Analysis
max time kernel: 34s
max time network: 130s
platform: windows10-2004_x64
resource: win10v2004-20250410-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250410-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/04/2025, 12:44
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_b248fe8b370f8fcb43c669473faf2b6e.exe
Resource: win10v2004-20250410-en
General
Target: JaffaCakes118_b248fe8b370f8fcb43c669473faf2b6e.exe
Size: 824KB
MD5: b248fe8b370f8fcb43c669473faf2b6e
SHA1: 608fe88e45ea2939f616d60ac94ad1d3cf15b02b
SHA256: 99be2fccaa08c521f7eb1828d6b1620a439a9b9a9945b5dfe617a1bf07f9ef75
SHA512: aa076579580c4a800995cb6b05a4fcce39668266a52cc31b515b64d38828c007f4a10ed018d54adad015e49cac3a26e804ed575bf07ebe7c36e8dbc3b6182eb8
SSDEEP: 12288:npUJ3r6YkVwJgNnSykgb9cqWnw4q6ZmFhqs5S73cMKmA:npUNr6YkVRFkgbeqeo68FhqaS7MMM
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 12 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"  wcycexrfgmi.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"  wcycexrfgmi.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"  wcycexrfgmi.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"  wcycexrfgmi.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"  wcycexrfgmi.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"  xfnoxgm.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"  wcycexrfgmi.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"  wcycexrfgmi.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"  wcycexrfgmi.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"  wcycexrfgmi.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"  wcycexrfgmi.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"  xfnoxgm.exe
Pykspa family
UAC bypass 3 TTPs 21 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"  xfnoxgm.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  wcycexrfgmi.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  wcycexrfgmi.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  wcycexrfgmi.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  wcycexrfgmi.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  wcycexrfgmi.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  xfnoxgm.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  wcycexrfgmi.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  wcycexrfgmi.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"  wcycexrfgmi.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  xfnoxgm.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"  xfnoxgm.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  xfnoxgm.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  wcycexrfgmi.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  wcycexrfgmi.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  xfnoxgm.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  xfnoxgm.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  xfnoxgm.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  wcycexrfgmi.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  wcycexrfgmi.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  wcycexrfgmi.exe
Detect Pykspa worm 2 IoCs
resource  yara_rule
behavioral1/files/0x000d0000000227f5-4.dat  family_pykspa
behavioral1/files/0x00070000000241f5-86.dat  family_pykspa
Adds policy Run key to start application 2 TTPs 38 IoCs
Disables RegEdit via registry modification 6 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  wcycexrfgmi.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  xfnoxgm.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  xfnoxgm.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  xfnoxgm.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  xfnoxgm.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  wcycexrfgmi.exe
Checks computer location settings 2 TTPs 60 IoCs
Looks up country code configured in the registry, likely geofence.
Executes dropped EXE 64 IoCs
Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
description  ioc  Process
Key deleted  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power  xfnoxgm.exe
Key deleted  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys  xfnoxgm.exe
Key deleted  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc  xfnoxgm.exe
Key deleted  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager  xfnoxgm.exe
Key deleted  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys  xfnoxgm.exe
Key deleted  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc  xfnoxgm.exe
Adds Run key to start application 2 TTPs 64 IoCs
Checks whether UAC is enabled 1 TTPs 24 IoCs
-
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possibly turns off User Account Control's privilege elevation for standard users.
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" wcycexrfgmi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" xfnoxgm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" xfnoxgm.exe
-
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc
35 www.whatismyip.ca
37 whatismyip.everdot.org
17 whatismyip.everdot.org
21 www.showmyipaddress.com
24 www.whatismyip.ca
25 whatismyipaddress.com
30 whatismyip.everdot.org
-
Drops file in System32 directory 64 IoCs
-
Drops file in Program Files directory 4 IoCs
description ioc Process
File opened for modification C:\Program Files (x86)\bbbuvwuxsxrbtjqyakkkd.fdg xfnoxgm.exe
File created C:\Program Files (x86)\bbbuvwuxsxrbtjqyakkkd.fdg xfnoxgm.exe
File opened for modification C:\Program Files (x86)\whswiudrxnsnqrjcpkvgkwirflbgbefx.dyj xfnoxgm.exe
File created C:\Program Files (x86)\whswiudrxnsnqrjcpkvgkwirflbgbefx.dyj xfnoxgm.exe
-
Drops file in Windows directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 62 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process
Token: SeDebugPrivilege 4968 xfnoxgm.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 54 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | wcycexrfgmi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | xfnoxgm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | xfnoxgm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | wcycexrfgmi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wcycexrfgmi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | wcycexrfgmi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | wcycexrfgmi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | wcycexrfgmi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | xfnoxgm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | xfnoxgm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | xfnoxgm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wcycexrfgmi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xfnoxgm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | xfnoxgm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xfnoxgm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wcycexrfgmi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | xfnoxgm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | xfnoxgm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | wcycexrfgmi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wcycexrfgmi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wcycexrfgmi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | xfnoxgm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | xfnoxgm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | xfnoxgm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | xfnoxgm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | xfnoxgm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wcycexrfgmi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | wcycexrfgmi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | wcycexrfgmi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | wcycexrfgmi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | xfnoxgm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | wcycexrfgmi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wcycexrfgmi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | xfnoxgm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | xfnoxgm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wcycexrfgmi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | wcycexrfgmi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | wcycexrfgmi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | wcycexrfgmi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | xfnoxgm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | xfnoxgm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | xfnoxgm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | wcycexrfgmi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wcycexrfgmi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | wcycexrfgmi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | xfnoxgm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | xfnoxgm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wcycexrfgmi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | wcycexrfgmi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | wcycexrfgmi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wcycexrfgmi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | wcycexrfgmi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | wcycexrfgmi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | xfnoxgm.exe
Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b248fe8b370f8fcb43c669473faf2b6e.exe [PID 1944]
  command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b248fe8b370f8fcb43c669473faf2b6e.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe [PID 3320]
    command line: "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_b248fe8b370f8fcb43c669473faf2b6e.exe*"
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - System policy modification
    C:\Users\Admin\AppData\Local\Temp\xfnoxgm.exe [PID 4968]
      command line: "C:\Users\Admin\AppData\Local\Temp\xfnoxgm.exe" "-C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe"
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Impair Defenses: Safe Mode Boot
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Hijack Execution Flow: Executable Installer File Permissions Weakness
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - System policy modification
    C:\Users\Admin\AppData\Local\Temp\xfnoxgm.exe [PID 5196]
      command line: "C:\Users\Admin\AppData\Local\Temp\xfnoxgm.exe" "-C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe"
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Hijack Execution Flow: Executable Installer File Permissions Weakness
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification
C:\Windows\system32\cmd.exe [PID 4696]
  command line: C:\Windows\system32\cmd.exe /c kfaokgzxnnchufhkhmhc.exe
  - Suspicious use of WriteProcessMemory
  C:\Windows\kfaokgzxnnchufhkhmhc.exe [PID 4644]
    command line: kfaokgzxnnchufhkhmhc.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

C:\Windows\system32\cmd.exe [PID 2448]
  command line: C:\Windows\system32\cmd.exe /c dvnyrkavifrtdlkke.exe .
  - Suspicious use of WriteProcessMemory
  C:\Windows\dvnyrkavifrtdlkke.exe [PID 1224]
    command line: dvnyrkavifrtdlkke.exe .
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe [PID 4996]
      command line: "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\dvnyrkavifrtdlkke.exe*."
      - Executes dropped EXE

C:\Windows\system32\cmd.exe [PID 2792]
  command line: C:\Windows\system32\cmd.exe /c dvnyrkavifrtdlkke.exe
  - Suspicious use of WriteProcessMemory
  C:\Windows\dvnyrkavifrtdlkke.exe [PID 4408]
    command line: dvnyrkavifrtdlkke.exe
    - Executes dropped EXE

C:\Windows\system32\cmd.exe [PID 4636]
  command line: C:\Windows\system32\cmd.exe /c mfykeyplzxknyhhidg.exe .
  - Suspicious use of WriteProcessMemory
  C:\Windows\mfykeyplzxknyhhidg.exe [PID 5924]
    command line: mfykeyplzxknyhhidg.exe .
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe [PID 2388]
      command line: "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\mfykeyplzxknyhhidg.exe*."
      - Executes dropped EXE

C:\Windows\system32\cmd.exe [PID 4920]
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe [PID 5696]
    command line: C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

C:\Windows\system32\cmd.exe [PID 5056]
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe .
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe [PID 5672]
    command line: C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe .
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe [PID 4372]
      command line: "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\kfaokgzxnnchufhkhmhc.exe*."
      - Executes dropped EXE

C:\Windows\system32\cmd.exe [PID 2912]
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe [PID 4068]
    command line: C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe
    - Executes dropped EXE

C:\Windows\system32\cmd.exe [PID 4932]
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe .
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe [PID 940]
    command line: C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe .
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe [PID 728]
      command line: "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\xrlytogdsrfjvfgieic.exe*."
      - Executes dropped EXE
C:\Windows\system32\cmd.exe [PID 1620]
  command line: C:\Windows\system32\cmd.exe /c dvnyrkavifrtdlkke.exe
  - Suspicious use of WriteProcessMemory
  C:\Windows\dvnyrkavifrtdlkke.exe [PID 1840]
    command line: dvnyrkavifrtdlkke.exe
    - Executes dropped EXE

C:\Windows\system32\cmd.exe [PID 1724]
  command line: C:\Windows\system32\cmd.exe /c zvrgdautklbhvhkomsokz.exe
  - Suspicious use of WriteProcessMemory
  C:\Windows\zvrgdautklbhvhkomsokz.exe [PID 864]
    command line: zvrgdautklbhvhkomsokz.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

C:\Windows\system32\cmd.exe [PID 3996]
  command line: C:\Windows\system32\cmd.exe /c dvnyrkavifrtdlkke.exe .
  - Suspicious use of WriteProcessMemory
  C:\Windows\dvnyrkavifrtdlkke.exe [PID 5192]
    command line: dvnyrkavifrtdlkke.exe .
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe [PID 4540]
      command line: "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\dvnyrkavifrtdlkke.exe*."
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe [PID 2196]
  command line: C:\Windows\system32\cmd.exe /c wneogynhtpabkrpo.exe .
  - Suspicious use of WriteProcessMemory
  C:\Windows\wneogynhtpabkrpo.exe [PID 3856]
    command line: wneogynhtpabkrpo.exe .
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe [PID 4324]
      command line: "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\wneogynhtpabkrpo.exe*."
      - Executes dropped EXE

C:\Windows\system32\cmd.exe [PID 4788]
  command line: C:\Windows\system32\cmd.exe /c wneogynhtpabkrpo.exe
  C:\Windows\wneogynhtpabkrpo.exe [PID 6048]
    command line: wneogynhtpabkrpo.exe
    - Executes dropped EXE

