe)
        [PID 5568] "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\xrrhffxnmhwafkrhvqkka.exe*."  (image: C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe)

[PID 2824] C:\Windows\system32\cmd.exe /c xrrhffxnmhwafkrhvqkka.exe  (image: C:\Windows\system32\cmd.exe)
    [PID 6100] xrrhffxnmhwafkrhvqkka.exe  (image: C:\Windows\xrrhffxnmhwafkrhvqkka.exe)

[PID 1288] C:\Windows\system32\cmd.exe /c brnztpdpkbmmnordn.exe .  (image: C:\Windows\system32\cmd.exe)
    [PID 5252] brnztpdpkbmmnordn.exe .  (image: C:\Windows\brnztpdpkbmmnordn.exe)
        [PID 5396] "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\brnztpdpkbmmnordn.exe*."  (image: C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe)

[PID 1512] C:\Windows\system32\cmd.exe /c brnztpdpkbmmnordn.exe  (image: C:\Windows\system32\cmd.exe)
    [PID 5368] brnztpdpkbmmnordn.exe  (image: C:\Windows\brnztpdpkbmmnordn.exe)

[PID 412] C:\Windows\system32\cmd.exe /c brnztpdpkbmmnordn.exe  (image: C:\Windows\system32\cmd.exe)
    [PID 4332] brnztpdpkbmmnordn.exe  (image: C:\Windows\brnztpdpkbmmnordn.exe)

[PID 4640] C:\Windows\system32\cmd.exe /c kbylgdsfbtfgikobme.exe  (image: C:\Windows\system32\cmd.exe)
    [PID 2236] kbylgdsfbtfgikobme.exe  (image: C:\Windows\kbylgdsfbtfgikobme.exe)

[PID 2492] C:\Windows\system32\cmd.exe /c kbylgdsfbtfgikobme.exe .  (image: C:\Windows\system32\cmd.exe)
    [PID 4872] kbylgdsfbtfgikobme.exe .  (image: C:\Windows\kbylgdsfbtfgikobme.exe)
        [PID 4408] "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\kbylgdsfbtfgikobme.exe*."  (image: C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe)

[PID 4620] C:\Windows\system32\cmd.exe /c xrrhffxnmhwafkrhvqkka.exe .  (image: C:\Windows\system32\cmd.exe)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5932
-
-
C:\Windows\xrrhffxnmhwafkrhvqkka.exexrrhffxnmhwafkrhvqkka.exe .2⤵PID:1992
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\xrrhffxnmhwafkrhvqkka.exe*."3⤵PID:5152
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xrrhffxnmhwafkrhvqkka.exe .1⤵PID:2460
-
C:\Windows\xrrhffxnmhwafkrhvqkka.exexrrhffxnmhwafkrhvqkka.exe .2⤵PID:2780
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\xrrhffxnmhwafkrhvqkka.exe*."3⤵PID:6044
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe1⤵PID:2272
-
C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exeC:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe2⤵PID:1172
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ibapmlcrpjxaeiodqkdc.exe1⤵PID:132
-
C:\Windows\ibapmlcrpjxaeiodqkdc.exeibapmlcrpjxaeiodqkdc.exe2⤵PID:2168
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe .1⤵PID:3720
-
C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exeC:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe .2⤵PID:788
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\ibapmlcrpjxaeiodqkdc.exe*."3⤵PID:5812
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vnlzvtjxunacfinbngy.exe .1⤵PID:1236
-
C:\Windows\vnlzvtjxunacfinbngy.exevnlzvtjxunacfinbngy.exe .2⤵PID:4440
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\vnlzvtjxunacfinbngy.exe*."3⤵PID:3996
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ujepidqbvlvuuuwh.exe1⤵PID:3708
-
C:\Windows\ujepidqbvlvuuuwh.exeujepidqbvlvuuuwh.exe2⤵PID:4600
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe1⤵PID:2892
-
C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exeC:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe2⤵PID:3152
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vnlzvtjxunacfinbngy.exe .1⤵PID:3992
-
C:\Windows\vnlzvtjxunacfinbngy.exevnlzvtjxunacfinbngy.exe .2⤵PID:3908
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\vnlzvtjxunacfinbngy.exe*."3⤵PID:1924
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe .1⤵PID:3540
-
C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exeC:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe .2⤵PID:5116
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\kbylgdsfbtfgikobme.exe*."3⤵PID:2412
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe1⤵PID:3564
-
C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exeC:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe2⤵PID:3440
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe1⤵PID:2480
-
C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exeC:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe2⤵PID:4672
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe .1⤵PID:4752
-
C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exeC:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe .2⤵PID:5124
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\ibapmlcrpjxaeiodqkdc.exe*."3⤵PID:1044
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe .1⤵PID:3916
-
C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exeC:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe .2⤵PID:1388
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\vnlzvtjxunacfinbngy.exe*."3⤵PID:2220
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe1⤵PID:2296
-
C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exeC:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe2⤵PID:1232
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe .1⤵PID:2432
-
C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exeC:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe .2⤵PID:5808
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\brnztpdpkbmmnordn.exe*."3⤵PID:5428
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe1⤵PID:396
-
C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exeC:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe2⤵PID:2696
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe .1⤵PID:5088
-
C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exeC:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe .2⤵PID:2268
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\vnlzvtjxunacfinbngy.exe*."3⤵PID:1160
-
-
-

