Analysis
max time kernel: 49s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20250314-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/04/2025, 06:04

Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe
  Resource: win10v2004-20250314-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe
  Resource: win11-20250410-en

General
Target: JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe
Size: 636KB
MD5: c80bb333a03aefa2ebc92b2d4851eaed
SHA1: e8f4a6c6537522d8c9e187f4cc2ae47252c39e6f
SHA256: 26aa0051cdca76b6fea6ef46de623fc60b21b3adcb3100e3366ab638fe9c3a38
SHA512: 5a2d9a4c626761a0b9ce6eca4d21453a35ea91d29a17a7ebef69d0cccf7dd86accc8ed395437578e329e6aea98dd6cb05c02a7b53ffb8014400f11a6041da4f9
SSDEEP: 12288:2pUJ3r6YkVwJgNnSykgb9cqWnw4q6ZmFhqsbS5jjcS5jA:2pUNr6YkVRFkgbeqeo68FhqW
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 23 IoCs
Pykspa family
UAC bypass 3 TTPs 32 IoCs
Detect Pykspa worm 2 IoCs
resource | yara_rule
behavioral1/files/0x000e000000022f42-4.dat | family_pykspa
behavioral1/files/0x0007000000024297-84.dat | family_pykspa
Adds policy Run key to start application 2 TTPs 64 IoCs
Blocklisted process makes network request 5 IoCs
flow | pid | Process
42 | 2212 | Process not Found
45 | 2212 | Process not Found
57 | 2212 | Process not Found
62 | 2212 | Process not Found
77 | 2212 | Process not Found
Disables RegEdit via registry modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ajhuzio.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | sdqaokddcna.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ajhuzio.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ajhuzio.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ajhuzio.exe
Checks computer location settings 2 TTPs 64 IoCs
Looks up country code configured in the registry, likely geofence.
Executes dropped EXE 64 IoCs
Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | ajhuzio.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | ajhuzio.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | ajhuzio.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | ajhuzio.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | ajhuzio.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | ajhuzio.exe
Adds Run key to start application 2 TTPs 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zryuiapcrkbrjyrs = "czlmfcwoigcxuomsvfqnz.exe ." | sdqaokddcna.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\gzhetmcqgasjcsmon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zryuiapcrkbrjyrs.exe ." | sdqaokddcna.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qfjcncoykaobq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pjsqgargxsldxojmmt.exe ." | sdqaokddcna.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pjsqgargxsldxojmmt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zryuiapcrkbrjyrs.exe" | sdqaokddcna.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qfjcncoykaobq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\njuumibslidxtmjoqzjf.exe ." | sdqaokddcna.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qfjcncoykaobq = "pjsqgargxsldxojmmt.exe ." | sdqaokddcna.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rfiakyjsdsfr = "zryuiapcrkbrjyrs.exe" | sdqaokddcna.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rfiakyjsdsfr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pjsqgargxsldxojmmt.exe" | sdqaokddcna.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\gzhetmcqgasjcsmon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zryuiapcrkbrjyrs.exe ." | sdqaokddcna.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rfiakyjsdsfr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\njuumibslidxtmjoqzjf.exe" | sdqaokddcna.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qfjcncoykaobq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zryuiapcrkbrjyrs.exe ." | sdqaokddcna.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pjsqgargxsldxojmmt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\czlmfcwoigcxuomsvfqnz.exe" | sdqaokddcna.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zryuiapcrkbrjyrs = "pjsqgargxsldxojmmt.exe ." | ajhuzio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pjsqgargxsldxojmmt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\czlmfcwoigcxuomsvfqnz.exe" | ajhuzio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qfjcncoykaobq = "czlmfcwoigcxuomsvfqnz.exe ." | sdqaokddcna.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ulrmzqeqewmbsgy = "czlmfcwoigcxuomsvfqnz.exe" | sdqaokddcna.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zryuiapcrkbrjyrs = "pjsqgargxsldxojmmt.exe ." | sdqaokddcna.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qfjcncoykaobq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\njuumibslidxtmjoqzjf.exe ." | sdqaokddcna.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rfiakyjsdsfr = "czlmfcwoigcxuomsvfqnz.exe" | sdqaokddcna.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ulrmzqeqewmbsgy = "gzhetmcqgasjcsmon.exe" | sdqaokddcna.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rfiakyjsdsfr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zryuiapcrkbrjyrs.exe" | sdqaokddcna.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qfjcncoykaobq = "pjsqgargxsldxojmmt.exe ." | sdqaokddcna.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ulrmzqeqewmbsgy = "njuumibslidxtmjoqzjf.exe" | sdqaokddcna.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rfiakyjsdsfr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gzhetmcqgasjcsmon.exe" | sdqaokddcna.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rfiakyjsdsfr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avfevqiyqmgzumimnve.exe" | sdqaokddcna.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rfiakyjsdsfr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\njuumibslidxtmjoqzjf.exe" | sdqaokddcna.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zryuiapcrkbrjyrs = "zryuiapcrkbrjyrs.exe ." | sdqaokddcna.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qfjcncoykaobq = "pjsqgargxsldxojmmt.exe ." | ajhuzio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rfiakyjsdsfr = "njuumibslidxtmjoqzjf.exe" | sdqaokddcna.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pjsqgargxsldxojmmt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pjsqgargxsldxojmmt.exe" | sdqaokddcna.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ulrmzqeqewmbsgy = "gzhetmcqgasjcsmon.exe" | sdqaokddcna.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ulrmzqeqewmbsgy = "avfevqiyqmgzumimnve.exe" | sdqaokddcna.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ulrmzqeqewmbsgy = "gzhetmcqgasjcsmon.exe" | sdqaokddcna.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zryuiapcrkbrjyrs = "pjsqgargxsldxojmmt.exe ." | sdqaokddcna.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ulrmzqeqewmbsgy = "pjsqgargxsldxojmmt.exe" | ajhuzio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\gzhetmcqgasjcsmon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\czlmfcwoigcxuomsvfqnz.exe ." | sdqaokddcna.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zryuiapcrkbrjyrs = "gzhetmcqgasjcsmon.exe ." | ajhuzio.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zryuiapcrkbrjyrs = "avfevqiyqmgzumimnve.exe ." | sdqaokddcna.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ulrmzqeqewmbsgy = "gzhetmcqgasjcsmon.exe" | ajhuzio.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ulrmzqeqewmbsgy = "czlmfcwoigcxuomsvfqnz.exe" | sdqaokddcna.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rfiakyjsdsfr = "avfevqiyqmgzumimnve.exe" | sdqaokddcna.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qfjcncoykaobq = "czlmfcwoigcxuomsvfqnz.exe ." | sdqaokddcna.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qfjcncoykaobq = "njuumibslidxtmjoqzjf.exe ." | sdqaokddcna.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qfjcncoykaobq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avfevqiyqmgzumimnve.exe ." | sdqaokddcna.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\gzhetmcqgasjcsmon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gzhetmcqgasjcsmon.exe ." | sdqaokddcna.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qfjcncoykaobq = "zryuiapcrkbrjyrs.exe ." | sdqaokddcna.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qfjcncoykaobq = "gzhetmcqgasjcsmon.exe ." | ajhuzio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pjsqgargxsldxojmmt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zryuiapcrkbrjyrs.exe" | sdqaokddcna.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\gzhetmcqgasjcsmon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\njuumibslidxtmjoqzjf.exe ." | ajhuzio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qfjcncoykaobq = "njuumibslidxtmjoqzjf.exe ." | sdqaokddcna.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\gzhetmcqgasjcsmon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pjsqgargxsldxojmmt.exe ." | sdqaokddcna.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rfiakyjsdsfr = "avfevqiyqmgzumimnve.exe" | sdqaokddcna.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qfjcncoykaobq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\njuumibslidxtmjoqzjf.exe ." | sdqaokddcna.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ulrmzqeqewmbsgy = "pjsqgargxsldxojmmt.exe" | sdqaokddcna.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rfiakyjsdsfr = "czlmfcwoigcxuomsvfqnz.exe" | sdqaokddcna.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rfiakyjsdsfr = "gzhetmcqgasjcsmon.exe" | sdqaokddcna.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qfjcncoykaobq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avfevqiyqmgzumimnve.exe ." | ajhuzio.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rfiakyjsdsfr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pjsqgargxsldxojmmt.exe" | sdqaokddcna.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qfjcncoykaobq = "avfevqiyqmgzumimnve.exe ." | sdqaokddcna.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qfjcncoykaobq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\czlmfcwoigcxuomsvfqnz.exe ." | sdqaokddcna.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rfiakyjsdsfr = "zryuiapcrkbrjyrs.exe" | sdqaokddcna.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rfiakyjsdsfr = "avfevqiyqmgzumimnve.exe" | sdqaokddcna.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ulrmzqeqewmbsgy = "pjsqgargxsldxojmmt.exe" | sdqaokddcna.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rfiakyjsdsfr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avfevqiyqmgzumimnve.exe" | sdqaokddcna.exe
-
Checks whether UAC is enabled 1 TTPs 46 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | ajhuzio.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | ajhuzio.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sdqaokddcna.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sdqaokddcna.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sdqaokddcna.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sdqaokddcna.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sdqaokddcna.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sdqaokddcna.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sdqaokddcna.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ajhuzio.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sdqaokddcna.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ajhuzio.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sdqaokddcna.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sdqaokddcna.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sdqaokddcna.exe
-
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possibly turns off User Account Control's privilege elevation for standard users.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | ajhuzio.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | ajhuzio.exe
-
Looks up external IP address via web service 8 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
30 | whatismyip.everdot.org
31 | whatismyipaddress.com
39 | www.whatismyip.ca
16 | www.showmyipaddress.com
22 | whatismyip.everdot.org
23 | www.whatismyip.ca
28 | whatismyip.everdot.org
29 | www.whatismyip.ca
-
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\autorun.inf | ajhuzio.exe
File created | C:\autorun.inf | ajhuzio.exe
File opened for modification | F:\autorun.inf | ajhuzio.exe
File created | F:\autorun.inf | ajhuzio.exe
-
Drops file in System32 directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\pjsqgargxsldxojmmt.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\pjsqgargxsldxojmmt.exe | ajhuzio.exe
File opened for modification | C:\Windows\SysWOW64\njuumibslidxtmjoqzjf.exe | ajhuzio.exe
File opened for modification | C:\Windows\SysWOW64\pjsqgargxsldxojmmt.exe | ajhuzio.exe
File opened for modification | C:\Windows\SysWOW64\pjsqgargxsldxojmmt.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\zryuiapcrkbrjyrs.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\njuumibslidxtmjoqzjf.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\avfevqiyqmgzumimnve.exe | ajhuzio.exe
File opened for modification | C:\Windows\SysWOW64\njuumibslidxtmjoqzjf.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\zryuiapcrkbrjyrs.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\njuumibslidxtmjoqzjf.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\pjsqgargxsldxojmmt.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\zryuiapcrkbrjyrs.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\tregaytmhgdzxsrycnzxkm.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\czlmfcwoigcxuomsvfqnz.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\pjsqgargxsldxojmmt.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\tregaytmhgdzxsrycnzxkm.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\czlmfcwoigcxuomsvfqnz.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\zryuiapcrkbrjyrs.exe | ajhuzio.exe
File opened for modification | C:\Windows\SysWOW64\njuumibslidxtmjoqzjf.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\njuumibslidxtmjoqzjf.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\gzhetmcqgasjcsmon.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\gzhetmcqgasjcsmon.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\pjsqgargxsldxojmmt.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\czlmfcwoigcxuomsvfqnz.exe | ajhuzio.exe
File opened for modification | C:\Windows\SysWOW64\zryuiapcrkbrjyrs.exe | ajhuzio.exe
File opened for modification | C:\Windows\SysWOW64\gzhetmcqgasjcsmon.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\tregaytmhgdzxsrycnzxkm.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\pjsqgargxsldxojmmt.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\tregaytmhgdzxsrycnzxkm.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\gzhetmcqgasjcsmon.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\pjsqgargxsldxojmmt.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\pjsqgargxsldxojmmt.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\avfevqiyqmgzumimnve.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\tregaytmhgdzxsrycnzxkm.exe | ajhuzio.exe
File opened for modification | C:\Windows\SysWOW64\avfevqiyqmgzumimnve.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\pjsqgargxsldxojmmt.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\czlmfcwoigcxuomsvfqnz.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\tregaytmhgdzxsrycnzxkm.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\zryuiapcrkbrjyrs.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\qfjcncoykaobqcsqlnqfjcncoykaobqcsql.qfj | ajhuzio.exe
File opened for modification | C:\Windows\SysWOW64\zryuiapcrkbrjyrs.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\avfevqiyqmgzumimnve.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\czlmfcwoigcxuomsvfqnz.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\njuumibslidxtmjoqzjf.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\tregaytmhgdzxsrycnzxkm.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\avfevqiyqmgzumimnve.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\pjsqgargxsldxojmmt.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\avfevqiyqmgzumimnve.exe | ajhuzio.exe
File opened for modification | C:\Windows\SysWOW64\zryuiapcrkbrjyrs.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\czlmfcwoigcxuomsvfqnz.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\avfevqiyqmgzumimnve.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\gzhetmcqgasjcsmon.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\tregaytmhgdzxsrycnzxkm.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\njuumibslidxtmjoqzjf.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\gzhetmcqgasjcsmon.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\avfevqiyqmgzumimnve.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\zryuiapcrkbrjyrs.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\zryuiapcrkbrjyrs.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\pjsqgargxsldxojmmt.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\avfevqiyqmgzumimnve.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\njuumibslidxtmjoqzjf.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\gzhetmcqgasjcsmon.exe | ajhuzio.exe
File opened for modification | C:\Windows\SysWOW64\czlmfcwoigcxuomsvfqnz.exe | sdqaokddcna.exe
-
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\qfjcncoykaobqcsqlnqfjcncoykaobqcsql.qfj | ajhuzio.exe
File opened for modification | C:\Program Files (x86)\hlemmqrqrwzbfglyizrvowwa.abg | ajhuzio.exe
File created | C:\Program Files (x86)\hlemmqrqrwzbfglyizrvowwa.abg | ajhuzio.exe
File opened for modification | C:\Program Files (x86)\qfjcncoykaobqcsqlnqfjcncoykaobqcsql.qfj | ajhuzio.exe
-
Drops file in Windows directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\avfevqiyqmgzumimnve.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\avfevqiyqmgzumimnve.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\pjsqgargxsldxojmmt.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\qfjcncoykaobqcsqlnqfjcncoykaobqcsql.qfj | ajhuzio.exe
File opened for modification | C:\Windows\tregaytmhgdzxsrycnzxkm.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\njuumibslidxtmjoqzjf.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\zryuiapcrkbrjyrs.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\njuumibslidxtmjoqzjf.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\pjsqgargxsldxojmmt.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\pjsqgargxsldxojmmt.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\tregaytmhgdzxsrycnzxkm.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\njuumibslidxtmjoqzjf.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\avfevqiyqmgzumimnve.exe | ajhuzio.exe
File opened for modification | C:\Windows\pjsqgargxsldxojmmt.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\pjsqgargxsldxojmmt.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\gzhetmcqgasjcsmon.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\czlmfcwoigcxuomsvfqnz.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\zryuiapcrkbrjyrs.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\avfevqiyqmgzumimnve.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\gzhetmcqgasjcsmon.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\czlmfcwoigcxuomsvfqnz.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\zryuiapcrkbrjyrs.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\zryuiapcrkbrjyrs.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\pjsqgargxsldxojmmt.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\zryuiapcrkbrjyrs.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\njuumibslidxtmjoqzjf.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\pjsqgargxsldxojmmt.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\avfevqiyqmgzumimnve.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\njuumibslidxtmjoqzjf.exe | ajhuzio.exe
File opened for modification | C:\Windows\zryuiapcrkbrjyrs.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\njuumibslidxtmjoqzjf.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\avfevqiyqmgzumimnve.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\czlmfcwoigcxuomsvfqnz.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\tregaytmhgdzxsrycnzxkm.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\tregaytmhgdzxsrycnzxkm.exe | ajhuzio.exe