C:\Windows\system32\cmd.exe [PID 1560]
  command line: C:\Windows\system32\cmd.exe /c xrlytogdsrfjvfgieic.exe
  - Suspicious use of WriteProcessMemory
  C:\Windows\xrlytogdsrfjvfgieic.exe [PID 2640]
    command line: xrlytogdsrfjvfgieic.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
C:\Windows\system32\cmd.exe [PID 5364]
  command line: C:\Windows\system32\cmd.exe /c wneogynhtpabkrpo.exe .
  C:\Windows\wneogynhtpabkrpo.exe [PID 6140]
    command line: wneogynhtpabkrpo.exe .
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe [PID 1112]
      command line: "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\wneogynhtpabkrpo.exe*."
      - Executes dropped EXE

C:\Windows\system32\cmd.exe [PID 3056]
  command line: C:\Windows\system32\cmd.exe /c kfaokgzxnnchufhkhmhc.exe .
  C:\Windows\kfaokgzxnnchufhkhmhc.exe [PID 2484]
    command line: kfaokgzxnnchufhkhmhc.exe .
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe [PID 1524]
      command line: "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\kfaokgzxnnchufhkhmhc.exe*."
      - Executes dropped EXE

C:\Windows\system32\cmd.exe [PID 5336]
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe
  C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe [PID 4780]
    command line: C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe
    - Executes dropped EXE

C:\Windows\system32\cmd.exe [PID 1468]
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe
  C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe [PID 4704]
    command line: C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe
    - Executes dropped EXE

C:\Windows\system32\cmd.exe [PID 2204]
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe .
  C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe [PID 5268]
    command line: C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe .
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe [PID 2016]
      command line: "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\zvrgdautklbhvhkomsokz.exe*."
      - Executes dropped EXE

C:\Windows\system32\cmd.exe [PID 4512]
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe .
  C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe [PID 4868]
    command line: C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe .
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe [PID 3880]
      command line: "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\kfaokgzxnnchufhkhmhc.exe*."
      - Executes dropped EXE

C:\Windows\system32\cmd.exe [PID 5908]
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe
  C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe [PID 2324]
    command line: C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe
    - Executes dropped EXE

C:\Windows\system32\cmd.exe [PID 5564]
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe
  C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe [PID 4228]
    command line: C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe
    - Executes dropped EXE

C:\Windows\system32\cmd.exe [PID 1732]
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe .
  C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe [PID 6040]
    command line: C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe .
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe [PID 4848]
      command line: "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\xrlytogdsrfjvfgieic.exe*."
      - Executes dropped EXE

C:\Windows\system32\cmd.exe [PID 4452]
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe .
  C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe [PID 5988]
    command line: C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe .
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe [PID 4900]
      command line: "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\zvrgdautklbhvhkomsokz.exe*."
      - Executes dropped EXE

C:\Windows\system32\cmd.exe [PID 4472]
  command line: C:\Windows\system32\cmd.exe /c mfykeyplzxknyhhidg.exe
  C:\Windows\mfykeyplzxknyhhidg.exe [PID 2080]
    command line: mfykeyplzxknyhhidg.exe
    - Executes dropped EXE
C:\Windows\system32\cmd.exe [PID 4204]
  command line: C:\Windows\system32\cmd.exe /c xrlytogdsrfjvfgieic.exe .
  C:\Windows\xrlytogdsrfjvfgieic.exe [PID 5952]
    command line: xrlytogdsrfjvfgieic.exe .
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe [PID 880]
      command line: "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\xrlytogdsrfjvfgieic.exe*."
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe [PID 5524]
  command line: C:\Windows\system32\cmd.exe /c mfykeyplzxknyhhidg.exe
  C:\Windows\mfykeyplzxknyhhidg.exe [PID 1532]
    command line: mfykeyplzxknyhhidg.exe
    - Executes dropped EXE

C:\Windows\system32\cmd.exe [PID 4948]
  command line: C:\Windows\system32\cmd.exe /c kfaokgzxnnchufhkhmhc.exe .
  C:\Windows\kfaokgzxnnchufhkhmhc.exe [PID 536]
    command line: kfaokgzxnnchufhkhmhc.exe .
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe [PID 4400]
      command line: "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\kfaokgzxnnchufhkhmhc.exe*."
      - Executes dropped EXE

C:\Windows\system32\cmd.exe [PID 3140]
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe
  C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe [PID 2892]
    command line: C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe
    - Executes dropped EXE

C:\Windows\system32\cmd.exe [PID 4908]
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe .
  C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe [PID 1744]
    command line: C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe .
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe [PID 4980]
      command line: "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\dvnyrkavifrtdlkke.exe*."
      - Executes dropped EXE

C:\Windows\system32\cmd.exe [PID 5672]
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe
  C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe [PID 1904]
    command line: C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe
    - Executes dropped EXE

C:\Windows\system32\cmd.exe [PID 5368]
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe .
  C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe [PID 4340]
    command line: C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe .
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe [PID 2600]
      command line: "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\zvrgdautklbhvhkomsokz.exe*."
      - Executes dropped EXE

C:\Windows\system32\cmd.exe [PID 6032]
  command line: C:\Windows\system32\cmd.exe /c dvnyrkavifrtdlkke.exe
  C:\Windows\dvnyrkavifrtdlkke.exe [PID 3428]
    command line: dvnyrkavifrtdlkke.exe
    - Executes dropped EXE

C:\Windows\system32\cmd.exe [PID 4572]
  command line: C:\Windows\system32\cmd.exe /c wneogynhtpabkrpo.exe
  C:\Windows\wneogynhtpabkrpo.exe [PID 864]
    command line: wneogynhtpabkrpo.exe
    - Executes dropped EXE

C:\Windows\system32\cmd.exe [PID 2652]
  command line: C:\Windows\system32\cmd.exe /c dvnyrkavifrtdlkke.exe
  C:\Windows\dvnyrkavifrtdlkke.exe [PID 436]
    command line: dvnyrkavifrtdlkke.exe
    - Executes dropped EXE
C:\Windows\system32\cmd.exe [PID 1460]
  command line: C:\Windows\system32\cmd.exe /c wneogynhtpabkrpo.exe .
  C:\Windows\wneogynhtpabkrpo.exe [PID 5404]
    command line: wneogynhtpabkrpo.exe .
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe [PID 4068]
      command line: "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\wneogynhtpabkrpo.exe*."
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe [PID 3468]
  command line: C:\Windows\system32\cmd.exe /c wneogynhtpabkrpo.exe .
  C:\Windows\wneogynhtpabkrpo.exe [PID 4156]
    command line: wneogynhtpabkrpo.exe .
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe [PID 4636]
      command line: "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\wneogynhtpabkrpo.exe*."
      - Executes dropped EXE

C:\Windows\system32\cmd.exe [PID 6096]
  command line: C:\Windows\system32\cmd.exe /c mfykeyplzxknyhhidg.exe .
  C:\Windows\mfykeyplzxknyhhidg.exe [PID 1052]
    command line: mfykeyplzxknyhhidg.exe .
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe [PID 1772]
      command line: "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\mfykeyplzxknyhhidg.exe*."

C:\Windows\system32\cmd.exe [PID 2092]
  command line: C:\Windows\system32\cmd.exe /c wneogynhtpabkrpo.exe
  C:\Windows\wneogynhtpabkrpo.exe [PID 4148]
    command line: wneogynhtpabkrpo.exe
    - Executes dropped EXE

C:\Windows\system32\cmd.exe [PID 3796]
  command line: C:\Windows\system32\cmd.exe /c kfaokgzxnnchufhkhmhc.exe
  C:\Windows\kfaokgzxnnchufhkhmhc.exe [PID 4804]
    command line: kfaokgzxnnchufhkhmhc.exe
    - Executes dropped EXE

C:\Windows\system32\cmd.exe [PID 5932]
  command line: C:\Windows\system32\cmd.exe /c kfaokgzxnnchufhkhmhc.exe
  C:\Windows\kfaokgzxnnchufhkhmhc.exe [PID 452]
    command line: kfaokgzxnnchufhkhmhc.exe
    - Executes dropped EXE

C:\Windows\system32\cmd.exe [PID 3388]
  command line: C:\Windows\system32\cmd.exe /c wneogynhtpabkrpo.exe .
  C:\Windows\wneogynhtpabkrpo.exe [PID 6040]
    command line: wneogynhtpabkrpo.exe .
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe [PID 4752]
      command line: "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\wneogynhtpabkrpo.exe*."

C:\Windows\system32\cmd.exe [PID 1332]
  command line: C:\Windows\system32\cmd.exe /c mfykeyplzxknyhhidg.exe .
  C:\Windows\mfykeyplzxknyhhidg.exe [PID 3604]
    command line: mfykeyplzxknyhhidg.exe .
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe [PID 5280]
      command line: "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\mfykeyplzxknyhhidg.exe*."

C:\Windows\system32\cmd.exe [PID 6000]
  command line: C:\Windows\system32\cmd.exe /c mfykeyplzxknyhhidg.exe .
  C:\Windows\mfykeyplzxknyhhidg.exe [PID 2632]
    command line: mfykeyplzxknyhhidg.exe .
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe [PID 5316]
      command line: "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\mfykeyplzxknyhhidg.exe*."
C:\Windows\system32\cmd.exe [PID 1048]
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe
  C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe [PID 2860]
    command line: C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe

C:\Windows\system32\cmd.exe [PID 2492]
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe
  C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe [PID 1056]
    command line: C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe

C:\Windows\system32\cmd.exe [PID 1988]
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe
  C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe [PID 4840]
    command line: C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe
    - System Location Discovery: System Language Discovery

C:\Windows\system32\cmd.exe [PID 4608]
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe .
  C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe [PID 4172]
    command line: C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe .
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe [PID 4964]
      command line: "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\dvnyrkavifrtdlkke.exe*."

C:\Windows\system32\cmd.exe [PID 3852]
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe .
  C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe [PID 4524]
    command line: C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe .
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe [PID 6132]
      command line: "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\mfykeyplzxknyhhidg.exe*."

C:\Windows\system32\cmd.exe [PID 5944]
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe .
  C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe [PID 4728]
    command line: C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe .
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe [PID 6080]
      command line: "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\wneogynhtpabkrpo.exe*."

C:\Windows\system32\cmd.exe [PID 4568]
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe
  C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe [PID 4904]
    command line: C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe

C:\Windows\system32\cmd.exe [PID 4928]
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe
  C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe [PID 5436]
    command line: C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe

C:\Windows\system32\cmd.exe [PID 5812]
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe
  C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe [PID 1296]
    command line: C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe

C:\Windows\system32\cmd.exe [PID 3252]
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe .
  C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe [PID 6124]
    command line: C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe .
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe [PID 740]
      command line: "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\dvnyrkavifrtdlkke.exe*."

C:\Windows\system32\cmd.exe [PID 4944]
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe .
  C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe [PID 976]
    command line: C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe .
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe [PID 6012]
      command line: "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\zvrgdautklbhvhkomsokz.exe*."