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xrrhffxnmhwafkrhvqkka.exe | PID 6064
  C:\Windows\xrrhffxnmhwafkrhvqkka.exe | xrrhffxnmhwafkrhvqkka.exe | PID 3736

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c kbylgdsfbtfgikobme.exe . | PID 2232
  C:\Windows\kbylgdsfbtfgikobme.exe | kbylgdsfbtfgikobme.exe . | PID 5496
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\kbylgdsfbtfgikobme.exe*." | PID 3344

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c brnztpdpkbmmnordn.exe | PID 5720
  C:\Windows\brnztpdpkbmmnordn.exe | brnztpdpkbmmnordn.exe | PID 2932

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c brnztpdpkbmmnordn.exe . | PID 6036
  C:\Windows\brnztpdpkbmmnordn.exe | brnztpdpkbmmnordn.exe . | PID 6116
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\brnztpdpkbmmnordn.exe*." | PID 836

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe | PID 5744
  C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe | C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe | PID 5032

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrrhffxnmhwafkrhvqkka.exe . | PID 2420
  C:\Users\Admin\AppData\Local\Temp\xrrhffxnmhwafkrhvqkka.exe | C:\Users\Admin\AppData\Local\Temp\xrrhffxnmhwafkrhvqkka.exe . | PID 2656
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\xrrhffxnmhwafkrhvqkka.exe*." | PID 4380

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe | PID 4100
  C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe | C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe | PID 5252

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe . | PID 4360
  C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe | C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe . | PID 2264
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\brnztpdpkbmmnordn.exe*." | PID 1288

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c kbylgdsfbtfgikobme.exe | PID 4640
  C:\Windows\kbylgdsfbtfgikobme.exe | kbylgdsfbtfgikobme.exe | PID 4872

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c brnztpdpkbmmnordn.exe . | PID 2004
  C:\Windows\brnztpdpkbmmnordn.exe | brnztpdpkbmmnordn.exe . | PID 6016
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\brnztpdpkbmmnordn.exe*." | PID 1808

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vnlzvtjxunacfinbngy.exe | PID 2988
  C:\Windows\vnlzvtjxunacfinbngy.exe | vnlzvtjxunacfinbngy.exe | PID 5608

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c kbylgdsfbtfgikobme.exe . | PID 4352
  C:\Windows\kbylgdsfbtfgikobme.exe | kbylgdsfbtfgikobme.exe . | PID 5180
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\kbylgdsfbtfgikobme.exe*." | PID 4644

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe | PID 6048
  C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe | C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe | PID 1672

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe . | PID 3680
  C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe | C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe . | PID 4976
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\brnztpdpkbmmnordn.exe*." | PID 2080

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrrhffxnmhwafkrhvqkka.exe | PID 5996
  C:\Users\Admin\AppData\Local\Temp\xrrhffxnmhwafkrhvqkka.exe | C:\Users\Admin\AppData\Local\Temp\xrrhffxnmhwafkrhvqkka.exe | PID 4672

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe . | PID 4740
  C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe | C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe . | PID 4504
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\ujepidqbvlvuuuwh.exe*." | PID 1472

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vnlzvtjxunacfinbngy.exe | PID 4628
  C:\Windows\vnlzvtjxunacfinbngy.exe | vnlzvtjxunacfinbngy.exe | PID 5388

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ujepidqbvlvuuuwh.exe . | PID 4816
  C:\Windows\ujepidqbvlvuuuwh.exe | ujepidqbvlvuuuwh.exe . | PID 248
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\ujepidqbvlvuuuwh.exe*." | PID 5784

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xrrhffxnmhwafkrhvqkka.exe | PID 2348
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 2220
  C:\Windows\xrrhffxnmhwafkrhvqkka.exe | xrrhffxnmhwafkrhvqkka.exe | PID 3012

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c brnztpdpkbmmnordn.exe . | PID 3148
  C:\Windows\brnztpdpkbmmnordn.exe | brnztpdpkbmmnordn.exe . | PID 916
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\brnztpdpkbmmnordn.exe*." | PID 4116

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe | PID 4648
  C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe | C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe | PID 3916

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe . | PID 4896
  C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe | C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe . | PID 2464
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\kbylgdsfbtfgikobme.exe*." | PID 4752

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe | PID 1508
  C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe | C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe | PID 4204

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe . | PID 4692
  C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe | C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe . | PID 6076
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\brnztpdpkbmmnordn.exe*." | PID 904

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ujepidqbvlvuuuwh.exe | PID 2876
  C:\Windows\ujepidqbvlvuuuwh.exe | ujepidqbvlvuuuwh.exe | PID 2432

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ibapmlcrpjxaeiodqkdc.exe . | PID 1180
  C:\Windows\ibapmlcrpjxaeiodqkdc.exe | ibapmlcrpjxaeiodqkdc.exe . | PID 6136
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\ibapmlcrpjxaeiodqkdc.exe*." | PID 5496

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c brnztpdpkbmmnordn.exe | PID 4972
  C:\Windows\brnztpdpkbmmnordn.exe | brnztpdpkbmmnordn.exe | PID 6128

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c kbylgdsfbtfgikobme.exe . | PID 2752
  C:\Windows\kbylgdsfbtfgikobme.exe | kbylgdsfbtfgikobme.exe . | PID 5328
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\kbylgdsfbtfgikobme.exe*." | PID 6116

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe | PID 3660
  C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe | C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe | PID 2824

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe . | PID 2436
  C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe | C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe . | PID 5960
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\kbylgdsfbtfgikobme.exe*." | PID 1404