File created | C:\Windows\hlemmqrqrwzbfglyizrvowwa.abg | ajhuzio.exe
File opened for modification | C:\Windows\czlmfcwoigcxuomsvfqnz.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\avfevqiyqmgzumimnve.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\njuumibslidxtmjoqzjf.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\zryuiapcrkbrjyrs.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\gzhetmcqgasjcsmon.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\pjsqgargxsldxojmmt.exe | ajhuzio.exe
File opened for modification | C:\Windows\czlmfcwoigcxuomsvfqnz.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\avfevqiyqmgzumimnve.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\njuumibslidxtmjoqzjf.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\zryuiapcrkbrjyrs.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\zryuiapcrkbrjyrs.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\zryuiapcrkbrjyrs.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\zryuiapcrkbrjyrs.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\zryuiapcrkbrjyrs.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\tregaytmhgdzxsrycnzxkm.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\gzhetmcqgasjcsmon.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\gzhetmcqgasjcsmon.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\njuumibslidxtmjoqzjf.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\czlmfcwoigcxuomsvfqnz.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\hlemmqrqrwzbfglyizrvowwa.abg | ajhuzio.exe
File opened for modification | C:\Windows\gzhetmcqgasjcsmon.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\pjsqgargxsldxojmmt.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\avfevqiyqmgzumimnve.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\tregaytmhgdzxsrycnzxkm.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\avfevqiyqmgzumimnve.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\njuumibslidxtmjoqzjf.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\pjsqgargxsldxojmmt.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\njuumibslidxtmjoqzjf.exe | sdqaokddcna.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | gzhetmcqgasjcsmon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | czlmfcwoigcxuomsvfqnz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | njuumibslidxtmjoqzjf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | njuumibslidxtmjoqzjf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | avfevqiyqmgzumimnve.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | czlmfcwoigcxuomsvfqnz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pjsqgargxsldxojmmt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zryuiapcrkbrjyrs.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | avfevqiyqmgzumimnve.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | njuumibslidxtmjoqzjf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | czlmfcwoigcxuomsvfqnz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | gzhetmcqgasjcsmon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pjsqgargxsldxojmmt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | njuumibslidxtmjoqzjf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zryuiapcrkbrjyrs.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | njuumibslidxtmjoqzjf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | avfevqiyqmgzumimnve.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pjsqgargxsldxojmmt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | gzhetmcqgasjcsmon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zryuiapcrkbrjyrs.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | avfevqiyqmgzumimnve.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | avfevqiyqmgzumimnve.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | avfevqiyqmgzumimnve.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | gzhetmcqgasjcsmon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | njuumibslidxtmjoqzjf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | czlmfcwoigcxuomsvfqnz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pjsqgargxsldxojmmt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zryuiapcrkbrjyrs.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | avfevqiyqmgzumimnve.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zryuiapcrkbrjyrs.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | czlmfcwoigcxuomsvfqnz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | czlmfcwoigcxuomsvfqnz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pjsqgargxsldxojmmt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | njuumibslidxtmjoqzjf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | czlmfcwoigcxuomsvfqnz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | njuumibslidxtmjoqzjf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zryuiapcrkbrjyrs.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | czlmfcwoigcxuomsvfqnz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | czlmfcwoigcxuomsvfqnz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | avfevqiyqmgzumimnve.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | gzhetmcqgasjcsmon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | czlmfcwoigcxuomsvfqnz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ajhuzio.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | njuumibslidxtmjoqzjf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zryuiapcrkbrjyrs.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | njuumibslidxtmjoqzjf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zryuiapcrkbrjyrs.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zryuiapcrkbrjyrs.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | njuumibslidxtmjoqzjf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ajhuzio.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zryuiapcrkbrjyrs.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zryuiapcrkbrjyrs.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | avfevqiyqmgzumimnve.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | gzhetmcqgasjcsmon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zryuiapcrkbrjyrs.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zryuiapcrkbrjyrs.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zryuiapcrkbrjyrs.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pjsqgargxsldxojmmt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zryuiapcrkbrjyrs.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zryuiapcrkbrjyrs.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pjsqgargxsldxojmmt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pjsqgargxsldxojmmt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | avfevqiyqmgzumimnve.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | czlmfcwoigcxuomsvfqnz.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
5796 JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe
5796 JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe
5796 JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe
5796 JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe
5796 JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe
5796 JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe
5796 JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe
5796 JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe
5796 JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe
5796 JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe
5796 JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe
5796 JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe
5796 JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe
5796 JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe
5796 JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe
5796 JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe
2932 ajhuzio.exe
2932 ajhuzio.exe
5796 JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe
5796 JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe
5796 JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe
5796 JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe
5796 JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe
5796 JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe
5796 JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe
5796 JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe
5796 JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe
5796 JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe
5796 JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe
5796 JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe
5796 JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe
5796 JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe
5796 JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe
5796 JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe
5796 JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe
5796 JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe
5796 JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe
5796 JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe
5796 JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe
5796 JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe
5796 JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe
5796 JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe
5796 JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe
5796 JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe
5796 JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe
5796 JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe
5796 JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe
5796 JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe
5796 JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe
5796 JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe
5796 JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe
5796 JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe
5796 JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe
5796 JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe
2932 ajhuzio.exe
2932 ajhuzio.exe
5796 JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe
5796 JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe
5796 JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe
5796 JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe
5796 JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe
5796 JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe
5796 JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe
5796 JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process
Token: SeDebugPrivilege 2932 ajhuzio.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 5796 wrote to memory of 5456 5796 JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe 88
PID 5796 wrote to memory of 5456 5796 JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe 88
PID 5796 wrote to memory of 5456 5796 JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe 88
PID 1544 wrote to memory of 4572 1544 cmd.exe 93
PID 1544 wrote to memory of 4572 1544 cmd.exe 93
PID 1544 wrote to memory of 4572 1544 cmd.exe 93
PID 4608 wrote to memory of 4808 4608 cmd.exe 96
PID 4608 wrote to memory of 4808 4608 cmd.exe 96
PID 4608 wrote to memory of 4808 4608 cmd.exe 96
PID 4808 wrote to memory of 5688 4808 czlmfcwoigcxuomsvfqnz.exe 97
PID 4808 wrote to memory of 5688 4808 czlmfcwoigcxuomsvfqnz.exe 97
PID 4808 wrote to memory of 5688 4808 czlmfcwoigcxuomsvfqnz.exe 97
PID 4544 wrote to memory of 5116 4544 cmd.exe 102
PID 4544 wrote to memory of 5116 4544 cmd.exe 102
PID 4544 wrote to memory of 5116 4544 cmd.exe 102
PID 832 wrote to memory of 2308 832 cmd.exe 105
PID 832 wrote to memory of 2308 832 cmd.exe 105
PID 832 wrote to memory of 2308 832 cmd.exe 105
PID 4784 wrote to memory of 4860 4784 cmd.exe 108
PID 4784 wrote to memory of 4860 4784 cmd.exe 108
PID 4784 wrote to memory of 4860 4784 cmd.exe 108
PID 2308 wrote to memory of 1308 2308 avfevqiyqmgzumimnve.exe 109
PID 2308 wrote to memory of 1308 2308 avfevqiyqmgzumimnve.exe 109
PID 2308 wrote to memory of 1308 2308 avfevqiyqmgzumimnve.exe 109
PID 4720 wrote to memory of 1100 4720 cmd.exe 110
PID 4720 wrote to memory of 1100 4720 cmd.exe 110
PID 4720 wrote to memory of 1100 4720 cmd.exe 110
PID 1100 wrote to memory of 2908 1100 gzhetmcqgasjcsmon.exe 114
PID 1100 wrote to memory of 2908 1100 gzhetmcqgasjcsmon.exe 114
PID 1100 wrote to memory of 2908 1100 gzhetmcqgasjcsmon.exe 114
PID 2560 wrote to memory of 1480 2560 cmd.exe 118
PID 2560 wrote to memory of 1480 2560 cmd.exe 118
PID 2560 wrote to memory of 1480 2560 cmd.exe 118
PID 1516 wrote to memory of 3996 1516 cmd.exe 119
PID 1516 wrote to memory of 3996 1516 cmd.exe 119
PID 1516 wrote to memory of 3996 1516 cmd.exe 119
PID 3996 wrote to memory of 2496 3996 njuumibslidxtmjoqzjf.exe 120
PID 3996 wrote to memory of 2496 3996 njuumibslidxtmjoqzjf.exe 120
PID 3996 wrote to memory of 2496 3996 njuumibslidxtmjoqzjf.exe 120
PID 5456 wrote to memory of 3956 5456 sdqaokddcna.exe 121
PID 5456 wrote to memory of 3956 5456 sdqaokddcna.exe 121
PID 5456 wrote to memory of 3956 5456 sdqaokddcna.exe 121
PID 5456 wrote to memory of 2932 5456 sdqaokddcna.exe 122
PID 5456 wrote to memory of 2932 5456 sdqaokddcna.exe 122
PID 5456 wrote to memory of 2932 5456 sdqaokddcna.exe 122
PID 3704 wrote to memory of 5920 3704 cmd.exe 206
PID 3704 wrote to memory of 5920 3704 cmd.exe 206
PID 3704 wrote to memory of 5920 3704 cmd.exe 206
PID 4108 wrote to memory of 1200 4108 cmd.exe 207
PID 4108 wrote to memory of 1200 4108 cmd.exe 207
PID 4108 wrote to memory of 1200 4108 cmd.exe 207
PID 4660 wrote to memory of 5032 4660 cmd.exe 135
PID 4660 wrote to memory of 5032 4660 cmd.exe 135
PID 4660 wrote to memory of 5032 4660 cmd.exe 135
PID 3012 wrote to memory of 3008 3012 cmd.exe 138
PID 3012 wrote to memory of 3008 3012 cmd.exe 138
PID 3012 wrote to memory of 3008 3012 cmd.exe 138
PID 3008 wrote to memory of 5640 3008 czlmfcwoigcxuomsvfqnz.exe 148
PID 3008 wrote to memory of 5640 3008 czlmfcwoigcxuomsvfqnz.exe 148
PID 3008 wrote to memory of 5640 3008 czlmfcwoigcxuomsvfqnz.exe 148
PID 5032 wrote to memory of 6080 5032 gzhetmcqgasjcsmon.exe 299
PID 5032 wrote to memory of 6080 5032 gzhetmcqgasjcsmon.exe 299
PID 5032 wrote to memory of 6080 5032 gzhetmcqgasjcsmon.exe 299
PID 2984 wrote to memory of 4320 2984 cmd.exe 153
System policy modification 1 TTPs 64 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sdqaokddcna.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System ajhuzio.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System ajhuzio.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" ajhuzio.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System sdqaokddcna.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sdqaokddcna.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System sdqaokddcna.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" sdqaokddcna.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" ajhuzio.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sdqaokddcna.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sdqaokddcna.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System sdqaokddcna.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sdqaokddcna.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sdqaokddcna.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" sdqaokddcna.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer sdqaokddcna.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" ajhuzio.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" ajhuzio.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sdqaokddcna.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System sdqaokddcna.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sdqaokddcna.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" sdqaokddcna.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" ajhuzio.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System sdqaokddcna.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System sdqaokddcna.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System sdqaokddcna.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System sdqaokddcna.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" ajhuzio.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" ajhuzio.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sdqaokddcna.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sdqaokddcna.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System sdqaokddcna.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System sdqaokddcna.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sdqaokddcna.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sdqaokddcna.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System sdqaokddcna.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" ajhuzio.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" ajhuzio.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer ajhuzio.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System sdqaokddcna.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sdqaokddcna.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" ajhuzio.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" ajhuzio.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sdqaokddcna.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System sdqaokddcna.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" sdqaokddcna.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System sdqaokddcna.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" ajhuzio.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sdqaokddcna.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sdqaokddcna.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sdqaokddcna.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System sdqaokddcna.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System sdqaokddcna.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System sdqaokddcna.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" sdqaokddcna.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sdqaokddcna.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" ajhuzio.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System sdqaokddcna.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ajhuzio.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System sdqaokddcna.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" sdqaokddcna.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sdqaokddcna.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System sdqaokddcna.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ajhuzio.exe
Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 5796
    C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe*"
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Hijack Execution Flow: Executable Installer File Permissions Weakness
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      - System policy modification
      PID: 5456
        C:\Users\Admin\AppData\Local\Temp\ajhuzio.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\ajhuzio.exe" "-C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe"
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Disables RegEdit via registry modification
          - Executes dropped EXE
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Hijack Execution Flow: Executable Installer File Permissions Weakness
          - Drops file in System32 directory
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - System policy modification
          PID: 3956
        C:\Users\Admin\AppData\Local\Temp\ajhuzio.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\ajhuzio.exe" "-C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe"
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Disables RegEdit via registry modification
          - Executes dropped EXE
          - Impair Defenses: Safe Mode Boot
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Hijack Execution Flow: Executable Installer File Permissions Weakness
          - Drops autorun.inf file
          - Drops file in System32 directory
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - System policy modification
          PID: 2932
C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c gzhetmcqgasjcsmon.exe
  - Suspicious use of WriteProcessMemory
  PID: 1544
    C:\Windows\gzhetmcqgasjcsmon.exe
      Command line: gzhetmcqgasjcsmon.exe
      - Executes dropped EXE
      PID: 4572