C:\Windows\system32\cmd.exe [PID 5156]
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe .
  C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe [PID 5072]
    command line: C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe .
    - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe [PID 4032]
      command line: "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\dvnyrkavifrtdlkke.exe*."
C:\Windows\system32\cmd.exe [PID 1540]
  command line: C:\Windows\system32\cmd.exe /c xrlytogdsrfjvfgieic.exe
  C:\Windows\xrlytogdsrfjvfgieic.exe [PID 4092]
    command line: xrlytogdsrfjvfgieic.exe

C:\Windows\system32\cmd.exe [PID 692]
  command line: C:\Windows\system32\cmd.exe /c xrlytogdsrfjvfgieic.exe .
  C:\Windows\xrlytogdsrfjvfgieic.exe [PID 3776]
    command line: xrlytogdsrfjvfgieic.exe .
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe [PID 864]
      command line: "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\xrlytogdsrfjvfgieic.exe*."

C:\Windows\system32\cmd.exe [PID 2144]
  command line: C:\Windows\system32\cmd.exe /c wneogynhtpabkrpo.exe
  C:\Windows\wneogynhtpabkrpo.exe [PID 4040]
    command line: wneogynhtpabkrpo.exe

C:\Windows\system32\cmd.exe [PID 5964]
  command line: C:\Windows\system32\cmd.exe /c zvrgdautklbhvhkomsokz.exe .
  C:\Windows\zvrgdautklbhvhkomsokz.exe [PID 2240]
    command line: zvrgdautklbhvhkomsokz.exe .
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe [PID 2188]
      command line: "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\zvrgdautklbhvhkomsokz.exe*."

C:\Windows\system32\cmd.exe [PID 2888]
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe
  C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe [PID 3428]
    command line: C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe

C:\Windows\system32\cmd.exe [PID 4816]
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe .
  C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe [PID 5760]
    command line: C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe .
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe [PID 2216]
      command line: "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\xrlytogdsrfjvfgieic.exe*."

C:\Windows\system32\cmd.exe [PID 1392]
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe
  C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe [PID 5596]
    command line: C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe

C:\Windows\system32\cmd.exe [PID 1216]
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe .
  C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe [PID 2020]
    command line: C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe .
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe [PID 5020]
      command line: "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\zvrgdautklbhvhkomsokz.exe*."
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe [PID 2232]
  command line: C:\Windows\system32\cmd.exe /c dvnyrkavifrtdlkke.exe
  C:\Windows\dvnyrkavifrtdlkke.exe [PID 5440]
    command line: dvnyrkavifrtdlkke.exe

C:\Windows\system32\cmd.exe [PID 3240]
  command line: C:\Windows\system32\cmd.exe /c dvnyrkavifrtdlkke.exe .
  C:\Windows\dvnyrkavifrtdlkke.exe [PID 5508]
    command line: dvnyrkavifrtdlkke.exe .
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe [PID 4676]
      command line: "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\dvnyrkavifrtdlkke.exe*."

C:\Windows\system32\cmd.exe [PID 2956]
  command line: C:\Windows\system32\cmd.exe /c kfaokgzxnnchufhkhmhc.exe
  C:\Windows\System32\Conhost.exe [PID 3856]
    command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Windows\kfaokgzxnnchufhkhmhc.exe [PID 2644]
    command line: kfaokgzxnnchufhkhmhc.exe

C:\Windows\system32\cmd.exe [PID 2856]
  command line: C:\Windows\system32\cmd.exe /c zvrgdautklbhvhkomsokz.exe .
  C:\Windows\zvrgdautklbhvhkomsokz.exe [PID 996]
    command line: zvrgdautklbhvhkomsokz.exe .
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe [PID 1060]
      command line: "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\zvrgdautklbhvhkomsokz.exe*."

C:\Windows\system32\cmd.exe [PID 1296]
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe
  C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe [PID 5012]
    command line: C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe