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrrhffxnmhwafkrhvqkka.exe | PID 3452
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 3392
  C:\Users\Admin\AppData\Local\Temp\xrrhffxnmhwafkrhvqkka.exe | C:\Users\Admin\AppData\Local\Temp\xrrhffxnmhwafkrhvqkka.exe | PID 5248

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe . | PID 464
  C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe | C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe . | PID 2832
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\ibapmlcrpjxaeiodqkdc.exe*." | PID 4696

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c brnztpdpkbmmnordn.exe | PID 1956
  C:\Windows\brnztpdpkbmmnordn.exe | brnztpdpkbmmnordn.exe | PID 4704

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vnlzvtjxunacfinbngy.exe . | PID 4952
  C:\Windows\vnlzvtjxunacfinbngy.exe | vnlzvtjxunacfinbngy.exe . | PID 3920
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\vnlzvtjxunacfinbngy.exe*." | PID 4488

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xrrhffxnmhwafkrhvqkka.exe | PID 3312
  C:\Windows\xrrhffxnmhwafkrhvqkka.exe | xrrhffxnmhwafkrhvqkka.exe | PID 2072

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ujepidqbvlvuuuwh.exe . | PID 4888
  C:\Windows\ujepidqbvlvuuuwh.exe | ujepidqbvlvuuuwh.exe . | PID 4412
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\ujepidqbvlvuuuwh.exe*." | PID 2384

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe | PID 4408
  C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe | C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe | PID 2272

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe . | PID 1992
  C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe | C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe . | PID 6044
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\ibapmlcrpjxaeiodqkdc.exe*." | PID 4644

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe | PID 5764
  C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe | C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe | PID 648

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe . | PID 4992
  C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe | C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe . | PID 2680
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\ibapmlcrpjxaeiodqkdc.exe*." | PID 3928

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c kbylgdsfbtfgikobme.exe | PID 4244
  C:\Windows\kbylgdsfbtfgikobme.exe | kbylgdsfbtfgikobme.exe | PID 3300

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ibapmlcrpjxaeiodqkdc.exe . | PID 3612
  C:\Windows\ibapmlcrpjxaeiodqkdc.exe | ibapmlcrpjxaeiodqkdc.exe . | PID 4672
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\ibapmlcrpjxaeiodqkdc.exe*." | PID 2240

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ujepidqbvlvuuuwh.exe | PID 2176
  C:\Windows\ujepidqbvlvuuuwh.exe | ujepidqbvlvuuuwh.exe | PID 4740

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c kbylgdsfbtfgikobme.exe . | PID 1912
  C:\Windows\kbylgdsfbtfgikobme.exe | kbylgdsfbtfgikobme.exe . | PID 4924
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\kbylgdsfbtfgikobme.exe*." | PID 3912

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe | PID 5388
  C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe | C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe | PID 2808

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe . | PID 5844
  C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe | C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe . | PID 1388
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\vnlzvtjxunacfinbngy.exe*." | PID 5116

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe | PID 4420
  C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe | C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe | PID 5392

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrrhffxnmhwafkrhvqkka.exe . | PID 1316
  C:\Users\Admin\AppData\Local\Temp\xrrhffxnmhwafkrhvqkka.exe | C:\Users\Admin\AppData\Local\Temp\xrrhffxnmhwafkrhvqkka.exe . | PID 4648
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\xrrhffxnmhwafkrhvqkka.exe*." | PID 916

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c brnztpdpkbmmnordn.exe | PID 5012
  C:\Windows\brnztpdpkbmmnordn.exe | brnztpdpkbmmnordn.exe | PID 5924

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vnlzvtjxunacfinbngy.exe . | PID 2928
  C:\Windows\vnlzvtjxunacfinbngy.exe | vnlzvtjxunacfinbngy.exe . | PID 4632
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\vnlzvtjxunacfinbngy.exe*." | PID 4636

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c kbylgdsfbtfgikobme.exe | PID 2336
  C:\Windows\kbylgdsfbtfgikobme.exe | kbylgdsfbtfgikobme.exe | PID 5984

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c brnztpdpkbmmnordn.exe | PID 1032
  C:\Windows\brnztpdpkbmmnordn.exe | brnztpdpkbmmnordn.exe | PID 4576

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c kbylgdsfbtfgikobme.exe . | PID 5724
  C:\Windows\kbylgdsfbtfgikobme.exe | kbylgdsfbtfgikobme.exe . | PID 860
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\kbylgdsfbtfgikobme.exe*." | PID 2936

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ujepidqbvlvuuuwh.exe | PID 5428
  C:\Windows\ujepidqbvlvuuuwh.exe | ujepidqbvlvuuuwh.exe | PID 5872

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ibapmlcrpjxaeiodqkdc.exe . | PID 1600
  C:\Windows\ibapmlcrpjxaeiodqkdc.exe | ibapmlcrpjxaeiodqkdc.exe . | PID 5748
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\ibapmlcrpjxaeiodqkdc.exe*." | PID 2868

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c kbylgdsfbtfgikobme.exe . | PID 2476
  C:\Windows\kbylgdsfbtfgikobme.exe | kbylgdsfbtfgikobme.exe . | PID 3552
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\kbylgdsfbtfgikobme.exe*." | PID 5096

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe | PID 5484
  C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe | C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe | PID 5252

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c brnztpdpkbmmnordn.exe | PID 1648
  C:\Windows\brnztpdpkbmmnordn.exe | brnztpdpkbmmnordn.exe | PID 4424

