Analysis

max time kernel: 44s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20250314-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/04/2025, 10:30

Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_b45ce61349c8fd0044f2bf10ac4d34b4.exe
  Resource: win10v2004-20250314-en
General

Target: JaffaCakes118_b45ce61349c8fd0044f2bf10ac4d34b4.exe
Size: 896KB
MD5: b45ce61349c8fd0044f2bf10ac4d34b4
SHA1: 37ed91a926c1d7a6194ee21ae03de8f4bd5947bd
SHA256: a8bea21f2d08a4952d7349aac02b6c9e0a73bf9d0ca54aeffb1db631adbac518
SHA512: a3061028f885646253ffc9ca3081658e4b31a49e13b4a187c774d673d5cab18e0ab333e07f055375fb6b87252a93ec790b99128ffec0b52ef1a64bb9775c624f
SSDEEP: 12288:K6bvdl0zCB8EDItMTzwg7lMQsvNuqZBRbZEYTwdD7IjLg1:7vdezCByqTtlMQsFuqzRbzI7Is
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 20 IoCs)
count | description | ioc | process
18 | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | vcmnxryrfmw.exe
2 | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | uaquacs.exe

Pykspa family

UAC bypass (3 TTPs, 29 IoCs)
count | description | ioc | process
18 | Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vcmnxryrfmw.exe
2 | Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | uaquacs.exe
1 | Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | vcmnxryrfmw.exe
2 | Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | uaquacs.exe
1 | Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | vcmnxryrfmw.exe
2 | Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | uaquacs.exe
1 | Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | vcmnxryrfmw.exe
2 | Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | uaquacs.exe
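The Winlogon and UAC tables above are the two registry-tamper signatures a detection engineer would turn into rules first. Two details matter for the rule: the sample is 32-bit (arch:x86) on x64 Windows, so its Winlogon\Shell write landed in the WOW6432Node view, and the value it wrote was the default "Explorer.exe" rather than a malicious shell, so the write itself, not the value, is the indicator. The code below is an added example, not code from the report or its vendor. It applies both rules to records shaped like Sysmon Event ID 13 (RegistryEvent, Value Set) with TargetObject, Details and Image fields; the records are constructed from the paths and values the report lists, the Image paths are assumed (the report names processes only), and the hardened-default table is the Windows 10 default set.

```python
"""Detection rules for Winlogon\\Shell writes and UAC-policy tampering.

Added example, not part of the sandbox report. Records are constructed in the
Sysmon Event ID 13 field layout; Image paths and UAC defaults are assumptions.
"""
from __future__ import annotations

import re

# Windows 10 defaults for the four UAC policy values the sample zeroed (assumed baseline).
UAC_EXPECTED = {
    "EnableLUA": 1,                    # 0 disables UAC entirely after the next reboot
    "ConsentPromptBehaviorAdmin": 5,   # 0 elevates administrators silently, no prompt
    "ConsentPromptBehaviorUser": 3,    # 0 auto-denies elevation for standard users
    "PromptOnSecureDesktop": 1,        # 0 lets other windows draw over the prompt
}
_UAC_BY_LOWER = {name.lower(): name for name in UAC_EXPECTED}
_DWORD = re.compile(r"^DWORD\s*\((0x[0-9a-fA-F]+)\)$")
_WOW = "\\wow6432node\\"


def normalize_key(target: str) -> tuple[str, bool]:
    """Map a registry path to HKLM/HKU form and fold the 32-bit WOW6432Node view.

    Sandboxes print \\REGISTRY\\MACHINE\\..., Sysmon prints HKLM\\...; a 32-bit
    process on x64 Windows has its HKLM\\SOFTWARE writes redirected under
    WOW6432Node, so one rule has to match both views.
    Returns (canonical_path, was_wow64_view).
    """
    low = target.lower()
    for prefix, hive in (("\\registry\\machine\\", "HKLM\\"), ("\\registry\\user\\", "HKU\\")):
        if low.startswith(prefix):
            target = hive + target[len(prefix):]
            low = target.lower()
            break
    wow = _WOW in low
    if wow:
        i = low.index(_WOW)
        target = target[:i] + target[i + len(_WOW) - 1:]
    return target, wow


def parse_dword(details: str) -> int | None:
    """Sysmon renders DWORDs as 'DWORD (0x00000000)'; sandbox reports print '0'."""
    text = details.strip().strip('"')
    m = _DWORD.match(text)
    if m:
        return int(m.group(1), 16)
    try:
        return int(text)
    except ValueError:
        return None


def evaluate(event: dict) -> list[dict]:
    """Apply both rules to one Value Set record and return zero or more findings."""
    path, wow = normalize_key(event["TargetObject"])
    key, _, value_name = path.rpartition("\\")
    key_low = key.lower()
    details = event.get("Details", "")
    image = event.get("Image", "")
    findings: list[dict] = []

    # Rule 1: any write to Winlogon\Shell. A non-default shell is classic
    # persistence; the default "Explorer.exe" (what this sample wrote) still
    # marks the writer for triage, since only shell-replacement or kiosk
    # setups legitimately touch the value.
    if key_low.endswith("\\microsoft\\windows nt\\currentversion\\winlogon") and value_name.lower() == "shell":
        shell = details.strip().strip('"')
        is_default = shell.lower() in ("explorer.exe", "c:\\windows\\explorer.exe")
        findings.append({"rule": "winlogon_shell_write", "severity": "medium" if is_default else "high",
                         "wow64_view": wow, "image": image, "details": shell})

    # Rule 2: a UAC policy value set to anything but the hardened default.
    if key_low.endswith("\\microsoft\\windows\\currentversion\\policies\\system"):
        canon = _UAC_BY_LOWER.get(value_name.lower())
        if canon is not None:
            got, want = parse_dword(details), UAC_EXPECTED[canon]
            if got != want:
                # ConsentPromptBehaviorUser=0 locks standard users out of
                # elevation rather than bypassing it, so it is rated lower.
                findings.append({"rule": "uac_policy_tamper",
                                 "severity": "medium" if canon == "ConsentPromptBehaviorUser" else "high",
                                 "value": canon, "got": got, "expected": want, "image": image})
    return findings


def scan(events: list[dict]) -> list[dict]:
    """Run evaluate() over a batch of records and flatten the findings."""
    return [f for ev in events for f in evaluate(ev)]


# Constructed records: paths and values from the report's IoC tables; the two
# writer images are assumed to live in %TEMP% like the other dropped files.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "Details": "Explorer.exe"},
    {"Image": r"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000000)"},
    {"Image": r"C:\Users\Admin\AppData\Local\Temp\uaquacs.exe",
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin",
     "Details": "0"},
    {"Image": r"C:\Users\Admin\AppData\Local\Temp\uaquacs.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop",
     "Details": "DWORD (0x00000000)"},
    # Constructed benign control: the policy engine re-asserting the default.
    {"Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

On a live host the same check is done by reading the four Policies\System values and comparing with UAC_EXPECTED; note that EnableLUA only takes effect at the next reboot, so a host that shows EnableLUA = 0 may still be prompting until then.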

Detect Pykspa worm (2 IoCs)
resource | yara_rule
behavioral1/files/0x00090000000227aa-4.dat | family_pykspa
behavioral1/files/0x001100000001ed46-86.dat | family_pykspa

Adds policy Run key to start application (2 TTPs, 64 IoCs)
count | description | ioc | process
17 | Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | vcmnxryrfmw.exe
2 | Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | uaquacs.exe
2 | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lwralsnqdwep = "C:\\Users\\Admin\\AppData\\Local\\Temp\\umoewkmwqqfxgyapqfx.exe" | vcmnxryrfmw.exe
2 | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lwralsnqdwep = "C:\\Users\\Admin\\AppData\\Local\\Temp\\umoewkmwqqfxgyapqfx.exe" | uaquacs.exe
5 | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lwralsnqdwep = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqqeuggogerhoeerq.exe" | vcmnxryrfmw.exe
2 | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lwralsnqdwep = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqqeuggogerhoeerq.exe" | uaquacs.exe
3 | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lwralsnqdwep = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jabqhuvexwkbjabppd.exe" | vcmnxryrfmw.exe
1 | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lwralsnqdwep = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jabqhuvexwkbjabppd.exe" | uaquacs.exe
1 | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lwralsnqdwep = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tihujutaroapvkjv.exe" | vcmnxryrfmw.exe
3 | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lwralsnqdwep = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wqumgwamikbvgaevypjnf.exe" | vcmnxryrfmw.exe
3 | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lwralsnqdwep = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haduncfqlmcvfybrtjcf.exe" | vcmnxryrfmw.exe
2 | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ocamakioealzesq = "aqqeuggogerhoeerq.exe" | vcmnxryrfmw.exe
1 | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ocamakioealzesq = "aqqeuggogerhoeerq.exe" | uaquacs.exe
3 | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ocamakioealzesq = "umoewkmwqqfxgyapqfx.exe" | vcmnxryrfmw.exe
5 | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ocamakioealzesq = "haduncfqlmcvfybrtjcf.exe" | vcmnxryrfmw.exe
4 | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ocamakioealzesq = "tihujutaroapvkjv.exe" | vcmnxryrfmw.exe
2 | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ocamakioealzesq = "tihujutaroapvkjv.exe" | uaquacs.exe
3 | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ocamakioealzesq = "jabqhuvexwkbjabppd.exe" | vcmnxryrfmw.exe
1 | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ocamakioealzesq = "jabqhuvexwkbjabppd.exe" | uaquacs.exe
1 | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ocamakioealzesq = "wqumgwamikbvgaevypjnf.exe" | vcmnxryrfmw.exe
1 | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ocamakioealzesq = "wqumgwamikbvgaevypjnf.exe" | uaquacs.exe

Blocklisted process makes network request (1 IoCs)
flow | pid | process
59 | 4848 | Process not Found

Disables RegEdit via registry modification (6 IoCs)
count | description | ioc | process
1 | Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | vcmnxryrfmw.exe
2 | Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | uaquacs.exe
1 | Set value (int) | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | vcmnxryrfmw.exe
2 | Set value (int) | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | uaquacs.exe

Checks computer location settings (2 TTPs, 64 IoCs)
Looks up the country code configured in the registry, likely a geofence.
count | description | ioc | process
13 | Key value queried | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation | aqqeuggogerhoeerq.exe
16 | Key value queried | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation | umoewkmwqqfxgyapqfx.exe
12 | Key value queried | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation | haduncfqlmcvfybrtjcf.exe
8 | Key value queried | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation | wqumgwamikbvgaevypjnf.exe
8 | Key value queried | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation | jabqhuvexwkbjabppd.exe
7 | Key value queried | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation | tihujutaroapvkjv.exe

Executes dropped EXE (64 IoCs)
process | pids
vcmnxryrfmw.exe | 3544, 5088, 4828, 1228, 436, 220, 1692, 2636, 3864, 2352, 1136, 2684, 2452, 4556, 1856, 4792, 5060, 5784, 3852, 6064
aqqeuggogerhoeerq.exe | 4204, 6132, 5480, 4940, 2816, 5384, 3128, 5064, 628
umoewkmwqqfxgyapqfx.exe | 3324, 3176, 1328, 1108, 4856, 4444, 5792
tihujutaroapvkjv.exe | 3536, 5644, 5348, 4704, 4692, 5508, 2288
wqumgwamikbvgaevypjnf.exe | 3336, 1548, 1728, 4612, 1864, 2796, 3768, 1536
jabqhuvexwkbjabppd.exe | 5304, 4036, 3464, 1968
uaquacs.exe | 2152, 5672
haduncfqlmcvfybrtjcf.exe | 3416, 824, 1880, 4684, 1728, 4908, 1712

Impair Defenses: Safe Mode Boot (1 TTPs, 6 IoCs)
description | ioc | process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | uaquacs.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | uaquacs.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | uaquacs.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | uaquacs.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | uaquacs.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | uaquacs.exe

Adds Run key to start application (2 TTPs, 64 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kwscowswkenzc = "jabqhuvexwkbjabppd.exe" | vcmnxryrfmw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\umoewkmwqqfxgyapqfx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\umoewkmwqqfxgyapqfx.exe" | vcmnxryrfmw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jabqhuvexwkbjabppd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\umoewkmwqqfxgyapqfx.exe ." | uaquacs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kwscowswkenzc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jabqhuvexwkbjabppd.exe" | uaquacs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kwscowswkenzc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haduncfqlmcvfybrtjcf.exe" | vcmnxryrfmw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lyvgtczetoylpc = "wqumgwamikbvgaevypjnf.exe ." | vcmnxryrfmw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lyvgtczetoylpc = "aqqeuggogerhoeerq.exe ." | vcmnxryrfmw.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tihujutaroapvkjv = "tihujutaroapvkjv.exe" | vcmnxryrfmw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lyvgtczetoylpc = "jabqhuvexwkbjabppd.exe ." | vcmnxryrfmw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lyvgtczetoylpc = "jabqhuvexwkbjabppd.exe ." | vcmnxryrfmw.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lyvgtczetoylpc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\umoewkmwqqfxgyapqfx.exe ." | vcmnxryrfmw.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\aqqeuggogerhoeerq = "tihujutaroapvkjv.exe ." | vcmnxryrfmw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lyvgtczetoylpc = "umoewkmwqqfxgyapqfx.exe ." | uaquacs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lyvgtczetoylpc = "jabqhuvexwkbjabppd.exe ." | vcmnxryrfmw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lyvgtczetoylpc = "haduncfqlmcvfybrtjcf.exe ." | vcmnxryrfmw.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lyvgtczetoylpc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\umoewkmwqqfxgyapqfx.exe ." | vcmnxryrfmw.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tihujutaroapvkjv = "umoewkmwqqfxgyapqfx.exe" | vcmnxryrfmw.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\aqqeuggogerhoeerq = "aqqeuggogerhoeerq.exe ." | vcmnxryrfmw.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\aqqeuggogerhoeerq = "haduncfqlmcvfybrtjcf.exe ." | uaquacs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jabqhuvexwkbjabppd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wqumgwamikbvgaevypjnf.exe ." | vcmnxryrfmw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kwscowswkenzc = "aqqeuggogerhoeerq.exe" | uaquacs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jabqhuvexwkbjabppd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jabqhuvexwkbjabppd.exe ." | vcmnxryrfmw.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kwscowswkenzc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqqeuggogerhoeerq.exe" | vcmnxryrfmw.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lyvgtczetoylpc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haduncfqlmcvfybrtjcf.exe ." | vcmnxryrfmw.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\aqqeuggogerhoeerq = "jabqhuvexwkbjabppd.exe ." | vcmnxryrfmw.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tihujutaroapvkjv = "umoewkmwqqfxgyapqfx.exe" | vcmnxryrfmw.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kwscowswkenzc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tihujutaroapvkjv.exe" | uaquacs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jabqhuvexwkbjabppd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqqeuggogerhoeerq.exe ." | vcmnxryrfmw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lyvgtczetoylpc = "haduncfqlmcvfybrtjcf.exe ." |
vcmnxryrfmw.exe Set value (str) \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kwscowswkenzc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\umoewkmwqqfxgyapqfx.exe" vcmnxryrfmw.exe Set value (str) \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lyvgtczetoylpc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqqeuggogerhoeerq.exe ." vcmnxryrfmw.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\umoewkmwqqfxgyapqfx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haduncfqlmcvfybrtjcf.exe" vcmnxryrfmw.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kwscowswkenzc = "haduncfqlmcvfybrtjcf.exe" uaquacs.exe Set value (str) \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\aqqeuggogerhoeerq = "wqumgwamikbvgaevypjnf.exe ." vcmnxryrfmw.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lyvgtczetoylpc = "tihujutaroapvkjv.exe ." uaquacs.exe Set value (str) \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tihujutaroapvkjv = "haduncfqlmcvfybrtjcf.exe" vcmnxryrfmw.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lyvgtczetoylpc = "haduncfqlmcvfybrtjcf.exe ." 
uaquacs.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kwscowswkenzc = "wqumgwamikbvgaevypjnf.exe" vcmnxryrfmw.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\umoewkmwqqfxgyapqfx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tihujutaroapvkjv.exe" vcmnxryrfmw.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kwscowswkenzc = "tihujutaroapvkjv.exe" uaquacs.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\umoewkmwqqfxgyapqfx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\umoewkmwqqfxgyapqfx.exe" vcmnxryrfmw.exe Set value (str) \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\aqqeuggogerhoeerq = "tihujutaroapvkjv.exe ." uaquacs.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\umoewkmwqqfxgyapqfx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jabqhuvexwkbjabppd.exe" vcmnxryrfmw.exe Set value (str) \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tihujutaroapvkjv = "aqqeuggogerhoeerq.exe" vcmnxryrfmw.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\umoewkmwqqfxgyapqfx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jabqhuvexwkbjabppd.exe" vcmnxryrfmw.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kwscowswkenzc = "umoewkmwqqfxgyapqfx.exe" vcmnxryrfmw.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\umoewkmwqqfxgyapqfx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqqeuggogerhoeerq.exe" uaquacs.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\umoewkmwqqfxgyapqfx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tihujutaroapvkjv.exe" uaquacs.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jabqhuvexwkbjabppd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqqeuggogerhoeerq.exe ." vcmnxryrfmw.exe Set value (str) \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tihujutaroapvkjv = "wqumgwamikbvgaevypjnf.exe" vcmnxryrfmw.exe Set value (str) \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tihujutaroapvkjv = "wqumgwamikbvgaevypjnf.exe" vcmnxryrfmw.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\umoewkmwqqfxgyapqfx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\umoewkmwqqfxgyapqfx.exe" vcmnxryrfmw.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lyvgtczetoylpc = "aqqeuggogerhoeerq.exe ." vcmnxryrfmw.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\umoewkmwqqfxgyapqfx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jabqhuvexwkbjabppd.exe" vcmnxryrfmw.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jabqhuvexwkbjabppd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jabqhuvexwkbjabppd.exe ." vcmnxryrfmw.exe Set value (str) \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kwscowswkenzc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haduncfqlmcvfybrtjcf.exe" vcmnxryrfmw.exe Set value (str) \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lyvgtczetoylpc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haduncfqlmcvfybrtjcf.exe ." 
vcmnxryrfmw.exe Set value (str) \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tihujutaroapvkjv = "tihujutaroapvkjv.exe" vcmnxryrfmw.exe Set value (str) \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tihujutaroapvkjv = "aqqeuggogerhoeerq.exe" uaquacs.exe Set value (str) \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\aqqeuggogerhoeerq = "jabqhuvexwkbjabppd.exe ." vcmnxryrfmw.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\umoewkmwqqfxgyapqfx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wqumgwamikbvgaevypjnf.exe" vcmnxryrfmw.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jabqhuvexwkbjabppd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\umoewkmwqqfxgyapqfx.exe ." vcmnxryrfmw.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lyvgtczetoylpc = "haduncfqlmcvfybrtjcf.exe ." vcmnxryrfmw.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jabqhuvexwkbjabppd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jabqhuvexwkbjabppd.exe ." vcmnxryrfmw.exe -
Checks whether UAC is enabled 1 TTPs 40 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vcmnxryrfmw.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vcmnxryrfmw.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vcmnxryrfmw.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" uaquacs.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA uaquacs.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vcmnxryrfmw.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vcmnxryrfmw.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vcmnxryrfmw.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vcmnxryrfmw.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" uaquacs.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vcmnxryrfmw.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vcmnxryrfmw.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vcmnxryrfmw.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vcmnxryrfmw.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vcmnxryrfmw.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vcmnxryrfmw.exe Key value queried 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vcmnxryrfmw.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vcmnxryrfmw.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vcmnxryrfmw.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vcmnxryrfmw.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vcmnxryrfmw.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vcmnxryrfmw.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vcmnxryrfmw.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA uaquacs.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vcmnxryrfmw.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vcmnxryrfmw.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vcmnxryrfmw.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vcmnxryrfmw.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vcmnxryrfmw.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vcmnxryrfmw.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vcmnxryrfmw.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vcmnxryrfmw.exe Key value queried 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vcmnxryrfmw.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vcmnxryrfmw.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vcmnxryrfmw.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vcmnxryrfmw.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vcmnxryrfmw.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vcmnxryrfmw.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vcmnxryrfmw.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vcmnxryrfmw.exe -
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possibly turns off User Account Control's privilege elevation for standard users.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | vcmnxryrfmw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | uaquacs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | uaquacs.exe
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
31 | www.whatismyip.ca
35 | whatismyipaddress.com
38 | www.showmyipaddress.com
44 | whatismyip.everdot.org
47 | www.whatismyip.ca
54 | www.whatismyip.ca
56 | whatismyip.everdot.org
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\aqqeuggogerhoeerq.exe vcmnxryrfmw.exe File opened for modification C:\Windows\SysWOW64\haduncfqlmcvfybrtjcf.exe vcmnxryrfmw.exe File opened for modification C:\Windows\SysWOW64\wqumgwamikbvgaevypjnf.exe uaquacs.exe File opened for modification C:\Windows\SysWOW64\tihujutaroapvkjv.exe vcmnxryrfmw.exe File opened for modification C:\Windows\SysWOW64\haduncfqlmcvfybrtjcf.exe vcmnxryrfmw.exe File opened for modification C:\Windows\SysWOW64\aqqeuggogerhoeerq.exe vcmnxryrfmw.exe File opened for modification C:\Windows\SysWOW64\umoewkmwqqfxgyapqfx.exe vcmnxryrfmw.exe File opened for modification C:\Windows\SysWOW64\haduncfqlmcvfybrtjcf.exe vcmnxryrfmw.exe File opened for modification C:\Windows\SysWOW64\aqqeuggogerhoeerq.exe vcmnxryrfmw.exe File opened for modification C:\Windows\SysWOW64\haduncfqlmcvfybrtjcf.exe vcmnxryrfmw.exe File opened for modification C:\Windows\SysWOW64\haduncfqlmcvfybrtjcf.exe vcmnxryrfmw.exe File opened for modification C:\Windows\SysWOW64\haduncfqlmcvfybrtjcf.exe vcmnxryrfmw.exe File opened for modification C:\Windows\SysWOW64\ningbsxkhkcxjejbfxsxql.exe vcmnxryrfmw.exe File opened for modification C:\Windows\SysWOW64\ningbsxkhkcxjejbfxsxql.exe vcmnxryrfmw.exe File opened for modification C:\Windows\SysWOW64\haduncfqlmcvfybrtjcf.exe vcmnxryrfmw.exe File opened for modification C:\Windows\SysWOW64\umoewkmwqqfxgyapqfx.exe vcmnxryrfmw.exe File opened for modification C:\Windows\SysWOW64\wqumgwamikbvgaevypjnf.exe vcmnxryrfmw.exe File opened for modification C:\Windows\SysWOW64\tihujutaroapvkjv.exe vcmnxryrfmw.exe File opened for modification C:\Windows\SysWOW64\ningbsxkhkcxjejbfxsxql.exe vcmnxryrfmw.exe File opened for modification C:\Windows\SysWOW64\aqqeuggogerhoeerq.exe uaquacs.exe File opened for modification C:\Windows\SysWOW64\umoewkmwqqfxgyapqfx.exe uaquacs.exe File opened for modification C:\Windows\SysWOW64\aqqeuggogerhoeerq.exe vcmnxryrfmw.exe File opened for 
modification C:\Windows\SysWOW64\umoewkmwqqfxgyapqfx.exe vcmnxryrfmw.exe File opened for modification C:\Windows\SysWOW64\aqqeuggogerhoeerq.exe vcmnxryrfmw.exe File opened for modification C:\Windows\SysWOW64\ningbsxkhkcxjejbfxsxql.exe vcmnxryrfmw.exe File opened for modification C:\Windows\SysWOW64\jabqhuvexwkbjabppd.exe vcmnxryrfmw.exe File opened for modification C:\Windows\SysWOW64\tihujutaroapvkjv.exe vcmnxryrfmw.exe File opened for modification C:\Windows\SysWOW64\jabqhuvexwkbjabppd.exe vcmnxryrfmw.exe File opened for modification C:\Windows\SysWOW64\aqqeuggogerhoeerq.exe vcmnxryrfmw.exe File opened for modification C:\Windows\SysWOW64\jabqhuvexwkbjabppd.exe vcmnxryrfmw.exe File opened for modification C:\Windows\SysWOW64\jabqhuvexwkbjabppd.exe vcmnxryrfmw.exe File opened for modification C:\Windows\SysWOW64\haduncfqlmcvfybrtjcf.exe vcmnxryrfmw.exe File opened for modification C:\Windows\SysWOW64\aqqeuggogerhoeerq.exe uaquacs.exe File opened for modification C:\Windows\SysWOW64\ningbsxkhkcxjejbfxsxql.exe uaquacs.exe File opened for modification C:\Windows\SysWOW64\tihujutaroapvkjv.exe vcmnxryrfmw.exe File opened for modification C:\Windows\SysWOW64\umoewkmwqqfxgyapqfx.exe vcmnxryrfmw.exe File opened for modification C:\Windows\SysWOW64\jabqhuvexwkbjabppd.exe vcmnxryrfmw.exe File opened for modification C:\Windows\SysWOW64\wqumgwamikbvgaevypjnf.exe vcmnxryrfmw.exe File opened for modification C:\Windows\SysWOW64\ningbsxkhkcxjejbfxsxql.exe vcmnxryrfmw.exe File opened for modification C:\Windows\SysWOW64\umoewkmwqqfxgyapqfx.exe vcmnxryrfmw.exe File opened for modification C:\Windows\SysWOW64\ningbsxkhkcxjejbfxsxql.exe vcmnxryrfmw.exe File opened for modification C:\Windows\SysWOW64\tihujutaroapvkjv.exe vcmnxryrfmw.exe File opened for modification C:\Windows\SysWOW64\tihujutaroapvkjv.exe uaquacs.exe File opened for modification C:\Windows\SysWOW64\umoewkmwqqfxgyapqfx.exe vcmnxryrfmw.exe File opened for modification C:\Windows\SysWOW64\aqqeuggogerhoeerq.exe 
vcmnxryrfmw.exe File opened for modification C:\Windows\SysWOW64\wqumgwamikbvgaevypjnf.exe vcmnxryrfmw.exe File opened for modification C:\Windows\SysWOW64\umoewkmwqqfxgyapqfx.exe vcmnxryrfmw.exe File opened for modification C:\Windows\SysWOW64\haduncfqlmcvfybrtjcf.exe uaquacs.exe File opened for modification C:\Windows\SysWOW64\ocamakioealzesqbyjxvhvfdjzvguznlwtesq.qay uaquacs.exe File opened for modification C:\Windows\SysWOW64\aqqeuggogerhoeerq.exe vcmnxryrfmw.exe File opened for modification C:\Windows\SysWOW64\wqumgwamikbvgaevypjnf.exe vcmnxryrfmw.exe File opened for modification C:\Windows\SysWOW64\umoewkmwqqfxgyapqfx.exe vcmnxryrfmw.exe File opened for modification C:\Windows\SysWOW64\jabqhuvexwkbjabppd.exe vcmnxryrfmw.exe File opened for modification C:\Windows\SysWOW64\tihujutaroapvkjv.exe vcmnxryrfmw.exe File opened for modification C:\Windows\SysWOW64\ningbsxkhkcxjejbfxsxql.exe vcmnxryrfmw.exe File opened for modification C:\Windows\SysWOW64\aqqeuggogerhoeerq.exe vcmnxryrfmw.exe File opened for modification C:\Windows\SysWOW64\umoewkmwqqfxgyapqfx.exe vcmnxryrfmw.exe File opened for modification C:\Windows\SysWOW64\jabqhuvexwkbjabppd.exe vcmnxryrfmw.exe File created C:\Windows\SysWOW64\nqdehgtoteehberrddgtuxwjej.uxr uaquacs.exe File opened for modification C:\Windows\SysWOW64\haduncfqlmcvfybrtjcf.exe vcmnxryrfmw.exe File opened for modification C:\Windows\SysWOW64\wqumgwamikbvgaevypjnf.exe vcmnxryrfmw.exe File opened for modification C:\Windows\SysWOW64\haduncfqlmcvfybrtjcf.exe vcmnxryrfmw.exe File opened for modification C:\Windows\SysWOW64\umoewkmwqqfxgyapqfx.exe vcmnxryrfmw.exe File opened for modification C:\Windows\SysWOW64\haduncfqlmcvfybrtjcf.exe uaquacs.exe -
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\nqdehgtoteehberrddgtuxwjej.uxr | uaquacs.exe
File created | C:\Program Files (x86)\nqdehgtoteehberrddgtuxwjej.uxr | uaquacs.exe
File opened for modification | C:\Program Files (x86)\ocamakioealzesqbyjxvhvfdjzvguznlwtesq.qay | uaquacs.exe
File created | C:\Program Files (x86)\ocamakioealzesqbyjxvhvfdjzvguznlwtesq.qay | uaquacs.exe
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\tihujutaroapvkjv.exe uaquacs.exe File opened for modification C:\Windows\aqqeuggogerhoeerq.exe vcmnxryrfmw.exe File opened for modification C:\Windows\aqqeuggogerhoeerq.exe vcmnxryrfmw.exe File opened for modification C:\Windows\ningbsxkhkcxjejbfxsxql.exe vcmnxryrfmw.exe File opened for modification C:\Windows\wqumgwamikbvgaevypjnf.exe vcmnxryrfmw.exe File opened for modification C:\Windows\umoewkmwqqfxgyapqfx.exe vcmnxryrfmw.exe File created C:\Windows\nqdehgtoteehberrddgtuxwjej.uxr uaquacs.exe File opened for modification C:\Windows\haduncfqlmcvfybrtjcf.exe vcmnxryrfmw.exe File opened for modification C:\Windows\umoewkmwqqfxgyapqfx.exe vcmnxryrfmw.exe File opened for modification C:\Windows\aqqeuggogerhoeerq.exe vcmnxryrfmw.exe File opened for modification C:\Windows\ningbsxkhkcxjejbfxsxql.exe uaquacs.exe File opened for modification C:\Windows\umoewkmwqqfxgyapqfx.exe vcmnxryrfmw.exe File opened for modification C:\Windows\jabqhuvexwkbjabppd.exe vcmnxryrfmw.exe File opened for modification C:\Windows\haduncfqlmcvfybrtjcf.exe vcmnxryrfmw.exe File opened for modification C:\Windows\wqumgwamikbvgaevypjnf.exe vcmnxryrfmw.exe File opened for modification C:\Windows\aqqeuggogerhoeerq.exe vcmnxryrfmw.exe File opened for modification C:\Windows\wqumgwamikbvgaevypjnf.exe vcmnxryrfmw.exe File opened for modification C:\Windows\haduncfqlmcvfybrtjcf.exe vcmnxryrfmw.exe File opened for modification C:\Windows\aqqeuggogerhoeerq.exe vcmnxryrfmw.exe File opened for modification C:\Windows\jabqhuvexwkbjabppd.exe vcmnxryrfmw.exe File opened for modification C:\Windows\umoewkmwqqfxgyapqfx.exe vcmnxryrfmw.exe File opened for modification C:\Windows\jabqhuvexwkbjabppd.exe vcmnxryrfmw.exe File opened for modification C:\Windows\jabqhuvexwkbjabppd.exe vcmnxryrfmw.exe File opened for modification C:\Windows\tihujutaroapvkjv.exe vcmnxryrfmw.exe File opened for modification C:\Windows\tihujutaroapvkjv.exe vcmnxryrfmw.exe File 
opened for modification C:\Windows\umoewkmwqqfxgyapqfx.exe uaquacs.exe File opened for modification C:\Windows\haduncfqlmcvfybrtjcf.exe vcmnxryrfmw.exe File opened for modification C:\Windows\haduncfqlmcvfybrtjcf.exe vcmnxryrfmw.exe File opened for modification C:\Windows\aqqeuggogerhoeerq.exe uaquacs.exe File opened for modification C:\Windows\ningbsxkhkcxjejbfxsxql.exe vcmnxryrfmw.exe File opened for modification C:\Windows\tihujutaroapvkjv.exe vcmnxryrfmw.exe File opened for modification C:\Windows\umoewkmwqqfxgyapqfx.exe vcmnxryrfmw.exe File opened for modification C:\Windows\jabqhuvexwkbjabppd.exe vcmnxryrfmw.exe File opened for modification C:\Windows\haduncfqlmcvfybrtjcf.exe uaquacs.exe File opened for modification C:\Windows\aqqeuggogerhoeerq.exe vcmnxryrfmw.exe File opened for modification C:\Windows\aqqeuggogerhoeerq.exe vcmnxryrfmw.exe File opened for modification C:\Windows\umoewkmwqqfxgyapqfx.exe vcmnxryrfmw.exe File opened for modification C:\Windows\aqqeuggogerhoeerq.exe vcmnxryrfmw.exe File opened for modification C:\Windows\ningbsxkhkcxjejbfxsxql.exe vcmnxryrfmw.exe File opened for modification C:\Windows\haduncfqlmcvfybrtjcf.exe vcmnxryrfmw.exe File opened for modification C:\Windows\umoewkmwqqfxgyapqfx.exe vcmnxryrfmw.exe File opened for modification C:\Windows\haduncfqlmcvfybrtjcf.exe vcmnxryrfmw.exe File opened for modification C:\Windows\wqumgwamikbvgaevypjnf.exe vcmnxryrfmw.exe File opened for modification C:\Windows\ningbsxkhkcxjejbfxsxql.exe vcmnxryrfmw.exe File opened for modification C:\Windows\aqqeuggogerhoeerq.exe vcmnxryrfmw.exe File opened for modification C:\Windows\ningbsxkhkcxjejbfxsxql.exe vcmnxryrfmw.exe File opened for modification C:\Windows\wqumgwamikbvgaevypjnf.exe vcmnxryrfmw.exe File opened for modification C:\Windows\haduncfqlmcvfybrtjcf.exe vcmnxryrfmw.exe File opened for modification C:\Windows\wqumgwamikbvgaevypjnf.exe vcmnxryrfmw.exe File opened for modification C:\Windows\aqqeuggogerhoeerq.exe vcmnxryrfmw.exe File 
opened for modification C:\Windows\haduncfqlmcvfybrtjcf.exe vcmnxryrfmw.exe File opened for modification C:\Windows\jabqhuvexwkbjabppd.exe vcmnxryrfmw.exe File opened for modification C:\Windows\wqumgwamikbvgaevypjnf.exe vcmnxryrfmw.exe File opened for modification C:\Windows\tihujutaroapvkjv.exe vcmnxryrfmw.exe File opened for modification C:\Windows\wqumgwamikbvgaevypjnf.exe uaquacs.exe File opened for modification C:\Windows\haduncfqlmcvfybrtjcf.exe vcmnxryrfmw.exe File opened for modification C:\Windows\ningbsxkhkcxjejbfxsxql.exe vcmnxryrfmw.exe File opened for modification C:\Windows\tihujutaroapvkjv.exe vcmnxryrfmw.exe File opened for modification C:\Windows\umoewkmwqqfxgyapqfx.exe vcmnxryrfmw.exe File opened for modification C:\Windows\tihujutaroapvkjv.exe vcmnxryrfmw.exe File opened for modification C:\Windows\aqqeuggogerhoeerq.exe vcmnxryrfmw.exe File opened for modification C:\Windows\jabqhuvexwkbjabppd.exe vcmnxryrfmw.exe File opened for modification C:\Windows\aqqeuggogerhoeerq.exe vcmnxryrfmw.exe File opened for modification C:\Windows\ningbsxkhkcxjejbfxsxql.exe vcmnxryrfmw.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jabqhuvexwkbjabppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tihujutaroapvkjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jabqhuvexwkbjabppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wqumgwamikbvgaevypjnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jabqhuvexwkbjabppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_b45ce61349c8fd0044f2bf10ac4d34b4.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language haduncfqlmcvfybrtjcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language aqqeuggogerhoeerq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jabqhuvexwkbjabppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vcmnxryrfmw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language umoewkmwqqfxgyapqfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language haduncfqlmcvfybrtjcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tihujutaroapvkjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language uaquacs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language haduncfqlmcvfybrtjcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language aqqeuggogerhoeerq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wqumgwamikbvgaevypjnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language aqqeuggogerhoeerq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wqumgwamikbvgaevypjnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wqumgwamikbvgaevypjnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
jabqhuvexwkbjabppd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language haduncfqlmcvfybrtjcf.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language haduncfqlmcvfybrtjcf.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language umoewkmwqqfxgyapqfx.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tihujutaroapvkjv.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language aqqeuggogerhoeerq.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jabqhuvexwkbjabppd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language aqqeuggogerhoeerq.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wqumgwamikbvgaevypjnf.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wqumgwamikbvgaevypjnf.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language aqqeuggogerhoeerq.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jabqhuvexwkbjabppd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language aqqeuggogerhoeerq.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jabqhuvexwkbjabppd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language haduncfqlmcvfybrtjcf.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language aqqeuggogerhoeerq.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language umoewkmwqqfxgyapqfx.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language aqqeuggogerhoeerq.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jabqhuvexwkbjabppd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language aqqeuggogerhoeerq.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tihujutaroapvkjv.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language umoewkmwqqfxgyapqfx.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language aqqeuggogerhoeerq.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wqumgwamikbvgaevypjnf.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jabqhuvexwkbjabppd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wqumgwamikbvgaevypjnf.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language haduncfqlmcvfybrtjcf.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jabqhuvexwkbjabppd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tihujutaroapvkjv.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jabqhuvexwkbjabppd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jabqhuvexwkbjabppd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jabqhuvexwkbjabppd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language aqqeuggogerhoeerq.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language aqqeuggogerhoeerq.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language haduncfqlmcvfybrtjcf.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language haduncfqlmcvfybrtjcf.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language aqqeuggogerhoeerq.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language umoewkmwqqfxgyapqfx.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wqumgwamikbvgaevypjnf.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language aqqeuggogerhoeerq.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language aqqeuggogerhoeerq.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language umoewkmwqqfxgyapqfx.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jabqhuvexwkbjabppd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wqumgwamikbvgaevypjnf.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
3948 JaffaCakes118_b45ce61349c8fd0044f2bf10ac4d34b4.exe
3948 JaffaCakes118_b45ce61349c8fd0044f2bf10ac4d34b4.exe
3948 JaffaCakes118_b45ce61349c8fd0044f2bf10ac4d34b4.exe
3948 JaffaCakes118_b45ce61349c8fd0044f2bf10ac4d34b4.exe
3948 JaffaCakes118_b45ce61349c8fd0044f2bf10ac4d34b4.exe
3948 JaffaCakes118_b45ce61349c8fd0044f2bf10ac4d34b4.exe
3948 JaffaCakes118_b45ce61349c8fd0044f2bf10ac4d34b4.exe
3948 JaffaCakes118_b45ce61349c8fd0044f2bf10ac4d34b4.exe
3948 JaffaCakes118_b45ce61349c8fd0044f2bf10ac4d34b4.exe
3948 JaffaCakes118_b45ce61349c8fd0044f2bf10ac4d34b4.exe
3948 JaffaCakes118_b45ce61349c8fd0044f2bf10ac4d34b4.exe
3948 JaffaCakes118_b45ce61349c8fd0044f2bf10ac4d34b4.exe
3948 JaffaCakes118_b45ce61349c8fd0044f2bf10ac4d34b4.exe
3948 JaffaCakes118_b45ce61349c8fd0044f2bf10ac4d34b4.exe
3948 JaffaCakes118_b45ce61349c8fd0044f2bf10ac4d34b4.exe
3948 JaffaCakes118_b45ce61349c8fd0044f2bf10ac4d34b4.exe
5672 uaquacs.exe
5672 uaquacs.exe
3948 JaffaCakes118_b45ce61349c8fd0044f2bf10ac4d34b4.exe
3948 JaffaCakes118_b45ce61349c8fd0044f2bf10ac4d34b4.exe
3948 JaffaCakes118_b45ce61349c8fd0044f2bf10ac4d34b4.exe
3948 JaffaCakes118_b45ce61349c8fd0044f2bf10ac4d34b4.exe
3948 JaffaCakes118_b45ce61349c8fd0044f2bf10ac4d34b4.exe
3948 JaffaCakes118_b45ce61349c8fd0044f2bf10ac4d34b4.exe
3948 JaffaCakes118_b45ce61349c8fd0044f2bf10ac4d34b4.exe
3948 JaffaCakes118_b45ce61349c8fd0044f2bf10ac4d34b4.exe
3948 JaffaCakes118_b45ce61349c8fd0044f2bf10ac4d34b4.exe
3948 JaffaCakes118_b45ce61349c8fd0044f2bf10ac4d34b4.exe
3948 JaffaCakes118_b45ce61349c8fd0044f2bf10ac4d34b4.exe
3948 JaffaCakes118_b45ce61349c8fd0044f2bf10ac4d34b4.exe
3948 JaffaCakes118_b45ce61349c8fd0044f2bf10ac4d34b4.exe
3948 JaffaCakes118_b45ce61349c8fd0044f2bf10ac4d34b4.exe
3948 JaffaCakes118_b45ce61349c8fd0044f2bf10ac4d34b4.exe
3948 JaffaCakes118_b45ce61349c8fd0044f2bf10ac4d34b4.exe
3948 JaffaCakes118_b45ce61349c8fd0044f2bf10ac4d34b4.exe
3948 JaffaCakes118_b45ce61349c8fd0044f2bf10ac4d34b4.exe
3948 JaffaCakes118_b45ce61349c8fd0044f2bf10ac4d34b4.exe
3948 JaffaCakes118_b45ce61349c8fd0044f2bf10ac4d34b4.exe
3948 JaffaCakes118_b45ce61349c8fd0044f2bf10ac4d34b4.exe
3948 JaffaCakes118_b45ce61349c8fd0044f2bf10ac4d34b4.exe
3948 JaffaCakes118_b45ce61349c8fd0044f2bf10ac4d34b4.exe
3948 JaffaCakes118_b45ce61349c8fd0044f2bf10ac4d34b4.exe
3948 JaffaCakes118_b45ce61349c8fd0044f2bf10ac4d34b4.exe
3948 JaffaCakes118_b45ce61349c8fd0044f2bf10ac4d34b4.exe
3948 JaffaCakes118_b45ce61349c8fd0044f2bf10ac4d34b4.exe
3948 JaffaCakes118_b45ce61349c8fd0044f2bf10ac4d34b4.exe
3948 JaffaCakes118_b45ce61349c8fd0044f2bf10ac4d34b4.exe
3948 JaffaCakes118_b45ce61349c8fd0044f2bf10ac4d34b4.exe
3948 JaffaCakes118_b45ce61349c8fd0044f2bf10ac4d34b4.exe
3948 JaffaCakes118_b45ce61349c8fd0044f2bf10ac4d34b4.exe
5672 uaquacs.exe
5672 uaquacs.exe
3948 JaffaCakes118_b45ce61349c8fd0044f2bf10ac4d34b4.exe
3948 JaffaCakes118_b45ce61349c8fd0044f2bf10ac4d34b4.exe
3948 JaffaCakes118_b45ce61349c8fd0044f2bf10ac4d34b4.exe
3948 JaffaCakes118_b45ce61349c8fd0044f2bf10ac4d34b4.exe
3948 JaffaCakes118_b45ce61349c8fd0044f2bf10ac4d34b4.exe
3948 JaffaCakes118_b45ce61349c8fd0044f2bf10ac4d34b4.exe
3948 JaffaCakes118_b45ce61349c8fd0044f2bf10ac4d34b4.exe
3948 JaffaCakes118_b45ce61349c8fd0044f2bf10ac4d34b4.exe
3948 JaffaCakes118_b45ce61349c8fd0044f2bf10ac4d34b4.exe
3948 JaffaCakes118_b45ce61349c8fd0044f2bf10ac4d34b4.exe
3948 JaffaCakes118_b45ce61349c8fd0044f2bf10ac4d34b4.exe
3948 JaffaCakes118_b45ce61349c8fd0044f2bf10ac4d34b4.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process
Token: SeDebugPrivilege 5672 uaquacs.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 3948 wrote to memory of 3544 3948 JaffaCakes118_b45ce61349c8fd0044f2bf10ac4d34b4.exe 91
PID 3948 wrote to memory of 3544 3948 JaffaCakes118_b45ce61349c8fd0044f2bf10ac4d34b4.exe 91
PID 3948 wrote to memory of 3544 3948 JaffaCakes118_b45ce61349c8fd0044f2bf10ac4d34b4.exe 91
PID 4584 wrote to memory of 4204 4584 cmd.exe 94
PID 4584 wrote to memory of 4204 4584 cmd.exe 94
PID 4584 wrote to memory of 4204 4584 cmd.exe 94
PID 1296 wrote to memory of 3324 1296 cmd.exe 97
PID 1296 wrote to memory of 3324 1296 cmd.exe 97
PID 1296 wrote to memory of 3324 1296 cmd.exe 97
PID 3324 wrote to memory of 5088 3324 umoewkmwqqfxgyapqfx.exe 104
PID 3324 wrote to memory of 5088 3324 umoewkmwqqfxgyapqfx.exe 104
PID 3324 wrote to memory of 5088 3324 umoewkmwqqfxgyapqfx.exe 104
PID 4940 wrote to memory of 3536 4940 cmd.exe 105
PID 4940 wrote to memory of 3536 4940 cmd.exe 105
PID 4940 wrote to memory of 3536 4940 cmd.exe 105
PID 4880 wrote to memory of 3336 4880 cmd.exe 108
PID 4880 wrote to memory of 3336 4880 cmd.exe 108
PID 4880 wrote to memory of 3336 4880 cmd.exe 108
PID 1104 wrote to memory of 5304 1104 cmd.exe 169
PID 1104 wrote to memory of 5304 1104 cmd.exe 169
PID 1104 wrote to memory of 5304 1104 cmd.exe 169
PID 3336 wrote to memory of 4828 3336 wqumgwamikbvgaevypjnf.exe 113
PID 3336 wrote to memory of 4828 3336 wqumgwamikbvgaevypjnf.exe 113
PID 3336 wrote to memory of 4828 3336 wqumgwamikbvgaevypjnf.exe 113
PID 4472 wrote to memory of 3176 4472 cmd.exe 112
PID 4472 wrote to memory of 3176 4472 cmd.exe 112
PID 4472 wrote to memory of 3176 4472 cmd.exe 112
PID 3176 wrote to memory of 1228 3176 umoewkmwqqfxgyapqfx.exe 116
PID 3176 wrote to memory of 1228 3176 umoewkmwqqfxgyapqfx.exe 116
PID 3176 wrote to memory of 1228 3176 umoewkmwqqfxgyapqfx.exe 116
PID 1212 wrote to memory of 1548 1212 cmd.exe 119
PID 1212 wrote to memory of 1548 1212 cmd.exe 119
PID 1212 wrote to memory of 1548 1212 cmd.exe 119
PID 5568 wrote to memory of 1328 5568 cmd.exe 120
PID 5568 wrote to memory of 1328 5568 cmd.exe 120
PID 5568 wrote to memory of 1328 5568 cmd.exe 120
PID 1328 wrote to memory of 436 1328 umoewkmwqqfxgyapqfx.exe 121
PID 1328 wrote to memory of 436 1328 umoewkmwqqfxgyapqfx.exe 121
PID 1328 wrote to memory of 436 1328 umoewkmwqqfxgyapqfx.exe 121
PID 3544 wrote to memory of 2152 3544 vcmnxryrfmw.exe 124
PID 3544 wrote to memory of 2152 3544 vcmnxryrfmw.exe 124
PID 3544 wrote to memory of 2152 3544 vcmnxryrfmw.exe 124
PID 3544 wrote to memory of 5672 3544 vcmnxryrfmw.exe 125
PID 3544 wrote to memory of 5672 3544 vcmnxryrfmw.exe 125
PID 3544 wrote to memory of 5672 3544 vcmnxryrfmw.exe 125
PID 3448 wrote to memory of 1728 3448 cmd.exe 191
PID 3448 wrote to memory of 1728 3448 cmd.exe 191
PID 3448 wrote to memory of 1728 3448 cmd.exe 191
PID 2008 wrote to memory of 6132 2008 cmd.exe 341
PID 2008 wrote to memory of 6132 2008 cmd.exe 341
PID 2008 wrote to memory of 6132 2008 cmd.exe 341
PID 704 wrote to memory of 5644 704 cmd.exe 136
PID 704 wrote to memory of 5644 704 cmd.exe 136
PID 704 wrote to memory of 5644 704 cmd.exe 136
PID 6024 wrote to memory of 5480 6024 cmd.exe 137
PID 6024 wrote to memory of 5480 6024 cmd.exe 137
PID 6024 wrote to memory of 5480 6024 cmd.exe 137
PID 5644 wrote to memory of 220 5644 tihujutaroapvkjv.exe 146
PID 5644 wrote to memory of 220 5644 tihujutaroapvkjv.exe 146
PID 5644 wrote to memory of 220 5644 tihujutaroapvkjv.exe 146
PID 5480 wrote to memory of 1692 5480 aqqeuggogerhoeerq.exe 147
PID 5480 wrote to memory of 1692 5480 aqqeuggogerhoeerq.exe 147
PID 5480 wrote to memory of 1692 5480 aqqeuggogerhoeerq.exe 147
PID 2064 wrote to memory of 3416 2064 cmd.exe 205
System policy modification 1 TTPs 64 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" vcmnxryrfmw.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" vcmnxryrfmw.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System uaquacs.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vcmnxryrfmw.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vcmnxryrfmw.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" uaquacs.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System vcmnxryrfmw.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" vcmnxryrfmw.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" uaquacs.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System vcmnxryrfmw.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vcmnxryrfmw.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System vcmnxryrfmw.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" uaquacs.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System vcmnxryrfmw.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System vcmnxryrfmw.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vcmnxryrfmw.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" uaquacs.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vcmnxryrfmw.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" vcmnxryrfmw.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" uaquacs.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vcmnxryrfmw.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System vcmnxryrfmw.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" uaquacs.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" uaquacs.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" uaquacs.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vcmnxryrfmw.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System vcmnxryrfmw.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System vcmnxryrfmw.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vcmnxryrfmw.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" uaquacs.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" vcmnxryrfmw.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" uaquacs.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" uaquacs.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vcmnxryrfmw.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System vcmnxryrfmw.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" uaquacs.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System vcmnxryrfmw.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System vcmnxryrfmw.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" vcmnxryrfmw.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" uaquacs.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" uaquacs.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" uaquacs.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System vcmnxryrfmw.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System vcmnxryrfmw.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" vcmnxryrfmw.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System vcmnxryrfmw.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vcmnxryrfmw.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vcmnxryrfmw.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System vcmnxryrfmw.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vcmnxryrfmw.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" vcmnxryrfmw.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" vcmnxryrfmw.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" uaquacs.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vcmnxryrfmw.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer uaquacs.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer uaquacs.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer vcmnxryrfmw.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vcmnxryrfmw.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" uaquacs.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" uaquacs.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" uaquacs.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vcmnxryrfmw.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System uaquacs.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" uaquacs.exe
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b45ce61349c8fd0044f2bf10ac4d34b4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b45ce61349c8fd0044f2bf10ac4d34b4.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3948
    C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_b45ce61349c8fd0044f2bf10ac4d34b4.exe*"
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Hijack Execution Flow: Executable Installer File Permissions Weakness
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - System policy modification
      PID:3544
        C:\Users\Admin\AppData\Local\Temp\uaquacs.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\uaquacs.exe" "-C:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exe"
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Disables RegEdit via registry modification
          - Executes dropped EXE
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Hijack Execution Flow: Executable Installer File Permissions Weakness
          - Drops file in System32 directory
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - System policy modification
          PID:2152
        C:\Users\Admin\AppData\Local\Temp\uaquacs.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\uaquacs.exe" "-C:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exe"
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Disables RegEdit via registry modification
          - Executes dropped EXE
          - Impair Defenses: Safe Mode Boot
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Hijack Execution Flow: Executable Installer File Permissions Weakness
          - Drops file in System32 directory
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - System policy modification
          PID:5672

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c aqqeuggogerhoeerq.exe
  - Suspicious use of WriteProcessMemory
  PID:4584
    C:\Windows\aqqeuggogerhoeerq.exe
      Command line: aqqeuggogerhoeerq.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID:4204

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c umoewkmwqqfxgyapqfx.exe .
  - Suspicious use of WriteProcessMemory
  PID:1296
    C:\Windows\umoewkmwqqfxgyapqfx.exe
      Command line: umoewkmwqqfxgyapqfx.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:3324
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\umoewkmwqqfxgyapqfx.exe*."
          - Executes dropped EXE
          PID:5088

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c tihujutaroapvkjv.exe
  - Suspicious use of WriteProcessMemory
  PID:4940
    C:\Windows\tihujutaroapvkjv.exe
      Command line: tihujutaroapvkjv.exe
      - Executes dropped EXE
      PID:3536

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c wqumgwamikbvgaevypjnf.exe .
  - Suspicious use of WriteProcessMemory
  PID:4880
    C:\Windows\wqumgwamikbvgaevypjnf.exe
      Command line: wqumgwamikbvgaevypjnf.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:3336
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\wqumgwamikbvgaevypjnf.exe*."
          - Executes dropped EXE
          PID:4828

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe
  - Suspicious use of WriteProcessMemory
  PID:1104
    C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID:5304

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe .
  - Suspicious use of WriteProcessMemory
  PID:4472
    C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:3176
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\umoewkmwqqfxgyapqfx.exe*."
          - Executes dropped EXE
          PID:1228

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqumgwamikbvgaevypjnf.exe
  - Suspicious use of WriteProcessMemory
  PID:1212
    C:\Users\Admin\AppData\Local\Temp\wqumgwamikbvgaevypjnf.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\wqumgwamikbvgaevypjnf.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID:1548

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe .
  - Suspicious use of WriteProcessMemory
  PID:5568
    C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID:1328
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\umoewkmwqqfxgyapqfx.exe*."
          - Executes dropped EXE
          PID:436

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c aqqeuggogerhoeerq.exe
  - Suspicious use of WriteProcessMemory
  PID:2008
    C:\Windows\aqqeuggogerhoeerq.exe
      Command line: aqqeuggogerhoeerq.exe
      - Executes dropped EXE
      PID:6132

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c wqumgwamikbvgaevypjnf.exe
  - Suspicious use of WriteProcessMemory
  PID:3448
    C:\Windows\wqumgwamikbvgaevypjnf.exe
      Command line: wqumgwamikbvgaevypjnf.exe
      - Executes dropped EXE
      PID:1728

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c tihujutaroapvkjv.exe .
  - Suspicious use of WriteProcessMemory
  PID:704
    C:\Windows\tihujutaroapvkjv.exe
      Command line: tihujutaroapvkjv.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:5644
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\tihujutaroapvkjv.exe*."
          - Executes dropped EXE
          PID:220

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c aqqeuggogerhoeerq.exe .
  - Suspicious use of WriteProcessMemory
  PID:6024
    C:\Windows\aqqeuggogerhoeerq.exe
      Command line: aqqeuggogerhoeerq.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:5480
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\aqqeuggogerhoeerq.exe*."
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Executes dropped EXE
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in System32 directory
          - Drops file in Windows directory
          - System policy modification
          PID:1692

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c wqumgwamikbvgaevypjnf.exe
  PID:4200
    C:\Windows\wqumgwamikbvgaevypjnf.exe
      Command line: wqumgwamikbvgaevypjnf.exe
      - Executes dropped EXE
      PID:4612

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c haduncfqlmcvfybrtjcf.exe
  - Suspicious use of WriteProcessMemory
  PID:2064
    C:\Windows\haduncfqlmcvfybrtjcf.exe
      Command line: haduncfqlmcvfybrtjcf.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID:3416

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c umoewkmwqqfxgyapqfx.exe .
  PID:908
    C:\Windows\umoewkmwqqfxgyapqfx.exe
      Command line: umoewkmwqqfxgyapqfx.exe .
      - Executes dropped EXE
      PID:1108
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\umoewkmwqqfxgyapqfx.exe*."
          - Executes dropped EXE
          PID:2636

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c haduncfqlmcvfybrtjcf.exe .
  PID:5148
    C:\Windows\haduncfqlmcvfybrtjcf.exe
      Command line: haduncfqlmcvfybrtjcf.exe .
      - Checks computer location settings
      - Executes dropped EXE
      PID:824
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\haduncfqlmcvfybrtjcf.exe*."
          - Executes dropped EXE
          PID:3864

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exe
  PID:5200
    C:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID:5348

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exe
  PID:3084
    C:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID:1880

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqumgwamikbvgaevypjnf.exe .
  PID:3828
    C:\Users\Admin\AppData\Local\Temp\wqumgwamikbvgaevypjnf.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\wqumgwamikbvgaevypjnf.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID:1864
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\wqumgwamikbvgaevypjnf.exe*."
          - Executes dropped EXE
          PID:1136

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe .
  PID:5364
    C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe .
      - Executes dropped EXE
      PID:4940
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\aqqeuggogerhoeerq.exe*."
          - Executes dropped EXE
          PID:2352

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exe
  PID:5116
    C:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exe
      - Executes dropped EXE
      PID:4684

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe
  PID:3876
    C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe
      - Executes dropped EXE
      PID:4856

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c wqumgwamikbvgaevypjnf.exe
  PID:5884
    C:\Windows\wqumgwamikbvgaevypjnf.exe
      Command line: wqumgwamikbvgaevypjnf.exe
      - Executes dropped EXE
      PID:2796

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exe .
  PID:3200
    C:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exe .
      - Checks computer location settings
      - Executes dropped EXE
      PID:4704
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\tihujutaroapvkjv.exe*."
          - Executes dropped EXE
          PID:2684

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe .
  PID:5304
    C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID:2816
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\aqqeuggogerhoeerq.exe*."
          - Executes dropped EXE
          PID:2452

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c tihujutaroapvkjv.exe .
  PID:1740
    C:\Windows\tihujutaroapvkjv.exe
      Command line: tihujutaroapvkjv.exe .
      - Checks computer location settings
      - Executes dropped EXE
      PID:4692
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\tihujutaroapvkjv.exe*."
          - Executes dropped EXE
          PID:4556

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c haduncfqlmcvfybrtjcf.exe
  PID:3944
    C:\Windows\haduncfqlmcvfybrtjcf.exe
      Command line: haduncfqlmcvfybrtjcf.exe
      - Executes dropped EXE
      PID:1728

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c tihujutaroapvkjv.exe .
  PID:672
    C:\Windows\tihujutaroapvkjv.exe
      Command line: tihujutaroapvkjv.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID:5508
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\tihujutaroapvkjv.exe*."
          - Executes dropped EXE
          PID:1856

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqumgwamikbvgaevypjnf.exe
  PID:1956
    C:\Users\Admin\AppData\Local\Temp\wqumgwamikbvgaevypjnf.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\wqumgwamikbvgaevypjnf.exe
      - Executes dropped EXE
      PID:3768

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe .
  PID:5696
    C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID:5384
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\aqqeuggogerhoeerq.exe*."
          - Executes dropped EXE
          PID:4792

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exe
  PID:5520
    C:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exe
      - Executes dropped EXE
      PID:4908

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe .
  PID:1412
    C:\Windows\System32\Conhost.exe
      Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      PID:3416
    C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe .
      - Checks computer location settings
      - Executes dropped EXE
      PID:4444
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\umoewkmwqqfxgyapqfx.exe*."
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Executes dropped EXE
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in System32 directory
          - Drops file in Windows directory
          - System policy modification
          PID:5060

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c jabqhuvexwkbjabppd.exe
  PID:1388
    C:\Windows\jabqhuvexwkbjabppd.exe
      Command line: jabqhuvexwkbjabppd.exe
      - Executes dropped EXE
      PID:4036

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c umoewkmwqqfxgyapqfx.exe .
  PID:3412
    C:\Windows\umoewkmwqqfxgyapqfx.exe
      Command line: umoewkmwqqfxgyapqfx.exe .
      - Checks computer location settings
      - Executes dropped EXE
      PID:5792
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\umoewkmwqqfxgyapqfx.exe*."
          - Executes dropped EXE
          PID:5784

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c aqqeuggogerhoeerq.exe
  PID:5484
    C:\Windows\aqqeuggogerhoeerq.exe
      Command line: aqqeuggogerhoeerq.exe
      - Executes dropped EXE
      PID:3128

C:\Windows\System32\mousocoreworker.exe
  Command line: C:\Windows\System32\mousocoreworker.exe -Embedding
  PID:5348

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c jabqhuvexwkbjabppd.exe .
  PID:5752
    C:\Windows\jabqhuvexwkbjabppd.exe
      Command line: jabqhuvexwkbjabppd.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID:3464
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\jabqhuvexwkbjabppd.exe*."
          - Executes dropped EXE
          PID:3852

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe
  PID:3436
    C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe
      - Executes dropped EXE
      PID:5064

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqumgwamikbvgaevypjnf.exe .
  PID:5608
    C:\Users\Admin\AppData\Local\Temp\wqumgwamikbvgaevypjnf.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\wqumgwamikbvgaevypjnf.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID:1536
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\wqumgwamikbvgaevypjnf.exe*."
          - Executes dropped EXE
          PID:6064

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c tihujutaroapvkjv.exe
  PID:1636
    C:\Windows\tihujutaroapvkjv.exe
      Command line: tihujutaroapvkjv.exe
      - Executes dropped EXE
      PID:2288

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c aqqeuggogerhoeerq.exe
  PID:1144
    C:\Windows\aqqeuggogerhoeerq.exe
      Command line: aqqeuggogerhoeerq.exe
      - Executes dropped EXE
      PID:628

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe
  PID:3912
    C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe
      - Executes dropped EXE
      PID:1968

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c haduncfqlmcvfybrtjcf.exe .
  PID:4780
    C:\Windows\haduncfqlmcvfybrtjcf.exe
      Command line: haduncfqlmcvfybrtjcf.exe .
      - Checks computer location settings
      - Executes dropped EXE
      PID:1712
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\haduncfqlmcvfybrtjcf.exe*."
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:544
-
-
-
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c umoewkmwqqfxgyapqfx.exe . | PID 1136
    C:\Windows\umoewkmwqqfxgyapqfx.exe | umoewkmwqqfxgyapqfx.exe . | PID 1068 | Checks computer location settings; System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe | "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\umoewkmwqqfxgyapqfx.exe*." | PID 4968

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe . | PID 1720
    C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe | C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe . | PID 4808 | System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe | "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\aqqeuggogerhoeerq.exe*." | PID 3192

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c aqqeuggogerhoeerq.exe | PID 6128
    C:\Windows\aqqeuggogerhoeerq.exe | aqqeuggogerhoeerq.exe | PID 5124

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c umoewkmwqqfxgyapqfx.exe | PID 5116
    C:\Windows\umoewkmwqqfxgyapqfx.exe | umoewkmwqqfxgyapqfx.exe | PID 928

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c aqqeuggogerhoeerq.exe . | PID 4488
    C:\Windows\aqqeuggogerhoeerq.exe | aqqeuggogerhoeerq.exe . | PID 2084
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe | "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\aqqeuggogerhoeerq.exe*." | PID 4976

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c umoewkmwqqfxgyapqfx.exe . | PID 5056
    C:\Windows\umoewkmwqqfxgyapqfx.exe | umoewkmwqqfxgyapqfx.exe . | PID 4504 | Checks computer location settings
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe | "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\umoewkmwqqfxgyapqfx.exe*." | PID 4728

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe | PID 5660
    C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe | C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe | PID 4924

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqumgwamikbvgaevypjnf.exe | PID 2684
    C:\Users\Admin\AppData\Local\Temp\wqumgwamikbvgaevypjnf.exe | C:\Users\Admin\AppData\Local\Temp\wqumgwamikbvgaevypjnf.exe | PID 5804

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exe . | PID 3544
    C:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exe | C:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exe . | PID 5636
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe | "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\haduncfqlmcvfybrtjcf.exe*." | PID 5784

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe . | PID 4348
    C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe | C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe . | PID 680 | Checks computer location settings
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe | "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\jabqhuvexwkbjabppd.exe*." | PID 4844

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqumgwamikbvgaevypjnf.exe | PID 4708
    C:\Users\Admin\AppData\Local\Temp\wqumgwamikbvgaevypjnf.exe | C:\Users\Admin\AppData\Local\Temp\wqumgwamikbvgaevypjnf.exe | PID 2200

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exe | PID 5844
    C:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exe | C:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exe | PID 4396

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exe . | PID 3692
    C:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exe | C:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exe . | PID 4428 | Checks computer location settings; System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe | "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\haduncfqlmcvfybrtjcf.exe*." | PID 4492

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe . | PID 1460
    C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe | C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe . | PID 5792
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe | "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\umoewkmwqqfxgyapqfx.exe*." | PID 1224

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c haduncfqlmcvfybrtjcf.exe | PID 5732
    C:\Windows\haduncfqlmcvfybrtjcf.exe | haduncfqlmcvfybrtjcf.exe | PID 4416

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c haduncfqlmcvfybrtjcf.exe . | PID 5440
    C:\Windows\haduncfqlmcvfybrtjcf.exe | haduncfqlmcvfybrtjcf.exe . | PID 1448
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe | "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\haduncfqlmcvfybrtjcf.exe*." | PID 3436

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tihujutaroapvkjv.exe | PID 3128
    C:\Windows\tihujutaroapvkjv.exe | tihujutaroapvkjv.exe | PID 956

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c umoewkmwqqfxgyapqfx.exe . | PID 3852
    C:\Windows\umoewkmwqqfxgyapqfx.exe | umoewkmwqqfxgyapqfx.exe . | PID 6080 | Checks computer location settings
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe | "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\umoewkmwqqfxgyapqfx.exe*." | PID 2352
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe | PID 5912
    C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe | C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe | PID 2796

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe . | PID 604
    C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe | C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe . | PID 4684 | Checks computer location settings; System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe | "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\aqqeuggogerhoeerq.exe*." | PID 1940

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exe | PID 5080
    C:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exe | C:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exe | PID 5888

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe . | PID 1104
    C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe | C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe . | PID 3824 | Checks computer location settings
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe | "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\umoewkmwqqfxgyapqfx.exe*." | PID 4828 | Modifies WinLogon for persistence; UAC bypass; Adds policy Run key to start application; Adds Run key to start application; Checks whether UAC is enabled; Drops file in System32 directory; Drops file in Windows directory; System policy modification

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c aqqeuggogerhoeerq.exe | PID 772
    C:\Windows\aqqeuggogerhoeerq.exe | aqqeuggogerhoeerq.exe | PID 4316

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c jabqhuvexwkbjabppd.exe . | PID 5012
    C:\Windows\jabqhuvexwkbjabppd.exe | jabqhuvexwkbjabppd.exe . | PID 4360 | Checks computer location settings; System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe | "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\jabqhuvexwkbjabppd.exe*." | PID 4924

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c jabqhuvexwkbjabppd.exe | PID 4908
    C:\Windows\jabqhuvexwkbjabppd.exe | jabqhuvexwkbjabppd.exe | PID 2592

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c jabqhuvexwkbjabppd.exe . | PID 3684
    C:\Windows\jabqhuvexwkbjabppd.exe | jabqhuvexwkbjabppd.exe . | PID 4664 | System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe | "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\jabqhuvexwkbjabppd.exe*." | PID 5560

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe | PID 5712
    C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe | C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe | PID 6132

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe . | PID 2744
    C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe | C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe . | PID 4728 | Checks computer location settings; System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe | "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\aqqeuggogerhoeerq.exe*." | PID 1388

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqumgwamikbvgaevypjnf.exe | PID 836
    C:\Users\Admin\AppData\Local\Temp\wqumgwamikbvgaevypjnf.exe | C:\Users\Admin\AppData\Local\Temp\wqumgwamikbvgaevypjnf.exe | PID 4708

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exe . | PID 1020
    C:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exe | C:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exe . | PID 4272 | Checks computer location settings
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe | "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\tihujutaroapvkjv.exe*." | PID 4228 | Modifies WinLogon for persistence; UAC bypass; Adds policy Run key to start application; Adds Run key to start application; Checks whether UAC is enabled; Drops file in System32 directory; Drops file in Windows directory; System policy modification

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c umoewkmwqqfxgyapqfx.exe | PID 3060
    C:\Windows\umoewkmwqqfxgyapqfx.exe | umoewkmwqqfxgyapqfx.exe | PID 5864

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c jabqhuvexwkbjabppd.exe . | PID 1992
    C:\Windows\jabqhuvexwkbjabppd.exe | jabqhuvexwkbjabppd.exe . | PID 5396 | Checks computer location settings
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe | "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\jabqhuvexwkbjabppd.exe*." | PID 4452

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c jabqhuvexwkbjabppd.exe | PID 5512
    C:\Windows\jabqhuvexwkbjabppd.exe | jabqhuvexwkbjabppd.exe | PID 2736

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c haduncfqlmcvfybrtjcf.exe . | PID 3432
    C:\Windows\haduncfqlmcvfybrtjcf.exe | haduncfqlmcvfybrtjcf.exe . | PID 5484 | Checks computer location settings; System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe | "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\haduncfqlmcvfybrtjcf.exe*." | PID 1460
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe | PID 3464
    C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe | C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe | PID 956

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe . | PID 2032
    C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe | C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe . | PID 1140
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe | "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\aqqeuggogerhoeerq.exe*." | PID 5104

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe | PID 4044
    C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe | C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe | PID 1064

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exe . | PID 5028
    C:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exe | C:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exe . | PID 3228 | Checks computer location settings
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe | "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\tihujutaroapvkjv.exe*." | PID 5912 | Modifies WinLogon for persistence; UAC bypass; Adds policy Run key to start application; Adds Run key to start application; Checks whether UAC is enabled; Drops file in System32 directory; Drops file in Windows directory; System policy modification

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wqumgwamikbvgaevypjnf.exe | PID 2956
    C:\Windows\wqumgwamikbvgaevypjnf.exe | wqumgwamikbvgaevypjnf.exe | PID 4856

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c haduncfqlmcvfybrtjcf.exe . | PID 1940
    C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 2636
    C:\Windows\haduncfqlmcvfybrtjcf.exe | haduncfqlmcvfybrtjcf.exe . | PID 4312 | System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe | "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\haduncfqlmcvfybrtjcf.exe*." | PID 2648

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wqumgwamikbvgaevypjnf.exe | PID 736
    C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 5060
    C:\Windows\wqumgwamikbvgaevypjnf.exe | wqumgwamikbvgaevypjnf.exe | PID 4964

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tihujutaroapvkjv.exe . | PID 4548
    C:\Windows\tihujutaroapvkjv.exe | tihujutaroapvkjv.exe . | PID 3448 | Checks computer location settings; System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe | "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\tihujutaroapvkjv.exe*." | PID 5048

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqumgwamikbvgaevypjnf.exe | PID 5408
    C:\Users\Admin\AppData\Local\Temp\wqumgwamikbvgaevypjnf.exe | C:\Users\Admin\AppData\Local\Temp\wqumgwamikbvgaevypjnf.exe | PID 4880

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqumgwamikbvgaevypjnf.exe . | PID 992
    C:\Users\Admin\AppData\Local\Temp\wqumgwamikbvgaevypjnf.exe | C:\Users\Admin\AppData\Local\Temp\wqumgwamikbvgaevypjnf.exe . | PID 5540 | Checks computer location settings; System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe | "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\wqumgwamikbvgaevypjnf.exe*." | PID 3056

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe | PID 5488
    C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe | C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe | PID 4836

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe . | PID 5148
    C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe | C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe . | PID 4328
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe | "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\umoewkmwqqfxgyapqfx.exe*." | PID 6120 | Modifies WinLogon for persistence; UAC bypass; Adds policy Run key to start application; Adds Run key to start application; Checks whether UAC is enabled; Drops file in System32 directory; Drops file in Windows directory

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c haduncfqlmcvfybrtjcf.exe | PID 4908
    C:\Windows\haduncfqlmcvfybrtjcf.exe | haduncfqlmcvfybrtjcf.exe | PID 2224

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c haduncfqlmcvfybrtjcf.exe . | PID 2848
    C:\Windows\haduncfqlmcvfybrtjcf.exe | haduncfqlmcvfybrtjcf.exe . | PID 2024 | Checks computer location settings
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe | "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\haduncfqlmcvfybrtjcf.exe*." | PID 660

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c haduncfqlmcvfybrtjcf.exe | PID 372
    C:\Windows\haduncfqlmcvfybrtjcf.exe | haduncfqlmcvfybrtjcf.exe | PID 3188

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c umoewkmwqqfxgyapqfx.exe . | PID 4512
    C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 4504
    C:\Windows\umoewkmwqqfxgyapqfx.exe | umoewkmwqqfxgyapqfx.exe . | PID 4368 | Checks computer location settings
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe | "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\umoewkmwqqfxgyapqfx.exe*." | PID 5460
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe | PID 1052
    C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe | C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe | PID 4912

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe . | PID 2064
    C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe | C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe . | PID 2272
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe | "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\umoewkmwqqfxgyapqfx.exe*." | PID 1676

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqumgwamikbvgaevypjnf.exe | PID 5056
    C:\Users\Admin\AppData\Local\Temp\wqumgwamikbvgaevypjnf.exe | C:\Users\Admin\AppData\Local\Temp\wqumgwamikbvgaevypjnf.exe | PID 4348

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe . | PID 1880
    C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe | C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe . | PID 5064 | Checks computer location settings
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe | "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\umoewkmwqqfxgyapqfx.exe*." | PID 5844 | Modifies WinLogon for persistence; UAC bypass; Adds policy Run key to start application; Adds Run key to start application; Checks whether UAC is enabled; Drops file in System32 directory; Drops file in Windows directory; System policy modification

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c umoewkmwqqfxgyapqfx.exe | PID 2812
    C:\Windows\umoewkmwqqfxgyapqfx.exe | umoewkmwqqfxgyapqfx.exe | PID 4284

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wqumgwamikbvgaevypjnf.exe . | PID 3528
    C:\Windows\wqumgwamikbvgaevypjnf.exe | wqumgwamikbvgaevypjnf.exe . | PID 4492 | Checks computer location settings; System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe | "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\wqumgwamikbvgaevypjnf.exe*." | PID 1684

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c umoewkmwqqfxgyapqfx.exe | PID 4324
    C:\Windows\umoewkmwqqfxgyapqfx.exe | umoewkmwqqfxgyapqfx.exe | PID 4980

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c aqqeuggogerhoeerq.exe . | PID 2364
    C:\Windows\aqqeuggogerhoeerq.exe | aqqeuggogerhoeerq.exe . | PID 3588 | Checks computer location settings
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe | "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\aqqeuggogerhoeerq.exe*." | PID 5956

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe | PID 5104
    C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe | C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe | PID 5016

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe . | PID 5944
    C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe | C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe . | PID 1916
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe | "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\jabqhuvexwkbjabppd.exe*." | PID 3864

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe | PID 4048
    C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 4684
    C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe | C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe | PID 2956

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exe . | PID 3128
    C:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exe | C:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exe . | PID 5080
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe | "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\haduncfqlmcvfybrtjcf.exe*." | PID 2212 | Modifies WinLogon for persistence; UAC bypass; Adds policy Run key to start application; Adds Run key to start application; Checks whether UAC is enabled; Drops file in System32 directory; Drops file in Windows directory; System policy modification

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tihujutaroapvkjv.exe | PID 4988
    C:\Windows\tihujutaroapvkjv.exe | tihujutaroapvkjv.exe | PID 2452

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tihujutaroapvkjv.exe | PID 2388
    C:\Windows\tihujutaroapvkjv.exe | tihujutaroapvkjv.exe | PID 4460

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c haduncfqlmcvfybrtjcf.exe | PID 2328
    C:\Windows\haduncfqlmcvfybrtjcf.exe | haduncfqlmcvfybrtjcf.exe | PID 3824

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c aqqeuggogerhoeerq.exe . | PID 4808
    C:\Windows\aqqeuggogerhoeerq.exe | aqqeuggogerhoeerq.exe . | PID 4392 | Checks computer location settings; System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe | "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\aqqeuggogerhoeerq.exe*." | PID 2732

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wqumgwamikbvgaevypjnf.exe . | PID 4748
    C:\Windows\wqumgwamikbvgaevypjnf.exe | wqumgwamikbvgaevypjnf.exe . | PID 1852 | Checks computer location settings
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe | "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\wqumgwamikbvgaevypjnf.exe*." | PID 1740

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c aqqeuggogerhoeerq.exe . | PID 3344
    C:\Windows\aqqeuggogerhoeerq.exe | aqqeuggogerhoeerq.exe . | PID 3440 | Checks computer location settings; System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe | "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\aqqeuggogerhoeerq.exe*." | PID 5712
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c haduncfqlmcvfybrtjcf.exe | PID 4648
    C:\Windows\haduncfqlmcvfybrtjcf.exe | haduncfqlmcvfybrtjcf.exe | PID 3096

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c haduncfqlmcvfybrtjcf.exe | PID 2608
    C:\Windows\haduncfqlmcvfybrtjcf.exe | haduncfqlmcvfybrtjcf.exe | PID 5000

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c umoewkmwqqfxgyapqfx.exe | PID 208
    C:\Windows\umoewkmwqqfxgyapqfx.exe | umoewkmwqqfxgyapqfx.exe | PID 4348

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c haduncfqlmcvfybrtjcf.exe . | PID 1036
    C:\Windows\haduncfqlmcvfybrtjcf.exe | haduncfqlmcvfybrtjcf.exe . | PID 4768 | Checks computer location settings; System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe | "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\haduncfqlmcvfybrtjcf.exe*." | PID 2080

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c umoewkmwqqfxgyapqfx.exe . | PID 3068
    C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 4728
    C:\Windows\umoewkmwqqfxgyapqfx.exe | umoewkmwqqfxgyapqfx.exe . | PID 5396 | Checks computer location settings; System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe | "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\umoewkmwqqfxgyapqfx.exe*." | PID 3692 | Modifies WinLogon for persistence; UAC bypass; Adds policy Run key to start application; Adds Run key to start application; Checks whether UAC is enabled; Drops file in System32 directory; Drops file in Windows directory; System policy modification

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c haduncfqlmcvfybrtjcf.exe . | PID 4384
    C:\Windows\haduncfqlmcvfybrtjcf.exe | haduncfqlmcvfybrtjcf.exe . | PID 5552 | System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe | "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\haduncfqlmcvfybrtjcf.exe*." | PID 5236

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe | PID 3320
    C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe | C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe | PID 5512

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exe | PID 2684
    C:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exe | C:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exe | PID 1712

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe | PID 4032
    C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe | C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe | PID 5792

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe . | PID 3756
    C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe | C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe . | PID 3548 | Checks computer location settings; System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe | "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\jabqhuvexwkbjabppd.exe*." | PID 6016

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe . | PID 1184
    C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe | C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe . | PID 5016 | Checks computer location settings
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe | "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\umoewkmwqqfxgyapqfx.exe*." | PID 4944

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe . | PID 2984
    C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe | C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe . | PID 5100 | Checks computer location settings
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe | "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\aqqeuggogerhoeerq.exe*." | PID 1108

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exe | PID 1540
    C:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exe | C:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exe | PID 3448

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe | PID 3060
    C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe | C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe | PID 1916

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe | PID 3952
    C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe | C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe | PID 4248

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe . | PID 2808
    C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe | C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe . | PID 1536 | Checks computer location settings; System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe | "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\aqqeuggogerhoeerq.exe*." | PID 2972

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exe . | PID 3584
    C:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exe | C:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exe . | PID 1312 | Checks computer location settings; System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe | "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\tihujutaroapvkjv.exe*." | PID 5812

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe . | PID 184
    C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe | C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe . | PID 5180 | Checks computer location settings; System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe | "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\jabqhuvexwkbjabppd.exe*." | PID 3996

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tihujutaroapvkjv.exe | PID 3916
    C:\Windows\tihujutaroapvkjv.exe | tihujutaroapvkjv.exe | PID 3144

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c haduncfqlmcvfybrtjcf.exe . | PID 3828
    C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 1968
    C:\Windows\haduncfqlmcvfybrtjcf.exe | haduncfqlmcvfybrtjcf.exe . | PID 2348 | Checks computer location settings
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe | "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\haduncfqlmcvfybrtjcf.exe*." | PID 5024

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tihujutaroapvkjv.exe | PID 3192
    C:\Windows\tihujutaroapvkjv.exe | tihujutaroapvkjv.exe | PID 1124

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c aqqeuggogerhoeerq.exe . | PID 5848
    C:\Windows\aqqeuggogerhoeerq.exe | aqqeuggogerhoeerq.exe . | PID 4268 | System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe | "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\aqqeuggogerhoeerq.exe*." | PID 5384

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe | PID 4436
    C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe | C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe | PID 3876

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe . | PID 3872
    C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe | C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe . | PID 5712
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\aqqeuggogerhoeerq.exe*."3⤵PID:6140
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqumgwamikbvgaevypjnf.exe1⤵PID:4360
-
C:\Users\Admin\AppData\Local\Temp\wqumgwamikbvgaevypjnf.exeC:\Users\Admin\AppData\Local\Temp\wqumgwamikbvgaevypjnf.exe2⤵PID:1068
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe .1⤵PID:3120
-
C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exeC:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2508 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\jabqhuvexwkbjabppd.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4648
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c haduncfqlmcvfybrtjcf.exe1⤵PID:5568
-
C:\Windows\haduncfqlmcvfybrtjcf.exehaduncfqlmcvfybrtjcf.exe2⤵PID:5908
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wqumgwamikbvgaevypjnf.exe .1⤵PID:1844
-
C:\Windows\wqumgwamikbvgaevypjnf.exewqumgwamikbvgaevypjnf.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3544 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\wqumgwamikbvgaevypjnf.exe*."3⤵PID:4720
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wqumgwamikbvgaevypjnf.exe1⤵PID:4472
-
C:\Windows\wqumgwamikbvgaevypjnf.exewqumgwamikbvgaevypjnf.exe2⤵PID:2364
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wqumgwamikbvgaevypjnf.exe .1⤵PID:4788
-
C:\Windows\wqumgwamikbvgaevypjnf.exewqumgwamikbvgaevypjnf.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4908 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\wqumgwamikbvgaevypjnf.exe*."3⤵PID:2032
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe1⤵PID:5640
-
C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exeC:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe2⤵PID:1916
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe .1⤵PID:740
-
C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exeC:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1516 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\aqqeuggogerhoeerq.exe*."3⤵PID:6068
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe1⤵PID:4972
-
C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exeC:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe2⤵PID:3768
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exe .1⤵PID:824
-
C:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exeC:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exe .2⤵
- Checks computer location settings
PID:4048 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\haduncfqlmcvfybrtjcf.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1184
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wqumgwamikbvgaevypjnf.exe1⤵PID:5872
-
C:\Windows\wqumgwamikbvgaevypjnf.exewqumgwamikbvgaevypjnf.exe2⤵PID:704
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqqeuggogerhoeerq.exe .1⤵PID:1940
-
C:\Windows\aqqeuggogerhoeerq.exeaqqeuggogerhoeerq.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3568 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\aqqeuggogerhoeerq.exe*."3⤵PID:3172
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wqumgwamikbvgaevypjnf.exe1⤵PID:2336
-
C:\Windows\wqumgwamikbvgaevypjnf.exewqumgwamikbvgaevypjnf.exe2⤵PID:1712
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wqumgwamikbvgaevypjnf.exe .1⤵PID:4936
-
C:\Windows\wqumgwamikbvgaevypjnf.exewqumgwamikbvgaevypjnf.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4992 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\wqumgwamikbvgaevypjnf.exe*."3⤵PID:4876
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe1⤵PID:5616
-
C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exeC:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe2⤵PID:4880
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqumgwamikbvgaevypjnf.exe .1⤵PID:2388
-
C:\Users\Admin\AppData\Local\Temp\wqumgwamikbvgaevypjnf.exeC:\Users\Admin\AppData\Local\Temp\wqumgwamikbvgaevypjnf.exe .2⤵
- Checks computer location settings
PID:4712 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\wqumgwamikbvgaevypjnf.exe*."3⤵PID:5060
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqumgwamikbvgaevypjnf.exe1⤵PID:3940
-
C:\Users\Admin\AppData\Local\Temp\wqumgwamikbvgaevypjnf.exeC:\Users\Admin\AppData\Local\Temp\wqumgwamikbvgaevypjnf.exe2⤵PID:3876
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe .1⤵PID:3200
-
C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exeC:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4392 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\aqqeuggogerhoeerq.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5912
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqqeuggogerhoeerq.exe1⤵PID:4836
-
C:\Windows\aqqeuggogerhoeerq.exeaqqeuggogerhoeerq.exe2⤵PID:3872
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c umoewkmwqqfxgyapqfx.exe .1⤵PID:4596
-
C:\Windows\umoewkmwqqfxgyapqfx.exeumoewkmwqqfxgyapqfx.exe .2⤵
- Checks computer location settings
PID:2744 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\umoewkmwqqfxgyapqfx.exe*."3⤵PID:5788
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wqumgwamikbvgaevypjnf.exe1⤵PID:232
-
C:\Windows\wqumgwamikbvgaevypjnf.exewqumgwamikbvgaevypjnf.exe2⤵PID:2508
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c umoewkmwqqfxgyapqfx.exe .1⤵PID:3132
-
C:\Windows\umoewkmwqqfxgyapqfx.exeumoewkmwqqfxgyapqfx.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5456 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\umoewkmwqqfxgyapqfx.exe*."3⤵PID:4032
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exe1⤵PID:5792
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4428
-
-
C:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exeC:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exe2⤵PID:3356
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe .1⤵PID:1684
-
C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exeC:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:968 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\jabqhuvexwkbjabppd.exe*."3⤵PID:920
-
-
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵PID:3544
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe1⤵PID:4492
-
C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exeC:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe2⤵PID:5364
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe .1⤵PID:5036
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:6080
-
-
C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exeC:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe .2⤵PID:1868
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\jabqhuvexwkbjabppd.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2100
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c haduncfqlmcvfybrtjcf.exe1⤵PID:5660
-
C:\Windows\haduncfqlmcvfybrtjcf.exehaduncfqlmcvfybrtjcf.exe2⤵PID:2956
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqqeuggogerhoeerq.exe .1⤵PID:5740
-
C:\Windows\aqqeuggogerhoeerq.exeaqqeuggogerhoeerq.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4900 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\aqqeuggogerhoeerq.exe*."3⤵PID:5852
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tihujutaroapvkjv.exe1⤵PID:3732
-
C:\Windows\tihujutaroapvkjv.exetihujutaroapvkjv.exe2⤵PID:5460
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqqeuggogerhoeerq.exe .1⤵PID:5440
-
C:\Windows\aqqeuggogerhoeerq.exeaqqeuggogerhoeerq.exe .2⤵PID:4672
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\aqqeuggogerhoeerq.exe*."3⤵PID:5872
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe1⤵PID:3864
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1536
-
-
C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exeC:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe2⤵PID:2816
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe .1⤵PID:5956
-
C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exeC:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1540 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\umoewkmwqqfxgyapqfx.exe*."3⤵PID:2980
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exe1⤵PID:2012
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1940
-
-
C:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exeC:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exe2⤵PID:5932
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe .1⤵PID:4280
-
C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exeC:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4388 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\jabqhuvexwkbjabppd.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5392
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c umoewkmwqqfxgyapqfx.exe1⤵PID:6072
-
C:\Windows\umoewkmwqqfxgyapqfx.exeumoewkmwqqfxgyapqfx.exe2⤵PID:4932
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wqumgwamikbvgaevypjnf.exe .1⤵PID:1124
-
C:\Windows\wqumgwamikbvgaevypjnf.exewqumgwamikbvgaevypjnf.exe .2⤵PID:4436
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\wqumgwamikbvgaevypjnf.exe*."3⤵PID:2228
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqqeuggogerhoeerq.exe1⤵PID:3200
-
C:\Windows\aqqeuggogerhoeerq.exeaqqeuggogerhoeerq.exe2⤵PID:4748
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqqeuggogerhoeerq.exe .1⤵PID:4544
-
C:\Windows\aqqeuggogerhoeerq.exeaqqeuggogerhoeerq.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4360 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\aqqeuggogerhoeerq.exe*."3⤵PID:6036
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe1⤵PID:4836
-
C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exeC:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe2⤵PID:2532
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe .1⤵PID:5000
-
C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exeC:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4888 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\jabqhuvexwkbjabppd.exe*."3⤵PID:3936
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exe1⤵PID:3668
-
C:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exeC:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exe2⤵PID:4276
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exe .1⤵PID:992
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4348
-
-
C:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exeC:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1224 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\haduncfqlmcvfybrtjcf.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2248
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jabqhuvexwkbjabppd.exe1⤵PID:1844
-
C:\Windows\jabqhuvexwkbjabppd.exejabqhuvexwkbjabppd.exe2⤵PID:4500
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c haduncfqlmcvfybrtjcf.exe1⤵PID:4492
-
C:\Windows\haduncfqlmcvfybrtjcf.exehaduncfqlmcvfybrtjcf.exe2⤵PID:4656
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jabqhuvexwkbjabppd.exe1⤵PID:1064
-
C:\Windows\jabqhuvexwkbjabppd.exejabqhuvexwkbjabppd.exe2⤵PID:3188
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jabqhuvexwkbjabppd.exe .1⤵PID:5996
-
C:\Windows\jabqhuvexwkbjabppd.exejabqhuvexwkbjabppd.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4200 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\jabqhuvexwkbjabppd.exe*."3⤵PID:3448
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wqumgwamikbvgaevypjnf.exe .1⤵PID:5608
-
C:\Windows\wqumgwamikbvgaevypjnf.exewqumgwamikbvgaevypjnf.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4412 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\wqumgwamikbvgaevypjnf.exe*."3⤵PID:1956
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jabqhuvexwkbjabppd.exe .1⤵PID:4864
-
C:\Windows\jabqhuvexwkbjabppd.exejabqhuvexwkbjabppd.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:6120 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\jabqhuvexwkbjabppd.exe*."3⤵PID:3584
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tihujutaroapvkjv.exe1⤵PID:2796
-
C:\Windows\tihujutaroapvkjv.exetihujutaroapvkjv.exe2⤵PID:1968
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wqumgwamikbvgaevypjnf.exe1⤵PID:1656
-
C:\Windows\wqumgwamikbvgaevypjnf.exewqumgwamikbvgaevypjnf.exe2⤵PID:3940
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqqeuggogerhoeerq.exe1⤵PID:5744
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2816
-
-
C:\Windows\aqqeuggogerhoeerq.exeaqqeuggogerhoeerq.exe2⤵PID:5832
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tihujutaroapvkjv.exe .1⤵PID:1644
-
C:\Windows\tihujutaroapvkjv.exetihujutaroapvkjv.exe .2⤵
- Checks computer location settings
PID:400 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\tihujutaroapvkjv.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4364
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tihujutaroapvkjv.exe .1⤵PID:4312
-
C:\Windows\tihujutaroapvkjv.exetihujutaroapvkjv.exe .2⤵PID:6132
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\tihujutaroapvkjv.exe*."3⤵PID:4276
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jabqhuvexwkbjabppd.exe .1⤵PID:3796
-
C:\Windows\jabqhuvexwkbjabppd.exejabqhuvexwkbjabppd.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4848 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\jabqhuvexwkbjabppd.exe*."3⤵PID:3068
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe1⤵PID:5592
-
C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exeC:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe2⤵PID:4484
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exe1⤵PID:3436
-
C:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exeC:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exe2⤵PID:4828
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exe1⤵PID:1720
-
C:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exeC:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exe2⤵PID:6032
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exe .1⤵PID:4992
-
C:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exeC:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exe .2⤵
- Checks computer location settings
PID:5512 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\haduncfqlmcvfybrtjcf.exe*."3⤵PID:1448
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exe .1⤵PID:2684
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4460
-
-
C:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exeC:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4888 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\haduncfqlmcvfybrtjcf.exe*."3⤵PID:5800
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exe .1⤵PID:4388
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2452
-
-
C:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exeC:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exe .2⤵
- Checks computer location settings
PID:5456 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\haduncfqlmcvfybrtjcf.exe*."3⤵PID:3980
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe1⤵PID:3876
-
C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exeC:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe2⤵PID:1676
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exe1⤵PID:3192
-
C:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exeC:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exe2⤵PID:4104
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqumgwamikbvgaevypjnf.exe1⤵PID:116
-
C:\Users\Admin\AppData\Local\Temp\wqumgwamikbvgaevypjnf.exeC:\Users\Admin\AppData\Local\Temp\wqumgwamikbvgaevypjnf.exe2⤵PID:3368
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe .1⤵PID:5540
-
C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exeC:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2976 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\jabqhuvexwkbjabppd.exe*."3⤵PID:1972
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exe .1⤵PID:5464
-
C:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exeC:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exe .2⤵
- Checks computer location settings
PID:5100 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\haduncfqlmcvfybrtjcf.exe*."3⤵PID:5992
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqumgwamikbvgaevypjnf.exe .1⤵PID:4764
-
C:\Users\Admin\AppData\Local\Temp\wqumgwamikbvgaevypjnf.exeC:\Users\Admin\AppData\Local\Temp\wqumgwamikbvgaevypjnf.exe .2⤵PID:5568
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\wqumgwamikbvgaevypjnf.exe*."3⤵PID:2872
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jabqhuvexwkbjabppd.exe1⤵PID:1864
-
C:\Windows\jabqhuvexwkbjabppd.exejabqhuvexwkbjabppd.exe2⤵PID:1388
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jabqhuvexwkbjabppd.exe .1⤵PID:3548
-
C:\Windows\jabqhuvexwkbjabppd.exejabqhuvexwkbjabppd.exe .2⤵PID:4648
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\jabqhuvexwkbjabppd.exe*."3⤵PID:1460
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c umoewkmwqqfxgyapqfx.exe1⤵PID:2164
-
C:\Windows\umoewkmwqqfxgyapqfx.exeumoewkmwqqfxgyapqfx.exe2⤵PID:1036
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jabqhuvexwkbjabppd.exe .1⤵PID:3688
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4396
-
-
C:\Windows\jabqhuvexwkbjabppd.exejabqhuvexwkbjabppd.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3136 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\jabqhuvexwkbjabppd.exe*."3⤵PID:3728
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exe1⤵PID:2804
-
C:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exeC:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exe2⤵PID:3584
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe .1⤵PID:4928
-
C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exeC:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe .2⤵PID:6032
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\jabqhuvexwkbjabppd.exe*."3⤵PID:5028
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe1⤵PID:1880
-
C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exeC:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe2⤵PID:2364
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe .1⤵PID:1368
-
C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exeC:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe .2⤵PID:4644
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\jabqhuvexwkbjabppd.exe*."3⤵PID:928
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jabqhuvexwkbjabppd.exe1⤵PID:5064
-
C:\Windows\jabqhuvexwkbjabppd.exejabqhuvexwkbjabppd.exe2⤵PID:6064
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tihujutaroapvkjv.exe .1⤵PID:3096
-
C:\Windows\tihujutaroapvkjv.exetihujutaroapvkjv.exe .2⤵PID:3716
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\tihujutaroapvkjv.exe*."3⤵PID:4472
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqqeuggogerhoeerq.exe1⤵PID:5692
-
C:\Windows\aqqeuggogerhoeerq.exeaqqeuggogerhoeerq.exe2⤵PID:5932
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wqumgwamikbvgaevypjnf.exe .1⤵PID:460
-
C:\Windows\wqumgwamikbvgaevypjnf.exewqumgwamikbvgaevypjnf.exe .2⤵PID:3192
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\wqumgwamikbvgaevypjnf.exe*."3⤵PID:2732
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqumgwamikbvgaevypjnf.exe1⤵PID:4488
-
    PID 1712  C:\Users\Admin\AppData\Local\Temp\wqumgwamikbvgaevypjnf.exe  |  C:\Users\Admin\AppData\Local\Temp\wqumgwamikbvgaevypjnf.exe

PID 4000  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exe .
    PID 3852  C:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exe  |  C:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exe .
        PID 4880  C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe  |  "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\haduncfqlmcvfybrtjcf.exe*."

PID 5200  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe
    PID 2352  C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID 5172  C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe  |  C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe

PID 4444  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe .
    PID 4492  C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe  |  C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe .
        PID 5508  C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe  |  "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\jabqhuvexwkbjabppd.exe*."

PID 3364  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c haduncfqlmcvfybrtjcf.exe
    PID 5912  C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID 3160  C:\Windows\haduncfqlmcvfybrtjcf.exe  |  haduncfqlmcvfybrtjcf.exe

PID 5036  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c tihujutaroapvkjv.exe .
    PID 5104  C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID 5452  C:\Windows\tihujutaroapvkjv.exe  |  tihujutaroapvkjv.exe .
        PID 3200  C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe  |  "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\tihujutaroapvkjv.exe*."

PID 4828  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c aqqeuggogerhoeerq.exe
    PID 6024  C:\Windows\aqqeuggogerhoeerq.exe  |  aqqeuggogerhoeerq.exe

PID 2888  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c jabqhuvexwkbjabppd.exe .
    PID 3568  C:\Windows\jabqhuvexwkbjabppd.exe  |  jabqhuvexwkbjabppd.exe .
        PID 4608  C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe  |  "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\jabqhuvexwkbjabppd.exe*."

PID 3724  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exe
    PID 1956  C:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exe  |  C:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exe

PID 1460  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe .
    PID 3448  C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe  |  C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe .
        PID 5608  C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe  |  "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\jabqhuvexwkbjabppd.exe*."

PID 5660  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe
    PID 632  C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe  |  C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe

PID 5996  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe .
    PID 4396  C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe  |  C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe .
        PID 6032  C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe  |  "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\umoewkmwqqfxgyapqfx.exe*."

PID 3908  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c tihujutaroapvkjv.exe
    PID 2364  C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID 1880  C:\Windows\tihujutaroapvkjv.exe  |  tihujutaroapvkjv.exe

PID 4364  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c tihujutaroapvkjv.exe .
    PID 2924  C:\Windows\tihujutaroapvkjv.exe  |  tihujutaroapvkjv.exe .
        PID 748  C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe  |  "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\tihujutaroapvkjv.exe*."

PID 4920  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c jabqhuvexwkbjabppd.exe
    PID 1740  C:\Windows\jabqhuvexwkbjabppd.exe  |  jabqhuvexwkbjabppd.exe

PID 2396  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c haduncfqlmcvfybrtjcf.exe .
    PID 3916  C:\Windows\haduncfqlmcvfybrtjcf.exe  |  haduncfqlmcvfybrtjcf.exe .
        PID 2880  C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe  |  "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\haduncfqlmcvfybrtjcf.exe*."

PID 5384  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe
    PID 1676  C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe  |  C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe

PID 1692  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe .
    PID 3068  C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe  |  C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe .
        PID 5916  C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe  |  "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\aqqeuggogerhoeerq.exe*."

PID 1336  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exe
    PID 1360  C:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exe  |  C:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exe

PID 1332  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqumgwamikbvgaevypjnf.exe .
    PID 4848  C:\Users\Admin\AppData\Local\Temp\wqumgwamikbvgaevypjnf.exe  |  C:\Users\Admin\AppData\Local\Temp\wqumgwamikbvgaevypjnf.exe .
        PID 5812  C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe  |  "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\wqumgwamikbvgaevypjnf.exe*."

PID 5512  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c haduncfqlmcvfybrtjcf.exe
    PID 2548  C:\Windows\haduncfqlmcvfybrtjcf.exe  |  haduncfqlmcvfybrtjcf.exe

PID 5872  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c jabqhuvexwkbjabppd.exe .
    PID 6028  C:\Windows\jabqhuvexwkbjabppd.exe  |  jabqhuvexwkbjabppd.exe .
        PID 2188  C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe  |  "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\jabqhuvexwkbjabppd.exe*."

PID 4932  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c haduncfqlmcvfybrtjcf.exe
    PID 2800  C:\Windows\haduncfqlmcvfybrtjcf.exe  |  haduncfqlmcvfybrtjcf.exe

PID 4884  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c umoewkmwqqfxgyapqfx.exe .
    PID 1684  C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID 3884  C:\Windows\umoewkmwqqfxgyapqfx.exe  |  umoewkmwqqfxgyapqfx.exe .
        PID 5876  C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe  |  "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\umoewkmwqqfxgyapqfx.exe*."

PID 1312  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exe
    PID 1540  C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID 3472  C:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exe  |  C:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exe

PID 2608  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe .
    PID 1296  C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe  |  C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe .
        PID 2872  C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe  |  "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\umoewkmwqqfxgyapqfx.exe*."

PID 4796  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqumgwamikbvgaevypjnf.exe
    PID 5804  C:\Users\Admin\AppData\Local\Temp\wqumgwamikbvgaevypjnf.exe  |  C:\Users\Admin\AppData\Local\Temp\wqumgwamikbvgaevypjnf.exe

PID 3364  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqumgwamikbvgaevypjnf.exe .
    PID 232  C:\Users\Admin\AppData\Local\Temp\wqumgwamikbvgaevypjnf.exe  |  C:\Users\Admin\AppData\Local\Temp\wqumgwamikbvgaevypjnf.exe .
        PID 5036  C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe  |  "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\wqumgwamikbvgaevypjnf.exe*."

PID 4924  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c haduncfqlmcvfybrtjcf.exe
    PID 2224  C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID 1180  C:\Windows\haduncfqlmcvfybrtjcf.exe  |  haduncfqlmcvfybrtjcf.exe

PID 4412  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c haduncfqlmcvfybrtjcf.exe .
    PID 1052  C:\Windows\haduncfqlmcvfybrtjcf.exe  |  haduncfqlmcvfybrtjcf.exe .
        PID 1020  C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe  |  "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\haduncfqlmcvfybrtjcf.exe*."

PID 3228  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c jabqhuvexwkbjabppd.exe
    PID 4328  C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID 3872  C:\Windows\jabqhuvexwkbjabppd.exe  |  jabqhuvexwkbjabppd.exe

PID 4956  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c wqumgwamikbvgaevypjnf.exe .
    PID 1016  C:\Windows\wqumgwamikbvgaevypjnf.exe  |  wqumgwamikbvgaevypjnf.exe .
        PID 2804  C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe  |  "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\wqumgwamikbvgaevypjnf.exe*."

PID 5496  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe
    PID 4252  C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe  |  C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe

PID 4228  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exe .
    PID 3824  C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID 2916  C:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exe  |  C:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exe .
        PID 6136  C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe  |  "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\tihujutaroapvkjv.exe*."

PID 5852  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exe
    PID 5380  C:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exe  |  C:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exe

PID 6132  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe .
    PID 2288  C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe  |  C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe .
        PID 4504  C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe  |  "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\aqqeuggogerhoeerq.exe*."

PID 828  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c aqqeuggogerhoeerq.exe
    PID 5844  C:\Windows\aqqeuggogerhoeerq.exe  |  aqqeuggogerhoeerq.exe

PID 5148  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c tihujutaroapvkjv.exe
    PID 4128  C:\Windows\tihujutaroapvkjv.exe  |  tihujutaroapvkjv.exe

PID 6100  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c haduncfqlmcvfybrtjcf.exe
    PID 3368  C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID 2396  C:\Windows\haduncfqlmcvfybrtjcf.exe  |  haduncfqlmcvfybrtjcf.exe

PID 5244  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c umoewkmwqqfxgyapqfx.exe .
    PID 3864  C:\Windows\umoewkmwqqfxgyapqfx.exe  |  umoewkmwqqfxgyapqfx.exe .
        PID 2548  C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe  |  "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\umoewkmwqqfxgyapqfx.exe*."

PID 5356  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c aqqeuggogerhoeerq.exe .
    PID 5440  C:\Windows\aqqeuggogerhoeerq.exe  |  aqqeuggogerhoeerq.exe .
        PID 2900  C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe  |  "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\aqqeuggogerhoeerq.exe*."

PID 4312  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c jabqhuvexwkbjabppd.exe .
    PID 4476  C:\Windows\jabqhuvexwkbjabppd.exe  |  jabqhuvexwkbjabppd.exe .
        PID 4880  C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe  |  "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\jabqhuvexwkbjabppd.exe*."

PID 1336  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c umoewkmwqqfxgyapqfx.exe
    PID 4388  C:\Windows\umoewkmwqqfxgyapqfx.exe  |  umoewkmwqqfxgyapqfx.exe

PID 4704  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c aqqeuggogerhoeerq.exe
    PID 2800  C:\Windows\aqqeuggogerhoeerq.exe  |  aqqeuggogerhoeerq.exe

PID 2456  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c haduncfqlmcvfybrtjcf.exe .
    PID 4692  C:\Windows\haduncfqlmcvfybrtjcf.exe  |  haduncfqlmcvfybrtjcf.exe .
        PID 2984  C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe  |  "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\haduncfqlmcvfybrtjcf.exe*."

PID 5396  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c aqqeuggogerhoeerq.exe
    PID 2976  C:\Windows\aqqeuggogerhoeerq.exe  |  aqqeuggogerhoeerq.exe

PID 1332  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c jabqhuvexwkbjabppd.exe .
    PID 1892  C:\Windows\jabqhuvexwkbjabppd.exe  |  jabqhuvexwkbjabppd.exe .
        PID 6120  C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe  |  "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\jabqhuvexwkbjabppd.exe*."

PID 3912  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c wqumgwamikbvgaevypjnf.exe .
    PID 1972  C:\Windows\wqumgwamikbvgaevypjnf.exe  |  wqumgwamikbvgaevypjnf.exe .
        PID 528  C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe  |  "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\wqumgwamikbvgaevypjnf.exe*."

PID 1184  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe
    PID 5568  C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe  |  C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe

PID 2844  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe
    PID 3200  C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe  |  C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe

PID 4244  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe .
    PID 2484  C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe  |  C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe .
        PID 2908  C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe  |  "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\aqqeuggogerhoeerq.exe*."

PID 2328  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe .
    PID 4492  C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID 1064  C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe  |  C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe .
        PID 4368  C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe  |  "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\jabqhuvexwkbjabppd.exe*."

PID 4356  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe
    PID 3688  C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe  |  C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe

PID 4696  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exe .
    PID 4888  C:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exe  |  C:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exe .
        PID 3548  C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe  |  "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\haduncfqlmcvfybrtjcf.exe*."

PID 1136  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe
    PID 1880  C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe  |  C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe

PID 2912  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe
    PID 3188  C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID 5304  C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe  |  C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe

PID 1140  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe .
    PID 5016  C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe  |  C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe .
        PID 2924  C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe  |  "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\umoewkmwqqfxgyapqfx.exe*."

PID 6024  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqumgwamikbvgaevypjnf.exe
    PID 3900  C:\Users\Admin\AppData\Local\Temp\wqumgwamikbvgaevypjnf.exe  |  C:\Users\Admin\AppData\Local\Temp\wqumgwamikbvgaevypjnf.exe

PID 4200  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exe .
    PID 5708  C:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exe  |  C:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exe .
        PID 2520  C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe  |  "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\tihujutaroapvkjv.exe*."

PID 4684  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe .
    PID 2024  C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe  |  C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe .
        PID 5728  C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe  |  "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\aqqeuggogerhoeerq.exe*."

PID 3128  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c wqumgwamikbvgaevypjnf.exe
    PID 1780  C:\Windows\wqumgwamikbvgaevypjnf.exe  |  wqumgwamikbvgaevypjnf.exe

PID 2744  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c haduncfqlmcvfybrtjcf.exe .
    PID 2736  C:\Windows\haduncfqlmcvfybrtjcf.exe  |  haduncfqlmcvfybrtjcf.exe .
        PID 1476  C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe  |  "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\haduncfqlmcvfybrtjcf.exe*."

PID 1636  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c tihujutaroapvkjv.exe
    PID 5456  C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID 4344  C:\Windows\tihujutaroapvkjv.exe  |  tihujutaroapvkjv.exe

PID 1128  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c haduncfqlmcvfybrtjcf.exe .
    PID 5340  C:\Windows\haduncfqlmcvfybrtjcf.exe  |  haduncfqlmcvfybrtjcf.exe .
        PID 3472  C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe  |  "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\haduncfqlmcvfybrtjcf.exe*."

PID 5640  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe
    PID 1916  C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID 1212  C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe  |  C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe

PID 1592  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe .
    PID 4820  C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe  |  C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe .
        PID 4720  C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe  |  "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\umoewkmwqqfxgyapqfx.exe*."

PID 3904  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqumgwamikbvgaevypjnf.exe
    PID 4276  C:\Users\Admin\AppData\Local\Temp\wqumgwamikbvgaevypjnf.exe  |  C:\Users\Admin\AppData\Local\Temp\wqumgwamikbvgaevypjnf.exe

PID 184  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqumgwamikbvgaevypjnf.exe .
    PID 4312  C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID 1692  C:\Users\Admin\AppData\Local\Temp\wqumgwamikbvgaevypjnf.exe  |  C:\Users\Admin\AppData\Local\Temp\wqumgwamikbvgaevypjnf.exe .
        PID 3732  C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe  |  "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\wqumgwamikbvgaevypjnf.exe*."

PID 232  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c wqumgwamikbvgaevypjnf.exe
    PID 3692  C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID 5676  C:\Windows\wqumgwamikbvgaevypjnf.exe  |  wqumgwamikbvgaevypjnf.exe

PID 1036  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c haduncfqlmcvfybrtjcf.exe .
    PID 1984  C:\Windows\haduncfqlmcvfybrtjcf.exe  |  haduncfqlmcvfybrtjcf.exe .
        PID 528  C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe  |  "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\haduncfqlmcvfybrtjcf.exe*."

PID 1956  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c tihujutaroapvkjv.exe
    PID 1368  C:\Windows\tihujutaroapvkjv.exe  |  tihujutaroapvkjv.exe

PID 1448  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c jabqhuvexwkbjabppd.exe .
    PID 3768  C:\Windows\jabqhuvexwkbjabppd.exe  |  jabqhuvexwkbjabppd.exe .
        PID 4048  C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe  |  "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\jabqhuvexwkbjabppd.exe*."

PID 5608  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exe
    PID 2180  C:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exe  |  C:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exe

PID 5740  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe .
    PID 4876  C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe  |  C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe .
        PID 4696  C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe  |  "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\jabqhuvexwkbjabppd.exe*."

PID 4932  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exe
    PID 4028  C:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exe  |  C:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exe

PID 4900  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exe .
    PID 936  C:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exe  |  C:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exe .
        PID 1548  C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe  |  "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\haduncfqlmcvfybrtjcf.exe*."

PID 2328  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c tihujutaroapvkjv.exe
    PID 5508  C:\Windows\tihujutaroapvkjv.exe  |  tihujutaroapvkjv.exe

PID 5028  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c tihujutaroapvkjv.exe .
    PID 5484  C:\Windows\tihujutaroapvkjv.exe  |  tihujutaroapvkjv.exe .
        PID 5536  C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe  |  "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\tihujutaroapvkjv.exe*."

PID 4244  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c jabqhuvexwkbjabppd.exe
    PID 1108  C:\Windows\jabqhuvexwkbjabppd.exe  |  jabqhuvexwkbjabppd.exe

PID 4556  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c haduncfqlmcvfybrtjcf.exe .
    PID 2072  C:\Windows\haduncfqlmcvfybrtjcf.exe  |  haduncfqlmcvfybrtjcf.exe .
        PID 1676  C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe  |  "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\haduncfqlmcvfybrtjcf.exe*."

PID 1052  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe
    PID 2748  C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe  |  C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe

PID 2444  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe .
    PID 5708  C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe  |  C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe .
        PID 2560  C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe  |  "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\aqqeuggogerhoeerq.exe*."

PID 5080  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe
    PID 4484  C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID 4428  C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe  |  C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe

PID 5624  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe .
    PID 4344  C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe  |  C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe .
        PID 5180  C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe  |  "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\aqqeuggogerhoeerq.exe*."

PID 3452  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c jabqhuvexwkbjabppd.exe
    PID 6032  C:\Windows\jabqhuvexwkbjabppd.exe  |  jabqhuvexwkbjabppd.exe

PID 3476  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c aqqeuggogerhoeerq.exe .
    PID 5752  C:\Windows\aqqeuggogerhoeerq.exe  |  aqqeuggogerhoeerq.exe .
        PID 2472  C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe  |  "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\aqqeuggogerhoeerq.exe*."

PID 5692  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c jabqhuvexwkbjabppd.exe
    PID 2272  C:\Windows\jabqhuvexwkbjabppd.exe  |  jabqhuvexwkbjabppd.exe

PID 4084  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c haduncfqlmcvfybrtjcf.exe .
    PID 1316  C:\Windows\haduncfqlmcvfybrtjcf.exe  |  haduncfqlmcvfybrtjcf.exe .
        PID 4036  C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe  |  "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\haduncfqlmcvfybrtjcf.exe*."

PID 3548  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe
    PID 5932  C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe  |  C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe

PID 184  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe .
    PID 1804  C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe  |  C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe .
        PID 1924  C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe  |  "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\jabqhuvexwkbjabppd.exe*."

PID 5452  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exe
    PID 1184  C:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exe  |  C:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exe

PID 2220  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe .
    PID 1368  C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe  |  C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe .
        PID 3816  C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe  |  "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\aqqeuggogerhoeerq.exe*."

PID 632  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c jabqhuvexwkbjabppd.exe
    PID 2032  C:\Windows\jabqhuvexwkbjabppd.exe  |  jabqhuvexwkbjabppd.exe

PID 4972  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c wqumgwamikbvgaevypjnf.exe .
    PID 3796  C:\Windows\wqumgwamikbvgaevypjnf.exe  |  wqumgwamikbvgaevypjnf.exe .
        PID 1064  C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe  |  "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\wqumgwamikbvgaevypjnf.exe*."

PID 1296  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c wqumgwamikbvgaevypjnf.exe
    PID 4980  C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID 4692  C:\Windows\wqumgwamikbvgaevypjnf.exe  |  wqumgwamikbvgaevypjnf.exe

PID 5832  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c jabqhuvexwkbjabppd.exe .
    PID 3732  C:\Windows\jabqhuvexwkbjabppd.exe  |  jabqhuvexwkbjabppd.exe .
        PID 4744  C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe  |  "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\jabqhuvexwkbjabppd.exe*."

PID 4932  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exe
    PID 5140  C:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exe  |  C:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exe

PID 5236  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqumgwamikbvgaevypjnf.exe .
    PID 2456  C:\Users\Admin\AppData\Local\Temp\wqumgwamikbvgaevypjnf.exe  |  C:\Users\Admin\AppData\Local\Temp\wqumgwamikbvgaevypjnf.exe .
        PID 6072  C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe  |  "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\wqumgwamikbvgaevypjnf.exe*."

PID 5460  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe
    PID 2956  C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID 5552  C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe  |  C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe

PID 4960  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exe .
    PID 6068  C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID 3724  C:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exe  |  C:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exe .
        PID 4784  C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe  |  "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\haduncfqlmcvfybrtjcf.exe*."

PID 2068  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c tihujutaroapvkjv.exe
    PID 2288  C:\Windows\tihujutaroapvkjv.exe  |  tihujutaroapvkjv.exe

PID 1228  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c haduncfqlmcvfybrtjcf.exe .
    PID 2056  C:\Windows\haduncfqlmcvfybrtjcf.exe  |  haduncfqlmcvfybrtjcf.exe .
        PID 1460  C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe  |  "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\haduncfqlmcvfybrtjcf.exe*."

PID 4544  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c haduncfqlmcvfybrtjcf.exe
    PID 4712  C:\Windows\haduncfqlmcvfybrtjcf.exe  |  haduncfqlmcvfybrtjcf.exe

PID 748  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c wqumgwamikbvgaevypjnf.exe .
    PID 1680  C:\Windows\wqumgwamikbvgaevypjnf.exe  |  wqumgwamikbvgaevypjnf.exe .
        PID 2396  C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe  |  "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\wqumgwamikbvgaevypjnf.exe*."
            PID 3996  C:\Users\Admin\AppData\Local\Temp\puzblt.exe  |  "C:\Users\Admin\AppData\Local\Temp\puzblt.exe" "-C:\Users\Admin\AppData\Local\Temp\bqfrldngrjeqflaz.exe"
            PID 1036  C:\Users\Admin\AppData\Local\Temp\puzblt.exe  |  "C:\Users\Admin\AppData\Local\Temp\puzblt.exe" "-C:\Users\Admin\AppData\Local\Temp\bqfrldngrjeqflaz.exe"
            PID 2472  C:\Users\Admin\AppData\Local\Temp\puzblt.exe  |  "C:\Users\Admin\AppData\Local\Temp\puzblt.exe" "-C:\Users\Admin\AppData\Local\Temp\bqfrldngrjeqflaz.exe"
            PID 5640  C:\Users\Admin\AppData\Local\Temp\puzblt.exe  |  "C:\Users\Admin\AppData\Local\Temp\puzblt.exe" "-C:\Users\Admin\AppData\Local\Temp\bqfrldngrjeqflaz.exe"
            PID 5804  C:\Users\Admin\AppData\Local\Temp\puzblt.exe  |  "C:\Users\Admin\AppData\Local\Temp\puzblt.exe" "-C:\Users\Admin\AppData\Local\Temp\bqfrldngrjeqflaz.exe"
            PID 5004  C:\Users\Admin\AppData\Local\Temp\puzblt.exe  |  "C:\Users\Admin\AppData\Local\Temp\puzblt.exe" "-C:\Users\Admin\AppData\Local\Temp\bqfrldngrjeqflaz.exe"
            PID 2540  C:\Users\Admin\AppData\Local\Temp\puzblt.exe  |  "C:\Users\Admin\AppData\Local\Temp\puzblt.exe" "-C:\Users\Admin\AppData\Local\Temp\bqfrldngrjeqflaz.exe"
            PID 2808  C:\Users\Admin\AppData\Local\Temp\puzblt.exe  |  "C:\Users\Admin\AppData\Local\Temp\puzblt.exe" "-C:\Users\Admin\AppData\Local\Temp\bqfrldngrjeqflaz.exe"

PID 2520  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exe
    PID 6064  C:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exe  |  C:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exe

PID 4364  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exe .
    PID 3096  C:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exe  |  C:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exe .
        PID 740  C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe  |  "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\tihujutaroapvkjv.exe*."

PID 720  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe
    PID 2796  C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe  |  C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe

PID 1124  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe .
    PID 4788  C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe  |  C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe .
        PID 1512  C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe  |  "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\aqqeuggogerhoeerq.exe*."

PID 116  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c pibrplzwlhgwpzsvlnle.exe
    PID 3120  C:\Windows\pibrplzwlhgwpzsvlnle.exe  |  pibrplzwlhgwpzsvlnle.exe

PID 3080  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c umoewkmwqqfxgyapqfx.exe
    PID 372  C:\Windows\umoewkmwqqfxgyapqfx.exe  |  umoewkmwqqfxgyapqfx.exe

PID 4276  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c bqfrldngrjeqflaz.exe .
    PID 4992  C:\Windows\bqfrldngrjeqflaz.exe  |  bqfrldngrjeqflaz.exe .
        PID 1972  C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe  |  "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\bqfrldngrjeqflaz.exe*."

PID 5640  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c umoewkmwqqfxgyapqfx.exe
    PID 1644  C:\Windows\umoewkmwqqfxgyapqfx.exe  |  umoewkmwqqfxgyapqfx.exe
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c umoewkmwqqfxgyapqfx.exe .1⤵PID:4796
-
C:\Windows\umoewkmwqqfxgyapqfx.exeumoewkmwqqfxgyapqfx.exe .2⤵PID:2224
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\umoewkmwqqfxgyapqfx.exe*."3⤵PID:3860
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c haduncfqlmcvfybrtjcf.exe .1⤵PID:2976
-
C:\Windows\haduncfqlmcvfybrtjcf.exehaduncfqlmcvfybrtjcf.exe .2⤵PID:2280
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\haduncfqlmcvfybrtjcf.exe*."3⤵PID:5016
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cumbytgcqljyqzrtijg.exe1⤵PID:3548
-
C:\Windows\cumbytgcqljyqzrtijg.execumbytgcqljyqzrtijg.exe2⤵PID:532
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pibrplzwlhgwpzsvlnle.exe .1⤵PID:4656
-
C:\Windows\pibrplzwlhgwpzsvlnle.exepibrplzwlhgwpzsvlnle.exe .2⤵PID:4936
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\pibrplzwlhgwpzsvlnle.exe*."3⤵PID:4104
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c haduncfqlmcvfybrtjcf.exe1⤵PID:1804
-
C:\Windows\haduncfqlmcvfybrtjcf.exehaduncfqlmcvfybrtjcf.exe2⤵PID:2872
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c haduncfqlmcvfybrtjcf.exe1⤵PID:8
-
C:\Windows\haduncfqlmcvfybrtjcf.exehaduncfqlmcvfybrtjcf.exe2⤵PID:1108
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqqeuggogerhoeerq.exe .1⤵PID:4616
-
C:\Windows\aqqeuggogerhoeerq.exeaqqeuggogerhoeerq.exe .2⤵PID:1460
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\aqqeuggogerhoeerq.exe*."3⤵PID:1548
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqfrldngrjeqflaz.exe1⤵PID:396
-
C:\Users\Admin\AppData\Local\Temp\bqfrldngrjeqflaz.exeC:\Users\Admin\AppData\Local\Temp\bqfrldngrjeqflaz.exe2⤵PID:2308
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c haduncfqlmcvfybrtjcf.exe .1⤵PID:5464
-
C:\Windows\haduncfqlmcvfybrtjcf.exehaduncfqlmcvfybrtjcf.exe .2⤵PID:3228
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\haduncfqlmcvfybrtjcf.exe*."3⤵PID:5048
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqfrldngrjeqflaz.exe .1⤵PID:5296
-
C:\Users\Admin\AppData\Local\Temp\bqfrldngrjeqflaz.exeC:\Users\Admin\AppData\Local\Temp\bqfrldngrjeqflaz.exe .2⤵PID:4172
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\bqfrldngrjeqflaz.exe*."3⤵PID:3128
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exe1⤵PID:4844
-
C:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exeC:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exe2⤵PID:4556
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jabqhuvexwkbjabppd.exe1⤵PID:1104
-
C:\Windows\jabqhuvexwkbjabppd.exejabqhuvexwkbjabppd.exe2⤵PID:5276
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqumgwamikbvgaevypjnf.exe .1⤵PID:3796
-
C:\Users\Admin\AppData\Local\Temp\wqumgwamikbvgaevypjnf.exeC:\Users\Admin\AppData\Local\Temp\wqumgwamikbvgaevypjnf.exe .2⤵PID:5064
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\wqumgwamikbvgaevypjnf.exe*."3⤵PID:4208
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe1⤵PID:1400
-
C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exeC:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe2⤵PID:2848
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exe .1⤵PID:2200
-
C:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exeC:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exe .2⤵PID:4596
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\tihujutaroapvkjv.exe*."3⤵PID:5016
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jabqhuvexwkbjabppd.exe .1⤵PID:1332
-
C:\Windows\jabqhuvexwkbjabppd.exejabqhuvexwkbjabppd.exe .2⤵PID:4756
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\jabqhuvexwkbjabppd.exe*."3⤵PID:448
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\riznjdpkxroctbsthh.exe1⤵PID:1880
-
C:\Users\Admin\AppData\Local\Temp\riznjdpkxroctbsthh.exeC:\Users\Admin\AppData\Local\Temp\riznjdpkxroctbsthh.exe2⤵PID:4820
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe1⤵PID:3528
-
C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exeC:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe2⤵PID:5560
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pibrplzwlhgwpzsvlnle.exe .1⤵PID:2680
-
C:\Users\Admin\AppData\Local\Temp\pibrplzwlhgwpzsvlnle.exeC:\Users\Admin\AppData\Local\Temp\pibrplzwlhgwpzsvlnle.exe .2⤵PID:5200
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\pibrplzwlhgwpzsvlnle.exe*."3⤵PID:5700
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exe .1⤵PID:4708
-
C:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exeC:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exe .2⤵PID:5228
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\haduncfqlmcvfybrtjcf.exe*."3⤵PID:3028
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqqeuggogerhoeerq.exe1⤵PID:6048
-
C:\Windows\aqqeuggogerhoeerq.exeaqqeuggogerhoeerq.exe2⤵PID:2616
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe1⤵PID:3216
-
C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exeC:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe2⤵PID:4572
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe .1⤵PID:5536
-
C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exeC:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe .2⤵PID:5608
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\aqqeuggogerhoeerq.exe*."3⤵PID:2908
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c umoewkmwqqfxgyapqfx.exe .1⤵PID:5484
-
C:\Windows\umoewkmwqqfxgyapqfx.exeumoewkmwqqfxgyapqfx.exe .2⤵PID:928
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\umoewkmwqqfxgyapqfx.exe*."3⤵PID:968
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe1⤵PID:6084
-
C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exeC:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe2⤵PID:1260
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe .1⤵PID:4712
-
C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exeC:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe .2⤵PID:3708
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\umoewkmwqqfxgyapqfx.exe*."3⤵PID:2808
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exe1⤵PID:2880
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3568
-
-
C:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exeC:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exe2⤵PID:2448
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe .1⤵PID:3096
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2100
-
-
C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exeC:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe .2⤵PID:3080
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\aqqeuggogerhoeerq.exe*."3⤵PID:5776
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wqumgwamikbvgaevypjnf.exe1⤵PID:1924
-
C:\Windows\wqumgwamikbvgaevypjnf.exewqumgwamikbvgaevypjnf.exe2⤵PID:3756
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jabqhuvexwkbjabppd.exe .1⤵PID:2972
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4360
-
-
C:\Windows\jabqhuvexwkbjabppd.exejabqhuvexwkbjabppd.exe .2⤵PID:3876
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\jabqhuvexwkbjabppd.exe*."3⤵PID:4496
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c umoewkmwqqfxgyapqfx.exe1⤵PID:4768
-
C:\Windows\umoewkmwqqfxgyapqfx.exeumoewkmwqqfxgyapqfx.exe2⤵PID:5056
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wqumgwamikbvgaevypjnf.exe .1⤵PID:4436
-
C:\Windows\wqumgwamikbvgaevypjnf.exewqumgwamikbvgaevypjnf.exe .2⤵PID:2164
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\wqumgwamikbvgaevypjnf.exe*."3⤵PID:2976
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exe1⤵PID:4104
-
C:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exeC:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exe2⤵PID:5392
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe .1⤵PID:4556
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3864
-
-
C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exeC:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe .2⤵PID:3372
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\umoewkmwqqfxgyapqfx.exe*."3⤵PID:4608
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pibrplzwlhgwpzsvlnle.exe1⤵PID:2420
-
C:\Windows\pibrplzwlhgwpzsvlnle.exepibrplzwlhgwpzsvlnle.exe2⤵PID:1844
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exe1⤵PID:4428
-
C:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exeC:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exe2⤵PID:2984
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pibrplzwlhgwpzsvlnle.exe .1⤵PID:3700
-
C:\Windows\pibrplzwlhgwpzsvlnle.exepibrplzwlhgwpzsvlnle.exe .2⤵PID:6032
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\pibrplzwlhgwpzsvlnle.exe*."3⤵PID:5064
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe .1⤵PID:2812
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2032
-
-
C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exeC:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe .2⤵PID:4572
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\aqqeuggogerhoeerq.exe*."3⤵PID:3104
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bqfrldngrjeqflaz.exe1⤵PID:4956
-
C:\Windows\bqfrldngrjeqflaz.exebqfrldngrjeqflaz.exe2⤵PID:5588
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iyobwpaugzviyfvvi.exe .1⤵PID:1324
-
C:\Windows\iyobwpaugzviyfvvi.exeiyobwpaugzviyfvvi.exe .2⤵PID:1328
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\iyobwpaugzviyfvvi.exe*."3⤵PID:5844
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cumbytgcqljyqzrtijg.exe1⤵PID:2980
-
C:\Users\Admin\AppData\Local\Temp\cumbytgcqljyqzrtijg.exeC:\Users\Admin\AppData\Local\Temp\cumbytgcqljyqzrtijg.exe2⤵PID:3724
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eysjifusiffwqbvzqtsmg.exe .1⤵PID:2636
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1124
-
-
C:\Users\Admin\AppData\Local\Temp\eysjifusiffwqbvzqtsmg.exeC:\Users\Admin\AppData\Local\Temp\eysjifusiffwqbvzqtsmg.exe .2⤵PID:3668
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\eysjifusiffwqbvzqtsmg.exe*."3⤵PID:2224
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jabqhuvexwkbjabppd.exe1⤵PID:4328
-
C:\Windows\jabqhuvexwkbjabppd.exejabqhuvexwkbjabppd.exe2⤵PID:4836
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cumbytgcqljyqzrtijg.exe1⤵PID:3672
-
C:\Users\Admin\AppData\Local\Temp\cumbytgcqljyqzrtijg.exeC:\Users\Admin\AppData\Local\Temp\cumbytgcqljyqzrtijg.exe2⤵PID:3460
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pibrplzwlhgwpzsvlnle.exe .1⤵PID:1064
-
C:\Users\Admin\AppData\Local\Temp\pibrplzwlhgwpzsvlnle.exeC:\Users\Admin\AppData\Local\Temp\pibrplzwlhgwpzsvlnle.exe .2⤵PID:1852
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\pibrplzwlhgwpzsvlnle.exe*."3⤵PID:740
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tihujutaroapvkjv.exe .1⤵PID:3904
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5024
-
-
C:\Windows\tihujutaroapvkjv.exetihujutaroapvkjv.exe .2⤵PID:5020
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\tihujutaroapvkjv.exe*."3⤵PID:6116
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wqumgwamikbvgaevypjnf.exe1⤵PID:1780
-
C:\Windows\wqumgwamikbvgaevypjnf.exewqumgwamikbvgaevypjnf.exe2⤵PID:6024
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tihujutaroapvkjv.exe .1⤵PID:5896
-
C:\Windows\tihujutaroapvkjv.exetihujutaroapvkjv.exe .2⤵PID:4364
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\tihujutaroapvkjv.exe*."3⤵PID:2068
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe1⤵PID:4724
-
C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exeC:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe2⤵PID:4704
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exe .1⤵PID:904
-
C:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exeC:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exe .2⤵PID:1180
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\tihujutaroapvkjv.exe*."3⤵PID:4412
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exe1⤵PID:1320
-
C:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exeC:\Users\Admin\AppData\Local\Temp\tihujutaroapvkjv.exe2⤵PID:1108
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe .1⤵PID:4544
-
C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exeC:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe .2⤵PID:4764
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\jabqhuvexwkbjabppd.exe*."3⤵PID:5616
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c umoewkmwqqfxgyapqfx.exe1⤵PID:660
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5852
-
-
C:\Windows\umoewkmwqqfxgyapqfx.exeumoewkmwqqfxgyapqfx.exe2⤵PID:2560
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c haduncfqlmcvfybrtjcf.exe .1⤵PID:4424
-
C:\Windows\haduncfqlmcvfybrtjcf.exehaduncfqlmcvfybrtjcf.exe .2⤵PID:5056
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\haduncfqlmcvfybrtjcf.exe*."3⤵PID:5384
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jabqhuvexwkbjabppd.exe1⤵PID:3584
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4648
-
-
C:\Windows\jabqhuvexwkbjabppd.exejabqhuvexwkbjabppd.exe2⤵PID:1460
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jabqhuvexwkbjabppd.exe .1⤵PID:1548
-
C:\Windows\jabqhuvexwkbjabppd.exejabqhuvexwkbjabppd.exe .2⤵PID:4924
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\jabqhuvexwkbjabppd.exe*."3⤵PID:4608
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exe1⤵PID:3916
-
C:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exeC:\Users\Admin\AppData\Local\Temp\haduncfqlmcvfybrtjcf.exe2⤵PID:4036
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe .1⤵PID:2892
-
C:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exeC:\Users\Admin\AppData\Local\Temp\jabqhuvexwkbjabppd.exe .2⤵PID:5592
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\jabqhuvexwkbjabppd.exe*."3⤵PID:4340
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe1⤵PID:116
-
C:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exeC:\Users\Admin\AppData\Local\Temp\aqqeuggogerhoeerq.exe2⤵PID:5220
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe .1⤵PID:5500
-
C:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exeC:\Users\Admin\AppData\Local\Temp\umoewkmwqqfxgyapqfx.exe .2⤵PID:4024
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\umoewkmwqqfxgyapqfx.exe*."3⤵PID:1952
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wqumgwamikbvgaevypjnf.exe1⤵PID:3700
-
C:\Windows\wqumgwamikbvgaevypjnf.exewqumgwamikbvgaevypjnf.exe2⤵PID:1500
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wqumgwamikbvgaevypjnf.exe .1⤵PID:5520
-
C:\Windows\wqumgwamikbvgaevypjnf.exewqumgwamikbvgaevypjnf.exe .2⤵PID:2220
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\wqumgwamikbvgaevypjnf.exe*."3⤵PID:6048
-
-
Network
MITRE ATT&CK Enterprise v16
Persistence
    Boot or Logon Autostart Execution (3)
        Registry Run Keys / Startup Folder (2)
        Winlogon Helper DLL (1)
    Hijack Execution Flow (1)
        Executable Installer File Permissions Weakness (1)
Privilege Escalation
    Abuse Elevation Control Mechanism (1)
        Bypass User Account Control (1)
    Boot or Logon Autostart Execution (3)
        Registry Run Keys / Startup Folder (2)
        Winlogon Helper DLL (1)
    Hijack Execution Flow (1)
        Executable Installer File Permissions Weakness (1)
Defense Evasion
    Abuse Elevation Control Mechanism (1)
        Bypass User Account Control (1)
    Hijack Execution Flow (1)
        Executable Installer File Permissions Weakness (1)
    Impair Defenses (2)
        Disable or Modify Tools (1)
        Safe Mode Boot (1)
    Modify Registry (5)
Downloads
-
Filesize: 272B
MD5: a9d08bb7b507e754c863d96d9e86fa31
SHA1: 617702c56df6780a03c4daa573831c4fadabedc4
SHA256: 350e6dc8d7a4126034bebab55ae30ddec25bcf6a03b7abfaccd036c7e5e07e3b
SHA512: 8127310e19518f142e3c2fe368ed23be50a972396559f11b5e2759bb66a2f8529ec92aff74a4181cd09e04ddeb38c6df3812e229aa156eae7cc44b405bc1b11b
-
Filesize: 272B
MD5: 131730adc624517451dae5f85265b90c
SHA1: b0e7e3acf0569f5bb91a192f5a0a0ada4bf7d039
SHA256: 4e2a529fd0f267c57123828125b2686115326b5d4109c53678069cbf195be73e
SHA512: 1021225d2c5c6f3f19488ff9e94d50adaaa72563e39d0fa13fcefe0b689ab3fd73d26f08382b3c053a7f2aafb5813f1287331f5ac8513bfab6b09bacb569a715
-
Filesize: 272B
MD5: 20b5d991f5d03413f27eeebbab9e6b8a
SHA1: ac47b8f267748dd8f376bc930526787f2124837f
SHA256: f638e2be36e9c0cf8bfa2d820faeb9ff4798e35920360fdfa7c6fd051c9983e0
SHA512: 71c94755e6fe72463b597474f62db45ed2e55a12c1019cbeddcff62989b5037c787b39be0db3972929e595a5c62d5426d4050e455344bac70083963c584cce2b
-
Filesize: 272B
MD5: 2edd01965a3bcedc315f494bd590fea8
SHA1: 2c14ddc6dcc0b77a8b268a1428a9b32670ee5131
SHA256: eb7e587093006fa348c0c8dd46c684230397cf838f12940d38289297417a7104
SHA512: c2c2f2d4134a090f28b0329dd949f8e814438a57786a8d8fdcc31ee19a734a5631cdb5ed6b281cc034470e16fde493d88a33d7728908088e272707e1765c0e6c
-
Filesize: 272B
MD5: 7dfcab6345855f8d925aae5c25dea626
SHA1: e7a9a2ab2e618182593d0002734b63f57c254749
SHA256: 6b47292fd2a58cc8e99f99f4fd9d597f22d4297e71e00740f9bec4a95cea9cbf
SHA512: 97057790c7abef76f38cf56e0283f39ca70d0e7b86ac249a333634aa8a7212a100e166e4338bee6d96393eb0b0957de6cfa366d9e46d9c4073bab83f46316850
-
Filesize: 740KB
MD5: 86074e1e96b9411df355db34f30ace9b
SHA1: 5bc1575bcdebd8e5b286873deab4ee07f111eb5c
SHA256: 5e7c97c38376548404b29769836f7646c8e5143edf99ff502ba10e895c08c9d8
SHA512: 76cb2d6aa0661e75e1ddf9b15d31e0b80a4f3275994f73ee90e53adf1c9497a9ed37a6684906617cf639e9cccea573c619dc51cf56fdf92e715327522c08d7b9
-
Filesize: 320KB
MD5: 89ec3461ef4a893428c32f89de78b396
SHA1: 8067cdc0901f0dc5bc1bb67a1c9037f502ea85f9
SHA256: 1849989ee704cda3b552b5021f3165012978d26d0daf7d22a09805deb6be2d0b
SHA512: 7804fa36e1f050115b00d21a9a94cf92436260a385da67106b0c73eb350abafca53f2dec42d377d4eccc095dd75ac92e841fb66e874e656e412cd71ed7909fe8
-
Filesize: 272B
MD5: 5837d6c53e546802c45c102c04f362d1
SHA1: 5b4dd064c839844a9fa0eda0cf752ecf58160586
SHA256: 96cc12b54dd2346e07f0db2b64fbc07e443a7196b2d470e82329e549df57c615
SHA512: 1b059b3f2e1aa7532be5904abb423992945e86bd8acdf6f093c864d7b53eef8297a49d3d8ab375a010abb595fcd520aa5d1a47e483f16ffc8ffdf5f6f397b78e
-
Filesize: 3KB
MD5: d6a062b0dc8482182ad9ab99d407e9e6
SHA1: 42d3077e8afa45fa70e4d725f3b944177341d6d8
SHA256: 335cc66d97fd6f233a0a9f4f5ae3f5c38694ca4fc4b215e2df83d848d8a3dcfc
SHA512: 0a3295f6c387abf8a06b45217bed06091ae638bbb8d06c85ab7242063a9b1dd98835e7e591f7b1b88f55bfb0d9104c602f6ce510d6a27a5fa0a46c276155a08e
-
Filesize: 896KB
MD5: b45ce61349c8fd0044f2bf10ac4d34b4
SHA1: 37ed91a926c1d7a6194ee21ae03de8f4bd5947bd
SHA256: a8bea21f2d08a4952d7349aac02b6c9e0a73bf9d0ca54aeffb1db631adbac518
SHA512: a3061028f885646253ffc9ca3081658e4b31a49e13b4a187c774d673d5cab18e0ab333e07f055375fb6b87252a93ec790b99128ffec0b52ef1a64bb9775c624f