C:\Windows\system32\cmd.exe [PID 2312]
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe .
  C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe
    command line: C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe .
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5988 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\xrlytogdsrfjvfgieic.exe*."3⤵PID:3836
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe1⤵PID:4700
-
C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exeC:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe2⤵PID:5436
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe .1⤵PID:4544
-
C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exeC:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:6048 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\kfaokgzxnnchufhkhmhc.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5320
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mfykeyplzxknyhhidg.exe1⤵PID:4884
-
C:\Windows\mfykeyplzxknyhhidg.exemfykeyplzxknyhhidg.exe2⤵PID:5048
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dvnyrkavifrtdlkke.exe .1⤵PID:4588
-
C:\Windows\dvnyrkavifrtdlkke.exedvnyrkavifrtdlkke.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1088 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\dvnyrkavifrtdlkke.exe*."3⤵PID:4728
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xrlytogdsrfjvfgieic.exe1⤵PID:4336
-
C:\Windows\xrlytogdsrfjvfgieic.exexrlytogdsrfjvfgieic.exe2⤵PID:2448
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zvrgdautklbhvhkomsokz.exe .1⤵PID:2792
-
C:\Windows\zvrgdautklbhvhkomsokz.exezvrgdautklbhvhkomsokz.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4624 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\zvrgdautklbhvhkomsokz.exe*."3⤵PID:4880
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe1⤵PID:5516
-
C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exeC:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe2⤵PID:5356
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe .1⤵PID:2284
-
C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exeC:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4872 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\mfykeyplzxknyhhidg.exe*."3⤵PID:1320
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe1⤵PID:4704
-
C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exeC:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe2⤵PID:6124
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe .1⤵PID:2460
-
C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exeC:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4648 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\zvrgdautklbhvhkomsokz.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4608
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dvnyrkavifrtdlkke.exe1⤵PID:5656
-
C:\Windows\dvnyrkavifrtdlkke.exedvnyrkavifrtdlkke.exe2⤵PID:4876
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wneogynhtpabkrpo.exe .1⤵PID:4960
-
C:\Windows\wneogynhtpabkrpo.exewneogynhtpabkrpo.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1540 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\wneogynhtpabkrpo.exe*."3⤵PID:3824
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xrlytogdsrfjvfgieic.exe1⤵PID:6088
-
C:\Windows\xrlytogdsrfjvfgieic.exexrlytogdsrfjvfgieic.exe2⤵PID:4572
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xrlytogdsrfjvfgieic.exe .1⤵PID:3404
-
C:\Windows\xrlytogdsrfjvfgieic.exexrlytogdsrfjvfgieic.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:692 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\xrlytogdsrfjvfgieic.exe*."3⤵PID:4760
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe1⤵PID:5928
-
C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exeC:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe2⤵PID:5112
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe .1⤵PID:3416
-
C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exeC:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3800 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\kfaokgzxnnchufhkhmhc.exe*."3⤵PID:4416
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe1⤵PID:5716
-
C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exeC:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe2⤵PID:2696
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe .1⤵PID:3956
-
C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exeC:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2516 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\xrlytogdsrfjvfgieic.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1840
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wneogynhtpabkrpo.exe1⤵PID:2476
-
C:\Windows\wneogynhtpabkrpo.exewneogynhtpabkrpo.exe2⤵PID:3500
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xrlytogdsrfjvfgieic.exe .1⤵PID:5552
-
C:\Windows\xrlytogdsrfjvfgieic.exexrlytogdsrfjvfgieic.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5448 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\xrlytogdsrfjvfgieic.exe*."3⤵PID:5384
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kfaokgzxnnchufhkhmhc.exe1⤵PID:3744
-
C:\Windows\kfaokgzxnnchufhkhmhc.exekfaokgzxnnchufhkhmhc.exe2⤵PID:4676
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dvnyrkavifrtdlkke.exe .1⤵PID:1772
-
C:\Windows\dvnyrkavifrtdlkke.exedvnyrkavifrtdlkke.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3808 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\dvnyrkavifrtdlkke.exe*."3⤵PID:1308
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe1⤵PID:2232
-
C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exeC:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe2⤵PID:4512
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe .1⤵PID:3792
-
C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exeC:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5316 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\kfaokgzxnnchufhkhmhc.exe*."3⤵PID:1060
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe1⤵PID:5364
-
C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exeC:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe2⤵PID:2312
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wneogynhtpabkrpo.exe1⤵PID:2288
-
C:\Windows\wneogynhtpabkrpo.exewneogynhtpabkrpo.exe2⤵PID:3672
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe .1⤵PID:5460
-
C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exeC:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5004 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\dvnyrkavifrtdlkke.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1688
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xrlytogdsrfjvfgieic.exe1⤵PID:2856
-
C:\Windows\xrlytogdsrfjvfgieic.exexrlytogdsrfjvfgieic.exe2⤵PID:3052
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mfykeyplzxknyhhidg.exe .1⤵PID:3184
-
C:\Windows\mfykeyplzxknyhhidg.exemfykeyplzxknyhhidg.exe .2⤵PID:3468
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\mfykeyplzxknyhhidg.exe*."3⤵PID:1472
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wneogynhtpabkrpo.exe .1⤵PID:5252
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5280
-
-
C:\Windows\wneogynhtpabkrpo.exewneogynhtpabkrpo.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4524 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\wneogynhtpabkrpo.exe*."3⤵PID:3980
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zvrgdautklbhvhkomsokz.exe1⤵PID:3704
-
C:\Windows\zvrgdautklbhvhkomsokz.exezvrgdautklbhvhkomsokz.exe2⤵PID:5628
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wneogynhtpabkrpo.exe1⤵PID:4836
-
C:\Windows\wneogynhtpabkrpo.exewneogynhtpabkrpo.exe2⤵PID:4756
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dvnyrkavifrtdlkke.exe .1⤵PID:2448
-
C:\Windows\dvnyrkavifrtdlkke.exedvnyrkavifrtdlkke.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3360 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\dvnyrkavifrtdlkke.exe*."3⤵PID:5964
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mfykeyplzxknyhhidg.exe .1⤵PID:4052
-
C:\Windows\mfykeyplzxknyhhidg.exemfykeyplzxknyhhidg.exe .2⤵PID:2644
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\mfykeyplzxknyhhidg.exe*."3⤵PID:3592
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe1⤵PID:5752
-
C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exeC:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe2⤵PID:5888
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe1⤵PID:4196
-
C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exeC:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe2⤵PID:4216
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe .1⤵PID:4720
-
C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exeC:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1312 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\wneogynhtpabkrpo.exe*."3⤵PID:3504
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe .1⤵PID:4624
-
C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exeC:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe .2⤵
- Checks computer location settings
PID:6012 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\zvrgdautklbhvhkomsokz.exe*."3⤵PID:2040
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe1⤵PID:3772
-
C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exeC:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe2⤵PID:5608
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe1⤵PID:4872
-
C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exeC:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe2⤵PID:5648
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe .1⤵PID:6100
-
C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exeC:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5112 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\dvnyrkavifrtdlkke.exe*."3⤵PID:4712
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe .1⤵PID:2348
-
C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exeC:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1140 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\xrlytogdsrfjvfgieic.exe*."3⤵PID:388
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kfaokgzxnnchufhkhmhc.exe1⤵PID:4888
-
C:\Windows\kfaokgzxnnchufhkhmhc.exekfaokgzxnnchufhkhmhc.exe2⤵PID:3848
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xrlytogdsrfjvfgieic.exe .1⤵PID:1208
-
C:\Windows\xrlytogdsrfjvfgieic.exexrlytogdsrfjvfgieic.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3820 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\xrlytogdsrfjvfgieic.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4972
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dvnyrkavifrtdlkke.exe1⤵PID:400
-
C:\Windows\dvnyrkavifrtdlkke.exedvnyrkavifrtdlkke.exe2⤵PID:436
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kfaokgzxnnchufhkhmhc.exe .1⤵PID:4324
-
C:\Windows\kfaokgzxnnchufhkhmhc.exekfaokgzxnnchufhkhmhc.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3208 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\kfaokgzxnnchufhkhmhc.exe*."3⤵PID:4148
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe1⤵PID:5512
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3428
-
-
C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exeC:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe2⤵PID:4676
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe .1⤵PID:5152
-
C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exeC:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3056 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\kfaokgzxnnchufhkhmhc.exe*."3⤵PID:5328
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe1⤵PID:4804
-
C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exeC:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe2⤵PID:2636
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe .1⤵PID:5104
-
C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exeC:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2860 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\zvrgdautklbhvhkomsokz.exe*."3⤵PID:3100
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mfykeyplzxknyhhidg.exe1⤵PID:3240
-
C:\Windows\mfykeyplzxknyhhidg.exemfykeyplzxknyhhidg.exe2⤵PID:1856
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mfykeyplzxknyhhidg.exe .1⤵PID:2080
-
C:\Windows\mfykeyplzxknyhhidg.exemfykeyplzxknyhhidg.exe .2⤵PID:2276
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\mfykeyplzxknyhhidg.exe*."3⤵PID:3232
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zvrgdautklbhvhkomsokz.exe1⤵PID:6108
-
C:\Windows\zvrgdautklbhvhkomsokz.exezvrgdautklbhvhkomsokz.exe2⤵PID:1048
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kfaokgzxnnchufhkhmhc.exe .1⤵PID:3108
-
C:\Windows\kfaokgzxnnchufhkhmhc.exekfaokgzxnnchufhkhmhc.exe .2⤵PID:4904
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\kfaokgzxnnchufhkhmhc.exe*."3⤵PID:2892
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe1⤵PID:3672
-
C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exeC:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe2⤵PID:5988
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe .1⤵PID:2328
-
C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exeC:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe .2⤵PID:5936
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\xrlytogdsrfjvfgieic.exe*."3⤵PID:5600
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe1⤵PID:1320
-
C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exeC:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe2⤵PID:3788
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe .1⤵PID:6124
-
C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exeC:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe .2⤵PID:5252
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\mfykeyplzxknyhhidg.exe*."3⤵PID:5888
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kfaokgzxnnchufhkhmhc.exe1⤵PID:5736
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4040
-
-
C:\Windows\kfaokgzxnnchufhkhmhc.exekfaokgzxnnchufhkhmhc.exe2⤵PID:2144
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kfaokgzxnnchufhkhmhc.exe .1⤵PID:1616
-
C:\Windows\kfaokgzxnnchufhkhmhc.exekfaokgzxnnchufhkhmhc.exe .2⤵PID:5156
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\kfaokgzxnnchufhkhmhc.exe*."3⤵PID:1532
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wneogynhtpabkrpo.exe1⤵PID:5260
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:728
-
-
C:\Windows\wneogynhtpabkrpo.exewneogynhtpabkrpo.exe2⤵PID:4220
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kfaokgzxnnchufhkhmhc.exe .1⤵PID:4400
-
C:\Windows\kfaokgzxnnchufhkhmhc.exekfaokgzxnnchufhkhmhc.exe .2⤵PID:1544
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\kfaokgzxnnchufhkhmhc.exe*."3⤵PID:6088
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe1⤵PID:2188
-
C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exeC:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe2⤵PID:5832
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe .1⤵PID:912
-
C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exeC:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe .2⤵PID:1216
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\xrlytogdsrfjvfgieic.exe*."3⤵PID:2764
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe1⤵PID:3820
-
C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exeC:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe2⤵PID:2824
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe .1⤵PID:1396
-
C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exeC:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe .2⤵PID:1220
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\wneogynhtpabkrpo.exe*."3⤵PID:4860
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zvrgdautklbhvhkomsokz.exe1⤵PID:5764
-
C:\Windows\zvrgdautklbhvhkomsokz.exezvrgdautklbhvhkomsokz.exe2⤵PID:4560
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mfykeyplzxknyhhidg.exe .1⤵PID:5276
-
C:\Windows\mfykeyplzxknyhhidg.exemfykeyplzxknyhhidg.exe .2⤵PID:4620
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\mfykeyplzxknyhhidg.exe*."3⤵PID:4608
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wneogynhtpabkrpo.exe1⤵PID:3352
-
C:\Windows\wneogynhtpabkrpo.exewneogynhtpabkrpo.exe2⤵PID:4364
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xrlytogdsrfjvfgieic.exe .1⤵PID:5596
-
C:\Windows\xrlytogdsrfjvfgieic.exexrlytogdsrfjvfgieic.exe .2⤵PID:5440
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\xrlytogdsrfjvfgieic.exe*."3⤵PID:692
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe1⤵PID:1812
-
C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exeC:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe2⤵PID:1016
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe .1⤵PID:852
-
C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exeC:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe .2⤵PID:4520
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\zvrgdautklbhvhkomsokz.exe*."3⤵PID:1060
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe1⤵PID:4604
-
C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exeC:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe2⤵PID:3468
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe .1⤵PID:3808
-
C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exeC:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe .2⤵PID:3592
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\dvnyrkavifrtdlkke.exe*."3⤵PID:1732
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dvnyrkavifrtdlkke.exe1⤵PID:5908
-
C:\Windows\dvnyrkavifrtdlkke.exedvnyrkavifrtdlkke.exe2⤵PID:2276
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xrlytogdsrfjvfgieic.exe .1⤵PID:5728
-
C:\Windows\xrlytogdsrfjvfgieic.exexrlytogdsrfjvfgieic.exe .2⤵PID:3560
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\xrlytogdsrfjvfgieic.exe*."3⤵PID:4008
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zvrgdautklbhvhkomsokz.exe1⤵PID:4484
-
C:\Windows\zvrgdautklbhvhkomsokz.exezvrgdautklbhvhkomsokz.exe2⤵PID:3132
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xrlytogdsrfjvfgieic.exe .1⤵PID:776
-
C:\Windows\xrlytogdsrfjvfgieic.exexrlytogdsrfjvfgieic.exe .2⤵PID:5048
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\xrlytogdsrfjvfgieic.exe*."3⤵PID:3880
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe1⤵PID:2920
-
C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exeC:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe2⤵PID:5768
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe .1⤵PID:2220
-
C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exeC:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe .2⤵PID:4460
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\kfaokgzxnnchufhkhmhc.exe*."3⤵PID:5484
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe1⤵PID:1528
-
C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exeC:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe2⤵PID:3420
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe .1⤵PID:1124
-
Process tree, one process per line. Columns: image path | command line | PID. Indentation shows the depth in the tree (level 1 = start of a chain, level 2 = its child, level 3 = grandchild). The first two entries continue a chain whose level-1 parent precedes this section.

    C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe  |  C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe .  |  PID 2128
        C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  |  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\kfaokgzxnnchufhkhmhc.exe*."  |  PID 4836

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c mfykeyplzxknyhhidg.exe  |  PID 2148
    C:\Windows\mfykeyplzxknyhhidg.exe  |  mfykeyplzxknyhhidg.exe  |  PID 632

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c dvnyrkavifrtdlkke.exe .  |  PID 4876
    C:\Windows\dvnyrkavifrtdlkke.exe  |  dvnyrkavifrtdlkke.exe .  |  PID 1904
        C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  |  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\dvnyrkavifrtdlkke.exe*."  |  PID 1640

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c kfaokgzxnnchufhkhmhc.exe  |  PID 4372
    C:\Windows\kfaokgzxnnchufhkhmhc.exe  |  kfaokgzxnnchufhkhmhc.exe  |  PID 5848

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c xrlytogdsrfjvfgieic.exe .  |  PID 2016
    C:\Windows\xrlytogdsrfjvfgieic.exe  |  xrlytogdsrfjvfgieic.exe .  |  PID 1440
        C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  |  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\xrlytogdsrfjvfgieic.exe*."  |  PID 2764

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe  |  PID 1428
    C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe  |  C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe  |  PID 4548

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c xrlytogdsrfjvfgieic.exe  |  PID 4244
    C:\Windows\xrlytogdsrfjvfgieic.exe  |  xrlytogdsrfjvfgieic.exe  |  PID 5512

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c xrlytogdsrfjvfgieic.exe  |  PID 1116
    C:\Windows\xrlytogdsrfjvfgieic.exe  |  xrlytogdsrfjvfgieic.exe  |  PID 5632

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe .  |  PID 4712
    C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe  |  C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe .  |  PID 380
        C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  |  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\xrlytogdsrfjvfgieic.exe*."  |  PID 1596

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c wneogynhtpabkrpo.exe .  |  PID 6088
    C:\Windows\wneogynhtpabkrpo.exe  |  wneogynhtpabkrpo.exe .  |  PID 4912
        C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  |  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\wneogynhtpabkrpo.exe*."  |  PID 2644

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c wneogynhtpabkrpo.exe .  |  PID 2140
    C:\Windows\wneogynhtpabkrpo.exe  |  wneogynhtpabkrpo.exe .  |  PID 3100
        C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  |  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\wneogynhtpabkrpo.exe*."  |  PID 2336

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c dvnyrkavifrtdlkke.exe  |  PID 912
    C:\Windows\dvnyrkavifrtdlkke.exe  |  dvnyrkavifrtdlkke.exe  |  PID 1224

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe  |  PID 4952
    C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe  |  C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe  |  PID 4472

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c dvnyrkavifrtdlkke.exe  |  PID 3092
    C:\Windows\dvnyrkavifrtdlkke.exe  |  dvnyrkavifrtdlkke.exe  |  PID 4860

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe .  |  PID 1540
    C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe  |  C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe .  |  PID 5236
        C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  |  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\dvnyrkavifrtdlkke.exe*."  |  PID 5004

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c xrlytogdsrfjvfgieic.exe .  |  PID 2448
    C:\Windows\xrlytogdsrfjvfgieic.exe  |  xrlytogdsrfjvfgieic.exe .  |  PID 1512
        C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  |  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\xrlytogdsrfjvfgieic.exe*."  |  PID 5016

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c xrlytogdsrfjvfgieic.exe .  |  PID 4420
    C:\Windows\xrlytogdsrfjvfgieic.exe  |  xrlytogdsrfjvfgieic.exe .  |  PID 4732
        C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  |  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\xrlytogdsrfjvfgieic.exe*."  |  PID 2728