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrrhffxnmhwafkrhvqkka.exe . | PID 836
  C:\Users\Admin\AppData\Local\Temp\xrrhffxnmhwafkrhvqkka.exe | C:\Users\Admin\AppData\Local\Temp\xrrhffxnmhwafkrhvqkka.exe . | PID 5720
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\xrrhffxnmhwafkrhvqkka.exe*." | PID 3312

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ibapmlcrpjxaeiodqkdc.exe | PID 4904
  C:\Windows\ibapmlcrpjxaeiodqkdc.exe | ibapmlcrpjxaeiodqkdc.exe | PID 72

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ibapmlcrpjxaeiodqkdc.exe . | PID 2408
  C:\Windows\ibapmlcrpjxaeiodqkdc.exe | ibapmlcrpjxaeiodqkdc.exe . | PID 2800
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\ibapmlcrpjxaeiodqkdc.exe*." | PID 4800

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe | PID 4728
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 5236
  C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe | C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe | PID 412

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ibapmlcrpjxaeiodqkdc.exe . | PID 904
  C:\Windows\ibapmlcrpjxaeiodqkdc.exe | ibapmlcrpjxaeiodqkdc.exe . | PID 4852
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\ibapmlcrpjxaeiodqkdc.exe*." | PID 788

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe | PID 1636
  C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe | C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe | PID 1492

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe . | PID 1036
  C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe | C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe . | PID 4872
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\kbylgdsfbtfgikobme.exe*." | PID 6044

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe | PID 4912
  C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe | C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe | PID 244

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe . | PID 3444
  C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe | C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe . | PID 2384
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\brnztpdpkbmmnordn.exe*." | PID 5260

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe . | PID 3220
  C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe | C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe . | PID 4724
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\ujepidqbvlvuuuwh.exe*." | PID 3880

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe | PID 2328
  C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe | C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe | PID 4428

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe . | PID 3236
  C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe | C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe . | PID 6048
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\brnztpdpkbmmnordn.exe*." | PID 5896

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe | PID 1128
  C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe | C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe | PID 5372

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe . | PID 4976
  C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe | C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe . | PID 676
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\ibapmlcrpjxaeiodqkdc.exe*." | PID 1288

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c kbylgdsfbtfgikobme.exe | PID 2792
  C:\Windows\kbylgdsfbtfgikobme.exe | kbylgdsfbtfgikobme.exe | PID 5912

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c kbylgdsfbtfgikobme.exe . | PID 2816
  C:\Windows\kbylgdsfbtfgikobme.exe | kbylgdsfbtfgikobme.exe . | PID 1900
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\kbylgdsfbtfgikobme.exe*." | PID 3548

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c brnztpdpkbmmnordn.exe | PID 1824
  C:\Windows\brnztpdpkbmmnordn.exe | brnztpdpkbmmnordn.exe | PID 1452

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vnlzvtjxunacfinbngy.exe . | PID 4816
  C:\Windows\vnlzvtjxunacfinbngy.exe | vnlzvtjxunacfinbngy.exe . | PID 1676
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\vnlzvtjxunacfinbngy.exe*." | PID 4860

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe | PID 4848
  C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe | C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe | PID 3980

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe . | PID 1944
  C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe | C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe . | PID 5332
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\brnztpdpkbmmnordn.exe*." | PID 5556

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe | PID 3360
  C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe | C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe | PID 5432

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe . | PID 5548
  C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe | C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe . | PID 1164
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\kbylgdsfbtfgikobme.exe*." | PID 692

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ujepidqbvlvuuuwh.exe | PID 5376
  C:\Windows\ujepidqbvlvuuuwh.exe | ujepidqbvlvuuuwh.exe | PID 4692

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xrrhffxnmhwafkrhvqkka.exe . | PID 4456
  C:\Windows\xrrhffxnmhwafkrhvqkka.exe | xrrhffxnmhwafkrhvqkka.exe . | PID 4988
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\xrrhffxnmhwafkrhvqkka.exe*." | PID 3736

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c brnztpdpkbmmnordn.exe | PID 960
  C:\Windows\brnztpdpkbmmnordn.exe | brnztpdpkbmmnordn.exe | PID 888

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c brnztpdpkbmmnordn.exe . | PID 1820
  C:\Windows\brnztpdpkbmmnordn.exe | brnztpdpkbmmnordn.exe . | PID 2020
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\brnztpdpkbmmnordn.exe*." | PID 3512

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe | PID 2420
  C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe | C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe | PID 2340

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe . | PID 5328
  C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe | C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe . | PID 5736
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\ibapmlcrpjxaeiodqkdc.exe*." | PID 5236

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrrhffxnmhwafkrhvqkka.exe | PID 4952
  C:\Users\Admin\AppData\Local\Temp\xrrhffxnmhwafkrhvqkka.exe | C:\Users\Admin\AppData\Local\Temp\xrrhffxnmhwafkrhvqkka.exe | PID 1936

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe . | PID 5004
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 5720
  C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe | C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe . | PID 4020
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\kbylgdsfbtfgikobme.exe*." | PID 1524