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c czlmfcwoigcxuomsvfqnz.exe .
  - Suspicious use of WriteProcessMemory
  PID: 4608
    C:\Windows\czlmfcwoigcxuomsvfqnz.exe
      Command line: czlmfcwoigcxuomsvfqnz.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 4808
        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\czlmfcwoigcxuomsvfqnz.exe*."
          - Executes dropped EXE
          PID: 5688

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c gzhetmcqgasjcsmon.exe
  - Suspicious use of WriteProcessMemory
  PID: 4544
    C:\Windows\gzhetmcqgasjcsmon.exe
      Command line: gzhetmcqgasjcsmon.exe
      - Executes dropped EXE
      PID: 5116

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c avfevqiyqmgzumimnve.exe .
  - Suspicious use of WriteProcessMemory
  PID: 832
    C:\Windows\avfevqiyqmgzumimnve.exe
      Command line: avfevqiyqmgzumimnve.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2308
        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\avfevqiyqmgzumimnve.exe*."
          - Executes dropped EXE
          PID: 1308

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czlmfcwoigcxuomsvfqnz.exe
  - Suspicious use of WriteProcessMemory
  PID: 4784
    C:\Users\Admin\AppData\Local\Temp\czlmfcwoigcxuomsvfqnz.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\czlmfcwoigcxuomsvfqnz.exe
      - Executes dropped EXE
      PID: 4860

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe .
  - Suspicious use of WriteProcessMemory
  PID: 4720
    C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe .
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 1100
        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\gzhetmcqgasjcsmon.exe*."
          - Executes dropped EXE
          PID: 2908

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe
  - Suspicious use of WriteProcessMemory
  PID: 2560
    C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 1480

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe .
  - Suspicious use of WriteProcessMemory
  PID: 1516
    C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 3996
        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\njuumibslidxtmjoqzjf.exe*."
          - Executes dropped EXE
          PID: 2496

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c zryuiapcrkbrjyrs.exe
  - Suspicious use of WriteProcessMemory
  PID: 4108
    C:\Windows\zryuiapcrkbrjyrs.exe
      Command line: zryuiapcrkbrjyrs.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 1200

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c czlmfcwoigcxuomsvfqnz.exe
  - Suspicious use of WriteProcessMemory
  PID: 3704
    C:\Windows\czlmfcwoigcxuomsvfqnz.exe
      Command line: czlmfcwoigcxuomsvfqnz.exe
      - Executes dropped EXE
      PID: 5920

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c czlmfcwoigcxuomsvfqnz.exe .
  - Suspicious use of WriteProcessMemory
  PID: 3012
    C:\Windows\czlmfcwoigcxuomsvfqnz.exe
      Command line: czlmfcwoigcxuomsvfqnz.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 3008
        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\czlmfcwoigcxuomsvfqnz.exe*."
          - Executes dropped EXE
          PID: 5640

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c gzhetmcqgasjcsmon.exe .
  - Suspicious use of WriteProcessMemory
  PID: 4660
    C:\Windows\gzhetmcqgasjcsmon.exe
      Command line: gzhetmcqgasjcsmon.exe .
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 5032
        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\gzhetmcqgasjcsmon.exe*."
          - Executes dropped EXE
          PID: 6080

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c zryuiapcrkbrjyrs.exe
  - Suspicious use of WriteProcessMemory
  PID: 2984
    C:\Windows\zryuiapcrkbrjyrs.exe
      Command line: zryuiapcrkbrjyrs.exe
      - Executes dropped EXE
      PID: 4320
C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c gzhetmcqgasjcsmon.exe
  PID: 2636
    C:\Windows\gzhetmcqgasjcsmon.exe
      Command line: gzhetmcqgasjcsmon.exe
      - Executes dropped EXE
      PID: 5140

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c pjsqgargxsldxojmmt.exe .
  PID: 5520
    C:\Windows\pjsqgargxsldxojmmt.exe
      Command line: pjsqgargxsldxojmmt.exe .
      - Checks computer location settings
      - Executes dropped EXE
      PID: 5768
        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\pjsqgargxsldxojmmt.exe*."
          - Executes dropped EXE
          PID: 4864

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c njuumibslidxtmjoqzjf.exe .
  PID: 5516
    C:\Windows\njuumibslidxtmjoqzjf.exe
      Command line: njuumibslidxtmjoqzjf.exe .
      - Executes dropped EXE
      PID: 1536
        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\njuumibslidxtmjoqzjf.exe*."
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Executes dropped EXE
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in System32 directory
          - Drops file in Windows directory
          - System policy modification
          PID: 4608

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe
  PID: 5632
    C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 5936

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe
  PID: 2132
    C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe
      - Executes dropped EXE
      PID: 5888

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czlmfcwoigcxuomsvfqnz.exe .
  PID: 1376
    C:\Users\Admin\AppData\Local\Temp\czlmfcwoigcxuomsvfqnz.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\czlmfcwoigcxuomsvfqnz.exe .
      - Checks computer location settings
      - Executes dropped EXE
      PID: 5492
        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\czlmfcwoigcxuomsvfqnz.exe*."
          - Executes dropped EXE
          PID: 2180

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe .
  PID: 4364
    C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 4560
        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\zryuiapcrkbrjyrs.exe*."
          - Executes dropped EXE
          PID: 2972

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe
  PID: 3488
    C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 4776

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe
  PID: 4668
    C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe
      - Executes dropped EXE
      PID: 2420

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe .
  PID: 2748
    C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 1932
        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\avfevqiyqmgzumimnve.exe*."
          - Executes dropped EXE
          PID: 2992

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe .
  PID: 4536
    C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe .
      - Executes dropped EXE
      PID: 884
        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\avfevqiyqmgzumimnve.exe*."
          - Executes dropped EXE
          PID: 1688
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c avfevqiyqmgzumimnve.exe1⤵PID:2980
-
C:\Windows\avfevqiyqmgzumimnve.exeavfevqiyqmgzumimnve.exe2⤵
- Executes dropped EXE
PID:1220
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c czlmfcwoigcxuomsvfqnz.exe .1⤵PID:5196
-
C:\Windows\czlmfcwoigcxuomsvfqnz.execzlmfcwoigcxuomsvfqnz.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4392 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\czlmfcwoigcxuomsvfqnz.exe*."3⤵
- Executes dropped EXE
PID:3580
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pjsqgargxsldxojmmt.exe1⤵PID:6128
-
C:\Windows\pjsqgargxsldxojmmt.exepjsqgargxsldxojmmt.exe2⤵
- Executes dropped EXE
PID:4336
-
-
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c czlmfcwoigcxuomsvfqnz.exe . | PID:1956
    [2] C:\Windows\czlmfcwoigcxuomsvfqnz.exe | czlmfcwoigcxuomsvfqnz.exe . | PID:5804
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\czlmfcwoigcxuomsvfqnz.exe*." | PID:4032
            - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe | PID:944
    [2] C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe | C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe | PID:3392
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czlmfcwoigcxuomsvfqnz.exe . | PID:5964
    [2] C:\Users\Admin\AppData\Local\Temp\czlmfcwoigcxuomsvfqnz.exe | C:\Users\Admin\AppData\Local\Temp\czlmfcwoigcxuomsvfqnz.exe . | PID:2856
        - Checks computer location settings
        - Executes dropped EXE
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\czlmfcwoigcxuomsvfqnz.exe*." | PID:5024
            - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe | PID:5584
    [2] C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe | C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe | PID:5920
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe . | PID:5752
    [2] C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe | C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe . | PID:5816
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\avfevqiyqmgzumimnve.exe*." | PID:4372
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Executes dropped EXE
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification

[1] C:\Windows\System32\mousocoreworker.exe | C:\Windows\System32\mousocoreworker.exe -Embedding | PID:1200

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c pjsqgargxsldxojmmt.exe | PID:5128
    [2] C:\Windows\pjsqgargxsldxojmmt.exe | pjsqgargxsldxojmmt.exe | PID:2320
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zryuiapcrkbrjyrs.exe . | PID:5000
    [2] C:\Windows\zryuiapcrkbrjyrs.exe | zryuiapcrkbrjyrs.exe . | PID:2832
        - Checks computer location settings
        - Executes dropped EXE
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\zryuiapcrkbrjyrs.exe*." | PID:4360
            - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c avfevqiyqmgzumimnve.exe | PID:4848
    [2] C:\Windows\avfevqiyqmgzumimnve.exe | avfevqiyqmgzumimnve.exe | PID:2680
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c avfevqiyqmgzumimnve.exe | PID:1596
    [2] C:\Windows\avfevqiyqmgzumimnve.exe | avfevqiyqmgzumimnve.exe | PID:3692
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c gzhetmcqgasjcsmon.exe . | PID:2984
    [2] C:\Windows\gzhetmcqgasjcsmon.exe | gzhetmcqgasjcsmon.exe . | PID:4512
        - Checks computer location settings
        - Executes dropped EXE
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\gzhetmcqgasjcsmon.exe*." | PID:1848
            - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c gzhetmcqgasjcsmon.exe | PID:4048
    [2] C:\Windows\gzhetmcqgasjcsmon.exe | gzhetmcqgasjcsmon.exe | PID:4768
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zryuiapcrkbrjyrs.exe . | PID:3796
    [2] C:\Windows\zryuiapcrkbrjyrs.exe | zryuiapcrkbrjyrs.exe . | PID:5520
        - Checks computer location settings
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\zryuiapcrkbrjyrs.exe*." | PID:4176
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c pjsqgargxsldxojmmt.exe . | PID:3892
    [2] C:\Windows\pjsqgargxsldxojmmt.exe | pjsqgargxsldxojmmt.exe . | PID:2964
        - Checks computer location settings
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\pjsqgargxsldxojmmt.exe*." | PID:4780
            - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c pjsqgargxsldxojmmt.exe | PID:4508
    [2] C:\Windows\pjsqgargxsldxojmmt.exe | pjsqgargxsldxojmmt.exe | PID:4676
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe | PID:4532
    [2] C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe | C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe | PID:2724
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zryuiapcrkbrjyrs.exe | PID:840
    [2] C:\Windows\zryuiapcrkbrjyrs.exe | zryuiapcrkbrjyrs.exe | PID:1676

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c pjsqgargxsldxojmmt.exe . | PID:5248
    [2] C:\Windows\pjsqgargxsldxojmmt.exe | pjsqgargxsldxojmmt.exe . | PID:884
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\pjsqgargxsldxojmmt.exe*." | PID:184

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe . | PID:4856
    [2] C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe | C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe . | PID:2344
        - Checks computer location settings
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\njuumibslidxtmjoqzjf.exe*." | PID:1440

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c czlmfcwoigcxuomsvfqnz.exe . | PID:4708
    [2] C:\Windows\czlmfcwoigcxuomsvfqnz.exe | czlmfcwoigcxuomsvfqnz.exe . | PID:6048
        - Checks computer location settings
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\czlmfcwoigcxuomsvfqnz.exe*." | PID:5280

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czlmfcwoigcxuomsvfqnz.exe | PID:3960
    [2] C:\Users\Admin\AppData\Local\Temp\czlmfcwoigcxuomsvfqnz.exe | C:\Users\Admin\AppData\Local\Temp\czlmfcwoigcxuomsvfqnz.exe | PID:3044

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe | PID:2436
    [2] C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe | C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe | PID:2976

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe . | PID:4796
    [2] C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe | C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe . | PID:3096
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\gzhetmcqgasjcsmon.exe*." | PID:4808

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe . | PID:1692
    [2] C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe | C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe . | PID:4936
        - Checks computer location settings
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\pjsqgargxsldxojmmt.exe*." | PID:6088

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe | PID:2632
    [2] C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe | C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe | PID:3168

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe . | PID:4724
    [2] C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe | C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe . | PID:2516
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\njuumibslidxtmjoqzjf.exe*." | PID:4760

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe | PID:5852
    [2] C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe | C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe | PID:5564

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czlmfcwoigcxuomsvfqnz.exe | PID:4648
    [2] C:\Users\Admin\AppData\Local\Temp\czlmfcwoigcxuomsvfqnz.exe | C:\Users\Admin\AppData\Local\Temp\czlmfcwoigcxuomsvfqnz.exe | PID:5616

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czlmfcwoigcxuomsvfqnz.exe . | PID:3996
    [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:3580
    [2] C:\Users\Admin\AppData\Local\Temp\czlmfcwoigcxuomsvfqnz.exe | C:\Users\Admin\AppData\Local\Temp\czlmfcwoigcxuomsvfqnz.exe . | PID:3132
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\czlmfcwoigcxuomsvfqnz.exe*." | PID:5376

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe . | PID:4400
    [2] C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe | C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe . | PID:2728
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\avfevqiyqmgzumimnve.exe*." | PID:6076

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zryuiapcrkbrjyrs.exe | PID:2168
    [2] C:\Windows\zryuiapcrkbrjyrs.exe | zryuiapcrkbrjyrs.exe | PID:3628

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c pjsqgargxsldxojmmt.exe . | PID:3024
    [2] C:\Windows\pjsqgargxsldxojmmt.exe | pjsqgargxsldxojmmt.exe . | PID:6080
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\pjsqgargxsldxojmmt.exe*." | PID:5140

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c czlmfcwoigcxuomsvfqnz.exe | PID:2172
    [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:3692
    [2] C:\Windows\czlmfcwoigcxuomsvfqnz.exe | czlmfcwoigcxuomsvfqnz.exe | PID:3868

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c czlmfcwoigcxuomsvfqnz.exe . | PID:2636
    [2] C:\Windows\czlmfcwoigcxuomsvfqnz.exe | czlmfcwoigcxuomsvfqnz.exe . | PID:4236
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\czlmfcwoigcxuomsvfqnz.exe*." | PID:1424

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe | PID:4952
    [2] C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe | C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe | PID:4828

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe . | PID:4860
    [2] C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe | C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe . | PID:2988
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\zryuiapcrkbrjyrs.exe*." | PID:4064

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe | PID:3068
    [2] C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe | C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe | PID:4456

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czlmfcwoigcxuomsvfqnz.exe . | PID:2992
    [2] C:\Users\Admin\AppData\Local\Temp\czlmfcwoigcxuomsvfqnz.exe | C:\Users\Admin\AppData\Local\Temp\czlmfcwoigcxuomsvfqnz.exe . | PID:3424
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\czlmfcwoigcxuomsvfqnz.exe*." | PID:4752
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c czlmfcwoigcxuomsvfqnz.exe | PID:376
    [2] C:\Windows\czlmfcwoigcxuomsvfqnz.exe | czlmfcwoigcxuomsvfqnz.exe | PID:1604

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c gzhetmcqgasjcsmon.exe . | PID:4240
    [2] C:\Windows\gzhetmcqgasjcsmon.exe | gzhetmcqgasjcsmon.exe . | PID:4556
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\gzhetmcqgasjcsmon.exe*." | PID:3796