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe  |  PID 2600
    C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe  |  C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe  |  PID 2488

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe  |  PID 2012
    C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe  |  C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe  |  PID 5620

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe .  |  PID 4628
    C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe  |  C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe .  |  PID 3600
        C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  |  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\dvnyrkavifrtdlkke.exe*."  |  PID 6064

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe .  |  PID 3744
    C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  |  PID 2516
    C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe  |  C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe .  |  PID 5364
        C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  |  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\dvnyrkavifrtdlkke.exe*."  |  PID 2288

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe  |  PID 4148
    C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe  |  C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe  |  PID 4612

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe  |  PID 5724
    C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe  |  C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe  |  PID 3052

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe .  |  PID 2192
    C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe  |  C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe .  |  PID 3012
        C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  |  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\xrlytogdsrfjvfgieic.exe*."  |  PID 5212

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe .  |  PID 1856
    C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe  |  C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe .  |  PID 6108
        C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  |  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\xrlytogdsrfjvfgieic.exe*."  |  PID 3788

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c dvnyrkavifrtdlkke.exe  |  PID 3132
    C:\Windows\dvnyrkavifrtdlkke.exe  |  dvnyrkavifrtdlkke.exe  |  PID 4228

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c mfykeyplzxknyhhidg.exe .  |  PID 3444
    C:\Windows\mfykeyplzxknyhhidg.exe  |  mfykeyplzxknyhhidg.exe .  |  PID 2536
        C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  |  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\mfykeyplzxknyhhidg.exe*."  |  PID 2640

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c xrlytogdsrfjvfgieic.exe  |  PID 5080
    C:\Windows\xrlytogdsrfjvfgieic.exe  |  xrlytogdsrfjvfgieic.exe  |  PID 4184

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c zvrgdautklbhvhkomsokz.exe .  |  PID 3912
    C:\Windows\zvrgdautklbhvhkomsokz.exe  |  zvrgdautklbhvhkomsokz.exe .  |  PID 1744
        C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  |  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\zvrgdautklbhvhkomsokz.exe*."  |  PID 1612

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe  |  PID 5096
    C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe  |  C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe  |  PID 3280

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe .  |  PID 5184
    C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe  |  C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe .  |  PID 368
        C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  |  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\zvrgdautklbhvhkomsokz.exe*."  |  PID 3504

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe  |  PID 1532
    C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe  |  C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe  |  PID 3704

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe .  |  PID 5892
    C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  |  PID 4980
    C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe  |  C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe .  |  PID 5088
        C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  |  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\wneogynhtpabkrpo.exe*."  |  PID 1440

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c wneogynhtpabkrpo.exe  |  PID 4560
    C:\Windows\wneogynhtpabkrpo.exe  |  wneogynhtpabkrpo.exe  |  PID 5156

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c wneogynhtpabkrpo.exe .  |  PID 6032
    C:\Windows\wneogynhtpabkrpo.exe  |  wneogynhtpabkrpo.exe .  |  PID 3256
        C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  |  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\wneogynhtpabkrpo.exe*."  |  PID 2096

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c mfykeyplzxknyhhidg.exe  |  PID 380
    C:\Windows\mfykeyplzxknyhhidg.exe  |  mfykeyplzxknyhhidg.exe  |  PID 2356

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c mfykeyplzxknyhhidg.exe .  |  PID 1388
    C:\Windows\mfykeyplzxknyhhidg.exe  |  mfykeyplzxknyhhidg.exe .  |  PID 4180
        C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  |  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\mfykeyplzxknyhhidg.exe*."  |  PID 1472

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe  |  PID 5412
    C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe  |  C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe  |  PID 4644

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe .  |  PID 5032
    C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe  |  C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe .  |  PID 3592
        C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  |  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\xrlytogdsrfjvfgieic.exe*."  |  PID 4728

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe  |  PID 5336
    C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe  |  C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe  |  PID 4740

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe .  |  PID 5864
    C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe  |  C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe .  |  PID 4908
        C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  |  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\dvnyrkavifrtdlkke.exe*."  |  PID 3052

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c wneogynhtpabkrpo.exe  |  PID 3092
    C:\Windows\wneogynhtpabkrpo.exe  |  wneogynhtpabkrpo.exe  |  PID 3004

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c zvrgdautklbhvhkomsokz.exe .  |  PID 5748
    C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  |  PID 880
    C:\Windows\zvrgdautklbhvhkomsokz.exe  |  zvrgdautklbhvhkomsokz.exe .  |  PID 1840
        C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  |  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\zvrgdautklbhvhkomsokz.exe*."  |  PID 544

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c dvnyrkavifrtdlkke.exe  |  PID 5016
    C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  |  PID 5952
    C:\Windows\dvnyrkavifrtdlkke.exe  |  dvnyrkavifrtdlkke.exe  |  PID 1088

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c zvrgdautklbhvhkomsokz.exe .  |  PID 6048
    C:\Windows\zvrgdautklbhvhkomsokz.exe  |  zvrgdautklbhvhkomsokz.exe .  |  PID 224
        C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  |  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\zvrgdautklbhvhkomsokz.exe*."  |  PID 3276

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe  |  PID 4800
    C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe  |  C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe  |  PID 5004

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe .  |  PID 2632
    C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe  |  C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe .  |  PID 2600
        C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  |  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\xrlytogdsrfjvfgieic.exe*."  |  PID 4020

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe  |  PID 1952
    C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe  |  C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe  |  PID 5600

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe .  |  PID 392
    C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe  |  C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe .  |  PID 1812
        C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  |  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\xrlytogdsrfjvfgieic.exe*."  |  PID 5224

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c zvrgdautklbhvhkomsokz.exe  |  PID 2360
    C:\Windows\zvrgdautklbhvhkomsokz.exe  |  zvrgdautklbhvhkomsokz.exe  |  PID 1620

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c xrlytogdsrfjvfgieic.exe .  |  PID 5152
    C:\Windows\xrlytogdsrfjvfgieic.exe  |  xrlytogdsrfjvfgieic.exe .  |  PID 5788
        C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  |  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\xrlytogdsrfjvfgieic.exe*."  |  PID 4324

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c mfykeyplzxknyhhidg.exe  |  PID 5884
    C:\Windows\mfykeyplzxknyhhidg.exe  |  mfykeyplzxknyhhidg.exe  |  PID 4184

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c wneogynhtpabkrpo.exe .  |  PID 2436
    C:\Windows\wneogynhtpabkrpo.exe  |  wneogynhtpabkrpo.exe .  |  PID 2388
        C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  |  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\wneogynhtpabkrpo.exe*."  |  PID 5812

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe  |  PID 5476
    C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  |  PID 4648
    C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe  |  C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe  |  PID 2948

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe .  |  PID 5400
    C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe  |  C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe .  |  PID 5992
        C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  |  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\zvrgdautklbhvhkomsokz.exe*."  |  PID 632

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe  |  PID 5060
    C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe  |  C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe  |  PID 5984

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe .  |  PID 5340
    C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe  |  C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe .  |  PID 4820
        C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  |  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\kfaokgzxnnchufhkhmhc.exe*."  |  PID 4216

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c xrlytogdsrfjvfgieic.exe  |  PID 4804
    C:\Windows\xrlytogdsrfjvfgieic.exe  |  xrlytogdsrfjvfgieic.exe  |  PID 5068

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c xrlytogdsrfjvfgieic.exe .  |  PID 4964
    C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  |  PID 4400
    C:\Windows\xrlytogdsrfjvfgieic.exe  |  xrlytogdsrfjvfgieic.exe .  |  PID 976
        C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  |  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\xrlytogdsrfjvfgieic.exe*."  |  PID 4548

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c kfaokgzxnnchufhkhmhc.exe  |  PID 636
    C:\Windows\kfaokgzxnnchufhkhmhc.exe  |  kfaokgzxnnchufhkhmhc.exe  |  PID 2604

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c mfykeyplzxknyhhidg.exe .  |  PID 948
    C:\Windows\mfykeyplzxknyhhidg.exe  |  mfykeyplzxknyhhidg.exe .  |  PID 3928
        C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  |  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\mfykeyplzxknyhhidg.exe*."  |  PID 3552

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe  |  PID 4560
    C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe  |  C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe  |  PID 4408

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe .  |  PID 2356
    C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe  |  C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe .  |  PID 1156
        C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  |  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\dvnyrkavifrtdlkke.exe*."  |  PID 4244

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe  |  PID 4624
    C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe  |  C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe  |  PID 5320

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe .  |  PID 4860
    C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  |  PID 1296
    C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe  |  C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe .  |  PID 1016
        C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  |  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\wneogynhtpabkrpo.exe*."  |  PID 1956

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c dvnyrkavifrtdlkke.exe  |  PID 2332
    C:\Windows\dvnyrkavifrtdlkke.exe  |  dvnyrkavifrtdlkke.exe  |  PID 4916

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c zvrgdautklbhvhkomsokz.exe .  |  PID 5620
    C:\Windows\zvrgdautklbhvhkomsokz.exe  |  zvrgdautklbhvhkomsokz.exe .  |  PID 6092
        C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  |  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\zvrgdautklbhvhkomsokz.exe*."  |  PID 4892

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c wneogynhtpabkrpo.exe  |  PID 1396
    C:\Windows\wneogynhtpabkrpo.exe  |  wneogynhtpabkrpo.exe  |  PID 4596

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c dvnyrkavifrtdlkke.exe .  |  PID 4920
    C:\Windows\dvnyrkavifrtdlkke.exe  |  dvnyrkavifrtdlkke.exe .  |  PID 2992
        C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  |  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\dvnyrkavifrtdlkke.exe*."  |  PID 4460

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe  |  PID 2608
    C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe  |  C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe  |  PID 3116

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe .  |  PID 3572
    C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe  |  C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe .  |  PID 3568
        C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  |  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\xrlytogdsrfjvfgieic.exe*."  |  PID 6040

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe  |  PID 5192
    C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe  |  C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe  |  PID 1320

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe .  |  PID 5876
    C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe  |  C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe .  |  PID 4524
        C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  |  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\wneogynhtpabkrpo.exe*."  |  PID 3052

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c wneogynhtpabkrpo.exe  |  PID 2632
    C:\Windows\wneogynhtpabkrpo.exe  |  wneogynhtpabkrpo.exe  |  PID 5764

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c mfykeyplzxknyhhidg.exe  |  PID 1836
    C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  |  PID 4416
    C:\Windows\mfykeyplzxknyhhidg.exe  |  mfykeyplzxknyhhidg.exe  |  PID 856

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c wneogynhtpabkrpo.exe .  |  PID 1524
    C:\Windows\wneogynhtpabkrpo.exe  |  wneogynhtpabkrpo.exe .  |  PID 5672
        C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  |  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\wneogynhtpabkrpo.exe*."  |  PID 4224