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vnlzvtjxunacfinbngy.exe | PID 2492
-
C:\Windows\vnlzvtjxunacfinbngy.exevnlzvtjxunacfinbngy.exe2⤵PID:6044
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kbylgdsfbtfgikobme.exe .1⤵PID:2776
-
C:\Windows\kbylgdsfbtfgikobme.exekbylgdsfbtfgikobme.exe .2⤵PID:2780
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\kbylgdsfbtfgikobme.exe*."3⤵PID:912
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vnlzvtjxunacfinbngy.exe1⤵PID:1048
-
C:\Windows\vnlzvtjxunacfinbngy.exevnlzvtjxunacfinbngy.exe2⤵PID:4228
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ujepidqbvlvuuuwh.exe .1⤵PID:5104
-
C:\Windows\ujepidqbvlvuuuwh.exeujepidqbvlvuuuwh.exe .2⤵PID:1708
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\ujepidqbvlvuuuwh.exe*."3⤵PID:4492
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe1⤵PID:5536
-
C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exeC:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe2⤵PID:5776
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe .1⤵PID:572
-
C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exeC:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe .2⤵PID:4756
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\ujepidqbvlvuuuwh.exe*."3⤵PID:6048
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe1⤵PID:5476
-
C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exeC:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe2⤵PID:1148
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe .1⤵PID:5336
-
C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exeC:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe .2⤵PID:1144
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\ibapmlcrpjxaeiodqkdc.exe*."3⤵PID:1804
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brnztpdpkbmmnordn.exe1⤵PID:3564
-
C:\Windows\brnztpdpkbmmnordn.exebrnztpdpkbmmnordn.exe2⤵PID:4504
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ibapmlcrpjxaeiodqkdc.exe .1⤵PID:3612
-
C:\Windows\ibapmlcrpjxaeiodqkdc.exeibapmlcrpjxaeiodqkdc.exe .2⤵PID:5248
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\ibapmlcrpjxaeiodqkdc.exe*."3⤵PID:5748
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xrrhffxnmhwafkrhvqkka.exe1⤵PID:5168
-
C:\Windows\xrrhffxnmhwafkrhvqkka.exexrrhffxnmhwafkrhvqkka.exe2⤵PID:6136
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xrrhffxnmhwafkrhvqkka.exe .1⤵PID:3092
-
C:\Windows\xrrhffxnmhwafkrhvqkka.exexrrhffxnmhwafkrhvqkka.exe .2⤵PID:4904
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\xrrhffxnmhwafkrhvqkka.exe*."3⤵PID:1304
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe1⤵PID:5388
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2292
-
-
C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exeC:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe2⤵PID:1912
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe .1⤵PID:2512
-
C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exeC:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe .2⤵PID:3872
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\kbylgdsfbtfgikobme.exe*."3⤵PID:2996
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe1⤵PID:5392
-
C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exeC:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe2⤵PID:752
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrrhffxnmhwafkrhvqkka.exe .1⤵PID:3992
-
C:\Users\Admin\AppData\Local\Temp\xrrhffxnmhwafkrhvqkka.exeC:\Users\Admin\AppData\Local\Temp\xrrhffxnmhwafkrhvqkka.exe .2⤵PID:2176
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\xrrhffxnmhwafkrhvqkka.exe*."3⤵PID:8
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brnztpdpkbmmnordn.exe1⤵PID:5408
-
C:\Windows\brnztpdpkbmmnordn.exebrnztpdpkbmmnordn.exe2⤵PID:996
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brnztpdpkbmmnordn.exe .1⤵PID:3708
-
C:\Windows\brnztpdpkbmmnordn.exebrnztpdpkbmmnordn.exe .2⤵PID:5732
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\brnztpdpkbmmnordn.exe*."3⤵PID:5540
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ibapmlcrpjxaeiodqkdc.exe1⤵PID:3768
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5320
-
-
C:\Windows\ibapmlcrpjxaeiodqkdc.exeibapmlcrpjxaeiodqkdc.exe2⤵PID:1504
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brnztpdpkbmmnordn.exe .1⤵PID:2092
-
C:\Windows\brnztpdpkbmmnordn.exebrnztpdpkbmmnordn.exe .2⤵PID:396
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\brnztpdpkbmmnordn.exe*."3⤵PID:3716
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe1⤵PID:988
-
C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exeC:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe2⤵PID:5088
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe .1⤵PID:6064
-
C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exeC:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe .2⤵PID:3340
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\vnlzvtjxunacfinbngy.exe*."3⤵PID:1644
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe1⤵PID:2208
-
C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exeC:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe2⤵PID:5832
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe .1⤵PID:3552
-
C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exeC:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe .2⤵PID:4424
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\brnztpdpkbmmnordn.exe*."3⤵PID:5716
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kbylgdsfbtfgikobme.exe1⤵PID:1648
-
C:\Windows\kbylgdsfbtfgikobme.exekbylgdsfbtfgikobme.exe2⤵PID:5736
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vnlzvtjxunacfinbngy.exe .1⤵PID:2848
-
C:\Windows\vnlzvtjxunacfinbngy.exevnlzvtjxunacfinbngy.exe .2⤵PID:4968
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\vnlzvtjxunacfinbngy.exe*."3⤵PID:5840
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kbylgdsfbtfgikobme.exe1⤵PID:4568
-