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c gzhetmcqgasjcsmon.exe | PID:2664
    [2] C:\Windows\gzhetmcqgasjcsmon.exe | gzhetmcqgasjcsmon.exe | PID:3592

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c njuumibslidxtmjoqzjf.exe . | PID:4548
    [2] C:\Windows\njuumibslidxtmjoqzjf.exe | njuumibslidxtmjoqzjf.exe . | PID:976
        - Checks computer location settings
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\njuumibslidxtmjoqzjf.exe*." | PID:5012

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe | PID:5028
    [2] C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe | C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe | PID:1488

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe . | PID:5708
    [2] C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe | C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe . | PID:1956
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\zryuiapcrkbrjyrs.exe*." | PID:4004

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe | PID:4668
    [2] C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe | C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe | PID:4424

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe . | PID:4840
    [2] C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe | C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe . | PID:5564
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\avfevqiyqmgzumimnve.exe*." | PID:2900
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c avfevqiyqmgzumimnve.exe | PID:4488
    [2] C:\Windows\avfevqiyqmgzumimnve.exe | avfevqiyqmgzumimnve.exe | PID:3096

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zryuiapcrkbrjyrs.exe . | PID:688
    [2] C:\Windows\zryuiapcrkbrjyrs.exe | zryuiapcrkbrjyrs.exe . | PID:5944
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\zryuiapcrkbrjyrs.exe*." | PID:1516

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c avfevqiyqmgzumimnve.exe | PID:4324
    [2] C:\Windows\avfevqiyqmgzumimnve.exe | avfevqiyqmgzumimnve.exe | PID:1692

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zryuiapcrkbrjyrs.exe . | PID:3004
    [2] C:\Windows\zryuiapcrkbrjyrs.exe | zryuiapcrkbrjyrs.exe . | PID:5736
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\zryuiapcrkbrjyrs.exe*." | PID:724

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe | PID:2968
    [2] C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe | C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe | PID:6004

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czlmfcwoigcxuomsvfqnz.exe . | PID:4724
    [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:4776
    [2] C:\Users\Admin\AppData\Local\Temp\czlmfcwoigcxuomsvfqnz.exe | C:\Users\Admin\AppData\Local\Temp\czlmfcwoigcxuomsvfqnz.exe . | PID:3056
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\czlmfcwoigcxuomsvfqnz.exe*." | PID:2376

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe | PID:6076
    [2] C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe | C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe | PID:5916

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe . | PID:5920
    [2] C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe | C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe . | PID:5532
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\zryuiapcrkbrjyrs.exe*." | PID:3092
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zryuiapcrkbrjyrs.exe | PID:4504
    [2] C:\Windows\zryuiapcrkbrjyrs.exe | zryuiapcrkbrjyrs.exe | PID:3724

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c pjsqgargxsldxojmmt.exe . | PID:4660
    [2] C:\Windows\pjsqgargxsldxojmmt.exe | pjsqgargxsldxojmmt.exe . | PID:5536
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\pjsqgargxsldxojmmt.exe*." | PID:2180

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c avfevqiyqmgzumimnve.exe | PID:4828
    [2] C:\Windows\avfevqiyqmgzumimnve.exe | avfevqiyqmgzumimnve.exe | PID:3920

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c avfevqiyqmgzumimnve.exe . | PID:5800
    [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:1848
    [2] C:\Windows\avfevqiyqmgzumimnve.exe | avfevqiyqmgzumimnve.exe . | PID:2232
        - Checks computer location settings
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\avfevqiyqmgzumimnve.exe*." | PID:5088

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe | PID:1580
    [2] C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe | C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe | PID:4860

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czlmfcwoigcxuomsvfqnz.exe . | PID:1000
    [2] C:\Users\Admin\AppData\Local\Temp\czlmfcwoigcxuomsvfqnz.exe | C:\Users\Admin\AppData\Local\Temp\czlmfcwoigcxuomsvfqnz.exe . | PID:2984
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\czlmfcwoigcxuomsvfqnz.exe*." | PID:2724

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe | PID:628
    [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:3424
    [2] C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe | C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe | PID:5672

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe . | PID:4704
    [2] C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe | C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe . | PID:1844
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\njuumibslidxtmjoqzjf.exe*." | PID:5428
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c avfevqiyqmgzumimnve.exe | PID:5176
    [2] C:\Windows\avfevqiyqmgzumimnve.exe | avfevqiyqmgzumimnve.exe | PID:4864

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c avfevqiyqmgzumimnve.exe . | PID:2440
    [2] C:\Windows\avfevqiyqmgzumimnve.exe | avfevqiyqmgzumimnve.exe . | PID:2716
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\avfevqiyqmgzumimnve.exe*." | PID:5332

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c avfevqiyqmgzumimnve.exe | PID:968
    [2] C:\Windows\avfevqiyqmgzumimnve.exe | avfevqiyqmgzumimnve.exe | PID:1524

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zryuiapcrkbrjyrs.exe . | PID:5012
    [2] C:\Windows\zryuiapcrkbrjyrs.exe | zryuiapcrkbrjyrs.exe . | PID:2436
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\zryuiapcrkbrjyrs.exe*." | PID:5960

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe | PID:5668
    [2] C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe | C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe | PID:4368

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe . | PID:2908
    [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:3168
    [2] C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe | C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe . | PID:2292
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\zryuiapcrkbrjyrs.exe*." | PID:6016

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe | PID:5256
    [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:5564
    [2] C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe | C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe | PID:4692

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe . | PID:2856
    [2] C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe | C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe . | PID:4672
        - Checks computer location settings
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\zryuiapcrkbrjyrs.exe*." | PID:4784
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c avfevqiyqmgzumimnve.exe | PID:4800
    [2] C:\Windows\avfevqiyqmgzumimnve.exe | avfevqiyqmgzumimnve.exe | PID:384

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c avfevqiyqmgzumimnve.exe . | PID:4484
    [2] C:\Windows\avfevqiyqmgzumimnve.exe | avfevqiyqmgzumimnve.exe . | PID:3552
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\avfevqiyqmgzumimnve.exe*." | PID:2968

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c njuumibslidxtmjoqzjf.exe | PID:5852
    [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:3132
    [2] C:\Windows\njuumibslidxtmjoqzjf.exe | njuumibslidxtmjoqzjf.exe | PID:3260

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zryuiapcrkbrjyrs.exe . | PID:4796
    [2] C:\Windows\zryuiapcrkbrjyrs.exe | zryuiapcrkbrjyrs.exe . | PID:5312
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\zryuiapcrkbrjyrs.exe*." | PID:5916

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe | PID:696
    [2] C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe | C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe | PID:2376

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe . | PID:1436
    [2] C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe | C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe . | PID:1840
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\zryuiapcrkbrjyrs.exe*." | PID:3968

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe | PID:5896
    [2] C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe | C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe | PID:2128

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe . | PID:5100
    [2] C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe | C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe . | PID:5900
        - Checks computer location settings
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\zryuiapcrkbrjyrs.exe*." | PID:1164
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c pjsqgargxsldxojmmt.exe | PID:2172
    [2] C:\Windows\pjsqgargxsldxojmmt.exe | pjsqgargxsldxojmmt.exe | PID:4852

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c njuumibslidxtmjoqzjf.exe | PID:4588
    [2] C:\Windows\njuumibslidxtmjoqzjf.exe | njuumibslidxtmjoqzjf.exe | PID:4628

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c pjsqgargxsldxojmmt.exe . | PID:5408
    [2] C:\Windows\pjsqgargxsldxojmmt.exe | pjsqgargxsldxojmmt.exe . | PID:4456
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\pjsqgargxsldxojmmt.exe*." | PID:1904

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zryuiapcrkbrjyrs.exe . | PID:4560
    [2] C:\Windows\zryuiapcrkbrjyrs.exe | zryuiapcrkbrjyrs.exe . | PID:2556
        - Checks computer location settings
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\zryuiapcrkbrjyrs.exe*." | PID:6128

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c gzhetmcqgasjcsmon.exe | PID:2988
    [2] C:\Windows\gzhetmcqgasjcsmon.exe | gzhetmcqgasjcsmon.exe | PID:3796

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c njuumibslidxtmjoqzjf.exe | PID:1424
    [2] C:\Windows\njuumibslidxtmjoqzjf.exe | njuumibslidxtmjoqzjf.exe | PID:4532

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c pjsqgargxsldxojmmt.exe | PID:2984
    [2] C:\Windows\pjsqgargxsldxojmmt.exe | pjsqgargxsldxojmmt.exe | PID:808

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c njuumibslidxtmjoqzjf.exe . | PID:5516
    [2] C:\Windows\njuumibslidxtmjoqzjf.exe | njuumibslidxtmjoqzjf.exe . | PID:4028
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\njuumibslidxtmjoqzjf.exe*." | PID:4804

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zryuiapcrkbrjyrs.exe . | PID:4716
    [2] C:\Windows\zryuiapcrkbrjyrs.exe | zryuiapcrkbrjyrs.exe . | PID:5892
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\zryuiapcrkbrjyrs.exe*." | PID:5816

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe | PID:4868
    [2] C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe | C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe | PID:4624

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c avfevqiyqmgzumimnve.exe . | PID:3944
    [2] C:\Windows\avfevqiyqmgzumimnve.exe | avfevqiyqmgzumimnve.exe . | PID:5340
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\avfevqiyqmgzumimnve.exe*." | PID:6004

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe | PID:5652
    [2] C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe | C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe | PID:4256

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe . | PID:4336
    [2] C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe | C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe . | PID:2124
        - Checks computer location settings
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\gzhetmcqgasjcsmon.exe*." | PID:3728

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe . | PID:6048
    [2] C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe | C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe . | PID:5944
        - Checks computer location settings
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\njuumibslidxtmjoqzjf.exe*." | PID:3580
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c gzhetmcqgasjcsmon.exe | PID:5288
    [2] C:\Windows\gzhetmcqgasjcsmon.exe | gzhetmcqgasjcsmon.exe | PID:688

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c pjsqgargxsldxojmmt.exe . | PID:5028
    [2] C:\Windows\pjsqgargxsldxojmmt.exe | pjsqgargxsldxojmmt.exe . | PID:4300
        - Checks computer location settings
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\pjsqgargxsldxojmmt.exe*." | PID:3748

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe | PID:3708
    [2] C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe | C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe | PID:1372

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe | PID:4424
    [2] C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe | C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe | PID:5916

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe | PID:1992
    [2] C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe | C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe | PID:4316

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe . | PID:1376
    [2] C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe | C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe . | PID:1672
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\avfevqiyqmgzumimnve.exe*." | PID:4708

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czlmfcwoigcxuomsvfqnz.exe . | PID:4668
    [2] C:\Users\Admin\AppData\Local\Temp\czlmfcwoigcxuomsvfqnz.exe | C:\Users\Admin\AppData\Local\Temp\czlmfcwoigcxuomsvfqnz.exe . | PID:4724
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\czlmfcwoigcxuomsvfqnz.exe*." | PID:2320

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe . | PID:936
    [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:3096
    [2] C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe | C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe . | PID:5292
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\gzhetmcqgasjcsmon.exe*." | PID:5888