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c kfaokgzxnnchufhkhmhc.exe .  |  PID 1608
    C:\Windows\kfaokgzxnnchufhkhmhc.exe  |  kfaokgzxnnchufhkhmhc.exe .  |  PID 5812
        C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  |  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\kfaokgzxnnchufhkhmhc.exe*."  |  PID 2364

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c zvrgdautklbhvhkomsokz.exe  |  PID 3584
    C:\Windows\zvrgdautklbhvhkomsokz.exe  |  zvrgdautklbhvhkomsokz.exe  |  PID 5184

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c wneogynhtpabkrpo.exe .  |  PID 3744
    C:\Windows\wneogynhtpabkrpo.exe  |  wneogynhtpabkrpo.exe .  |  PID 5088
        C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  |  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\wneogynhtpabkrpo.exe*."  |  PID 2568

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c mfykeyplzxknyhhidg.exe  |  PID 2172
    C:\Windows\mfykeyplzxknyhhidg.exe  |  mfykeyplzxknyhhidg.exe  |  PID 2488

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe  |  PID 2472
    C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe  |  C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe  |  PID 4836

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c dvnyrkavifrtdlkke.exe .  |  PID 5356
    C:\Windows\dvnyrkavifrtdlkke.exe  |  dvnyrkavifrtdlkke.exe .  |  PID 4844
        C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  |  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\dvnyrkavifrtdlkke.exe*."  |  PID 5552

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe .  |  PID 2640
    C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe  |  C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe .  |  PID 3856
        C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  |  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\dvnyrkavifrtdlkke.exe*."  |  PID 4216

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe  |  PID 3980
    C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe  |  C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe  |  PID 5736

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c xrlytogdsrfjvfgieic.exe  |  PID 4932
    C:\Windows\xrlytogdsrfjvfgieic.exe  |  xrlytogdsrfjvfgieic.exe  |  PID 2096

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe .  |  PID 2820
    C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe  |  C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe .  |  PID 5104
        C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  |  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\mfykeyplzxknyhhidg.exe*."  |  PID 2628

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c kfaokgzxnnchufhkhmhc.exe .  |  PID 1656
    C:\Windows\kfaokgzxnnchufhkhmhc.exe  |  kfaokgzxnnchufhkhmhc.exe .  |  PID 4560
        C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  |  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\kfaokgzxnnchufhkhmhc.exe*."  |  PID 2392

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe  |  PID 760
    C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe  |  C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe  |  PID 3332

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe .  |  PID 5460
    C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe  |  C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe .  |  PID 2452
        C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  |  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\mfykeyplzxknyhhidg.exe*."  |  PID 6088

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c wneogynhtpabkrpo.exe  |  PID 1148
    C:\Windows\wneogynhtpabkrpo.exe  |  wneogynhtpabkrpo.exe  |  PID 2428

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe  |  PID 628
    C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe  |  C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe  |  PID 3084

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe .  |  PID 5608
    C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe  |  C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe .  |  PID 5516
        C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  |  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\wneogynhtpabkrpo.exe*."  |  PID 6092

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c dvnyrkavifrtdlkke.exe .  |  PID 728
    C:\Windows\dvnyrkavifrtdlkke.exe  |  dvnyrkavifrtdlkke.exe .  |  PID 452
        C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  |  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\dvnyrkavifrtdlkke.exe*."  |  PID 5436

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe  |  PID 808
    C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe  |  C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe  |  PID 5440

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe .  |  PID 5892
    C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe  |  C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe .  |  PID 1712
        C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  |  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\mfykeyplzxknyhhidg.exe*."  |  PID 5028

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe  |  PID 1428
    C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe  |  C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe  |  PID 1544

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe .  |  PID 3076
    C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe  |  C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe .  |  PID 4908
        C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  |  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\wneogynhtpabkrpo.exe*."  |  PID 6132

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c zvrgdautklbhvhkomsokz.exe  |  PID 4996
    C:\Windows\zvrgdautklbhvhkomsokz.exe  |  zvrgdautklbhvhkomsokz.exe  |  PID 5384

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c zvrgdautklbhvhkomsokz.exe .  |  PID 5768
    C:\Windows\zvrgdautklbhvhkomsokz.exe  |  zvrgdautklbhvhkomsokz.exe .  |  PID 2808
        C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  |  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\zvrgdautklbhvhkomsokz.exe*."  |  PID 2732

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c wneogynhtpabkrpo.exe  |  PID 464
    C:\Windows\wneogynhtpabkrpo.exe  |  wneogynhtpabkrpo.exe  |  PID 1460

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c mfykeyplzxknyhhidg.exe .  |  PID 1320
    C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  |  PID 6048
    C:\Windows\mfykeyplzxknyhhidg.exe  |  mfykeyplzxknyhhidg.exe .  |  PID 4944
        C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  |  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\mfykeyplzxknyhhidg.exe*."  |  PID 8

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe  |  PID 1956
    C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe  |  C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe  |  PID 2092

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe .  |  PID 2328
    C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  |  PID 864
    C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe  |  C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe .  |  PID 1664
        C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  |  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\zvrgdautklbhvhkomsokz.exe*."  |  PID 1012

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe  |  PID 5480
    C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe  |  C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe  |  PID 2212

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe .  |  PID 5828
    C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe  |  C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe .  |  PID 1052
        C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  |  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\xrlytogdsrfjvfgieic.exe*."  |  PID 3064

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c dvnyrkavifrtdlkke.exe  |  PID 2156
    C:\Windows\dvnyrkavifrtdlkke.exe  |  dvnyrkavifrtdlkke.exe  |  PID 4408

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c wneogynhtpabkrpo.exe .  |  PID 1608
    C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  |  PID 4340
    C:\Windows\wneogynhtpabkrpo.exe  |  wneogynhtpabkrpo.exe .  |  PID 4948
        C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  |  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\wneogynhtpabkrpo.exe*."  |  PID 2956

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c dvnyrkavifrtdlkke.exe  |  PID 3256
    C:\Windows\dvnyrkavifrtdlkke.exe  |  dvnyrkavifrtdlkke.exe  |  PID 3944

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c wneogynhtpabkrpo.exe .  |  PID 3320
    C:\Windows\wneogynhtpabkrpo.exe  |  wneogynhtpabkrpo.exe .  |  PID 6012
        C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  |  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\wneogynhtpabkrpo.exe*."  |  PID 3196

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe  |  PID 2920
    C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  |  PID 1140
    C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe  |  C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe  |  PID 5388

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe .  |  PID 5408
    C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe  |  C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe .  |  PID 1224
        C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  |  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\mfykeyplzxknyhhidg.exe*."  |  PID 228

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe  |  PID 3132
    C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe  |  C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe  |  PID 4540

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe .  |  PID 5228
    C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe  |  C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe .  |  PID 4484
        C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  |  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\kfaokgzxnnchufhkhmhc.exe*."  |  PID 2392

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c wneogynhtpabkrpo.exe  |  PID 2324
    C:\Windows\wneogynhtpabkrpo.exe  |  wneogynhtpabkrpo.exe  |  PID 5516

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c kfaokgzxnnchufhkhmhc.exe .  |  PID 2240
    C:\Windows\kfaokgzxnnchufhkhmhc.exe  |  kfaokgzxnnchufhkhmhc.exe .  |  PID 2148
        C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  |  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\kfaokgzxnnchufhkhmhc.exe*."  |  PID 6068

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c dvnyrkavifrtdlkke.exe  |  PID 2216
    C:\Windows\dvnyrkavifrtdlkke.exe  |  dvnyrkavifrtdlkke.exe  |  PID 5660

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c mfykeyplzxknyhhidg.exe .  |  PID 5696
    C:\Windows\mfykeyplzxknyhhidg.exe  |  mfykeyplzxknyhhidg.exe .  |  PID 2140
        C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  |  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\mfykeyplzxknyhhidg.exe*."  |  PID 4888

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe  |  PID 3704
    C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe  |  C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe  |  PID 628

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe .  |  PID 3504
    C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe  |  C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe .  |  PID 4804
        C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  |  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\dvnyrkavifrtdlkke.exe*."  |  PID 4696