C:\Windows\kbylgdsfbtfgikobme.exekbylgdsfbtfgikobme.exe2⤵PID:692
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vnlzvtjxunacfinbngy.exe .1⤵PID:4020
-
C:\Windows\vnlzvtjxunacfinbngy.exevnlzvtjxunacfinbngy.exe .2⤵PID:2252
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\vnlzvtjxunacfinbngy.exe*."3⤵PID:1552
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe1⤵PID:4288
-
C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exeC:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe2⤵PID:4428
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe .1⤵PID:5244
-
C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exeC:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe .2⤵PID:4704
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\ujepidqbvlvuuuwh.exe*."3⤵PID:5572
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe1⤵PID:2304
-
C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exeC:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe2⤵PID:5372
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe .1⤵PID:3496
-
C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exeC:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe .2⤵PID:4408
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\kbylgdsfbtfgikobme.exe*."3⤵PID:1708
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kbylgdsfbtfgikobme.exe1⤵PID:4724
-
C:\Windows\kbylgdsfbtfgikobme.exekbylgdsfbtfgikobme.exe2⤵PID:3440
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kbylgdsfbtfgikobme.exe1⤵PID:5608
-
C:\Windows\kbylgdsfbtfgikobme.exekbylgdsfbtfgikobme.exe2⤵PID:3400
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ujepidqbvlvuuuwh.exe .1⤵PID:5104
-
C:\Windows\ujepidqbvlvuuuwh.exeujepidqbvlvuuuwh.exe .2⤵PID:6008
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\ujepidqbvlvuuuwh.exe*."3⤵PID:3248
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ujepidqbvlvuuuwh.exe .1⤵PID:2472
-
C:\Windows\ujepidqbvlvuuuwh.exeujepidqbvlvuuuwh.exe .2⤵PID:1524
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\ujepidqbvlvuuuwh.exe*."3⤵PID:4460
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xrrhffxnmhwafkrhvqkka.exe1⤵PID:4452
-
C:\Windows\xrrhffxnmhwafkrhvqkka.exexrrhffxnmhwafkrhvqkka.exe2⤵PID:2240
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ujepidqbvlvuuuwh.exe1⤵PID:4100
-
C:\Windows\ujepidqbvlvuuuwh.exeujepidqbvlvuuuwh.exe2⤵PID:2868
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ujepidqbvlvuuuwh.exe1⤵PID:904
-
C:\Windows\ujepidqbvlvuuuwh.exeujepidqbvlvuuuwh.exe2⤵PID:1464
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xrrhffxnmhwafkrhvqkka.exe .1⤵PID:392
-
C:\Windows\xrrhffxnmhwafkrhvqkka.exexrrhffxnmhwafkrhvqkka.exe .2⤵PID:4808
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\xrrhffxnmhwafkrhvqkka.exe*."3⤵PID:1664
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vnlzvtjxunacfinbngy.exe .1⤵PID:1232
-
C:\Windows\vnlzvtjxunacfinbngy.exevnlzvtjxunacfinbngy.exe .2⤵PID:5148
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\vnlzvtjxunacfinbngy.exe*."3⤵PID:2052
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vnlzvtjxunacfinbngy.exe .1⤵PID:5616
-
C:\Windows\vnlzvtjxunacfinbngy.exevnlzvtjxunacfinbngy.exe .2⤵PID:2924
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\vnlzvtjxunacfinbngy.exe*."3⤵PID:4420
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe1⤵PID:5680
-
C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exeC:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe2⤵PID:5020
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe1⤵PID:5256
-
C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exeC:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe2⤵PID:4864
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vnlzvtjxunacfinbngy.exe1⤵PID:5388
-
C:\Windows\vnlzvtjxunacfinbngy.exevnlzvtjxunacfinbngy.exe2⤵PID:1944
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe .1⤵PID:2112
-
C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exeC:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe .2⤵PID:2340
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\kbylgdsfbtfgikobme.exe*."3⤵PID:416
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe .1⤵PID:1628
-
C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exeC:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe .2⤵PID:6128
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\kbylgdsfbtfgikobme.exe*."3⤵PID:4400
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ujepidqbvlvuuuwh.exe .1⤵PID:5712
-
C:\Windows\ujepidqbvlvuuuwh.exeujepidqbvlvuuuwh.exe .2⤵PID:3552
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\ujepidqbvlvuuuwh.exe*."3⤵PID:4356
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe1⤵PID:5772
-
C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exeC:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe2⤵PID:4204
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe1⤵PID:5556
-
C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exeC:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe2⤵PID:6084
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe1⤵PID:5980
-
C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exeC:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe2⤵PID:5872
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrrhffxnmhwafkrhvqkka.exe .1⤵PID:5076
-
C:\Users\Admin\AppData\Local\Temp\xrrhffxnmhwafkrhvqkka.exeC:\Users\Admin\AppData\Local\Temp\xrrhffxnmhwafkrhvqkka.exe .2⤵PID:2336
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\xrrhffxnmhwafkrhvqkka.exe*."3⤵PID:4508
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe .1⤵PID:3204
-
C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exeC:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe .2⤵PID:1376
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\kbylgdsfbtfgikobme.exe*."3⤵PID:6064
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe .1⤵PID:5012
-
C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exeC:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe .2⤵PID:4972