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe | PID:5528
    [2] C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe | C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe | PID:2508
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe .1⤵PID:5624
-
C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exeC:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe .2⤵
- Checks computer location settings
PID:4932 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\pjsqgargxsldxojmmt.exe*."3⤵PID:5100
-
-
-
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c njuumibslidxtmjoqzjf.exe | PID 448
    [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 4852
    [2] C:\Windows\njuumibslidxtmjoqzjf.exe | njuumibslidxtmjoqzjf.exe | PID 4700
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c avfevqiyqmgzumimnve.exe . | PID 4860
    [2] C:\Windows\avfevqiyqmgzumimnve.exe | avfevqiyqmgzumimnve.exe . | PID 3868
        - Checks computer location settings
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\avfevqiyqmgzumimnve.exe*." | PID 4580
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c pjsqgargxsldxojmmt.exe | PID 2596
    [2] C:\Windows\pjsqgargxsldxojmmt.exe | pjsqgargxsldxojmmt.exe | PID 3044
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c avfevqiyqmgzumimnve.exe . | PID 5508
    [2] C:\Windows\avfevqiyqmgzumimnve.exe | avfevqiyqmgzumimnve.exe . | PID 3592
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\avfevqiyqmgzumimnve.exe*." | PID 808
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe | PID 3348
    [2] C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe | C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe | PID 3284
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe . | PID 4064
    [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 3920
    [2] C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe | C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe . | PID 2936
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\gzhetmcqgasjcsmon.exe*." | PID 1424
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe | PID 4004
    [2] C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe | C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe | PID 5240
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe . | PID 4640
    [2] C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe | C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe . | PID 2636
        - Checks computer location settings
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\njuumibslidxtmjoqzjf.exe*." | PID 4536
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c czlmfcwoigcxuomsvfqnz.exe | PID 876
    [2] C:\Windows\czlmfcwoigcxuomsvfqnz.exe | czlmfcwoigcxuomsvfqnz.exe | PID 2312
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c czlmfcwoigcxuomsvfqnz.exe . | PID 4508
    [2] C:\Windows\czlmfcwoigcxuomsvfqnz.exe | czlmfcwoigcxuomsvfqnz.exe . | PID 3488
        - Checks computer location settings
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\czlmfcwoigcxuomsvfqnz.exe*." | PID 4240
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c avfevqiyqmgzumimnve.exe | PID 1692
    [2] C:\Windows\avfevqiyqmgzumimnve.exe | avfevqiyqmgzumimnve.exe | PID 1956
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c gzhetmcqgasjcsmon.exe . | PID 3560
    [2] C:\Windows\gzhetmcqgasjcsmon.exe | gzhetmcqgasjcsmon.exe . | PID 3400
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\gzhetmcqgasjcsmon.exe*." | PID 5044
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe | PID 1552
    [2] C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe | C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe | PID 2664
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czlmfcwoigcxuomsvfqnz.exe . | PID 528
    [2] C:\Users\Admin\AppData\Local\Temp\czlmfcwoigcxuomsvfqnz.exe | C:\Users\Admin\AppData\Local\Temp\czlmfcwoigcxuomsvfqnz.exe . | PID 2980
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\czlmfcwoigcxuomsvfqnz.exe*." | PID 3996
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe | PID 5492
    [2] C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe | C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe | PID 3720
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czlmfcwoigcxuomsvfqnz.exe . | PID 4844
    [2] C:\Users\Admin\AppData\Local\Temp\czlmfcwoigcxuomsvfqnz.exe | C:\Users\Admin\AppData\Local\Temp\czlmfcwoigcxuomsvfqnz.exe . | PID 5112
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\czlmfcwoigcxuomsvfqnz.exe*." | PID 5840
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c avfevqiyqmgzumimnve.exe | PID 3256
    [2] C:\Windows\avfevqiyqmgzumimnve.exe | avfevqiyqmgzumimnve.exe | PID 4668
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c njuumibslidxtmjoqzjf.exe . | PID 5024
    [2] C:\Windows\njuumibslidxtmjoqzjf.exe | njuumibslidxtmjoqzjf.exe . | PID 3248
        - Checks computer location settings
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\njuumibslidxtmjoqzjf.exe*." | PID 5900
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c gzhetmcqgasjcsmon.exe | PID 5532
    [2] C:\Windows\gzhetmcqgasjcsmon.exe | gzhetmcqgasjcsmon.exe | PID 4224
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c njuumibslidxtmjoqzjf.exe . | PID 1220
    [2] C:\Windows\njuumibslidxtmjoqzjf.exe | njuumibslidxtmjoqzjf.exe . | PID 2428
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\njuumibslidxtmjoqzjf.exe*." | PID 2704
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe | PID 5920
    [2] C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe | C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe | PID 760
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe . | PID 4048
    [2] C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe | C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe . | PID 2648
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\gzhetmcqgasjcsmon.exe*." | PID 4768
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe | PID 4504
    [2] C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe | C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe | PID 1100
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe . | PID 5372
    [2] C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe | C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe . | PID 4320
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\pjsqgargxsldxojmmt.exe*." | PID 2716
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c pjsqgargxsldxojmmt.exe | PID 4500
    [2] C:\Windows\pjsqgargxsldxojmmt.exe | pjsqgargxsldxojmmt.exe | PID 5784
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c czlmfcwoigcxuomsvfqnz.exe . | PID 4916
    [2] C:\Windows\czlmfcwoigcxuomsvfqnz.exe | czlmfcwoigcxuomsvfqnz.exe . | PID 5668
        - Checks computer location settings
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\czlmfcwoigcxuomsvfqnz.exe*." | PID 384
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c czlmfcwoigcxuomsvfqnz.exe | PID 3544
    [2] C:\Windows\czlmfcwoigcxuomsvfqnz.exe | czlmfcwoigcxuomsvfqnz.exe | PID 5256
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zryuiapcrkbrjyrs.exe . | PID 4436
    [2] C:\Windows\zryuiapcrkbrjyrs.exe | zryuiapcrkbrjyrs.exe . | PID 1536
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\zryuiapcrkbrjyrs.exe*." | PID 5604
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe | PID 2232
    [2] C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe | C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe | PID 2436
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe . | PID 5816
    [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 4864
    [2] C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe | C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe . | PID 876
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\njuumibslidxtmjoqzjf.exe*." | PID 5928
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe | PID 3488
    [2] C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe | C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe | PID 5068
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe . | PID 3260
    [2] C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe | C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe . | PID 2432
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\avfevqiyqmgzumimnve.exe*." | PID 884
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zryuiapcrkbrjyrs.exe | PID 2504
    [2] C:\Windows\zryuiapcrkbrjyrs.exe | zryuiapcrkbrjyrs.exe | PID 5060
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c gzhetmcqgasjcsmon.exe . | PID 4584
    [2] C:\Windows\gzhetmcqgasjcsmon.exe | gzhetmcqgasjcsmon.exe . | PID 3312
        - Checks computer location settings
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\gzhetmcqgasjcsmon.exe*." | PID 2592
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c njuumibslidxtmjoqzjf.exe | PID 3132
    [2] C:\Windows\njuumibslidxtmjoqzjf.exe | njuumibslidxtmjoqzjf.exe | PID 5052
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c gzhetmcqgasjcsmon.exe . | PID 4596
    [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 5312
    [2] C:\Windows\gzhetmcqgasjcsmon.exe | gzhetmcqgasjcsmon.exe . | PID 2188
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\gzhetmcqgasjcsmon.exe*." | PID 2680
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe | PID 4520
    [2] C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe | C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe | PID 4536
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe . | PID 5280
    [2] C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe | C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe . | PID 1440
        - Checks computer location settings
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\avfevqiyqmgzumimnve.exe*." | PID 1776
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe | PID 4708
    [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 2292
    [2] C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe | C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe | PID 4944
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe . | PID 6124
    [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 5564
    [2] C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe | C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe . | PID 4800
        - Checks computer location settings
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\njuumibslidxtmjoqzjf.exe*." | PID 5548
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c avfevqiyqmgzumimnve.exe | PID 3616
    [2] C:\Windows\avfevqiyqmgzumimnve.exe | avfevqiyqmgzumimnve.exe | PID 5484
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c njuumibslidxtmjoqzjf.exe . | PID 2676
    [2] C:\Windows\njuumibslidxtmjoqzjf.exe | njuumibslidxtmjoqzjf.exe . | PID 5872
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\njuumibslidxtmjoqzjf.exe*." | PID 2744
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c pjsqgargxsldxojmmt.exe | PID 1220
    [2] C:\Windows\pjsqgargxsldxojmmt.exe | pjsqgargxsldxojmmt.exe | PID 5104
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c njuumibslidxtmjoqzjf.exe . | PID 4816
    [2] C:\Windows\njuumibslidxtmjoqzjf.exe | njuumibslidxtmjoqzjf.exe . | PID 5800
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\njuumibslidxtmjoqzjf.exe*." | PID 5372
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe | PID 4628
    [2] C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe | C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe | PID 3724
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czlmfcwoigcxuomsvfqnz.exe . | PID 2100
    [2] C:\Users\Admin\AppData\Local\Temp\czlmfcwoigcxuomsvfqnz.exe | C:\Users\Admin\AppData\Local\Temp\czlmfcwoigcxuomsvfqnz.exe . | PID 5692
        - Checks computer location settings
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\czlmfcwoigcxuomsvfqnz.exe*." | PID 2132
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe | PID 808
    [2] C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe | C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe | PID 2724
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe . | PID 4676
    [2] C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe | C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe . | PID 1676
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\njuumibslidxtmjoqzjf.exe*." | PID 4712
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c avfevqiyqmgzumimnve.exe | PID 3892
    [2] C:\Windows\avfevqiyqmgzumimnve.exe | avfevqiyqmgzumimnve.exe | PID 2636
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zryuiapcrkbrjyrs.exe | PID 3544
    [2] C:\Windows\zryuiapcrkbrjyrs.exe | zryuiapcrkbrjyrs.exe | PID 2436
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c czlmfcwoigcxuomsvfqnz.exe . | PID 1512
    [2] C:\Windows\czlmfcwoigcxuomsvfqnz.exe | czlmfcwoigcxuomsvfqnz.exe . | PID 3092
        - Checks computer location settings
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\czlmfcwoigcxuomsvfqnz.exe*." | PID 3600
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c czlmfcwoigcxuomsvfqnz.exe . | PID 5604
    [2] C:\Windows\czlmfcwoigcxuomsvfqnz.exe | czlmfcwoigcxuomsvfqnz.exe . | PID 5652
        - Checks computer location settings
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\czlmfcwoigcxuomsvfqnz.exe*." | PID 6080
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c avfevqiyqmgzumimnve.exe | PID 4640
    [2] C:\Windows\avfevqiyqmgzumimnve.exe | avfevqiyqmgzumimnve.exe | PID 5716
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zryuiapcrkbrjyrs.exe | PID 5340
    [2] C:\Windows\zryuiapcrkbrjyrs.exe | zryuiapcrkbrjyrs.exe | PID 4844
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c gzhetmcqgasjcsmon.exe . | PID 3144
    [2] C:\Windows\gzhetmcqgasjcsmon.exe | gzhetmcqgasjcsmon.exe . | PID 2748
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\gzhetmcqgasjcsmon.exe*." | PID 1920
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c njuumibslidxtmjoqzjf.exe . | PID 5720
    [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 2716
    [2] C:\Windows\njuumibslidxtmjoqzjf.exe | njuumibslidxtmjoqzjf.exe . | PID 4832
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\njuumibslidxtmjoqzjf.exe*." | PID 740
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe | PID 5680
    [2] C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe | C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe | PID 3748
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe | PID 2808
    [2] C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe | C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe | PID 4520
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe . | PID 1332
    [2] C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe | C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe . | PID 5372
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\zryuiapcrkbrjyrs.exe*." | PID 4812
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c gzhetmcqgasjcsmon.exe | PID 2168
    [2] C:\Windows\gzhetmcqgasjcsmon.exe | gzhetmcqgasjcsmon.exe | PID 2500
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe . | PID 5236
    [2] C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe | C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe . | PID 4548
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\zryuiapcrkbrjyrs.exe*." | PID 4076
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zryuiapcrkbrjyrs.exe . | PID 628
    [2] C:\Windows\zryuiapcrkbrjyrs.exe | zryuiapcrkbrjyrs.exe . | PID 4168
        - Checks computer location settings
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\zryuiapcrkbrjyrs.exe*." | PID 1084
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe | PID 2508
    [2] C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe | C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe | PID 376
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe | PID 4424
    [2] C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe | C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe | PID 3256
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe . | PID 1840
    [2] C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe | C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe . | PID 5524
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\avfevqiyqmgzumimnve.exe*." | PID 3616
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c avfevqiyqmgzumimnve.exe | PID 432
    [2] C:\Windows\avfevqiyqmgzumimnve.exe | avfevqiyqmgzumimnve.exe | PID 5484
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czlmfcwoigcxuomsvfqnz.exe . | PID 2228
    [2] C:\Users\Admin\AppData\Local\Temp\czlmfcwoigcxuomsvfqnz.exe | C:\Users\Admin\AppData\Local\Temp\czlmfcwoigcxuomsvfqnz.exe . | PID 760
        - Checks computer location settings
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\czlmfcwoigcxuomsvfqnz.exe*." | PID 2676
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c pjsqgargxsldxojmmt.exe . | PID 6076
    [2] C:\Windows\pjsqgargxsldxojmmt.exe | pjsqgargxsldxojmmt.exe . | PID 5000
        - Checks computer location settings
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\pjsqgargxsldxojmmt.exe*." | PID 3856
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe | PID 4944
    [2] C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe | C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe | PID 4588
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe . | PID 5900
    [2] C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe | C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe . | PID 2428
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\njuumibslidxtmjoqzjf.exe*." | PID 4580
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe | PID 5704
    [2] C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe | C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe | PID 5456
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe . | PID 4196
    [2] C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe | C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe . | PID 3012
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\zryuiapcrkbrjyrs.exe*." | PID 4888
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c czlmfcwoigcxuomsvfqnz.exe | PID 3676
    [2] C:\Windows\czlmfcwoigcxuomsvfqnz.exe | czlmfcwoigcxuomsvfqnz.exe | PID 2092
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c njuumibslidxtmjoqzjf.exe . | PID 5240
    [2] C:\Windows\njuumibslidxtmjoqzjf.exe | njuumibslidxtmjoqzjf.exe . | PID 4256
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\njuumibslidxtmjoqzjf.exe*." | PID 4440
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c pjsqgargxsldxojmmt.exe | PID 5784
    [2] C:\Windows\pjsqgargxsldxojmmt.exe | pjsqgargxsldxojmmt.exe | PID 5068
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zryuiapcrkbrjyrs.exe . | PID 5156
    [2] C:\Windows\zryuiapcrkbrjyrs.exe | zryuiapcrkbrjyrs.exe . | PID 2968
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\zryuiapcrkbrjyrs.exe*." | PID 1512
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe | PID 3672
    [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 6004
    [2] C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe | C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe | PID 6136
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe . | PID 4912
    [2] C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe | C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe . | PID 924
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\pjsqgargxsldxojmmt.exe*." | PID 2232
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe | PID 5604
    [2] C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe | C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe | PID 4032
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe . | PID 4752
    [2] C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe | C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe . | PID 2692
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\avfevqiyqmgzumimnve.exe*." | PID 5632
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c czlmfcwoigcxuomsvfqnz.exe | PID 4800
    [2] C:\Windows\czlmfcwoigcxuomsvfqnz.exe | czlmfcwoigcxuomsvfqnz.exe | PID 1196
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c avfevqiyqmgzumimnve.exe . | PID 4932
    [2] C:\Windows\avfevqiyqmgzumimnve.exe | avfevqiyqmgzumimnve.exe . | PID 3976
        - Checks computer location settings
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\avfevqiyqmgzumimnve.exe*." | PID 5524
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c czlmfcwoigcxuomsvfqnz.exe | PID 5248
    [2] C:\Windows\czlmfcwoigcxuomsvfqnz.exe | czlmfcwoigcxuomsvfqnz.exe | PID 4424
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c avfevqiyqmgzumimnve.exe . | PID 5896
    [2] C:\Windows\avfevqiyqmgzumimnve.exe | avfevqiyqmgzumimnve.exe . | PID 5616
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\avfevqiyqmgzumimnve.exe*." | PID 760
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe | PID 5332
    [2] C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe | C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe | PID 4492
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe . | PID 5492
    [2] C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe | C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe . | PID 4504
        - Checks computer location settings
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\pjsqgargxsldxojmmt.exe*." | PID 3856
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe | PID 3744