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe  |  PID 2604
    C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe  |  C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe  |  PID 4372
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe .1⤵PID:4052
-
C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exeC:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe .2⤵PID:1312
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\dvnyrkavifrtdlkke.exe*."3⤵PID:1428
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xrlytogdsrfjvfgieic.exe1⤵PID:2468
-
C:\Windows\xrlytogdsrfjvfgieic.exexrlytogdsrfjvfgieic.exe2⤵PID:2888
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xrlytogdsrfjvfgieic.exe .1⤵PID:5460
-
C:\Windows\xrlytogdsrfjvfgieic.exexrlytogdsrfjvfgieic.exe .2⤵PID:1512
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\xrlytogdsrfjvfgieic.exe*."3⤵PID:5384
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xrlytogdsrfjvfgieic.exe1⤵PID:1164
-
C:\Windows\xrlytogdsrfjvfgieic.exexrlytogdsrfjvfgieic.exe2⤵PID:4564
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mfykeyplzxknyhhidg.exe .1⤵PID:5072
-
C:\Windows\mfykeyplzxknyhhidg.exemfykeyplzxknyhhidg.exe .2⤵PID:1648
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\mfykeyplzxknyhhidg.exe*."3⤵PID:4188
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe1⤵PID:776
-
C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exeC:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe2⤵PID:544
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe .1⤵PID:4800
-
C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exeC:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe .2⤵PID:3956
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\zvrgdautklbhvhkomsokz.exe*."3⤵PID:4784
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe1⤵PID:4316
-
C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exeC:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe2⤵PID:3400
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe .1⤵PID:5876
-
C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exeC:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe .2⤵PID:4080
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\kfaokgzxnnchufhkhmhc.exe*."3⤵PID:6048
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mfykeyplzxknyhhidg.exe1⤵PID:4020
-
C:\Windows\mfykeyplzxknyhhidg.exemfykeyplzxknyhhidg.exe2⤵PID:2212
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xrlytogdsrfjvfgieic.exe .1⤵PID:3468
-
C:\Windows\xrlytogdsrfjvfgieic.exexrlytogdsrfjvfgieic.exe .2⤵PID:4216
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\xrlytogdsrfjvfgieic.exe*."3⤵PID:4488
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zvrgdautklbhvhkomsokz.exe1⤵PID:4260
-
C:\Windows\zvrgdautklbhvhkomsokz.exezvrgdautklbhvhkomsokz.exe2⤵PID:3584
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mfykeyplzxknyhhidg.exe .1⤵PID:4876
-
C:\Windows\mfykeyplzxknyhhidg.exemfykeyplzxknyhhidg.exe .2⤵PID:2196
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\mfykeyplzxknyhhidg.exe*."3⤵PID:4580
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe1⤵PID:3104
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4964
-
-
C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exeC:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe2⤵PID:2472
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe .1⤵PID:976
-
C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exeC:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe .2⤵PID:3256
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\dvnyrkavifrtdlkke.exe*."3⤵PID:4068
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zvrgdautklbhvhkomsokz.exe1⤵PID:4672
-
C:\Windows\zvrgdautklbhvhkomsokz.exezvrgdautklbhvhkomsokz.exe2⤵PID:5388
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe1⤵PID:2284
-
C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exeC:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe2⤵PID:3620
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zvrgdautklbhvhkomsokz.exe .1⤵PID:4268
-
C:\Windows\zvrgdautklbhvhkomsokz.exezvrgdautklbhvhkomsokz.exe .2⤵PID:5732
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\zvrgdautklbhvhkomsokz.exe*."3⤵PID:1392
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe .1⤵PID:2016
-
C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exeC:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe .2⤵PID:5104
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\wneogynhtpabkrpo.exe*."3⤵PID:3912
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dvnyrkavifrtdlkke.exe1⤵PID:4884
-
C:\Windows\dvnyrkavifrtdlkke.exedvnyrkavifrtdlkke.exe2⤵PID:1700
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mfykeyplzxknyhhidg.exe1⤵PID:5408
-
C:\Windows\mfykeyplzxknyhhidg.exemfykeyplzxknyhhidg.exe2⤵PID:5456
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xrlytogdsrfjvfgieic.exe .1⤵PID:4036
-
C:\Windows\xrlytogdsrfjvfgieic.exexrlytogdsrfjvfgieic.exe .2⤵PID:4932
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\xrlytogdsrfjvfgieic.exe*."3⤵PID:3852
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mfykeyplzxknyhhidg.exe .1⤵PID:5360
-
C:\Windows\mfykeyplzxknyhhidg.exemfykeyplzxknyhhidg.exe .2⤵PID:2696
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\mfykeyplzxknyhhidg.exe*."3⤵PID:1440
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe1⤵PID:1752
-
C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exeC:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe2⤵PID:1144
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe .1⤵PID:2640
-
C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exeC:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe .2⤵PID:728
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\wneogynhtpabkrpo.exe*."3⤵PID:5236
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xrlytogdsrfjvfgieic.exe1⤵PID:3108
-
C:\Windows\xrlytogdsrfjvfgieic.exexrlytogdsrfjvfgieic.exe2⤵PID:2428
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wneogynhtpabkrpo.exe .1⤵PID:5628
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5448
-
-
C:\Windows\wneogynhtpabkrpo.exewneogynhtpabkrpo.exe .2⤵PID:2484
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\wneogynhtpabkrpo.exe*."3⤵PID:1744
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe1⤵PID:4704
-
C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exeC:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe2⤵PID:996
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe1⤵PID:2680
-
C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exeC:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe2⤵PID:4424
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe .1⤵PID:6092
-
C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exeC:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe .2⤵PID:5080
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\wneogynhtpabkrpo.exe*."3⤵PID:5328
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe .1⤵PID:4332
-
C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exeC:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe .2⤵PID:2468
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\kfaokgzxnnchufhkhmhc.exe*."3⤵PID:5288
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xrlytogdsrfjvfgieic.exe1⤵PID:5632
-
C:\Windows\xrlytogdsrfjvfgieic.exexrlytogdsrfjvfgieic.exe2⤵PID:2348
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe1⤵PID:3240
-
C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exeC:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe2⤵PID:2288
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe .1⤵PID:388
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4848
-
-
C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exeC:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe .2⤵PID:3604
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\kfaokgzxnnchufhkhmhc.exe*."3⤵PID:1320
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zvrgdautklbhvhkomsokz.exe .1⤵PID:5920
-
C:\Windows\zvrgdautklbhvhkomsokz.exezvrgdautklbhvhkomsokz.exe .2⤵PID:5768
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\zvrgdautklbhvhkomsokz.exe*."3⤵PID:5524
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kfaokgzxnnchufhkhmhc.exe1⤵PID:5784
-
C:\Windows\kfaokgzxnnchufhkhmhc.exekfaokgzxnnchufhkhmhc.exe2⤵PID:2080
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wneogynhtpabkrpo.exe .1⤵PID:5460
-
C:\Windows\wneogynhtpabkrpo.exewneogynhtpabkrpo.exe .2⤵PID:1216
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\wneogynhtpabkrpo.exe*."3⤵PID:3216
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe1⤵PID:3440
-
C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exeC:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe2⤵PID:4664
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe .1⤵PID:1716
-
C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exeC:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe .2⤵PID:8
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\mfykeyplzxknyhhidg.exe*."3⤵PID:2212
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe1⤵PID:5924
-
C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exeC:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe2⤵PID:4812
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe .1⤵PID:4828
-
C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exeC:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe .2⤵PID:5300
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\xrlytogdsrfjvfgieic.exe*."3⤵PID:5752
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xrlytogdsrfjvfgieic.exe1⤵PID:1684
-
C:\Windows\xrlytogdsrfjvfgieic.exexrlytogdsrfjvfgieic.exe2⤵PID:1344
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zvrgdautklbhvhkomsokz.exe .1⤵PID:1904
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4156
-
-
C:\Windows\zvrgdautklbhvhkomsokz.exezvrgdautklbhvhkomsokz.exe .2⤵PID:3252
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\zvrgdautklbhvhkomsokz.exe*."3⤵PID:1600
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zvrgdautklbhvhkomsokz.exe1⤵PID:2956
-
C:\Windows\zvrgdautklbhvhkomsokz.exezvrgdautklbhvhkomsokz.exe2⤵PID:5404
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xrlytogdsrfjvfgieic.exe .1⤵PID:5212
-
C:\Windows\xrlytogdsrfjvfgieic.exexrlytogdsrfjvfgieic.exe .2⤵PID:400
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\xrlytogdsrfjvfgieic.exe*."3⤵PID:3236
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe1⤵PID:4568
-
C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exeC:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe2⤵PID:948
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe .1⤵PID:6012
-
C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exeC:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe .2⤵PID:3056
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\kfaokgzxnnchufhkhmhc.exe*."3⤵PID:5492
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe1⤵PID:5376
-
C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exeC:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe2⤵PID:4604
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe .1⤵PID:3776
-
C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exeC:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe .2⤵PID:3820
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\zvrgdautklbhvhkomsokz.exe*."3⤵PID:4636
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wneogynhtpabkrpo.exe1⤵PID:5552
-
C:\Windows\wneogynhtpabkrpo.exewneogynhtpabkrpo.exe2⤵PID:4844
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mfykeyplzxknyhhidg.exe .1⤵PID:5396
-
C:\Windows\mfykeyplzxknyhhidg.exemfykeyplzxknyhhidg.exe .2⤵PID:2128
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\mfykeyplzxknyhhidg.exe*."3⤵PID:4596
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xrlytogdsrfjvfgieic.exe1⤵PID:1124
-
C:\Windows\xrlytogdsrfjvfgieic.exexrlytogdsrfjvfgieic.exe2⤵PID:4220
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dvnyrkavifrtdlkke.exe .1⤵PID:912
-
C:\Windows\dvnyrkavifrtdlkke.exedvnyrkavifrtdlkke.exe .2⤵PID:4632
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\dvnyrkavifrtdlkke.exe*."3⤵PID:996
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe1⤵PID:3676
-
C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exeC:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe2⤵PID:2484
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe .1⤵PID:4676
-
C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exeC:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe .2⤵PID:2216
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\kfaokgzxnnchufhkhmhc.exe*."3⤵PID:4952
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe1⤵PID:5336
-
C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exeC:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe2⤵PID:2288
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe .1⤵PID:628
-
C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exeC:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe .2⤵PID:4176
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\xrlytogdsrfjvfgieic.exe*."3⤵PID:1836
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wneogynhtpabkrpo.exe1⤵PID:3576
-
C:\Windows\wneogynhtpabkrpo.exewneogynhtpabkrpo.exe2⤵PID:1188
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zvrgdautklbhvhkomsokz.exe .1⤵PID:1048
-
C:\Windows\zvrgdautklbhvhkomsokz.exezvrgdautklbhvhkomsokz.exe .2⤵PID:5252
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\zvrgdautklbhvhkomsokz.exe*."3⤵PID:2468
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xrlytogdsrfjvfgieic.exe1⤵PID:1820
-
C:\Windows\xrlytogdsrfjvfgieic.exexrlytogdsrfjvfgieic.exe2⤵PID:2336
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dvnyrkavifrtdlkke.exe .1⤵PID:4652
-
C:\Windows\dvnyrkavifrtdlkke.exedvnyrkavifrtdlkke.exe .2⤵PID:736
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\dvnyrkavifrtdlkke.exe*."3⤵PID:5340
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe1⤵PID:4960
-
C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exeC:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe2⤵PID:3772
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe .1⤵PID:452
-
C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exeC:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe .2⤵PID:2144
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\mfykeyplzxknyhhidg.exe*."3⤵PID:3204
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe1⤵PID:5168
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3604
-
-
C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exeC:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe2⤵PID:5016
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe .1⤵PID:4912
-
C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exeC:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe .2⤵PID:1512
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\kfaokgzxnnchufhkhmhc.exe*."3⤵PID:2792
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wneogynhtpabkrpo.exe1⤵PID:2684
-
C:\Windows\wneogynhtpabkrpo.exewneogynhtpabkrpo.exe2⤵PID:1628
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wneogynhtpabkrpo.exe .1⤵PID:5876
-
C:\Windows\wneogynhtpabkrpo.exewneogynhtpabkrpo.exe .2⤵PID:3216
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\wneogynhtpabkrpo.exe*."3⤵PID:6108
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xrlytogdsrfjvfgieic.exe1⤵PID:4020
-
C:\Windows\xrlytogdsrfjvfgieic.exexrlytogdsrfjvfgieic.exe2⤵PID:208
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zvrgdautklbhvhkomsokz.exe .1⤵PID:5924
-
C:\Windows\zvrgdautklbhvhkomsokz.exezvrgdautklbhvhkomsokz.exe .2⤵PID:5784
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\zvrgdautklbhvhkomsokz.exe*."3⤵PID:4540
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe1⤵PID:1052
-
C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exeC:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe2⤵PID:4756
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe .1⤵PID:3988
-
C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exeC:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe .2⤵PID:3032
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\mfykeyplzxknyhhidg.exe*."3⤵PID:5692
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe1⤵PID:4836
-
C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exeC:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe2⤵PID:5536
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe .1⤵PID:3172
-
C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exeC:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe .2⤵PID:2384
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\kfaokgzxnnchufhkhmhc.exe*."3⤵PID:4572
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xrlytogdsrfjvfgieic.exe1⤵PID:5656
-
C:\Windows\xrlytogdsrfjvfgieic.exexrlytogdsrfjvfgieic.exe2⤵PID:1608
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zvrgdautklbhvhkomsokz.exe .1⤵PID:3332
-
C:\Windows\zvrgdautklbhvhkomsokz.exezvrgdautklbhvhkomsokz.exe .2⤵PID:3552
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\zvrgdautklbhvhkomsokz.exe*."3⤵PID:3292
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zvrgdautklbhvhkomsokz.exe1⤵PID:1896
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:6048
-
-
C:\Windows\zvrgdautklbhvhkomsokz.exezvrgdautklbhvhkomsokz.exe2⤵PID:5152
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zvrgdautklbhvhkomsokz.exe .1⤵PID:5868
-
C:\Windows\zvrgdautklbhvhkomsokz.exezvrgdautklbhvhkomsokz.exe .2⤵PID:1388
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\zvrgdautklbhvhkomsokz.exe*."3⤵PID:4988
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe1⤵PID:5264
-
C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exeC:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe2⤵PID:4268
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe .1⤵PID:5964
-
C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exeC:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe .2⤵PID:4712
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\zvrgdautklbhvhkomsokz.exe*."3⤵PID:4852
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe1⤵PID:4180
-
C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exeC:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe2⤵PID:1752
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe .1⤵PID:3504
-
C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exeC:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe .2⤵PID:1116
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\dvnyrkavifrtdlkke.exe*."3⤵PID:4460
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zvrgdautklbhvhkomsokz.exe1⤵PID:2568
-
C:\Windows\zvrgdautklbhvhkomsokz.exezvrgdautklbhvhkomsokz.exe2⤵PID:2012
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wneogynhtpabkrpo.exe .1⤵PID:2696
-
C:\Windows\wneogynhtpabkrpo.exewneogynhtpabkrpo.exe .2⤵PID:760
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\wneogynhtpabkrpo.exe*."3⤵PID:4184
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xrlytogdsrfjvfgieic.exe1⤵PID:3224
-
C:\Windows\xrlytogdsrfjvfgieic.exexrlytogdsrfjvfgieic.exe2⤵PID:2652
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zvrgdautklbhvhkomsokz.exe1⤵PID:636
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4676
-
-
C:\Windows\zvrgdautklbhvhkomsokz.exezvrgdautklbhvhkomsokz.exe2⤵PID:5436
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dvnyrkavifrtdlkke.exe .1⤵PID:4440
-
C:\Windows\dvnyrkavifrtdlkke.exedvnyrkavifrtdlkke.exe .2⤵PID:1460
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\dvnyrkavifrtdlkke.exe*."3⤵PID:5500
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe1⤵PID:4636
-
C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exeC:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe2⤵PID:4980
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dvnyrkavifrtdlkke.exe1⤵PID:5748
-
C:\Windows\dvnyrkavifrtdlkke.exedvnyrkavifrtdlkke.exe2⤵PID:2172
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe .1⤵PID:5600
-
C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exeC:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe .2⤵PID:5788
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\xrlytogdsrfjvfgieic.exe*."3⤵PID:6100
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wneogynhtpabkrpo.exe .1⤵PID:3956
-
C:\Windows\wneogynhtpabkrpo.exewneogynhtpabkrpo.exe .2⤵PID:1424
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\wneogynhtpabkrpo.exe*."3⤵PID:4480
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zvrgdautklbhvhkomsokz.exe .1⤵PID:5632
-
C:\Windows\zvrgdautklbhvhkomsokz.exezvrgdautklbhvhkomsokz.exe .2⤵PID:4352
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\zvrgdautklbhvhkomsokz.exe*."3⤵PID:5316
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xrlytogdsrfjvfgieic.exe1⤵PID:2336
-
C:\Windows\xrlytogdsrfjvfgieic.exexrlytogdsrfjvfgieic.exe2⤵PID:388
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mfykeyplzxknyhhidg.exe1⤵PID:2436
-
C:\Windows\mfykeyplzxknyhhidg.exemfykeyplzxknyhhidg.exe2⤵PID:1216
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xrlytogdsrfjvfgieic.exe .1⤵PID:5412
-
C:\Windows\xrlytogdsrfjvfgieic.exexrlytogdsrfjvfgieic.exe .2⤵PID:5300
-
Process tree (one process per line: PID, image path, command line; indentation shows parent/child depth, so the first entry is a depth-3 child of a tree that begins above this section):