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\kbylgdsfbtfgikobme.exe*."3⤵PID:3032
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe1⤵PID:2876
-
C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exeC:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe2⤵PID:3712
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe .1⤵PID:5808
-
C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exeC:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe .2⤵PID:2712
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\ibapmlcrpjxaeiodqkdc.exe*."3⤵PID:3148
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vnlzvtjxunacfinbngy.exe1⤵PID:3668
-
C:\Windows\vnlzvtjxunacfinbngy.exevnlzvtjxunacfinbngy.exe2⤵PID:3132
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kbylgdsfbtfgikobme.exe .1⤵PID:4952
-
C:\Windows\kbylgdsfbtfgikobme.exekbylgdsfbtfgikobme.exe .2⤵PID:1492
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\kbylgdsfbtfgikobme.exe*."3⤵PID:4912
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ibapmlcrpjxaeiodqkdc.exe1⤵PID:2988
-
C:\Windows\ibapmlcrpjxaeiodqkdc.exeibapmlcrpjxaeiodqkdc.exe2⤵PID:1960
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vnlzvtjxunacfinbngy.exe .1⤵PID:4872
-
C:\Windows\vnlzvtjxunacfinbngy.exevnlzvtjxunacfinbngy.exe .2⤵PID:1020
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\vnlzvtjxunacfinbngy.exe*."3⤵PID:916
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe1⤵PID:912
-
C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exeC:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe2⤵PID:1616
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe .1⤵PID:1048
-
C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exeC:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe .2⤵PID:5140
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\vnlzvtjxunacfinbngy.exe*."3⤵PID:4360
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe1⤵PID:2004
-
C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exeC:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe2⤵PID:4492
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe .1⤵PID:3356
-
C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exeC:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe .2⤵PID:572
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\ibapmlcrpjxaeiodqkdc.exe*."3⤵PID:6024
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xrrhffxnmhwafkrhvqkka.exe1⤵PID:3828
-
C:\Windows\xrrhffxnmhwafkrhvqkka.exexrrhffxnmhwafkrhvqkka.exe2⤵PID:5028
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ujepidqbvlvuuuwh.exe .1⤵PID:3248
-
C:\Windows\ujepidqbvlvuuuwh.exeujepidqbvlvuuuwh.exe .2⤵PID:1880
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\ujepidqbvlvuuuwh.exe*."3⤵PID:2132
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brnztpdpkbmmnordn.exe1⤵PID:2792
-
C:\Windows\brnztpdpkbmmnordn.exebrnztpdpkbmmnordn.exe2⤵PID:756
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ujepidqbvlvuuuwh.exe .1⤵PID:4904
-
C:\Windows\ujepidqbvlvuuuwh.exeujepidqbvlvuuuwh.exe .2⤵PID:4648
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\ujepidqbvlvuuuwh.exe*."3⤵PID:4920
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe1⤵PID:4848
-
C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exeC:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe2⤵PID:3360
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe .1⤵PID:6136
-
C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exeC:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe .2⤵PID:5356
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\kbylgdsfbtfgikobme.exe*."3⤵PID:2752
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe1⤵PID:2668
-
C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exeC:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe2⤵PID:5100
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe .1⤵PID:2932
-
C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exeC:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe .2⤵PID:2344
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\ibapmlcrpjxaeiodqkdc.exe*."3⤵PID:1368
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brnztpdpkbmmnordn.exe1⤵PID:436
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5620
-
-
C:\Windows\brnztpdpkbmmnordn.exebrnztpdpkbmmnordn.exe2⤵PID:3016
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brnztpdpkbmmnordn.exe .1⤵PID:3556
-
C:\Windows\brnztpdpkbmmnordn.exebrnztpdpkbmmnordn.exe .2⤵PID:6020
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\brnztpdpkbmmnordn.exe*."3⤵PID:4636
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kbylgdsfbtfgikobme.exe1⤵PID:1320
-
C:\Windows\kbylgdsfbtfgikobme.exekbylgdsfbtfgikobme.exe2⤵PID:2620
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ibapmlcrpjxaeiodqkdc.exe .1⤵PID:4576
-
C:\Windows\ibapmlcrpjxaeiodqkdc.exeibapmlcrpjxaeiodqkdc.exe .2⤵PID:5432
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\ibapmlcrpjxaeiodqkdc.exe*."3⤵PID:2876
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe1⤵PID:3032
-
C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exeC:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe2⤵PID:3660
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe .1⤵PID:2280
-
C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exeC:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe .2⤵PID:8
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\brnztpdpkbmmnordn.exe*."3⤵PID:2204
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe1⤵PID:2712
-
C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exeC:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe2⤵PID:2828
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe .1⤵PID:2300
-
C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exeC:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe .2⤵PID:412
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\brnztpdpkbmmnordn.exe*."3⤵PID:2528