    [2] C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe | C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe | PID 1536
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czlmfcwoigcxuomsvfqnz.exe . | PID 4280
    [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 4668
    [2] C:\Users\Admin\AppData\Local\Temp\czlmfcwoigcxuomsvfqnz.exe | C:\Users\Admin\AppData\Local\Temp\czlmfcwoigcxuomsvfqnz.exe . | PID 1048
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\czlmfcwoigcxuomsvfqnz.exe*." | PID 3916
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c czlmfcwoigcxuomsvfqnz.exe | PID 5704
    [2] C:\Windows\czlmfcwoigcxuomsvfqnz.exe | czlmfcwoigcxuomsvfqnz.exe | PID 2132
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zryuiapcrkbrjyrs.exe . | PID 1072
    [2] C:\Windows\zryuiapcrkbrjyrs.exe | zryuiapcrkbrjyrs.exe . | PID 5044
        [3] C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\zryuiapcrkbrjyrs.exe*." | PID 3128
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c avfevqiyqmgzumimnve.exe1⤵PID:2212
-
C:\Windows\avfevqiyqmgzumimnve.exeavfevqiyqmgzumimnve.exe2⤵PID:3852
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gzhetmcqgasjcsmon.exe .1⤵PID:5204
-
C:\Windows\gzhetmcqgasjcsmon.exegzhetmcqgasjcsmon.exe .2⤵PID:6048
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\gzhetmcqgasjcsmon.exe*."3⤵PID:2856
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe1⤵PID:4792
-
C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exeC:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe2⤵PID:2908
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe .1⤵PID:2100
-
C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exeC:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe .2⤵
- System Location Discovery: System Language Discovery
PID:876 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\njuumibslidxtmjoqzjf.exe*."3⤵PID:4664
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe1⤵PID:5724
-
C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exeC:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe2⤵PID:4196
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe .1⤵PID:5116
-
C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exeC:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3924 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\njuumibslidxtmjoqzjf.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3620
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pjsqgargxsldxojmmt.exe1⤵PID:2972
-
C:\Windows\pjsqgargxsldxojmmt.exepjsqgargxsldxojmmt.exe2⤵PID:2504
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c avfevqiyqmgzumimnve.exe .1⤵PID:4028
-
C:\Windows\avfevqiyqmgzumimnve.exeavfevqiyqmgzumimnve.exe .2⤵
- Checks computer location settings
PID:6136 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\avfevqiyqmgzumimnve.exe*."3⤵PID:460
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c avfevqiyqmgzumimnve.exe1⤵PID:3548
-
C:\Windows\avfevqiyqmgzumimnve.exeavfevqiyqmgzumimnve.exe2⤵PID:5656
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c czlmfcwoigcxuomsvfqnz.exe .1⤵PID:5968
-
C:\Windows\czlmfcwoigcxuomsvfqnz.execzlmfcwoigcxuomsvfqnz.exe .2⤵PID:4552
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\czlmfcwoigcxuomsvfqnz.exe*."3⤵PID:5736
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe1⤵PID:2320
-
C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exeC:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe2⤵PID:4764
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe .1⤵PID:5540
-
C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exeC:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe .2⤵PID:4844
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\pjsqgargxsldxojmmt.exe*."3⤵PID:3720
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe1⤵PID:424
-
C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exeC:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe2⤵PID:5004
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe .1⤵PID:4488
-
C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exeC:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe .2⤵PID:4604
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\gzhetmcqgasjcsmon.exe*."3⤵PID:5816
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gzhetmcqgasjcsmon.exe1⤵PID:2704
-
C:\Windows\gzhetmcqgasjcsmon.exegzhetmcqgasjcsmon.exe2⤵PID:5624
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c njuumibslidxtmjoqzjf.exe .1⤵PID:5484
-
C:\Windows\njuumibslidxtmjoqzjf.exenjuumibslidxtmjoqzjf.exe .2⤵PID:4424
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\njuumibslidxtmjoqzjf.exe*."3⤵PID:5280
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c czlmfcwoigcxuomsvfqnz.exe1⤵PID:5424
-
C:\Windows\czlmfcwoigcxuomsvfqnz.execzlmfcwoigcxuomsvfqnz.exe2⤵PID:936
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c avfevqiyqmgzumimnve.exe .1⤵PID:3292
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1840
-
-
C:\Windows\avfevqiyqmgzumimnve.exeavfevqiyqmgzumimnve.exe .2⤵PID:1780
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\avfevqiyqmgzumimnve.exe*."3⤵PID:1028
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe1⤵PID:888
-
C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exeC:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe2⤵PID:5492
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czlmfcwoigcxuomsvfqnz.exe .1⤵PID:4380
-
C:\Users\Admin\AppData\Local\Temp\czlmfcwoigcxuomsvfqnz.exeC:\Users\Admin\AppData\Local\Temp\czlmfcwoigcxuomsvfqnz.exe .2⤵PID:5452
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\czlmfcwoigcxuomsvfqnz.exe*."3⤵PID:4348
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe1⤵PID:4652
-
C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exeC:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe2⤵PID:5632
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe .1⤵PID:5800
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5536
-
-
C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exeC:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe .2⤵PID:1048
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\pjsqgargxsldxojmmt.exe*."3⤵PID:5400
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pjsqgargxsldxojmmt.exe1⤵PID:5428
-
C:\Windows\pjsqgargxsldxojmmt.exepjsqgargxsldxojmmt.exe2⤵PID:5952
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c njuumibslidxtmjoqzjf.exe .1⤵PID:2172
-
C:\Windows\njuumibslidxtmjoqzjf.exenjuumibslidxtmjoqzjf.exe .2⤵PID:5016
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\njuumibslidxtmjoqzjf.exe*."3⤵PID:3592
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c avfevqiyqmgzumimnve.exe1⤵PID:5592
-
C:\Windows\avfevqiyqmgzumimnve.exeavfevqiyqmgzumimnve.exe2⤵PID:2592
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c czlmfcwoigcxuomsvfqnz.exe .1⤵PID:5664
-
C:\Windows\czlmfcwoigcxuomsvfqnz.execzlmfcwoigcxuomsvfqnz.exe .2⤵PID:3960
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\czlmfcwoigcxuomsvfqnz.exe*."3⤵PID:808
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe1⤵PID:3044
-
C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exeC:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe2⤵PID:2104
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe .1⤵PID:968
-
C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exeC:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe .2⤵PID:4064
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\gzhetmcqgasjcsmon.exe*."3⤵PID:2560
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c czlmfcwoigcxuomsvfqnz.exe1⤵PID:2624
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1844
-
-
C:\Windows\czlmfcwoigcxuomsvfqnz.execzlmfcwoigcxuomsvfqnz.exe2⤵PID:5292
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c avfevqiyqmgzumimnve.exe1⤵PID:4916
-
C:\Windows\avfevqiyqmgzumimnve.exeavfevqiyqmgzumimnve.exe2⤵PID:3372
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gzhetmcqgasjcsmon.exe .1⤵PID:5756
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2436
-
-
C:\Windows\gzhetmcqgasjcsmon.exegzhetmcqgasjcsmon.exe .2⤵PID:4896
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\gzhetmcqgasjcsmon.exe*."3⤵PID:2964
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe1⤵PID:1904
-
C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exeC:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe2⤵PID:3312
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c avfevqiyqmgzumimnve.exe .1⤵PID:3108
-
C:\Windows\avfevqiyqmgzumimnve.exeavfevqiyqmgzumimnve.exe .2⤵PID:1544
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\avfevqiyqmgzumimnve.exe*."3⤵PID:5888
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe .1⤵PID:3944
-
C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exeC:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe .2⤵PID:3548
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\njuumibslidxtmjoqzjf.exe*."3⤵PID:3560
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c czlmfcwoigcxuomsvfqnz.exe1⤵PID:4324
-
C:\Windows\czlmfcwoigcxuomsvfqnz.execzlmfcwoigcxuomsvfqnz.exe2⤵PID:4316
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c njuumibslidxtmjoqzjf.exe1⤵PID:5716
-
C:\Windows\njuumibslidxtmjoqzjf.exenjuumibslidxtmjoqzjf.exe2⤵PID:5340
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pjsqgargxsldxojmmt.exe .1⤵PID:3152
-
C:\Windows\pjsqgargxsldxojmmt.exepjsqgargxsldxojmmt.exe .2⤵PID:2124
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\pjsqgargxsldxojmmt.exe*."3⤵PID:5104
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pjsqgargxsldxojmmt.exe .1⤵PID:1404
-
C:\Windows\pjsqgargxsldxojmmt.exepjsqgargxsldxojmmt.exe .2⤵PID:4932
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\pjsqgargxsldxojmmt.exe*."3⤵PID:5896
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe1⤵PID:4552
-
C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exeC:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe2⤵PID:2704
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe1⤵PID:3792
-
C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exeC:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe2⤵PID:3616
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe .1⤵PID:840
-
C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exeC:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe .2⤵PID:5672
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\zryuiapcrkbrjyrs.exe*."3⤵PID:3012
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe .1⤵PID:1688
-
C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exeC:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe .2⤵PID:5960
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\njuumibslidxtmjoqzjf.exe*."3⤵PID:5420
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe1⤵PID:2664
-
C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exeC:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe2⤵PID:4024
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe1⤵PID:5920
-
C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exeC:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe2⤵PID:2428
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe .1⤵PID:3496
-
C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exeC:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe .2⤵PID:3292
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\pjsqgargxsldxojmmt.exe*."3⤵PID:2460
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe .1⤵PID:1084
-
C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exeC:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe .2⤵PID:4380
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\pjsqgargxsldxojmmt.exe*."3⤵PID:4556
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c njuumibslidxtmjoqzjf.exe1⤵PID:3708
-
C:\Windows\njuumibslidxtmjoqzjf.exenjuumibslidxtmjoqzjf.exe2⤵PID:5324
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c njuumibslidxtmjoqzjf.exe .1⤵PID:5100
-
C:\Windows\njuumibslidxtmjoqzjf.exenjuumibslidxtmjoqzjf.exe .2⤵PID:1524
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\njuumibslidxtmjoqzjf.exe*."3⤵PID:3592
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zryuiapcrkbrjyrs.exe1⤵PID:3388
-
C:\Windows\zryuiapcrkbrjyrs.exezryuiapcrkbrjyrs.exe2⤵PID:1020
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c czlmfcwoigcxuomsvfqnz.exe .1⤵PID:4168
-
C:\Windows\czlmfcwoigcxuomsvfqnz.execzlmfcwoigcxuomsvfqnz.exe .2⤵PID:372
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\czlmfcwoigcxuomsvfqnz.exe*."3⤵PID:2908
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe1⤵PID:884
-
C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exeC:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe2⤵PID:5284
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe .1⤵PID:3128
-
C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exeC:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe .2⤵PID:5372
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\zryuiapcrkbrjyrs.exe*."3⤵PID:1192
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe1⤵PID:4944
-
C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exeC:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe2⤵PID:2980
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe .1⤵PID:4744
-
C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exeC:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe .2⤵PID:4092
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\gzhetmcqgasjcsmon.exe*."3⤵PID:2936
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zryuiapcrkbrjyrs.exe1⤵PID:3372
-
C:\Windows\zryuiapcrkbrjyrs.exezryuiapcrkbrjyrs.exe2⤵PID:4916
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c avfevqiyqmgzumimnve.exe .1⤵PID:4080
-
C:\Windows\avfevqiyqmgzumimnve.exeavfevqiyqmgzumimnve.exe .2⤵PID:5456
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\avfevqiyqmgzumimnve.exe*."3⤵PID:5628
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c njuumibslidxtmjoqzjf.exe1⤵PID:5784
-
C:\Windows\njuumibslidxtmjoqzjf.exenjuumibslidxtmjoqzjf.exe2⤵PID:1956
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c avfevqiyqmgzumimnve.exe .1⤵PID:4636
-
C:\Windows\avfevqiyqmgzumimnve.exeavfevqiyqmgzumimnve.exe .2⤵PID:2188
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\avfevqiyqmgzumimnve.exe*."3⤵PID:4728
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe1⤵PID:2808
-
C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exeC:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe2⤵PID:1544
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe .1⤵PID:4896
-
C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exeC:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe .2⤵PID:6136
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\zryuiapcrkbrjyrs.exe*."3⤵PID:3616
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe1⤵PID:640
-
C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exeC:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe2⤵PID:1088
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe .1⤵PID:376
-
C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exeC:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe .2⤵PID:3108
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\gzhetmcqgasjcsmon.exe*."3⤵PID:5484
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c czlmfcwoigcxuomsvfqnz.exe1⤵PID:4808
-
C:\Windows\czlmfcwoigcxuomsvfqnz.execzlmfcwoigcxuomsvfqnz.exe2⤵PID:5940
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c njuumibslidxtmjoqzjf.exe .1⤵PID:4880
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2320
-
-
C:\Windows\njuumibslidxtmjoqzjf.exenjuumibslidxtmjoqzjf.exe .2⤵PID:3476
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\njuumibslidxtmjoqzjf.exe*."3⤵PID:1300
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zryuiapcrkbrjyrs.exe1⤵PID:5112
-
C:\Windows\zryuiapcrkbrjyrs.exezryuiapcrkbrjyrs.exe2⤵PID:4216
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c njuumibslidxtmjoqzjf.exe .1⤵PID:832
-
C:\Windows\njuumibslidxtmjoqzjf.exenjuumibslidxtmjoqzjf.exe .2⤵PID:2652
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\njuumibslidxtmjoqzjf.exe*."3⤵PID:1552
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe1⤵PID:5844
-
C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exeC:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe2⤵PID:5872
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe .1⤵PID:5412
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3488
-
-
C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exeC:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe .2⤵PID:716
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\gzhetmcqgasjcsmon.exe*."3⤵PID:2664
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe1⤵PID:4112
-
C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exeC:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe2⤵PID:2648
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe .1⤵PID:4692
-
C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exeC:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe .2⤵PID:6012
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\njuumibslidxtmjoqzjf.exe*."3⤵PID:2460
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c avfevqiyqmgzumimnve.exe1⤵PID:4632
-
C:\Windows\avfevqiyqmgzumimnve.exeavfevqiyqmgzumimnve.exe2⤵PID:5044
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pjsqgargxsldxojmmt.exe .1⤵PID:5528
-
C:\Windows\pjsqgargxsldxojmmt.exepjsqgargxsldxojmmt.exe .2⤵PID:5100
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\pjsqgargxsldxojmmt.exe*."3⤵PID:2308
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c avfevqiyqmgzumimnve.exe1⤵PID:2916
-
C:\Windows\avfevqiyqmgzumimnve.exeavfevqiyqmgzumimnve.exe2⤵PID:3728
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gzhetmcqgasjcsmon.exe .1⤵PID:4864
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1164
-
-
C:\Windows\gzhetmcqgasjcsmon.exegzhetmcqgasjcsmon.exe .2⤵PID:4300
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\gzhetmcqgasjcsmon.exe*."3⤵PID:184
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe1⤵PID:4240
-
C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exeC:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe2⤵PID:4656
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czlmfcwoigcxuomsvfqnz.exe .1⤵PID:3012
-
C:\Users\Admin\AppData\Local\Temp\czlmfcwoigcxuomsvfqnz.exeC:\Users\Admin\AppData\Local\Temp\czlmfcwoigcxuomsvfqnz.exe .2⤵PID:6048
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\czlmfcwoigcxuomsvfqnz.exe*."3⤵PID:384
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe1⤵PID:2964
-
C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exeC:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe2⤵PID:1308
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe .1⤵PID:688
-
C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exeC:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe .2⤵PID:2560
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\avfevqiyqmgzumimnve.exe*."3⤵PID:5892
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c njuumibslidxtmjoqzjf.exe1⤵PID:5652
-
C:\Windows\njuumibslidxtmjoqzjf.exenjuumibslidxtmjoqzjf.exe2⤵PID:2668
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c czlmfcwoigcxuomsvfqnz.exe .1⤵PID:4400
-
C:\Windows\czlmfcwoigcxuomsvfqnz.execzlmfcwoigcxuomsvfqnz.exe .2⤵PID:1956
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\czlmfcwoigcxuomsvfqnz.exe*."3⤵PID:4584
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c czlmfcwoigcxuomsvfqnz.exe1⤵PID:5500
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5240
-
-
C:\Windows\czlmfcwoigcxuomsvfqnz.execzlmfcwoigcxuomsvfqnz.exe2⤵PID:1516
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c njuumibslidxtmjoqzjf.exe .1⤵PID:924
-
C:\Windows\njuumibslidxtmjoqzjf.exenjuumibslidxtmjoqzjf.exe .2⤵PID:2596
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\njuumibslidxtmjoqzjf.exe*."3⤵PID:672
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe1⤵PID:4728
-
C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exeC:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe2⤵PID:4800
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe .1⤵PID:3944
-
C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exeC:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe .2⤵PID:1976
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\avfevqiyqmgzumimnve.exe*."3⤵PID:3132
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe1⤵PID:3676
-
C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exeC:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe2⤵PID:3932
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe .1⤵PID:2244
-
C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exeC:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe .2⤵PID:1984
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\zryuiapcrkbrjyrs.exe*."3⤵PID:3988
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pjsqgargxsldxojmmt.exe1⤵PID:4808
-
C:\Windows\pjsqgargxsldxojmmt.exepjsqgargxsldxojmmt.exe2⤵PID:5416
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c czlmfcwoigcxuomsvfqnz.exe .1⤵PID:6004
-
C:\Windows\czlmfcwoigcxuomsvfqnz.execzlmfcwoigcxuomsvfqnz.exe .2⤵PID:5960
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\czlmfcwoigcxuomsvfqnz.exe*."3⤵PID:2224
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zryuiapcrkbrjyrs.exe1⤵PID:2832
-
C:\Windows\zryuiapcrkbrjyrs.exezryuiapcrkbrjyrs.exe2⤵PID:5736
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gzhetmcqgasjcsmon.exe .1⤵PID:2652
-
C:\Windows\gzhetmcqgasjcsmon.exegzhetmcqgasjcsmon.exe .2⤵PID:5544
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\gzhetmcqgasjcsmon.exe*."3⤵PID:5176
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe1⤵PID:4204
-
C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exeC:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe2⤵PID:2664
-
-
Process tree (continued). Each entry is image path (PID): command line; indentation shows parent/child depth.