        PID 5536  C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  ::  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\xrlytogdsrfjvfgieic.exe*."

PID 2224  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe
    PID 5880  C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe  ::  C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe

PID 1808  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe .
    PID 1060  C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe  ::  C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe .
        PID 1600  C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  ::  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\wneogynhtpabkrpo.exe*."

PID 224  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe
    PID 3032  C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe  ::  C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe

PID 2760  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c xrlytogdsrfjvfgieic.exe .
    PID 5876  C:\Windows\xrlytogdsrfjvfgieic.exe  ::  xrlytogdsrfjvfgieic.exe .
        PID 2464  C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  ::  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\xrlytogdsrfjvfgieic.exe*."

PID 4588  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe
    PID 2252  C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe  ::  C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe

PID 1836  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe .
    PID 4536  C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe  ::  C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe .
        PID 4420  C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  ::  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\zvrgdautklbhvhkomsokz.exe*."

PID 1004  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe .
    PID 2160  C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe  ::  C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe .
        PID 4856  C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  ::  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\dvnyrkavifrtdlkke.exe*."

PID 2380  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe
    PID 1112  C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe  ::  C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe

PID 880  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe
    PID 5036  C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe  ::  C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe

PID 1716  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe .
    PID 3468  C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe  ::  C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe .
        PID 4948  C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  ::  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\mfykeyplzxknyhhidg.exe*."

PID 2600  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe .
    PID 3252  C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe  ::  C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe .
        PID 4068  C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  ::  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\wneogynhtpabkrpo.exe*."

PID 5492  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c zvrgdautklbhvhkomsokz.exe
    PID 1056  C:\Windows\System32\Conhost.exe  ::  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID 5188  C:\Windows\zvrgdautklbhvhkomsokz.exe  ::  zvrgdautklbhvhkomsokz.exe

PID 5184  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c wneogynhtpabkrpo.exe .
    PID 1896  C:\Windows\wneogynhtpabkrpo.exe  ::  wneogynhtpabkrpo.exe .
        PID 2096  C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  ::  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\wneogynhtpabkrpo.exe*."

PID 4268  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c zvrgdautklbhvhkomsokz.exe
    PID 5928  C:\Windows\zvrgdautklbhvhkomsokz.exe  ::  zvrgdautklbhvhkomsokz.exe

PID 3320  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c dvnyrkavifrtdlkke.exe .
    PID 2140  C:\Windows\dvnyrkavifrtdlkke.exe  ::  dvnyrkavifrtdlkke.exe .
        PID 5552  C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  ::  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\dvnyrkavifrtdlkke.exe*."

PID 4072  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe
    PID 1752  C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe  ::  C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe

PID 5732  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe .
    PID 6020  C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe  ::  C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe .
        PID 1640  C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  ::  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\wneogynhtpabkrpo.exe*."

PID 3100  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe
    PID 1116  C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe  ::  C:\Users\Admin\AppData\Local\Temp\xrlytogdsrfjvfgieic.exe

PID 1960  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe .
    PID 2904  C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe  ::  C:\Users\Admin\AppData\Local\Temp\dvnyrkavifrtdlkke.exe .
        PID 3264  C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  ::  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\dvnyrkavifrtdlkke.exe*."

PID 2288  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c wneogynhtpabkrpo.exe
    PID 1804  C:\Windows\wneogynhtpabkrpo.exe  ::  wneogynhtpabkrpo.exe

PID 632  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c xrlytogdsrfjvfgieic.exe .
    PID 2332  C:\Windows\xrlytogdsrfjvfgieic.exe  ::  xrlytogdsrfjvfgieic.exe .
        PID 4076  C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  ::  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\xrlytogdsrfjvfgieic.exe*."

PID 5356  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c kfaokgzxnnchufhkhmhc.exe
    PID 5872  C:\Windows\kfaokgzxnnchufhkhmhc.exe  ::  kfaokgzxnnchufhkhmhc.exe

PID 5328  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c xrlytogdsrfjvfgieic.exe .
    PID 3184  C:\Windows\xrlytogdsrfjvfgieic.exe  ::  xrlytogdsrfjvfgieic.exe .
        PID 5620  C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  ::  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\xrlytogdsrfjvfgieic.exe*."

PID 5500  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe
    PID 628  C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe  ::  C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe

PID 3648  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe .
    PID 5772  C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe  ::  C:\Users\Admin\AppData\Local\Temp\wneogynhtpabkrpo.exe .
        PID 1068  C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  ::  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\wneogynhtpabkrpo.exe*."

PID 5156  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe
    PID 684  C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe  ::  C:\Users\Admin\AppData\Local\Temp\kfaokgzxnnchufhkhmhc.exe

PID 2900  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe .
    PID 5252  C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe  ::  C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe .
        PID 1044  C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  ::  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\zvrgdautklbhvhkomsokz.exe*."

PID 2020  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c kfaokgzxnnchufhkhmhc.exe
    PID 5756  C:\Windows\kfaokgzxnnchufhkhmhc.exe  ::  kfaokgzxnnchufhkhmhc.exe

PID 2932  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c mfykeyplzxknyhhidg.exe .
    PID 4920  C:\Windows\mfykeyplzxknyhhidg.exe  ::  mfykeyplzxknyhhidg.exe .
        PID 4028  C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  ::  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\mfykeyplzxknyhhidg.exe*."

PID 852  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c wneogynhtpabkrpo.exe
    PID 5300  C:\Windows\wneogynhtpabkrpo.exe  ::  wneogynhtpabkrpo.exe

PID 2368  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c xrlytogdsrfjvfgieic.exe .
    PID 5804  C:\Windows\xrlytogdsrfjvfgieic.exe  ::  xrlytogdsrfjvfgieic.exe .
        PID 4452  C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe  ::  "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\xrlytogdsrfjvfgieic.exe*."

PID 848  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe
    PID 4316  C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe  ::  C:\Users\Admin\AppData\Local\Temp\mfykeyplzxknyhhidg.exe

PID 5504  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe .
    PID 1600  C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe  ::  C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe .

PID 2448  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvrgdautklbhvhkomsokz.exe
Network
MITRE ATT&CK Enterprise v16 (tactic, then technique with sub-techniques indented; the number is the count of matching signatures)

Persistence
    Boot or Logon Autostart Execution: 3
        Registry Run Keys / Startup Folder: 2
        Winlogon Helper DLL: 1
    Hijack Execution Flow: 1
        Executable Installer File Permissions Weakness: 1

Privilege Escalation
    Abuse Elevation Control Mechanism: 1
        Bypass User Account Control: 1
    Boot or Logon Autostart Execution: 3
        Registry Run Keys / Startup Folder: 2
        Winlogon Helper DLL: 1
    Hijack Execution Flow: 1
        Executable Installer File Permissions Weakness: 1

Defense Evasion
    Abuse Elevation Control Mechanism: 1
        Bypass User Account Control: 1
    Hijack Execution Flow: 1
        Executable Installer File Permissions Weakness: 1
    Impair Defenses: 2
        Disable or Modify Tools: 1
        Safe Mode Boot: 1
    Modify Registry: 5
Downloads