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ujepidqbvlvuuuwh.exe1⤵PID:560
-
C:\Windows\ujepidqbvlvuuuwh.exeujepidqbvlvuuuwh.exe2⤵PID:3492
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kbylgdsfbtfgikobme.exe .1⤵PID:1548
-
C:\Windows\kbylgdsfbtfgikobme.exekbylgdsfbtfgikobme.exe .2⤵PID:2112
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\kbylgdsfbtfgikobme.exe*."3⤵PID:3412
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brnztpdpkbmmnordn.exe1⤵PID:4592
-
C:\Windows\brnztpdpkbmmnordn.exebrnztpdpkbmmnordn.exe2⤵PID:6092
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ibapmlcrpjxaeiodqkdc.exe .1⤵PID:2516
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5972
-
-
C:\Windows\ibapmlcrpjxaeiodqkdc.exeibapmlcrpjxaeiodqkdc.exe .2⤵PID:1272
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\ibapmlcrpjxaeiodqkdc.exe*."3⤵PID:5568
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe1⤵PID:1524
-
C:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exeC:\Users\Admin\AppData\Local\Temp\ibapmlcrpjxaeiodqkdc.exe2⤵PID:4584
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe .1⤵PID:4600
-
C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exeC:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe .2⤵PID:5008
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\kbylgdsfbtfgikobme.exe*."3⤵PID:4376
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe1⤵PID:4064
-
C:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exeC:\Users\Admin\AppData\Local\Temp\vnlzvtjxunacfinbngy.exe2⤵PID:2580
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe .1⤵PID:892
-
C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exeC:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe .2⤵PID:6076
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\brnztpdpkbmmnordn.exe*."3⤵PID:2364
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ujepidqbvlvuuuwh.exe1⤵PID:2680
-
C:\Windows\ujepidqbvlvuuuwh.exeujepidqbvlvuuuwh.exe2⤵PID:1020
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brnztpdpkbmmnordn.exe .1⤵PID:5812
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5004
-
-
C:\Windows\brnztpdpkbmmnordn.exebrnztpdpkbmmnordn.exe .2⤵PID:5344
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\brnztpdpkbmmnordn.exe*."3⤵PID:5920
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ujepidqbvlvuuuwh.exe1⤵PID:1088
-
C:\Windows\ujepidqbvlvuuuwh.exeujepidqbvlvuuuwh.exe2⤵PID:5140
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kbylgdsfbtfgikobme.exe .1⤵PID:4228
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1940
-
-
C:\Windows\kbylgdsfbtfgikobme.exekbylgdsfbtfgikobme.exe .2⤵PID:5948
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\kbylgdsfbtfgikobme.exe*."3⤵PID:4508
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe1⤵PID:3024
-
C:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exeC:\Users\Admin\AppData\Local\Temp\kbylgdsfbtfgikobme.exe2⤵PID:4756
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe .1⤵PID:2892
-
C:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exeC:\Users\Admin\AppData\Local\Temp\ujepidqbvlvuuuwh.exe .2⤵PID:5552
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\ujepidqbvlvuuuwh.exe*."3⤵PID:1072
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrrhffxnmhwafkrhvqkka.exe1⤵PID:4720
-
C:\Users\Admin\AppData\Local\Temp\xrrhffxnmhwafkrhvqkka.exeC:\Users\Admin\AppData\Local\Temp\xrrhffxnmhwafkrhvqkka.exe2⤵PID:5424
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe .1⤵PID:676
-
C:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exeC:\Users\Admin\AppData\Local\Temp\brnztpdpkbmmnordn.exe .2⤵PID:6004
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\brnztpdpkbmmnordn.exe*."3⤵PID:4864
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vnlzvtjxunacfinbngy.exe1⤵PID:4808
-
C:\Windows\vnlzvtjxunacfinbngy.exevnlzvtjxunacfinbngy.exe2⤵PID:3980
-
Network
MITRE ATT&CK Enterprise v16
Persistence
    Boot or Logon Autostart Execution (3)
        Registry Run Keys / Startup Folder (2)
        Winlogon Helper DLL (1)
    Hijack Execution Flow (1)
        Executable Installer File Permissions Weakness (1)
Privilege Escalation
    Abuse Elevation Control Mechanism (1)
        Bypass User Account Control (1)
    Boot or Logon Autostart Execution (3)
        Registry Run Keys / Startup Folder (2)
        Winlogon Helper DLL (1)
    Hijack Execution Flow (1)
        Executable Installer File Permissions Weakness (1)
Defense Evasion
    Abuse Elevation Control Mechanism (1)
        Bypass User Account Control (1)
    Hijack Execution Flow (1)
        Executable Installer File Permissions Weakness (1)
    Impair Defenses (2)
        Disable or Modify Tools (1)
        Safe Mode Boot (1)
    Modify Registry (5)
Downloads
-
Filesize
272B
MD5fc611751f4addef07c8cceb6a27c3bad
SHA1fe7469e503744211849bfd177a194f6029358f61
SHA256cbc731d6e9e59ed69484b2d3a515a9874b492021fb5ae04f6550a69b2c511485
SHA51252283945e23c959a8ef2f1de07d6aa00213db3a24d6db5120e9c5e3c001940a6e8b6ba2649d3807943f148dcbdf78f49e0472416673623d41bb7a1303f7f210e
-
Filesize
272B
MD5433e2375996643db4b0b4dc1b95842d2
SHA1148f8cb06353bb6da6c229e0fabd09285d9f3e06
SHA2565225c639a20bd6cc41e9f9342a46316028b049ec7780037db1be8ad436bad7b2
SHA512d64342f931db8128e1c1d08c47c5d4aa4ce8cd4990f32063cc8bf3e89c49352e96da6b1b32a8af4f49dc95605bd7cc04143d3646108284097ef68be90d5c0f44
-
Filesize
3KB
MD52dcdc111f9aafe9ef692a7b077fbf111
SHA1010d6d853d5ea9743d761eecb5b5cd82396d8167
SHA2564ac5d1ad1a630c79f87fdfaf37ae1f726b1d11078f4c036a0c6c2ea551286d0e
SHA5128d675261c88a04900904112f51e04adfd725c1dd1ff437272c673f39cf9935ffcc896560179ad7db84bcd97fd1a4a26d89ae6dcd3175aedf15ef5ce68369d733
-
Filesize
896KB
MD5c5053b6a278897cf8629be4ba93b3030
SHA18bbc4116b965c3546d3d52d2d90eca8d5979901f
SHA25625513f2b017ee242a254117f14ff49bb55f034a64265724e8e76d49a696b2d60
SHA51215b961286782c54d9bc04722679570afea0112facc107e17669c4cd4ea9695c198d312d91019275b850214f6b116fd88d5531b23555f364e6d0200ea1cdbe617