C:\Windows\system32\cmd.exe (PID 3424): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe .
  C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe (PID 5412): C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe .
    C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID 1280): "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\njuumibslidxtmjoqzjf.exe*."
C:\Windows\system32\cmd.exe (PID 5248): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe
  C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe (PID 6012): C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe
C:\Windows\system32\cmd.exe (PID 5484): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe .
  C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe (PID 4712): C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe .
    C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID 5504): "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\zryuiapcrkbrjyrs.exe*."
C:\Windows\system32\cmd.exe (PID 2992): C:\Windows\system32\cmd.exe /c pjsqgargxsldxojmmt.exe
  C:\Windows\pjsqgargxsldxojmmt.exe (PID 4812): pjsqgargxsldxojmmt.exe
C:\Windows\system32\cmd.exe (PID 3628): C:\Windows\system32\cmd.exe /c czlmfcwoigcxuomsvfqnz.exe .
  C:\Windows\czlmfcwoigcxuomsvfqnz.exe (PID 2556): czlmfcwoigcxuomsvfqnz.exe .
    C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID 5004): "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\czlmfcwoigcxuomsvfqnz.exe*."
C:\Windows\system32\cmd.exe (PID 3436): C:\Windows\system32\cmd.exe /c avfevqiyqmgzumimnve.exe
  C:\Windows\avfevqiyqmgzumimnve.exe (PID 808): avfevqiyqmgzumimnve.exe
C:\Windows\system32\cmd.exe (PID 5900): C:\Windows\system32\cmd.exe /c pjsqgargxsldxojmmt.exe
  C:\Windows\pjsqgargxsldxojmmt.exe (PID 4656): pjsqgargxsldxojmmt.exe
C:\Windows\system32\cmd.exe (PID 372): C:\Windows\system32\cmd.exe /c pjsqgargxsldxojmmt.exe
  C:\Windows\pjsqgargxsldxojmmt.exe (PID 1064): pjsqgargxsldxojmmt.exe
C:\Windows\system32\cmd.exe (PID 3868): C:\Windows\system32\cmd.exe /c pjsqgargxsldxojmmt.exe .
  C:\Windows\System32\Conhost.exe (PID 4240): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Windows\pjsqgargxsldxojmmt.exe (PID 1920): pjsqgargxsldxojmmt.exe .
    C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID 3252): "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\pjsqgargxsldxojmmt.exe*."
C:\Windows\system32\cmd.exe (PID 1424): C:\Windows\system32\cmd.exe /c pjsqgargxsldxojmmt.exe .
  C:\Windows\pjsqgargxsldxojmmt.exe (PID 3920): pjsqgargxsldxojmmt.exe .
    C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID 3020): "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\pjsqgargxsldxojmmt.exe*."
C:\Windows\system32\cmd.exe (PID 4848): C:\Windows\system32\cmd.exe /c njuumibslidxtmjoqzjf.exe .
  C:\Windows\njuumibslidxtmjoqzjf.exe (PID 4196): njuumibslidxtmjoqzjf.exe .
    C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID 5784): "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\njuumibslidxtmjoqzjf.exe*."
C:\Windows\system32\cmd.exe (PID 5944): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czlmfcwoigcxuomsvfqnz.exe
  C:\Users\Admin\AppData\Local\Temp\czlmfcwoigcxuomsvfqnz.exe (PID 4032): C:\Users\Admin\AppData\Local\Temp\czlmfcwoigcxuomsvfqnz.exe
C:\Windows\system32\cmd.exe (PID 1308): C:\Windows\system32\cmd.exe /c czlmfcwoigcxuomsvfqnz.exe
  C:\Windows\czlmfcwoigcxuomsvfqnz.exe (PID 3844): czlmfcwoigcxuomsvfqnz.exe
C:\Windows\system32\cmd.exe (PID 964): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe .
  C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe (PID 3600): C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe .
    C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID 1984): "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\avfevqiyqmgzumimnve.exe*."
C:\Windows\system32\cmd.exe (PID 388): C:\Windows\system32\cmd.exe /c pjsqgargxsldxojmmt.exe
  C:\Windows\pjsqgargxsldxojmmt.exe (PID 5616): pjsqgargxsldxojmmt.exe
C:\Windows\system32\cmd.exe (PID 3924): C:\Windows\system32\cmd.exe /c czlmfcwoigcxuomsvfqnz.exe .
  C:\Windows\czlmfcwoigcxuomsvfqnz.exe (PID 2092): czlmfcwoigcxuomsvfqnz.exe .
    C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID 2728): "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\czlmfcwoigcxuomsvfqnz.exe*."
C:\Windows\system32\cmd.exe (PID 2232): C:\Windows\system32\cmd.exe /c njuumibslidxtmjoqzjf.exe .
  C:\Windows\njuumibslidxtmjoqzjf.exe (PID 4752): njuumibslidxtmjoqzjf.exe .
    C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID 5040): "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\njuumibslidxtmjoqzjf.exe*."
C:\Windows\system32\cmd.exe (PID 2316): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe (PID 3672): C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe
C:\Windows\system32\cmd.exe (PID 4520): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe
  C:\Windows\System32\Conhost.exe (PID 3580): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe (PID 1264): C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe
C:\Windows\system32\cmd.exe (PID 4836): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe (PID 5800): C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe
C:\Windows\system32\cmd.exe (PID 5500): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe .
  C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe (PID 4924): C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe .
    C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID 1720): "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\njuumibslidxtmjoqzjf.exe*."
C:\Windows\system32\cmd.exe (PID 4400): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe .
  C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe (PID 4552): C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe .
    C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID 1280): "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\gzhetmcqgasjcsmon.exe*."
C:\Windows\system32\cmd.exe (PID 6136): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe .
  C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe (PID 5864): C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe .
    C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID 4360): "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\njuumibslidxtmjoqzjf.exe*."
C:\Windows\system32\cmd.exe (PID 4896): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe
  C:\Windows\System32\Conhost.exe (PID 5068): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe (PID 1376): C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe
C:\Windows\system32\cmd.exe (PID 5060): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czlmfcwoigcxuomsvfqnz.exe
  C:\Users\Admin\AppData\Local\Temp\czlmfcwoigcxuomsvfqnz.exe (PID 5696): C:\Users\Admin\AppData\Local\Temp\czlmfcwoigcxuomsvfqnz.exe
C:\Windows\system32\cmd.exe (PID 2204): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe .
  C:\Windows\System32\Conhost.exe (PID 4932): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe (PID 2652): C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe .
    C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID 5632): "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\njuumibslidxtmjoqzjf.exe*."
C:\Windows\system32\cmd.exe (PID 3892): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe .
  C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe (PID 2112): C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe .
    C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID 6044): "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\avfevqiyqmgzumimnve.exe*."
C:\Windows\system32\cmd.exe (PID 4912): C:\Windows\system32\cmd.exe /c njuumibslidxtmjoqzjf.exe
  C:\Windows\System32\Conhost.exe (PID 2432): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Windows\njuumibslidxtmjoqzjf.exe (PID 5692): njuumibslidxtmjoqzjf.exe
C:\Windows\system32\cmd.exe (PID 4776): C:\Windows\system32\cmd.exe /c czlmfcwoigcxuomsvfqnz.exe .
  C:\Windows\czlmfcwoigcxuomsvfqnz.exe (PID 5536): czlmfcwoigcxuomsvfqnz.exe .
    C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID 5816): "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\czlmfcwoigcxuomsvfqnz.exe*."
C:\Windows\system32\cmd.exe (PID 3292): C:\Windows\system32\cmd.exe /c njuumibslidxtmjoqzjf.exe
  C:\Windows\System32\Conhost.exe (PID 1672): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Windows\njuumibslidxtmjoqzjf.exe (PID 3364): njuumibslidxtmjoqzjf.exe
C:\Windows\system32\cmd.exe (PID 5044): C:\Windows\system32\cmd.exe /c czlmfcwoigcxuomsvfqnz.exe .
  C:\Windows\czlmfcwoigcxuomsvfqnz.exe (PID 2908): czlmfcwoigcxuomsvfqnz.exe .
    C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID 2020): "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\czlmfcwoigcxuomsvfqnz.exe*."
C:\Windows\system32\cmd.exe (PID 4492): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe (PID 4496): C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe
C:\Windows\system32\cmd.exe (PID 4700): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe .
  C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe (PID 1580): C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe .
    C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID 4224): "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\njuumibslidxtmjoqzjf.exe*."
C:\Windows\system32\cmd.exe (PID 4632): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe (PID 1048): C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe
C:\Windows\system32\cmd.exe (PID 3056): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe .
  C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe (PID 1992): C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe .
    C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID 5288): "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\zryuiapcrkbrjyrs.exe*."
C:\Windows\system32\cmd.exe (PID 4064): C:\Windows\system32\cmd.exe /c njuumibslidxtmjoqzjf.exe
  C:\Windows\njuumibslidxtmjoqzjf.exe (PID 2564): njuumibslidxtmjoqzjf.exe
C:\Windows\system32\cmd.exe (PID 3312): C:\Windows\system32\cmd.exe /c avfevqiyqmgzumimnve.exe .
  C:\Windows\avfevqiyqmgzumimnve.exe (PID 2516): avfevqiyqmgzumimnve.exe .
    C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID 4792): "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\avfevqiyqmgzumimnve.exe*."
C:\Windows\system32\cmd.exe (PID 6008): C:\Windows\system32\cmd.exe /c gzhetmcqgasjcsmon.exe
  C:\Windows\gzhetmcqgasjcsmon.exe (PID 1192): gzhetmcqgasjcsmon.exe
C:\Windows\system32\cmd.exe (PID 384): C:\Windows\system32\cmd.exe /c gzhetmcqgasjcsmon.exe .
  C:\Windows\gzhetmcqgasjcsmon.exe (PID 3616): gzhetmcqgasjcsmon.exe .
    C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID 764): "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\gzhetmcqgasjcsmon.exe*."
C:\Windows\system32\cmd.exe (PID 5592): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe
  C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe (PID 2524): C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe
C:\Windows\system32\cmd.exe (PID 2960): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe .
  C:\Windows\System32\Conhost.exe (PID 5340): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe (PID 4744): C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe .
    C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID 2808): "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\zryuiapcrkbrjyrs.exe*."
C:\Windows\system32\cmd.exe (PID 2608): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe (PID 2796): C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe
C:\Windows\system32\cmd.exe (PID 3672): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe .
  C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe (PID 4572): C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe .
    C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID 5112): "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\avfevqiyqmgzumimnve.exe*."
C:\Windows\system32\cmd.exe (PID 1516): C:\Windows\system32\cmd.exe /c avfevqiyqmgzumimnve.exe
  C:\Windows\System32\Conhost.exe (PID 1372): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Windows\avfevqiyqmgzumimnve.exe (PID 5680): avfevqiyqmgzumimnve.exe
C:\Windows\system32\cmd.exe (PID 5040): C:\Windows\system32\cmd.exe /c czlmfcwoigcxuomsvfqnz.exe .
  C:\Windows\czlmfcwoigcxuomsvfqnz.exe (PID 5472): czlmfcwoigcxuomsvfqnz.exe .
    C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID 3924): "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\czlmfcwoigcxuomsvfqnz.exe*."
C:\Windows\system32\cmd.exe (PID 2188): C:\Windows\system32\cmd.exe /c avfevqiyqmgzumimnve.exe
  C:\Windows\System32\Conhost.exe (PID 4768): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Windows\avfevqiyqmgzumimnve.exe (PID 3812): avfevqiyqmgzumimnve.exe
C:\Windows\system32\cmd.exe (PID 1720): C:\Windows\system32\cmd.exe /c czlmfcwoigcxuomsvfqnz.exe .
  C:\Windows\czlmfcwoigcxuomsvfqnz.exe (PID 5176): czlmfcwoigcxuomsvfqnz.exe .
    C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID 2804): "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\czlmfcwoigcxuomsvfqnz.exe*."
C:\Windows\system32\cmd.exe (PID 1772): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe (PID 4552): C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe
C:\Windows\system32\cmd.exe (PID 3424): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czlmfcwoigcxuomsvfqnz.exe .
  C:\Users\Admin\AppData\Local\Temp\czlmfcwoigcxuomsvfqnz.exe (PID 3356): C:\Users\Admin\AppData\Local\Temp\czlmfcwoigcxuomsvfqnz.exe .
    C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID 5940): "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\czlmfcwoigcxuomsvfqnz.exe*."
C:\Windows\system32\cmd.exe (PID 4856): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe (PID 5412): C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe
C:\Windows\system32\cmd.exe (PID 2424): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe .
  C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe (PID 3892): C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe .
    C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID 4732): "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\pjsqgargxsldxojmmt.exe*."
C:\Windows\system32\cmd.exe (PID 3984): C:\Windows\system32\cmd.exe /c pjsqgargxsldxojmmt.exe
  C:\Windows\pjsqgargxsldxojmmt.exe (PID 724): pjsqgargxsldxojmmt.exe
C:\Windows\system32\cmd.exe (PID 2204): C:\Windows\system32\cmd.exe /c zryuiapcrkbrjyrs.exe .
  C:\Windows\zryuiapcrkbrjyrs.exe (PID 3548): zryuiapcrkbrjyrs.exe .
    C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID 4780): "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\zryuiapcrkbrjyrs.exe*."
C:\Windows\system32\cmd.exe (PID 1524): C:\Windows\system32\cmd.exe /c zryuiapcrkbrjyrs.exe
  C:\Windows\zryuiapcrkbrjyrs.exe (PID 1608): zryuiapcrkbrjyrs.exe
C:\Windows\system32\cmd.exe (PID 5428): C:\Windows\system32\cmd.exe /c pjsqgargxsldxojmmt.exe .
  C:\Windows\pjsqgargxsldxojmmt.exe (PID 2948): pjsqgargxsldxojmmt.exe .
    C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID 888): "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\pjsqgargxsldxojmmt.exe*."
C:\Windows\system32\cmd.exe (PID 4556): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe (PID 1100): C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe
C:\Windows\system32\cmd.exe (PID 4364): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe .
  C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe (PID 3496): C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe .
    C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID 5480): "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\njuumibslidxtmjoqzjf.exe*."
C:\Windows\system32\cmd.exe (PID 5868): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe (PID 2132): C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe
C:\Windows\system32\cmd.exe (PID 5900): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe .
  C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe (PID 840): C:\Users\Admin\AppData\Local\Temp\avfevqiyqmgzumimnve.exe .
    C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID 4632): "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\avfevqiyqmgzumimnve.exe*."
C:\Windows\system32\cmd.exe (PID 2352): C:\Windows\system32\cmd.exe /c pjsqgargxsldxojmmt.exe
  C:\Windows\pjsqgargxsldxojmmt.exe (PID 4756): pjsqgargxsldxojmmt.exe
C:\Windows\system32\cmd.exe (PID 1508): C:\Windows\system32\cmd.exe /c avfevqiyqmgzumimnve.exe .
  C:\Windows\avfevqiyqmgzumimnve.exe (PID 4280): avfevqiyqmgzumimnve.exe .
    C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID 1284): "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\avfevqiyqmgzumimnve.exe*."
C:\Windows\system32\cmd.exe (PID 4196): C:\Windows\system32\cmd.exe /c zryuiapcrkbrjyrs.exe
  C:\Windows\System32\Conhost.exe (PID 5292): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Windows\zryuiapcrkbrjyrs.exe (PID 3384): zryuiapcrkbrjyrs.exe
C:\Windows\system32\cmd.exe (PID 1500): C:\Windows\system32\cmd.exe /c avfevqiyqmgzumimnve.exe .
  C:\Windows\avfevqiyqmgzumimnve.exe (PID 3920): avfevqiyqmgzumimnve.exe .
    C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID 4564): "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\avfevqiyqmgzumimnve.exe*."
C:\Windows\system32\cmd.exe (PID 5724): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe
  C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe (PID 2624): C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe
C:\Windows\system32\cmd.exe (PID 5468): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czlmfcwoigcxuomsvfqnz.exe .
  C:\Users\Admin\AppData\Local\Temp\czlmfcwoigcxuomsvfqnz.exe (PID 2524): C:\Users\Admin\AppData\Local\Temp\czlmfcwoigcxuomsvfqnz.exe .
    C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID 1300): "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\czlmfcwoigcxuomsvfqnz.exe*."
C:\Windows\system32\cmd.exe (PID 3844): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czlmfcwoigcxuomsvfqnz.exe
  C:\Users\Admin\AppData\Local\Temp\czlmfcwoigcxuomsvfqnz.exe (PID 384): C:\Users\Admin\AppData\Local\Temp\czlmfcwoigcxuomsvfqnz.exe
C:\Windows\system32\cmd.exe (PID 696): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czlmfcwoigcxuomsvfqnz.exe .
  C:\Users\Admin\AppData\Local\Temp\czlmfcwoigcxuomsvfqnz.exe (PID 1932): C:\Users\Admin\AppData\Local\Temp\czlmfcwoigcxuomsvfqnz.exe .
    C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID 4324): "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\czlmfcwoigcxuomsvfqnz.exe*."
C:\Windows\system32\cmd.exe (PID 3964): C:\Windows\system32\cmd.exe /c avfevqiyqmgzumimnve.exe
  C:\Windows\avfevqiyqmgzumimnve.exe (PID 6004): avfevqiyqmgzumimnve.exe
C:\Windows\system32\cmd.exe (PID 4024): C:\Windows\system32\cmd.exe /c pjsqgargxsldxojmmt.exe .
  C:\Windows\pjsqgargxsldxojmmt.exe (PID 4936): pjsqgargxsldxojmmt.exe .
    C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID 528): "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\pjsqgargxsldxojmmt.exe*."
C:\Windows\system32\cmd.exe (PID 5172): C:\Windows\system32\cmd.exe /c avfevqiyqmgzumimnve.exe
  C:\Windows\avfevqiyqmgzumimnve.exe (PID 3580): avfevqiyqmgzumimnve.exe
C:\Windows\system32\cmd.exe (PID 5860): C:\Windows\system32\cmd.exe /c pjsqgargxsldxojmmt.exe .
  C:\Windows\pjsqgargxsldxojmmt.exe (PID 5752): pjsqgargxsldxojmmt.exe .
    C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID 4640): "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\pjsqgargxsldxojmmt.exe*."
C:\Windows\system32\cmd.exe (PID 4596): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe (PID 5324): C:\Users\Admin\AppData\Local\Temp\pjsqgargxsldxojmmt.exe
C:\Windows\system32\cmd.exe (PID 1204): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe .
  C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe (PID 936): C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe .
    C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID 1692): "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\gzhetmcqgasjcsmon.exe*."
C:\Windows\system32\cmd.exe (PID 2936): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe (PID 4764): C:\Users\Admin\AppData\Local\Temp\gzhetmcqgasjcsmon.exe
C:\Windows\system32\cmd.exe (PID 1288): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czlmfcwoigcxuomsvfqnz.exe .
  C:\Users\Admin\AppData\Local\Temp\czlmfcwoigcxuomsvfqnz.exe (PID 5400): C:\Users\Admin\AppData\Local\Temp\czlmfcwoigcxuomsvfqnz.exe .
    C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID 4076): "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\czlmfcwoigcxuomsvfqnz.exe*."
C:\Windows\system32\cmd.exe (PID 5060): C:\Windows\system32\cmd.exe /c njuumibslidxtmjoqzjf.exe
  C:\Windows\njuumibslidxtmjoqzjf.exe (PID 2500): njuumibslidxtmjoqzjf.exe
C:\Windows\system32\cmd.exe (PID 2972): C:\Windows\system32\cmd.exe /c pjsqgargxsldxojmmt.exe
  C:\Windows\pjsqgargxsldxojmmt.exe (PID 5440): pjsqgargxsldxojmmt.exe
C:\Windows\system32\cmd.exe (PID 5416): C:\Windows\system32\cmd.exe /c czlmfcwoigcxuomsvfqnz.exe .
  C:\Windows\System32\Conhost.exe (PID 5112): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Windows\czlmfcwoigcxuomsvfqnz.exe (PID 3168): czlmfcwoigcxuomsvfqnz.exe .
    C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID 220): "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\czlmfcwoigcxuomsvfqnz.exe*."
C:\Windows\system32\cmd.exe (PID 6012): C:\Windows\system32\cmd.exe /c gzhetmcqgasjcsmon.exe .
  C:\Windows\System32\Conhost.exe (PID 1676): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Windows\gzhetmcqgasjcsmon.exe (PID 3256): gzhetmcqgasjcsmon.exe .
    C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe (PID 5832): "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\gzhetmcqgasjcsmon.exe*."
C:\Windows\system32\cmd.exe (PID 760): C:\Windows\system32\cmd.exe /c zryuiapcrkbrjyrs.exe
C:\Windows\system32\cmd.exe (PID 5532): C:\Windows\system32\cmd.exe /c czlmfcwoigcxuomsvfqnz.exe
C:\Windows\system32\cmd.exe (PID 5020): C:\Windows\system32\cmd.exe /c czlmfcwoigcxuomsvfqnz.exe
C:\Windows\system32\cmd.exe (PID 3988): C:\Windows\system32\cmd.exe /c avfevqiyqmgzumimnve.exe .
C:\Windows\system32\cmd.exe (PID 2440): C:\Windows\system32\cmd.exe /c gzhetmcqgasjcsmon.exe .
C:\Windows\system32\cmd.exe (PID 884): C:\Windows\system32\cmd.exe /c avfevqiyqmgzumimnve.exe .
C:\Windows\system32\cmd.exe (PID 3728): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe
C:\Windows\system32\cmd.exe (PID 5788): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zryuiapcrkbrjyrs.exe
  C:\Windows\System32\Conhost.exe (PID 5100): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe (PID 1384): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe .
C:\Windows\system32\cmd.exe (PID 1952): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njuumibslidxtmjoqzjf.exe .
Network
MITRE ATT&CK Enterprise v16 (count of matching signatures in parentheses)
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
  Impair Defenses (2)
    Disable or Modify Tools (1)
    Safe Mode Boot (1)
  Modify Registry (5)
Downloads

Filesize 280B
MD5 11f8ad286c625e450e27f01b2036d680
SHA1 8753142803f0188c6e5bc4bc63ea93fbd1c5039d
SHA256 dcaa2282327b65847d47fb933d50bd07ea9f3e3c2bd0a3a71c294f5d1789976b
SHA512 c146f46b9398e5f02c1d661bf3ba87c738dfd09519b8d43748bb3c77f8dc2c74b95b4e084344878dbccf881a83f0afaaf70145ccb8408f693bfe5eb88c3b61d1

Filesize 280B
MD5 f540733586c7f2f97a0966d5d3bbfc46
SHA1 67994a0a82dbfccee81798219b94120bee54e236
SHA256 e2fe4b6508f8b5ea496c2e4222aec7ee619474eebcaa3c4f3bdb9182dba50823
SHA512 1593e132ede99446b2cad12b00f19c984681d6b2bf10ad0b648d864f6c34be50beb8ddc17784720b4e01d4b47a8388cb9ae4834f39e51eee9f06ae636cf50464

Filesize 280B
MD5 6c43a2f8ad6adcf6480e245414508425
SHA1 59678ef99b28c8da7cffa4046d1eafd5fb80f652
SHA256 8440e2cac225f76e9a90e1c8fb2cf8dd75ec43b0f51ff95974241922fd01dd83
SHA512 838f1bf799167fd432f89bc28bedfc6684985f1c0fd8ade5ab909a38d51e695e2b9bad544db0438b041a11564f0d99decd5f8aa2b416209221e305a327047aad

Filesize 280B
MD5 2b241f88f6ab8b1ccd1d4ece1da32d98
SHA1 f1cd0e8210f5d7a30b0d6b2973ead40a52cc99f0
SHA256 b01257f9c4c83c319846c6ed7896f5431f848eafbbfcc532858c7b76aad6bd25
SHA512 c4e229a6726a2ea1057402914cef593c6b20660d4ba568bbf21a17b645abcf302a7effad233de1f10bfe7df611dc258aa60726ebda6bd1ae7333c3fc1d0c2925

Filesize 280B
MD5 74d7cf3b3eef47741190339096080e52
SHA1 388b4e21c8997f9b53f76b2a27e194675a0a61c1
SHA256 356204e21c9bad58ac70e242422c031fe0e44c356c001b05bcb185a467a3051a
SHA512 acd8e0f026bd1dd1fcb45759ac011dc2c0fce596c370aacd87cfe1a2144c277cd45d66d142117bd11b161226a1dd5e0db87270a994a02452c68e911f4e349362

Filesize 280B
MD5 c70e947c2d390f1aaa424b4d323c67d0
SHA1 502e0f229ce517982399c392fa4491e8e1176314
SHA256 fa57883ae87daaf85cf8adc9393f9f158757aaefacd95d328ff9bfc329f9b42d
SHA512 135ddb2d975cb3e5e1d56b4fcabe0b89a37a0789609a3e260f5a4499270ad6c7d1a2917fe1467b3afb2e2c49d3cbb32389e6a20914bee577a2ae918b7e93872e

Filesize 708KB
MD5 7ab154b8f9a5d53361fb598c093c7f66
SHA1 9c89d4bd5f785a9949d9455c1a9c31178aa143e8
SHA256 8580eddea59762e432e6d9d5be1300cf159a81d6a10e86f6c17a99bdb8f67192
SHA512 22cb9c6e5986882234cfd5c8e09fa6916bdba5c562a9a40db9e85fb3e7251e609f29673718d7533059f4358c8c376cef10eea4f08123f38b59ac1b09d1863cd5

Filesize 320KB
MD5 32c9a6435d4988f8555976f0bcb47803
SHA1 89d8c6c98e23a65e102b44a78b8582fbc2bf66f2
SHA256 5880a283c3fc44d23a1c368301384b7db5cd47aa6cbfe340f96163251bf72e54
SHA512 905d845d6352bf3cebf58fffd9efc41d87f9dfc721408f8ecc06e1c1c1e20f6753f4987689a7ba9253286efedb95e9266cb63b291d4a2a8cbca0e6c3f80e064c

Filesize 280B
MD5 1afda166bc808507f39de3879b6c8baf
SHA1 500d6a4ae9f06cd1ccd0a9a3cd6ece87d3db9274
SHA256 e23585bd07cadc01f43512d22f5d35911bb3e370985781a544f37ca6a6d4ca4d
SHA512 c288cb1171bd6a11ca9eb2f189a3471ade02b57214e8afcfb00e11daa3e29e475b1839aa25ba578e5128cf07eaf7601c5a3b67024274065f0aa00390f7a63a29

Filesize 4KB
MD5 7c565d4675a4dfb724f02c0edda587b2
SHA1 57730e94418cce34e6825610a820e92a12e7d3d9
SHA256 39bb57d1334f4160b3db976669421ce179a9ddd993b348da2c9f56dc39f0916b
SHA512 471bb801f75cb39aa0128220c750317c87397689299f24c8bf3d8cf6784534f4471384db1ecf960edfbc9f13243f7031ab5d1c05aef7bde9d127cfa3325f28f8

Filesize 636KB
MD5 c80bb333a03aefa2ebc92b2d4851eaed
SHA1 e8f4a6c6537522d8c9e187f4cc2ae47252c39e6f
SHA256 26aa0051cdca76b6fea6ef46de623fc60b21b3adcb3100e3366ab638fe9c3a38
SHA512 5a2d9a4c626761a0b9ce6eca4d21453a35ea91d29a17a7ebef69d0cccf7dd86accc8ed395437578e329e6aea98dd6cb05c02a7b53ffb8014400f11a6041da4f9