Analysis
max time kernel: 49s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20250410-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250410-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/04/2025, 09:53
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_b74f8691313be0c724b71d356c4b9b40.exe
Resource: win10v2004-20250410-en
General
Target: JaffaCakes118_b74f8691313be0c724b71d356c4b9b40.exe
Size: 1016KB
MD5: b74f8691313be0c724b71d356c4b9b40
SHA1: a204d8d3fb87e6de59c77498fc9a0ed9bd50d214
SHA256: 084500d412b1e0afe88f92170791f9045e76c35c1bf57b9e912aaab2bcd1ff6d
SHA512: be13201bf5c29b776c4d259166ccbbfabee4213aa698c25b77b430a66faf02c0af6cf693bf3ea585d49a3db1cad349769486ad0b7351c58bdb123faf3b33012a
SSDEEP: 6144:0IXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUzx84a2lXUW:0IXsgtvm1De5YlOx6lzBH46Uzf7lXUW
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 22 IoCs)
Pykspa family
UAC bypass (3 TTPs, 31 IoCs)
Detect Pykspa worm (2 IoCs)
resource | yara_rule
behavioral1/files/0x000700000001e6c9-4.dat | family_pykspa
behavioral1/files/0x00070000000241ef-82.dat | family_pykspa
Adds policy Run key to start application (2 TTPs, 64 IoCs)
Disables RegEdit via registry modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | bqyqvqrmlai.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | bqyqvqrmlai.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | lrzckk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | lrzckk.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | lrzckk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | lrzckk.exe
Checks computer location settings (2 TTPs, 64 IoCs)
Looks up country code configured in the registry, likely geofence.
Executes dropped EXE (64 IoCs)
Impair Defenses: Safe Mode Boot (1 TTPs, 6 IoCs)
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | lrzckk.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | lrzckk.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | lrzckk.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | lrzckk.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | lrzckk.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | lrzckk.exe
Adds Run key to start application (2 TTPs, 64 IoCs)
bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sdqylqimxjh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yrmcxkkwpjpmccpsbec.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\afmov = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lfbsocdqkfmkbcqueihb.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\afmov = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lfbsocdqkfmkbcqueihb.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\afmov = "evocvgeofxbwkitub.exe" lrzckk.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\enyepsikt = "nfzoiutewpuqfeqsac.exe ." bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lrzckk = "xnfskuraqhkeroyy.exe ." bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lrzckk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nfzoiutewpuqfeqsac.exe ." bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\afmov = "nfzoiutewpuqfeqsac.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xhtamqhkuf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yrmcxkkwpjpmccpsbec.exe ." 
bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\afmov = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xnfskuraqhkeroyy.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lrzckk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\evocvgeofxbwkitub.exe ." bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lrzckk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xnfskuraqhkeroyy.exe ." bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lrzckk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yrmcxkkwpjpmccpsbec.exe ." lrzckk.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lrzckk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avskhwymhdlkcetyjoojg.exe ." bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\enyepsikt = "avskhwymhdlkcetyjoojg.exe ." bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\afmov = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yrmcxkkwpjpmccpsbec.exe" lrzckk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lrzckk = "xnfskuraqhkeroyy.exe ." bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\afmov = "C:\\Users\\Admin\\AppData\\Local\\Temp\\evocvgeofxbwkitub.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lrzckk = "yrmcxkkwpjpmccpsbec.exe ." 
lrzckk.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lrzckk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xnfskuraqhkeroyy.exe ." bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\enyepsikt = "evocvgeofxbwkitub.exe ." bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lrzckk = "evocvgeofxbwkitub.exe ." bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\afmov = "lfbsocdqkfmkbcqueihb.exe" bqyqvqrmlai.exe -
Checks whether UAC is enabled 1 TTPs 44 IoCs
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possibly turns off User Account Control's privilege elevation for standard users.
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" bqyqvqrmlai.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" lrzckk.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" lrzckk.exe
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc
14 www.whatismyip.ca
16 www.whatismyip.ca
17 whatismyip.everdot.org
1 whatismyipaddress.com
4 www.showmyipaddress.com
11 whatismyip.everdot.org
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process
File created C:\autorun.inf lrzckk.exe
File opened for modification F:\autorun.inf lrzckk.exe
File created F:\autorun.inf lrzckk.exe
File opened for modification C:\autorun.inf lrzckk.exe
Drops file in System32 directory 64 IoCs
Drops file in Program Files directory 4 IoCs
description ioc Process
File opened for modification C:\Program Files (x86)\afmovugejphqsedsncmryahgsqv.tce lrzckk.exe
File created C:\Program Files (x86)\afmovugejphqsedsncmryahgsqv.tce lrzckk.exe
File opened for modification C:\Program Files (x86)\xnfskuraqhkeroyyeezphumwtcsjmgtqaaggbr.woy lrzckk.exe
File created C:\Program Files (x86)\xnfskuraqhkeroyyeezphumwtcsjmgtqaaggbr.woy lrzckk.exe
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3268 JaffaCakes118_b74f8691313be0c724b71d356c4b9b40.exe 3268 JaffaCakes118_b74f8691313be0c724b71d356c4b9b40.exe 3268 JaffaCakes118_b74f8691313be0c724b71d356c4b9b40.exe 3268 JaffaCakes118_b74f8691313be0c724b71d356c4b9b40.exe 3268 JaffaCakes118_b74f8691313be0c724b71d356c4b9b40.exe 3268 JaffaCakes118_b74f8691313be0c724b71d356c4b9b40.exe 3268 JaffaCakes118_b74f8691313be0c724b71d356c4b9b40.exe 3268 JaffaCakes118_b74f8691313be0c724b71d356c4b9b40.exe 3268 JaffaCakes118_b74f8691313be0c724b71d356c4b9b40.exe 3268 JaffaCakes118_b74f8691313be0c724b71d356c4b9b40.exe 3268 JaffaCakes118_b74f8691313be0c724b71d356c4b9b40.exe 3268 JaffaCakes118_b74f8691313be0c724b71d356c4b9b40.exe 3268 JaffaCakes118_b74f8691313be0c724b71d356c4b9b40.exe 3268 JaffaCakes118_b74f8691313be0c724b71d356c4b9b40.exe 3268 JaffaCakes118_b74f8691313be0c724b71d356c4b9b40.exe 3268 JaffaCakes118_b74f8691313be0c724b71d356c4b9b40.exe 1224 lrzckk.exe 1224 lrzckk.exe 3268 JaffaCakes118_b74f8691313be0c724b71d356c4b9b40.exe 3268 JaffaCakes118_b74f8691313be0c724b71d356c4b9b40.exe 3268 JaffaCakes118_b74f8691313be0c724b71d356c4b9b40.exe 3268 JaffaCakes118_b74f8691313be0c724b71d356c4b9b40.exe 3268 JaffaCakes118_b74f8691313be0c724b71d356c4b9b40.exe 3268 JaffaCakes118_b74f8691313be0c724b71d356c4b9b40.exe 3268 JaffaCakes118_b74f8691313be0c724b71d356c4b9b40.exe 3268 JaffaCakes118_b74f8691313be0c724b71d356c4b9b40.exe 3268 JaffaCakes118_b74f8691313be0c724b71d356c4b9b40.exe 3268 JaffaCakes118_b74f8691313be0c724b71d356c4b9b40.exe 3268 JaffaCakes118_b74f8691313be0c724b71d356c4b9b40.exe 3268 JaffaCakes118_b74f8691313be0c724b71d356c4b9b40.exe 3268 JaffaCakes118_b74f8691313be0c724b71d356c4b9b40.exe 3268 JaffaCakes118_b74f8691313be0c724b71d356c4b9b40.exe 3268 JaffaCakes118_b74f8691313be0c724b71d356c4b9b40.exe 3268 JaffaCakes118_b74f8691313be0c724b71d356c4b9b40.exe 3268 JaffaCakes118_b74f8691313be0c724b71d356c4b9b40.exe 3268 JaffaCakes118_b74f8691313be0c724b71d356c4b9b40.exe 3268 
JaffaCakes118_b74f8691313be0c724b71d356c4b9b40.exe 3268 JaffaCakes118_b74f8691313be0c724b71d356c4b9b40.exe 3268 JaffaCakes118_b74f8691313be0c724b71d356c4b9b40.exe 3268 JaffaCakes118_b74f8691313be0c724b71d356c4b9b40.exe 3268 JaffaCakes118_b74f8691313be0c724b71d356c4b9b40.exe 3268 JaffaCakes118_b74f8691313be0c724b71d356c4b9b40.exe 3268 JaffaCakes118_b74f8691313be0c724b71d356c4b9b40.exe 3268 JaffaCakes118_b74f8691313be0c724b71d356c4b9b40.exe 3268 JaffaCakes118_b74f8691313be0c724b71d356c4b9b40.exe 3268 JaffaCakes118_b74f8691313be0c724b71d356c4b9b40.exe 3268 JaffaCakes118_b74f8691313be0c724b71d356c4b9b40.exe 3268 JaffaCakes118_b74f8691313be0c724b71d356c4b9b40.exe 3268 JaffaCakes118_b74f8691313be0c724b71d356c4b9b40.exe 3268 JaffaCakes118_b74f8691313be0c724b71d356c4b9b40.exe 1224 lrzckk.exe 1224 lrzckk.exe 3268 JaffaCakes118_b74f8691313be0c724b71d356c4b9b40.exe 3268 JaffaCakes118_b74f8691313be0c724b71d356c4b9b40.exe 3268 JaffaCakes118_b74f8691313be0c724b71d356c4b9b40.exe 3268 JaffaCakes118_b74f8691313be0c724b71d356c4b9b40.exe 3268 JaffaCakes118_b74f8691313be0c724b71d356c4b9b40.exe 3268 JaffaCakes118_b74f8691313be0c724b71d356c4b9b40.exe 3268 JaffaCakes118_b74f8691313be0c724b71d356c4b9b40.exe 3268 JaffaCakes118_b74f8691313be0c724b71d356c4b9b40.exe 3268 JaffaCakes118_b74f8691313be0c724b71d356c4b9b40.exe 3268 JaffaCakes118_b74f8691313be0c724b71d356c4b9b40.exe 3268 JaffaCakes118_b74f8691313be0c724b71d356c4b9b40.exe 3268 JaffaCakes118_b74f8691313be0c724b71d356c4b9b40.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process
Token: SeDebugPrivilege 1224 lrzckk.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 3268 wrote to memory of 4316 3268 JaffaCakes118_b74f8691313be0c724b71d356c4b9b40.exe 88
PID 3268 wrote to memory of 4316 3268 JaffaCakes118_b74f8691313be0c724b71d356c4b9b40.exe 88
PID 3268 wrote to memory of 4316 3268 JaffaCakes118_b74f8691313be0c724b71d356c4b9b40.exe 88
PID 4888 wrote to memory of 4832 4888 cmd.exe 91
PID 4888 wrote to memory of 4832 4888 cmd.exe 91
PID 4888 wrote to memory of 4832 4888 cmd.exe 91
PID 5768 wrote to memory of 4168 5768 cmd.exe 94
PID 5768 wrote to memory of 4168 5768 cmd.exe 94
PID 5768 wrote to memory of 4168 5768 cmd.exe 94
PID 4168 wrote to memory of 4864 4168 nfzoiutewpuqfeqsac.exe 97
PID 4168 wrote to memory of 4864 4168 nfzoiutewpuqfeqsac.exe 97
PID 4168 wrote to memory of 4864 4168 nfzoiutewpuqfeqsac.exe 97
PID 4932 wrote to memory of 1860 4932 cmd.exe 100
PID 4932 wrote to memory of 1860 4932 cmd.exe 100
PID 4932 wrote to memory of 1860 4932 cmd.exe 100
PID 4868 wrote to memory of 1616 4868 cmd.exe 103
PID 4868 wrote to memory of 1616 4868 cmd.exe 103
PID 4868 wrote to memory of 1616 4868 cmd.exe 103
PID 4644 wrote to memory of 2224 4644 cmd.exe 106
PID 4644 wrote to memory of 2224 4644 cmd.exe 106
PID 4644 wrote to memory of 2224 4644 cmd.exe 106
PID 4192 wrote to memory of 3912 4192 cmd.exe 107
PID 4192 wrote to memory of 3912 4192 cmd.exe 107
PID 4192 wrote to memory of 3912 4192 cmd.exe 107
PID 1616 wrote to memory of 2844 1616 xnfskuraqhkeroyy.exe 108
PID 1616 wrote to memory of 2844 1616 xnfskuraqhkeroyy.exe 108
PID 1616 wrote to memory of 2844 1616 xnfskuraqhkeroyy.exe 108
PID 3912 wrote to memory of 3288 3912 xnfskuraqhkeroyy.exe 109
PID 3912 wrote to memory of 3288 3912 xnfskuraqhkeroyy.exe 109
PID 3912 wrote to memory of 3288 3912 xnfskuraqhkeroyy.exe 109
PID 3296 wrote to memory of 4264 3296 cmd.exe 114
PID 3296 wrote to memory of 4264 3296 cmd.exe 114
PID 3296 wrote to memory of 4264 3296 cmd.exe 114
PID 928 wrote to memory of 992 928 cmd.exe 115
PID 928 wrote to memory of 992 928 cmd.exe 115
PID 928 wrote to memory of 992 928 cmd.exe 115
PID 992 wrote to memory of 2468 992 nfzoiutewpuqfeqsac.exe 116
PID 992 wrote to memory of 2468 992 nfzoiutewpuqfeqsac.exe 116
PID 992 wrote to memory of 2468 992 nfzoiutewpuqfeqsac.exe 116
PID 4316 wrote to memory of 1224 4316 bqyqvqrmlai.exe 117
PID 4316 wrote to memory of 1224 4316 bqyqvqrmlai.exe 117
PID 4316 wrote to memory of 1224 4316 bqyqvqrmlai.exe 117
PID 4316 wrote to memory of 1604 4316 bqyqvqrmlai.exe 118
PID 4316 wrote to memory of 1604 4316 bqyqvqrmlai.exe 118
PID 4316 wrote to memory of 1604 4316 bqyqvqrmlai.exe 118
PID 6132 wrote to memory of 3732 6132 cmd.exe 123
PID 6132 wrote to memory of 3732 6132 cmd.exe 123
PID 6132 wrote to memory of 3732 6132 cmd.exe 123
PID 5884 wrote to memory of 3212 5884 cmd.exe 126
PID 5884 wrote to memory of 3212 5884 cmd.exe 126
PID 5884 wrote to memory of 3212 5884 cmd.exe 126
PID 5404 wrote to memory of 3428 5404 cmd.exe 129
PID 5404 wrote to memory of 3428 5404 cmd.exe 129
PID 5404 wrote to memory of 3428 5404 cmd.exe 129
PID 4708 wrote to memory of 460 4708 cmd.exe 133
PID 4708 wrote to memory of 460 4708 cmd.exe 133
PID 4708 wrote to memory of 460 4708 cmd.exe 133
PID 3428 wrote to memory of 1544 3428 evocvgeofxbwkitub.exe 292
PID 3428 wrote to memory of 1544 3428 evocvgeofxbwkitub.exe 292
PID 3428 wrote to memory of 1544 3428 evocvgeofxbwkitub.exe 292
PID 3284 wrote to memory of 3800 3284 cmd.exe 138
PID 3284 wrote to memory of 3800 3284 cmd.exe 138
PID 3284 wrote to memory of 3800 3284 cmd.exe 138
PID 460 wrote to memory of 396 460 nfzoiutewpuqfeqsac.exe 342
System policy modification 1 TTPs 64 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System bqyqvqrmlai.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System bqyqvqrmlai.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System bqyqvqrmlai.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" lrzckk.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System bqyqvqrmlai.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" lrzckk.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" lrzckk.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System bqyqvqrmlai.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System bqyqvqrmlai.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" lrzckk.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" lrzckk.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer lrzckk.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System bqyqvqrmlai.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System lrzckk.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" lrzckk.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" lrzckk.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" lrzckk.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" lrzckk.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" lrzckk.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System bqyqvqrmlai.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" bqyqvqrmlai.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System lrzckk.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" lrzckk.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" bqyqvqrmlai.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer bqyqvqrmlai.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" lrzckk.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" lrzckk.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System bqyqvqrmlai.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lrzckk.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lrzckk.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" lrzckk.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System bqyqvqrmlai.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" lrzckk.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" lrzckk.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" bqyqvqrmlai.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System bqyqvqrmlai.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System bqyqvqrmlai.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" bqyqvqrmlai.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer lrzckk.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System bqyqvqrmlai.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" bqyqvqrmlai.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System bqyqvqrmlai.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System bqyqvqrmlai.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System bqyqvqrmlai.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" lrzckk.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe
Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b74f8691313be0c724b71d356c4b9b40.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b74f8691313be0c724b71d356c4b9b40.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3268
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_b74f8691313be0c724b71d356c4b9b40.exe*"
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Hijack Execution Flow: Executable Installer File Permissions Weakness
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - System policy modification
      PID:4316
        C:\Users\Admin\AppData\Local\Temp\lrzckk.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\lrzckk.exe" "-C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe"
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Disables RegEdit via registry modification
          - Executes dropped EXE
          - Impair Defenses: Safe Mode Boot
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Hijack Execution Flow: Executable Installer File Permissions Weakness
          - Drops autorun.inf file
          - Drops file in System32 directory
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - System policy modification
          PID:1224
        C:\Users\Admin\AppData\Local\Temp\lrzckk.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\lrzckk.exe" "-C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe"
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Disables RegEdit via registry modification
          - Executes dropped EXE
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Hijack Execution Flow: Executable Installer File Permissions Weakness
          - Drops file in System32 directory
          - Drops file in Windows directory
          - System policy modification
          PID:1604
C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c xnfskuraqhkeroyy.exe
  - Suspicious use of WriteProcessMemory
  PID:4888
    C:\Windows\xnfskuraqhkeroyy.exe
      Command line: xnfskuraqhkeroyy.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID:4832

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c nfzoiutewpuqfeqsac.exe .
  - Suspicious use of WriteProcessMemory
  PID:5768
    C:\Windows\nfzoiutewpuqfeqsac.exe
      Command line: nfzoiutewpuqfeqsac.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:4168
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\nfzoiutewpuqfeqsac.exe*."
          - Executes dropped EXE
          PID:4864

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c evocvgeofxbwkitub.exe
  - Suspicious use of WriteProcessMemory
  PID:4932
    C:\Windows\evocvgeofxbwkitub.exe
      Command line: evocvgeofxbwkitub.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID:1860

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c xnfskuraqhkeroyy.exe .
  - Suspicious use of WriteProcessMemory
  PID:4868
    C:\Windows\xnfskuraqhkeroyy.exe
      Command line: xnfskuraqhkeroyy.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:1616
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\xnfskuraqhkeroyy.exe*."
          - Executes dropped EXE
          PID:2844
C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe
  - Suspicious use of WriteProcessMemory
  PID:4644
    C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID:2224

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe .
  - Suspicious use of WriteProcessMemory
  PID:4192
    C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe .
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID:3912
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\xnfskuraqhkeroyy.exe*."
          - Executes dropped EXE
          PID:3288

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe
  - Suspicious use of WriteProcessMemory
  PID:3296
    C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe
      - Executes dropped EXE
      PID:4264

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe .
  - Suspicious use of WriteProcessMemory
  PID:928
    C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:992
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\nfzoiutewpuqfeqsac.exe*."
          - Executes dropped EXE
          PID:2468
C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c lfbsocdqkfmkbcqueihb.exe
  - Suspicious use of WriteProcessMemory
  PID:6132
    C:\Windows\lfbsocdqkfmkbcqueihb.exe
      Command line: lfbsocdqkfmkbcqueihb.exe
      - Executes dropped EXE
      PID:3732

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c lfbsocdqkfmkbcqueihb.exe
  - Suspicious use of WriteProcessMemory
  PID:5884
    C:\Windows\lfbsocdqkfmkbcqueihb.exe
      Command line: lfbsocdqkfmkbcqueihb.exe
      - Executes dropped EXE
      PID:3212

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c evocvgeofxbwkitub.exe .
  - Suspicious use of WriteProcessMemory
  PID:5404
    C:\Windows\evocvgeofxbwkitub.exe
      Command line: evocvgeofxbwkitub.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID:3428
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\evocvgeofxbwkitub.exe*."
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Executes dropped EXE
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in System32 directory
          - Drops file in Windows directory
          - System policy modification
          PID:1544

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c nfzoiutewpuqfeqsac.exe .
  - Suspicious use of WriteProcessMemory
  PID:4708
    C:\Windows\nfzoiutewpuqfeqsac.exe
      Command line: nfzoiutewpuqfeqsac.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:460
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\nfzoiutewpuqfeqsac.exe*."
          - Executes dropped EXE
          PID:396
C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c yrmcxkkwpjpmccpsbec.exe
  - Suspicious use of WriteProcessMemory
  PID:3284
    C:\Windows\yrmcxkkwpjpmccpsbec.exe
      Command line: yrmcxkkwpjpmccpsbec.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID:3800

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c avskhwymhdlkcetyjoojg.exe .
  PID:1948
    C:\Windows\avskhwymhdlkcetyjoojg.exe
      Command line: avskhwymhdlkcetyjoojg.exe .
      - Executes dropped EXE
      PID:4904
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\avskhwymhdlkcetyjoojg.exe*."
          - Executes dropped EXE
          PID:5936

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c xnfskuraqhkeroyy.exe
  PID:1964
    C:\Windows\xnfskuraqhkeroyy.exe
      Command line: xnfskuraqhkeroyy.exe
      - Executes dropped EXE
      PID:1624

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe
  PID:1924
    C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe
      - Executes dropped EXE
      PID:4732

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c avskhwymhdlkcetyjoojg.exe .
  PID:1952
    C:\Windows\avskhwymhdlkcetyjoojg.exe
      Command line: avskhwymhdlkcetyjoojg.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID:5284
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\avskhwymhdlkcetyjoojg.exe*."
          - Executes dropped EXE
          PID:2864

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe .
  PID:1172
    C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe .
      - Executes dropped EXE
      PID:5160
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\evocvgeofxbwkitub.exe*."
          - Executes dropped EXE
          PID:3988
C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe
  PID:2904
    C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe
      - Executes dropped EXE
      PID:5828

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe .
  PID:1216
    C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe .
      - Checks computer location settings
      - Executes dropped EXE
      PID:4804
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\avskhwymhdlkcetyjoojg.exe*."
          - Executes dropped EXE
          PID:6000

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe
  PID:5968
    C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe
      - Executes dropped EXE
      PID:3404

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe .
  PID:5856
    C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe .
      - Checks computer location settings
      - Executes dropped EXE
      PID:2272
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\nfzoiutewpuqfeqsac.exe*."
          - Executes dropped EXE
          PID:2132

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c yrmcxkkwpjpmccpsbec.exe
  PID:4144
    C:\Windows\yrmcxkkwpjpmccpsbec.exe
      Command line: yrmcxkkwpjpmccpsbec.exe
      - Executes dropped EXE
      PID:1052

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe
  PID:4672
    C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID:3876

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c nfzoiutewpuqfeqsac.exe .
  PID:4760
    C:\Windows\nfzoiutewpuqfeqsac.exe
      Command line: nfzoiutewpuqfeqsac.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID:4968
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\nfzoiutewpuqfeqsac.exe*."
          - Executes dropped EXE
          PID:3948
C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe .
  PID:4960
    C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe .
      - Executes dropped EXE
      PID:1184
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\avskhwymhdlkcetyjoojg.exe*."
          - Executes dropped EXE
          PID:5468

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c avskhwymhdlkcetyjoojg.exe
  PID:724
    C:\Windows\avskhwymhdlkcetyjoojg.exe
      Command line: avskhwymhdlkcetyjoojg.exe
      - Executes dropped EXE
      PID:4484

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c evocvgeofxbwkitub.exe .
  PID:5088
    C:\Windows\evocvgeofxbwkitub.exe
      Command line: evocvgeofxbwkitub.exe .
      - Executes dropped EXE
      PID:5368
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\evocvgeofxbwkitub.exe*."
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Executes dropped EXE
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in System32 directory
          - Drops file in Windows directory
          - System policy modification
          PID:2364

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe
  PID:5016
    C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe
      - Executes dropped EXE
      PID:4252

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe .
  PID:4796
    C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID:2924
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\avskhwymhdlkcetyjoojg.exe*."
          - Executes dropped EXE
          PID:1340

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe
  PID:2944
    C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe
      - Executes dropped EXE
      PID:2056

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe .
  PID:2728
    C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID:3684
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\avskhwymhdlkcetyjoojg.exe*."
          - Executes dropped EXE
          PID:1772
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nfzoiutewpuqfeqsac.exe1⤵PID:5812
-
C:\Windows\nfzoiutewpuqfeqsac.exenfzoiutewpuqfeqsac.exe2⤵
- Executes dropped EXE
PID:532
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nfzoiutewpuqfeqsac.exe .1⤵PID:5444
-
C:\Windows\nfzoiutewpuqfeqsac.exenfzoiutewpuqfeqsac.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6128 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\nfzoiutewpuqfeqsac.exe*."3⤵
- Executes dropped EXE
PID:4272
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xnfskuraqhkeroyy.exe1⤵PID:1972
-
C:\Windows\xnfskuraqhkeroyy.exexnfskuraqhkeroyy.exe2⤵
- Executes dropped EXE
PID:3928
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nfzoiutewpuqfeqsac.exe .1⤵PID:5708
-
C:\Windows\nfzoiutewpuqfeqsac.exenfzoiutewpuqfeqsac.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
PID:5696 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\nfzoiutewpuqfeqsac.exe*."3⤵
- Executes dropped EXE
PID:4532
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe1⤵PID:2212
-
C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exeC:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe2⤵
- Executes dropped EXE
PID:3824
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe .1⤵PID:5412
-
C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exeC:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5252 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\yrmcxkkwpjpmccpsbec.exe*."3⤵
- Executes dropped EXE
PID:2560
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nfzoiutewpuqfeqsac.exe1⤵PID:1940
-
C:\Windows\nfzoiutewpuqfeqsac.exenfzoiutewpuqfeqsac.exe2⤵
- Executes dropped EXE
PID:464
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lfbsocdqkfmkbcqueihb.exe .1⤵PID:3284
-
C:\Windows\lfbsocdqkfmkbcqueihb.exelfbsocdqkfmkbcqueihb.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
PID:932 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\lfbsocdqkfmkbcqueihb.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4904
-
-
-
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe | PID:796
    C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe | C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe | PID:2128
      - Executes dropped EXE

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe . | PID:2448
    C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe | C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe . | PID:5036
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\xnfskuraqhkeroyy.exe*." | PID:4808

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c avskhwymhdlkcetyjoojg.exe | PID:3676
    C:\Windows\avskhwymhdlkcetyjoojg.exe | avskhwymhdlkcetyjoojg.exe | PID:5284

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xnfskuraqhkeroyy.exe | PID:1936
    C:\Windows\xnfskuraqhkeroyy.exe | xnfskuraqhkeroyy.exe | PID:4784

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c yrmcxkkwpjpmccpsbec.exe . | PID:4100
    C:\Windows\yrmcxkkwpjpmccpsbec.exe | yrmcxkkwpjpmccpsbec.exe . | PID:5236
      - Checks computer location settings
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\yrmcxkkwpjpmccpsbec.exe*." | PID:1440

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c yrmcxkkwpjpmccpsbec.exe . | PID:4948
    C:\Windows\yrmcxkkwpjpmccpsbec.exe | yrmcxkkwpjpmccpsbec.exe . | PID:2888
      - Checks computer location settings
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\yrmcxkkwpjpmccpsbec.exe*." | PID:4992

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe | PID:5992
    C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe | C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe | PID:4712

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe . | PID:4584
    C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe | C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe . | PID:3712
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\xnfskuraqhkeroyy.exe*." | PID:3828

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c nfzoiutewpuqfeqsac.exe | PID:5032
    C:\Windows\nfzoiutewpuqfeqsac.exe | nfzoiutewpuqfeqsac.exe | PID:508

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c avskhwymhdlkcetyjoojg.exe . | PID:4448
    C:\Windows\avskhwymhdlkcetyjoojg.exe | avskhwymhdlkcetyjoojg.exe . | PID:3948
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\avskhwymhdlkcetyjoojg.exe*." | PID:4776

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe | PID:1052
    C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe | C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe | PID:4636

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe | PID:3816
    C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:5160
    C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe | C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe | PID:4704

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe . | PID:3988
    C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe | C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe . | PID:2268
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\yrmcxkkwpjpmccpsbec.exe*." | PID:4464

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe . | PID:5968
    C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe | C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe . | PID:4536
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\avskhwymhdlkcetyjoojg.exe*." | PID:4612

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c avskhwymhdlkcetyjoojg.exe | PID:64
    C:\Windows\avskhwymhdlkcetyjoojg.exe | avskhwymhdlkcetyjoojg.exe | PID:4956

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe | PID:1184
    C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe | C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe | PID:1880

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c lfbsocdqkfmkbcqueihb.exe . | PID:4716
    C:\Windows\lfbsocdqkfmkbcqueihb.exe | lfbsocdqkfmkbcqueihb.exe . | PID:3252
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\lfbsocdqkfmkbcqueihb.exe*." | PID:2968

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe . | PID:724
    C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe | C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe . | PID:3296
      - Checks computer location settings
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\yrmcxkkwpjpmccpsbec.exe*." | PID:3684

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c nfzoiutewpuqfeqsac.exe | PID:6052
    C:\Windows\nfzoiutewpuqfeqsac.exe | nfzoiutewpuqfeqsac.exe | PID:3216

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c lfbsocdqkfmkbcqueihb.exe . | PID:1544
    C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:2924
    C:\Windows\lfbsocdqkfmkbcqueihb.exe | lfbsocdqkfmkbcqueihb.exe . | PID:1652
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\lfbsocdqkfmkbcqueihb.exe*." | PID:5140

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe | PID:5500
    C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe | C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe | PID:5996

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe . | PID:1212
    C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe | C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe . | PID:2096
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\avskhwymhdlkcetyjoojg.exe*." | PID:3660

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe | PID:1084
    C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe | C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe | PID:3756

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe . | PID:2916
    C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe | C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe . | PID:3692
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\avskhwymhdlkcetyjoojg.exe*." | PID:2700
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in Windows directory
          - System policy modification

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c yrmcxkkwpjpmccpsbec.exe | PID:5696
    C:\Windows\yrmcxkkwpjpmccpsbec.exe | yrmcxkkwpjpmccpsbec.exe | PID:5708

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xnfskuraqhkeroyy.exe . | PID:2140
    C:\Windows\xnfskuraqhkeroyy.exe | xnfskuraqhkeroyy.exe . | PID:1260
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\xnfskuraqhkeroyy.exe*." | PID:3908

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c yrmcxkkwpjpmccpsbec.exe | PID:2328
    C:\Windows\yrmcxkkwpjpmccpsbec.exe | yrmcxkkwpjpmccpsbec.exe | PID:3884

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c evocvgeofxbwkitub.exe . | PID:5208
    C:\Windows\evocvgeofxbwkitub.exe | evocvgeofxbwkitub.exe . | PID:4380
      - Checks computer location settings
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\evocvgeofxbwkitub.exe*." | PID:4040

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe | PID:4772
    C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe | C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe | PID:5760

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe . | PID:1460
    C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe | C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe . | PID:2092
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\xnfskuraqhkeroyy.exe*." | PID:932

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe | PID:4216
    C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe | C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe | PID:4304

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe . | PID:1332
    C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe | C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe . | PID:1968
      - Checks computer location settings
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\xnfskuraqhkeroyy.exe*." | PID:396
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in System32 directory
          - Drops file in Windows directory
          - System policy modification

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xnfskuraqhkeroyy.exe | PID:5576
    C:\Windows\xnfskuraqhkeroyy.exe | xnfskuraqhkeroyy.exe | PID:5652

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xnfskuraqhkeroyy.exe . | PID:1172
    C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:2864
    C:\Windows\xnfskuraqhkeroyy.exe | xnfskuraqhkeroyy.exe . | PID:3288
      - Checks computer location settings
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\xnfskuraqhkeroyy.exe*." | PID:1952

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c yrmcxkkwpjpmccpsbec.exe | PID:6032
    C:\Windows\yrmcxkkwpjpmccpsbec.exe | yrmcxkkwpjpmccpsbec.exe | PID:4996

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c yrmcxkkwpjpmccpsbec.exe . | PID:5624
    C:\Windows\yrmcxkkwpjpmccpsbec.exe | yrmcxkkwpjpmccpsbec.exe . | PID:3668
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\yrmcxkkwpjpmccpsbec.exe*." | PID:1044

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe | PID:6068
    C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe | C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe | PID:4480

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe . | PID:916
    C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe | C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe . | PID:5532
      - Checks computer location settings
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\xnfskuraqhkeroyy.exe*." | PID:1180

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe | PID:4900
    C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe | C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe | PID:5468

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe . | PID:64
    C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe | C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe . | PID:4972
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\xnfskuraqhkeroyy.exe*." | PID:4936
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in System32 directory
          - Drops file in Windows directory
          - System policy modification

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c yrmcxkkwpjpmccpsbec.exe | PID:3232
    C:\Windows\yrmcxkkwpjpmccpsbec.exe | yrmcxkkwpjpmccpsbec.exe | PID:5740

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xnfskuraqhkeroyy.exe . | PID:744
    C:\Windows\xnfskuraqhkeroyy.exe | xnfskuraqhkeroyy.exe . | PID:1444
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\xnfskuraqhkeroyy.exe*." | PID:5520

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c lfbsocdqkfmkbcqueihb.exe | PID:1976
    C:\Windows\lfbsocdqkfmkbcqueihb.exe | lfbsocdqkfmkbcqueihb.exe | PID:5996

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c lfbsocdqkfmkbcqueihb.exe . | PID:3148
    C:\Windows\lfbsocdqkfmkbcqueihb.exe | lfbsocdqkfmkbcqueihb.exe . | PID:2376
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\lfbsocdqkfmkbcqueihb.exe*." | PID:1344

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe | PID:6020
    C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe | C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe | PID:5868

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe . | PID:4752
    C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe | C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe . | PID:5680
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\xnfskuraqhkeroyy.exe*." | PID:5928

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe | PID:1980
    C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe | C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe | PID:2884

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe . | PID:3484
    C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe | C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe . | PID:6008
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\nfzoiutewpuqfeqsac.exe*." | PID:4272
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in System32 directory
          - Drops file in Windows directory
          - System policy modification

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c nfzoiutewpuqfeqsac.exe | PID:1712
    C:\Windows\nfzoiutewpuqfeqsac.exe | nfzoiutewpuqfeqsac.exe | PID:5092

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c lfbsocdqkfmkbcqueihb.exe . | PID:4320
    C:\Windows\lfbsocdqkfmkbcqueihb.exe | lfbsocdqkfmkbcqueihb.exe . | PID:956
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\lfbsocdqkfmkbcqueihb.exe*." | PID:4156

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xnfskuraqhkeroyy.exe | PID:5952
    C:\Windows\xnfskuraqhkeroyy.exe | xnfskuraqhkeroyy.exe | PID:5544

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c avskhwymhdlkcetyjoojg.exe . | PID:5708
    C:\Windows\avskhwymhdlkcetyjoojg.exe | avskhwymhdlkcetyjoojg.exe . | PID:384
      - Checks computer location settings
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\avskhwymhdlkcetyjoojg.exe*." | PID:3772

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe | PID:5696
    C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe | C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe | PID:1896

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe . | PID:5820
    C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe | C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe . | PID:1220
      - Checks computer location settings
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\lfbsocdqkfmkbcqueihb.exe*." | PID:5760

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe | PID:6112
    C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe | C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe | PID:4380

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe . | PID:4952
    C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe | C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe . | PID:2280
      - Checks computer location settings
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\avskhwymhdlkcetyjoojg.exe*." | PID:3544
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in System32 directory
          - Drops file in Windows directory
          - System policy modification

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xnfskuraqhkeroyy.exe | PID:908
    C:\Windows\xnfskuraqhkeroyy.exe | xnfskuraqhkeroyy.exe | PID:3516

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c lfbsocdqkfmkbcqueihb.exe . | PID:5572
    C:\Windows\lfbsocdqkfmkbcqueihb.exe | lfbsocdqkfmkbcqueihb.exe . | PID:1736
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\lfbsocdqkfmkbcqueihb.exe*." | PID:3172

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c nfzoiutewpuqfeqsac.exe | PID:5212
    C:\Windows\nfzoiutewpuqfeqsac.exe | nfzoiutewpuqfeqsac.exe | PID:4344

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c nfzoiutewpuqfeqsac.exe . | PID:1576
    C:\Windows\nfzoiutewpuqfeqsac.exe | nfzoiutewpuqfeqsac.exe . | PID:4356
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\nfzoiutewpuqfeqsac.exe*." | PID:5896

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe | PID:856
    C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe | C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe | PID:4208

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe . | PID:1952
    C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe | C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe . | PID:1520
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\lfbsocdqkfmkbcqueihb.exe*." | PID:2076

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe | PID:4776
    C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe | C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe | PID:4212

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe . | PID:548
    C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe | C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe . | PID:5288
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\avskhwymhdlkcetyjoojg.exe*." | PID:5780
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in System32 directory
          - Drops file in Windows directory
          - System policy modification

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c lfbsocdqkfmkbcqueihb.exe | PID:4912
    C:\Windows\lfbsocdqkfmkbcqueihb.exe | lfbsocdqkfmkbcqueihb.exe | PID:4168

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c avskhwymhdlkcetyjoojg.exe | PID:1324
    C:\Windows\avskhwymhdlkcetyjoojg.exe | avskhwymhdlkcetyjoojg.exe | PID:4284

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c yrmcxkkwpjpmccpsbec.exe . | PID:2412
    C:\Windows\yrmcxkkwpjpmccpsbec.exe | yrmcxkkwpjpmccpsbec.exe . | PID:5356
      - Checks computer location settings
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\yrmcxkkwpjpmccpsbec.exe*." | PID:3272

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c avskhwymhdlkcetyjoojg.exe . | PID:64
    C:\Windows\avskhwymhdlkcetyjoojg.exe | avskhwymhdlkcetyjoojg.exe . | PID:3144
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\avskhwymhdlkcetyjoojg.exe*." | PID:2376

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c yrmcxkkwpjpmccpsbec.exe | PID:5300
    C:\Windows\yrmcxkkwpjpmccpsbec.exe | yrmcxkkwpjpmccpsbec.exe | PID:636

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c evocvgeofxbwkitub.exe | PID:4908
    C:\Windows\evocvgeofxbwkitub.exe | evocvgeofxbwkitub.exe | PID:3348

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c evocvgeofxbwkitub.exe | PID:3684
    C:\Windows\evocvgeofxbwkitub.exe | evocvgeofxbwkitub.exe | PID:6076

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c evocvgeofxbwkitub.exe . | PID:1400
    C:\Windows\evocvgeofxbwkitub.exe | evocvgeofxbwkitub.exe . | PID:2924
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\evocvgeofxbwkitub.exe*." | PID:2380

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c lfbsocdqkfmkbcqueihb.exe . | PID:4688
    C:\Windows\lfbsocdqkfmkbcqueihb.exe | lfbsocdqkfmkbcqueihb.exe . | PID:2036
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\lfbsocdqkfmkbcqueihb.exe*." | PID:992

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe | PID:660
    C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe | C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe | PID:4156

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c evocvgeofxbwkitub.exe . | PID:4916
    C:\Windows\evocvgeofxbwkitub.exe | evocvgeofxbwkitub.exe . | PID:3212
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\evocvgeofxbwkitub.exe*." | PID:6112
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in System32 directory
          - Drops file in Windows directory
          - System policy modification

C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe .1⤵PID:4596
-
C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exeC:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4692 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\avskhwymhdlkcetyjoojg.exe*."3⤵PID:5896
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe1⤵PID:5916
-
C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exeC:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe2⤵PID:3264
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yrmcxkkwpjpmccpsbec.exe1⤵PID:2472
-
C:\Windows\yrmcxkkwpjpmccpsbec.exeyrmcxkkwpjpmccpsbec.exe2⤵PID:384
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe .1⤵PID:3292
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2884
-
-
C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exeC:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe .2⤵PID:1756
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\yrmcxkkwpjpmccpsbec.exe*."3⤵PID:5936
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nfzoiutewpuqfeqsac.exe .1⤵PID:452
-
C:\Windows\nfzoiutewpuqfeqsac.exenfzoiutewpuqfeqsac.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5488 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\nfzoiutewpuqfeqsac.exe*."3⤵PID:3444
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe1⤵PID:5260
-
C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exeC:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe2⤵PID:5476
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe1⤵PID:736
-
C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exeC:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe2⤵PID:2160
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe .1⤵PID:5748
-
C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exeC:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2128 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\xnfskuraqhkeroyy.exe*."3⤵PID:3656
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe1⤵PID:3068
-
C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exeC:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe2⤵PID:5208
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe .1⤵PID:3636
-
C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exeC:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2032 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\evocvgeofxbwkitub.exe*."3⤵PID:4832
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe .1⤵PID:3964
-
C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exeC:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe .2⤵
- Checks computer location settings
PID:4952 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\yrmcxkkwpjpmccpsbec.exe*."3⤵PID:1572
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe1⤵PID:2612
-
C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe2⤵PID:5412
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe .1⤵PID:4872
-
C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exeC:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe .2⤵PID:1964
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\avskhwymhdlkcetyjoojg.exe*."3⤵PID:4200
-
-
-
[1] C:\Windows\system32\cmd.exe (PID 5192)
    cmdline: C:\Windows\system32\cmd.exe /c xnfskuraqhkeroyy.exe
  [2] C:\Windows\System32\Conhost.exe (PID 4344)
      cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Windows\xnfskuraqhkeroyy.exe (PID 4628)
      cmdline: xnfskuraqhkeroyy.exe

[1] C:\Windows\system32\cmd.exe (PID 5032)
    cmdline: C:\Windows\system32\cmd.exe /c evocvgeofxbwkitub.exe .
  [2] C:\Windows\evocvgeofxbwkitub.exe (PID 5992)
      cmdline: evocvgeofxbwkitub.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 5016)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\evocvgeofxbwkitub.exe*."

[1] C:\Windows\system32\cmd.exe (PID 3828)
    cmdline: C:\Windows\system32\cmd.exe /c yrmcxkkwpjpmccpsbec.exe
  [2] C:\Windows\yrmcxkkwpjpmccpsbec.exe (PID 4536)
      cmdline: yrmcxkkwpjpmccpsbec.exe

[1] C:\Windows\system32\cmd.exe (PID 4212)
    cmdline: C:\Windows\system32\cmd.exe /c nfzoiutewpuqfeqsac.exe .
  [2] C:\Windows\nfzoiutewpuqfeqsac.exe (PID 4320)
      cmdline: nfzoiutewpuqfeqsac.exe .
      signatures:
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 1392)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\nfzoiutewpuqfeqsac.exe*."

[1] C:\Windows\system32\cmd.exe (PID 1044)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe
  [2] C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe (PID 4524)
      cmdline: C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe

[1] C:\Windows\system32\cmd.exe (PID 3948)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe (PID 4900)
      cmdline: C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe .
      signatures:
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 2060)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\evocvgeofxbwkitub.exe*."

[1] C:\Windows\system32\cmd.exe (PID 3708)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe
  [2] C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe (PID 3272)
      cmdline: C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe

[1] C:\Windows\system32\cmd.exe (PID 5968)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe (PID 2844)
      cmdline: C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe .
      signatures:
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 3280)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\yrmcxkkwpjpmccpsbec.exe*."
        signatures:
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification

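The launch pattern recorded in the tree above (cmd.exe /c starting a dropped copy from %TEMP% or by bare name from the root of C:\Windows, the copy run with a lone "." argument, then bqyqvqrmlai.exe being handed its parent's image path with "*." appended, and the Winlogon, Run-key and UAC signatures firing on that third process) is easier to hunt for once the flat dump is turned back into a tree. The Python below is an added example, not part of this sandbox report and not the sample's own code: it parses lines in the raw form the report uses (image path fused to the command line, then the depth digit, the ⤵ glyph and the PID, with the PID dropping below the "- signature" bullets whenever signatures are attached), rebuilds parent links from the depth markers, and flags the pattern. The sample input is constructed from entries that appear in this report; the rule texts and the names parse_tree, find_replication_chain, HIGH_SEVERITY and TEMP_DIR are my own.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Raw line: <image path><command line><depth>⤵PID:<pid>. When signatures are
# attached, the PID instead appears below the "- <signature>" bullets.
LINE_RE = re.compile(
    r'^(?P<image>[A-Za-z]:\\[^ "]*?\.exe)(?P<cmdline>.*?)(?P<depth>\d)⤵(?:PID:(?P<pid>\d+))?$')
PID_RE = re.compile(r'^PID:(\d+)')
TEMP_DIR = '\\appdata\\local\\temp\\'
# Signature names, as printed in this report, that mean persistence or policy tampering.
HIGH_SEVERITY = {'Modifies WinLogon for persistence', 'UAC bypass',
                 'Adds policy Run key to start application', 'System policy modification'}


@dataclass
class Proc:
    image: str
    cmdline: str
    depth: int
    pid: Optional[int] = None
    parent: Optional['Proc'] = None
    signatures: list = field(default_factory=list)


def basename(path: str) -> str:
    return path.rsplit('\\', 1)[-1].lower()


def parse_tree(text: str) -> list:
    """Rebuild parent links from the depth markers of the flat dump."""
    procs, last_at_depth, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if m:
            current = Proc(m['image'], m['cmdline'].strip(), int(m['depth']),
                           int(m['pid']) if m['pid'] else None)
            current.parent = last_at_depth.get(current.depth - 1)
            last_at_depth[current.depth] = current
            # Forget deeper entries so a later sibling cannot inherit a stale subtree.
            for d in [d for d in last_at_depth if d > current.depth]:
                del last_at_depth[d]
            procs.append(current)
        elif current is not None and line.startswith('- '):
            current.signatures.append(line[2:].strip())
        elif current is not None and PID_RE.match(line):
            current.pid = int(PID_RE.match(line).group(1))
    return procs


def find_replication_chain(procs: list) -> list:
    """Return (pid, reason) pairs for the launch pattern recorded in this report."""
    findings = []
    for p in procs:
        img, cmd = p.image.lower(), p.cmdline.lower()
        # cmd.exe /c starting a file from %TEMP%, or by bare name (resolved under C:\Windows here).
        if img.endswith('\\cmd.exe') and ' /c ' in cmd:
            target = cmd.split(' /c ', 1)[1].split()[0]
            if TEMP_DIR in target or '\\' not in target:
                findings.append((p.pid, 'cmd.exe /c launches dropped executable ' + basename(target)))
        # An executable placed directly under C:\Windows rather than in a system subdirectory.
        if img.startswith('c:\\windows\\') and img.count('\\') == 2:
            findings.append((p.pid, 'runs from the root of C:\\Windows'))
        # A child handed its parent's own image path with "*." appended.
        if cmd.endswith('*."') and p.parent is not None:
            arg = cmd.split('"')[-2][:-2]
            if basename(arg) == basename(p.parent.image):
                findings.append((p.pid, 'argument is the parent image path plus "*."'))
        for s in p.signatures:
            if s in HIGH_SEVERITY:
                findings.append((p.pid, 'signature: ' + s))
    return findings


# Constructed input: six entries copied in the raw form this report uses.
SAMPLE = r"""
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe .1⤵PID:5968
-
C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exeC:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2844 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\yrmcxkkwpjpmccpsbec.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
PID:3280
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xnfskuraqhkeroyy.exe1⤵PID:5192
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4344
C:\Windows\xnfskuraqhkeroyy.exexnfskuraqhkeroyy.exe2⤵PID:4628
"""

if __name__ == '__main__':
    for pid, reason in find_replication_chain(parse_tree(SAMPLE)):
        print(pid, reason)
```

The parent link is taken from the depth digit only, so the parser does not depend on the sandbox's PID column (PIDs are reused across the run: 5208, 4300 and 2296 each appear twice in this report). The conhost.exe entries are kept in the tree but produce no finding, which is the intended behaviour: they are console-host children of cmd.exe, not part of the replication chain.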
[1] C:\Windows\system32\wbem\wmiprvse.exe (PID 4464)
    cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

[1] C:\Windows\system32\cmd.exe (PID 532)
    cmdline: C:\Windows\system32\cmd.exe /c xnfskuraqhkeroyy.exe
  [2] C:\Windows\xnfskuraqhkeroyy.exe (PID 992)
      cmdline: xnfskuraqhkeroyy.exe

[1] C:\Windows\system32\cmd.exe (PID 2028)
    cmdline: C:\Windows\system32\cmd.exe /c xnfskuraqhkeroyy.exe .
  [2] C:\Windows\xnfskuraqhkeroyy.exe (PID 3224)
      cmdline: xnfskuraqhkeroyy.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 2000)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\xnfskuraqhkeroyy.exe*."

[1] C:\Windows\system32\cmd.exe (PID 3816)
    cmdline: C:\Windows\system32\cmd.exe /c yrmcxkkwpjpmccpsbec.exe
  [2] C:\Windows\yrmcxkkwpjpmccpsbec.exe (PID 2944)
      cmdline: yrmcxkkwpjpmccpsbec.exe

[1] C:\Windows\system32\cmd.exe (PID 4056)
    cmdline: C:\Windows\system32\cmd.exe /c xnfskuraqhkeroyy.exe .
  [2] C:\Windows\xnfskuraqhkeroyy.exe (PID 5340)
      cmdline: xnfskuraqhkeroyy.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 1300)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\xnfskuraqhkeroyy.exe*."

[1] C:\Windows\system32\cmd.exe (PID 4136)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe
  [2] C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe (PID 5448)
      cmdline: C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe

[1] C:\Windows\system32\cmd.exe (PID 5912)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe (PID 1480)
      cmdline: C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe .
      signatures:
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 4300)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\evocvgeofxbwkitub.exe*."

[1] C:\Windows\system32\cmd.exe (PID 2296)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe
  [2] C:\Windows\System32\Conhost.exe (PID 3824)
      cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe (PID 1756)
      cmdline: C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe

[1] C:\Windows\system32\cmd.exe (PID 4236)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe (PID 1008)
      cmdline: C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe .
      signatures:
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 4008)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\nfzoiutewpuqfeqsac.exe*."
        signatures:
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification

[1] C:\Windows\system32\cmd.exe (PID 5724)
    cmdline: C:\Windows\system32\cmd.exe /c lfbsocdqkfmkbcqueihb.exe
  [2] C:\Windows\lfbsocdqkfmkbcqueihb.exe (PID 1664)
      cmdline: lfbsocdqkfmkbcqueihb.exe

[1] C:\Windows\system32\cmd.exe (PID 3676)
    cmdline: C:\Windows\system32\cmd.exe /c evocvgeofxbwkitub.exe .
  [2] C:\Windows\System32\Conhost.exe (PID 2560)
      cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Windows\evocvgeofxbwkitub.exe (PID 2044)
      cmdline: evocvgeofxbwkitub.exe .
      signatures:
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 4804)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\evocvgeofxbwkitub.exe*."

[1] C:\Windows\system32\cmd.exe (PID 708)
    cmdline: C:\Windows\system32\cmd.exe /c yrmcxkkwpjpmccpsbec.exe
  [2] C:\Windows\System32\Conhost.exe (PID 2128)
      cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Windows\yrmcxkkwpjpmccpsbec.exe (PID 3292)
      cmdline: yrmcxkkwpjpmccpsbec.exe

[1] C:\Windows\system32\cmd.exe (PID 6000)
    cmdline: C:\Windows\system32\cmd.exe /c avskhwymhdlkcetyjoojg.exe .
  [2] C:\Windows\avskhwymhdlkcetyjoojg.exe (PID 4044)
      cmdline: avskhwymhdlkcetyjoojg.exe .
      signatures:
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 5740)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\avskhwymhdlkcetyjoojg.exe*."

[1] C:\Windows\system32\cmd.exe (PID 2064)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe
  [2] C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe (PID 5580)
      cmdline: C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe

[1] C:\Windows\system32\cmd.exe (PID 3896)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe (PID 5208)
      cmdline: C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe .
      signatures:
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 3732)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\lfbsocdqkfmkbcqueihb.exe*."

[1] C:\Windows\system32\cmd.exe (PID 5232)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe
  [2] C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe (PID 5988)
      cmdline: C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe

[1] C:\Windows\system32\cmd.exe (PID 4744)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe (PID 2364)
      cmdline: C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe .
      signatures:
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 4996)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\yrmcxkkwpjpmccpsbec.exe*."
        signatures:
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification

[1] C:\Windows\system32\cmd.exe (PID 1520)
    cmdline: C:\Windows\system32\cmd.exe /c avskhwymhdlkcetyjoojg.exe
  [2] C:\Windows\avskhwymhdlkcetyjoojg.exe (PID 5256)
      cmdline: avskhwymhdlkcetyjoojg.exe

[1] C:\Windows\system32\cmd.exe (PID 3828)
    cmdline: C:\Windows\system32\cmd.exe /c avskhwymhdlkcetyjoojg.exe .
  [2] C:\Windows\avskhwymhdlkcetyjoojg.exe (PID 2124)
      cmdline: avskhwymhdlkcetyjoojg.exe .
      signatures:
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 4600)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\avskhwymhdlkcetyjoojg.exe*."

[1] C:\Windows\system32\cmd.exe (PID 4820)
    cmdline: C:\Windows\system32\cmd.exe /c xnfskuraqhkeroyy.exe
  [2] C:\Windows\System32\Conhost.exe (PID 1180)
      cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Windows\xnfskuraqhkeroyy.exe (PID 1416)
      cmdline: xnfskuraqhkeroyy.exe

[1] C:\Windows\system32\cmd.exe (PID 5480)
    cmdline: C:\Windows\system32\cmd.exe /c lfbsocdqkfmkbcqueihb.exe .
  [2] C:\Windows\System32\Conhost.exe (PID 4168)
      cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Windows\lfbsocdqkfmkbcqueihb.exe (PID 5532)
      cmdline: lfbsocdqkfmkbcqueihb.exe .
      signatures:
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 5320)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\lfbsocdqkfmkbcqueihb.exe*."

[1] C:\Windows\system32\cmd.exe (PID 4556)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe
  [2] C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe (PID 3996)
      cmdline: C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe

[1] C:\Windows\system32\cmd.exe (PID 692)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe (PID 4800)
      cmdline: C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe .
      signatures:
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 1932)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\nfzoiutewpuqfeqsac.exe*."

[1] C:\Windows\system32\cmd.exe (PID 3448)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe
  [2] C:\Windows\System32\Conhost.exe (PID 5356)
      cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe (PID 3988)
      cmdline: C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe

[1] C:\Windows\system32\cmd.exe (PID 4028)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe (PID 5552)
      cmdline: C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe .
      signatures:
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 3176)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\evocvgeofxbwkitub.exe*."
        signatures:
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification

[1] C:\Windows\system32\cmd.exe (PID 3684)
    cmdline: C:\Windows\system32\cmd.exe /c lfbsocdqkfmkbcqueihb.exe
  [2] C:\Windows\lfbsocdqkfmkbcqueihb.exe (PID 1068)
      cmdline: lfbsocdqkfmkbcqueihb.exe

[1] C:\Windows\system32\cmd.exe (PID 5492)
    cmdline: C:\Windows\system32\cmd.exe /c yrmcxkkwpjpmccpsbec.exe .
  [2] C:\Windows\yrmcxkkwpjpmccpsbec.exe (PID 1976)
      cmdline: yrmcxkkwpjpmccpsbec.exe .
      signatures:
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 724)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\yrmcxkkwpjpmccpsbec.exe*."

[1] C:\Windows\system32\cmd.exe (PID 4908)
    cmdline: C:\Windows\system32\cmd.exe /c xnfskuraqhkeroyy.exe
  [2] C:\Windows\xnfskuraqhkeroyy.exe (PID 2160)
      cmdline: xnfskuraqhkeroyy.exe

[1] C:\Windows\system32\cmd.exe (PID 4136)
    cmdline: C:\Windows\system32\cmd.exe /c avskhwymhdlkcetyjoojg.exe .
  [2] C:\Windows\System32\Conhost.exe (PID 2096)
      cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Windows\avskhwymhdlkcetyjoojg.exe (PID 5928)
      cmdline: avskhwymhdlkcetyjoojg.exe .
      signatures:
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 4300)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\avskhwymhdlkcetyjoojg.exe*."

[1] C:\Windows\system32\cmd.exe (PID 2512)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe
  [2] C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe (PID 3884)
      cmdline: C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe

[1] C:\Windows\system32\cmd.exe (PID 2472)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe (PID 4272)
      cmdline: C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 2296)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\yrmcxkkwpjpmccpsbec.exe*."

[1] C:\Windows\system32\cmd.exe (PID 3548)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe
  [2] C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe (PID 4244)
      cmdline: C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe

[1] C:\Windows\system32\cmd.exe (PID 5776)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe .
  [2] C:\Windows\System32\Conhost.exe (PID 4040)
      cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe (PID 4236)
      cmdline: C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe .
      signatures:
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 5040)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\xnfskuraqhkeroyy.exe*."
        signatures:
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification

[1] C:\Windows\system32\cmd.exe (PID 2388)
    cmdline: C:\Windows\system32\cmd.exe /c evocvgeofxbwkitub.exe
  [2] C:\Windows\System32\Conhost.exe (PID 4304)
      cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Windows\evocvgeofxbwkitub.exe (PID 4216)
      cmdline: evocvgeofxbwkitub.exe

[1] C:\Windows\system32\cmd.exe (PID 2252)
    cmdline: C:\Windows\system32\cmd.exe /c yrmcxkkwpjpmccpsbec.exe .
  [2] C:\Windows\yrmcxkkwpjpmccpsbec.exe (PID 1736)
      cmdline: yrmcxkkwpjpmccpsbec.exe .
      signatures:
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 1808)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\yrmcxkkwpjpmccpsbec.exe*."

[1] C:\Windows\system32\cmd.exe (PID 5140)
    cmdline: C:\Windows\system32\cmd.exe /c lfbsocdqkfmkbcqueihb.exe
  [2] C:\Windows\lfbsocdqkfmkbcqueihb.exe (PID 3928)
      cmdline: lfbsocdqkfmkbcqueihb.exe

[1] C:\Windows\system32\cmd.exe (PID 2972)
    cmdline: C:\Windows\system32\cmd.exe /c avskhwymhdlkcetyjoojg.exe .
  [2] C:\Windows\avskhwymhdlkcetyjoojg.exe (PID 1572)
      cmdline: avskhwymhdlkcetyjoojg.exe .
      signatures:
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 3800)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\avskhwymhdlkcetyjoojg.exe*."

[1] C:\Windows\system32\cmd.exe (PID 3144)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe
  [2] C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe (PID 5980)
      cmdline: C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe

[1] C:\Windows\system32\cmd.exe (PID 5884)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe (PID 1964)
      cmdline: C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe .
      signatures:
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 5676)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\yrmcxkkwpjpmccpsbec.exe*."

[1] C:\Windows\system32\cmd.exe (PID 5988)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe
  [2] C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe (PID 4628)
      cmdline: C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe

[1] C:\Windows\system32\cmd.exe (PID 5560)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe (PID 1344)
      cmdline: C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe .
      signatures:
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 2076)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\xnfskuraqhkeroyy.exe*."
        signatures:
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification

[1] C:\Windows\system32\cmd.exe (PID 3388)
    cmdline: C:\Windows\system32\cmd.exe /c evocvgeofxbwkitub.exe
  [2] C:\Windows\evocvgeofxbwkitub.exe (PID 1968)
      cmdline: evocvgeofxbwkitub.exe

[1] C:\Windows\system32\cmd.exe (PID 4768)
    cmdline: C:\Windows\system32\cmd.exe /c evocvgeofxbwkitub.exe .
  [2] C:\Windows\evocvgeofxbwkitub.exe (PID 1044)
      cmdline: evocvgeofxbwkitub.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 5164)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\evocvgeofxbwkitub.exe*."

[1] C:\Windows\system32\cmd.exe (PID 3288)
    cmdline: C:\Windows\system32\cmd.exe /c evocvgeofxbwkitub.exe
  [2] C:\Windows\evocvgeofxbwkitub.exe (PID 4820)
      cmdline: evocvgeofxbwkitub.exe

[1] C:\Windows\system32\cmd.exe (PID 4696)
    cmdline: C:\Windows\system32\cmd.exe /c xnfskuraqhkeroyy.exe
  [2] C:\Windows\xnfskuraqhkeroyy.exe (PID 5740)
      cmdline: xnfskuraqhkeroyy.exe

[1] C:\Windows\system32\cmd.exe (PID 2708)
    cmdline: C:\Windows\system32\cmd.exe /c lfbsocdqkfmkbcqueihb.exe .
  [2] C:\Windows\lfbsocdqkfmkbcqueihb.exe (PID 2672)
      cmdline: lfbsocdqkfmkbcqueihb.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 4508)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\lfbsocdqkfmkbcqueihb.exe*."

[1] C:\Windows\system32\cmd.exe (PID 852)
    cmdline: C:\Windows\system32\cmd.exe /c xnfskuraqhkeroyy.exe .
  [2] C:\Windows\xnfskuraqhkeroyy.exe (PID 5204)
      cmdline: xnfskuraqhkeroyy.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 5884)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\xnfskuraqhkeroyy.exe*."

[1] C:\Windows\system32\cmd.exe (PID 1456)
    cmdline: C:\Windows\system32\cmd.exe /c lfbsocdqkfmkbcqueihb.exe
  [2] C:\Windows\lfbsocdqkfmkbcqueihb.exe (PID 3988)
      cmdline: lfbsocdqkfmkbcqueihb.exe

[1] C:\Windows\system32\cmd.exe (PID 4568)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe
  [2] C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe (PID 4868)
      cmdline: C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe

[1] C:\Windows\system32\cmd.exe (PID 5320)
    cmdline: C:\Windows\system32\cmd.exe /c lfbsocdqkfmkbcqueihb.exe
  [2] C:\Windows\lfbsocdqkfmkbcqueihb.exe (PID 4736)
      cmdline: lfbsocdqkfmkbcqueihb.exe

[1] C:\Windows\system32\cmd.exe (PID 2376)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe .
  [2] C:\Windows\System32\Conhost.exe (PID 3216)
      cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe (PID 4688)
      cmdline: C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe .
      signatures:
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 4272)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\nfzoiutewpuqfeqsac.exe*."

[1] C:\Windows\system32\cmd.exe (PID 940)
    cmdline: C:\Windows\system32\cmd.exe /c yrmcxkkwpjpmccpsbec.exe .
  [2] C:\Windows\yrmcxkkwpjpmccpsbec.exe (PID 3264)
      cmdline: yrmcxkkwpjpmccpsbec.exe .
      signatures:
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 4392)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\yrmcxkkwpjpmccpsbec.exe*."

[1] C:\Windows\system32\cmd.exe (PID 4608)
    cmdline: C:\Windows\system32\cmd.exe /c xnfskuraqhkeroyy.exe .
  [2] C:\Windows\xnfskuraqhkeroyy.exe (PID 368)
      cmdline: xnfskuraqhkeroyy.exe .
      signatures:
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 4032)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\xnfskuraqhkeroyy.exe*."

[1] C:\Windows\system32\cmd.exe (PID 944)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe
  [2] C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe (PID 5868)
      cmdline: C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe

[1] C:\Windows\system32\cmd.exe (PID 5220)
    cmdline: C:\Windows\system32\cmd.exe /c nfzoiutewpuqfeqsac.exe
  [2] C:\Windows\nfzoiutewpuqfeqsac.exe (PID 2676)
      cmdline: nfzoiutewpuqfeqsac.exe

[1] C:\Windows\system32\cmd.exe (PID 4716)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe
  [2] C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe (PID 5344)
      cmdline: C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe

[1] C:\Windows\system32\cmd.exe (PID 3704)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe (PID 3956)
      cmdline: C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe .
      signatures:
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 544)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\lfbsocdqkfmkbcqueihb.exe*."
        signatures:
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification

[1] C:\Windows\system32\cmd.exe (PID 2944)
    cmdline: C:\Windows\system32\cmd.exe /c lfbsocdqkfmkbcqueihb.exe .
  [2] C:\Windows\lfbsocdqkfmkbcqueihb.exe (PID 2852)
      cmdline: lfbsocdqkfmkbcqueihb.exe .
      signatures:
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 3676)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\lfbsocdqkfmkbcqueihb.exe*."

[1] C:\Windows\system32\cmd.exe (PID 3508)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe (PID 1004)
      cmdline: C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe .
      signatures:
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 4336)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\avskhwymhdlkcetyjoojg.exe*."

[1] C:\Windows\system32\cmd.exe (PID 1980)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe
  [2] C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe (PID 3516)
      cmdline: C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe

[1] C:\Windows\system32\cmd.exe (PID 3192)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe (PID 6020)
      cmdline: C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 2252)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\yrmcxkkwpjpmccpsbec.exe*."

[1] C:\Windows\system32\cmd.exe (PID 1508)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe
  [2] C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe (PID 5420)
      cmdline: C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe

[1] C:\Windows\system32\cmd.exe (PID 1756)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe .
  [2] C:\Windows\System32\Conhost.exe (PID 5760)
      cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe (PID 2956)
      cmdline: C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe .
      signatures:
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 2328)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\nfzoiutewpuqfeqsac.exe*."

[1] C:\Windows\system32\cmd.exe (PID 3860)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe
  [2] C:\Windows\System32\Conhost.exe (PID 992)
      cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe (PID 5580)
      cmdline: C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe

[1] C:\Windows\system32\cmd.exe (PID 1624)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe (PID 3172)
      cmdline: C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe .
      signatures:
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 3068)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\nfzoiutewpuqfeqsac.exe*."

[1] C:\Windows\system32\cmd.exe (PID 2932)
    cmdline: C:\Windows\system32\cmd.exe /c lfbsocdqkfmkbcqueihb.exe
  [2] C:\Windows\lfbsocdqkfmkbcqueihb.exe (PID 1032)
      cmdline: lfbsocdqkfmkbcqueihb.exe

[1] C:\Windows\system32\cmd.exe (PID 2700)
    cmdline: C:\Windows\system32\cmd.exe /c xnfskuraqhkeroyy.exe .
  [2] C:\Windows\System32\Conhost.exe (PID 4704)
      cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Windows\xnfskuraqhkeroyy.exe (PID 4356)
      cmdline: xnfskuraqhkeroyy.exe .
      signatures:
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 5040)
        cm*dline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\xnfskuraqhkeroyy.exe*."

[1] C:\Windows\system32\cmd.exe (PID 1652)
    cmdline: C:\Windows\system32\cmd.exe /c evocvgeofxbwkitub.exe
  [2] C:\Windows\evocvgeofxbwkitub.exe (PID 5984)
      cmdline: evocvgeofxbwkitub.exe

[1] C:\Windows\system32\cmd.exe (PID 2568)
    cmdline: C:\Windows\system32\cmd.exe /c nfzoiutewpuqfeqsac.exe .
  [2] C:\Windows\nfzoiutewpuqfeqsac.exe (PID 3740)
      cmdline: nfzoiutewpuqfeqsac.exe .
      signatures:
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 4820)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\nfzoiutewpuqfeqsac.exe*."

[1] C:\Windows\system32\cmd.exe (PID 2812)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe
  [2] C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe (PID 4860)
      cmdline: C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe

[1] C:\Windows\system32\cmd.exe (PID 3984)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe (PID 2848)
      cmdline: C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe .
      signatures:
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 2224)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\nfzoiutewpuqfeqsac.exe*."

[1] C:\Windows\system32\cmd.exe (PID 5432)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe
  [2] C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe (PID 5388)
      cmdline: C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe

[1] C:\Windows\system32\cmd.exe (PID 4616)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe (PID 4192)
      cmdline: C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 5292)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\yrmcxkkwpjpmccpsbec.exe*."
        signatures:
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification

[1] C:\Windows\system32\cmd.exe (PID 3996)
    cmdline: C:\Windows\system32\cmd.exe /c yrmcxkkwpjpmccpsbec.exe
  [2] C:\Windows\yrmcxkkwpjpmccpsbec.exe (PID 5568)
      cmdline: yrmcxkkwpjpmccpsbec.exe

[1] C:\Windows\system32\cmd.exe (PID 5408)
    cmdline: C:\Windows\system32\cmd.exe /c nfzoiutewpuqfeqsac.exe .
  [2] C:\Windows\nfzoiutewpuqfeqsac.exe (PID 3948)
      cmdline: nfzoiutewpuqfeqsac.exe .
      signatures:
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 3884)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\nfzoiutewpuqfeqsac.exe*."

[1] C:\Windows\system32\cmd.exe (PID 552)
    cmdline: C:\Windows\system32\cmd.exe /c xnfskuraqhkeroyy.exe
  [2] C:\Windows\xnfskuraqhkeroyy.exe (PID 2512)
      cmdline: xnfskuraqhkeroyy.exe

[1] C:\Windows\system32\cmd.exe (PID 1084)
    cmdline: C:\Windows\system32\cmd.exe /c evocvgeofxbwkitub.exe .
  [2] C:\Windows\evocvgeofxbwkitub.exe (PID 1504)
      cmdline: evocvgeofxbwkitub.exe .
      signatures:
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 3300)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\evocvgeofxbwkitub.exe*."

[1] C:\Windows\system32\cmd.exe (PID 4460)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe
  [2] C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe (PID 2140)
      cmdline: C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe

[1] C:\Windows\system32\cmd.exe (PID 3708)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe (PID 4800)
      cmdline: C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 908)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\evocvgeofxbwkitub.exe*."

[1] C:\Windows\system32\cmd.exe (PID 4944)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe
  [2] C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe (PID 1924)
      cmdline: C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe

[1] C:\Windows\system32\cmd.exe (PID 4184)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe (PID 2732)
      cmdline: C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe .
      signatures:
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 2396)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\avskhwymhdlkcetyjoojg.exe*."
        signatures:
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification

[1] C:\Windows\system32\cmd.exe (PID 4796)
    cmdline: C:\Windows\system32\cmd.exe /c lfbsocdqkfmkbcqueihb.exe
  [2] C:\Windows\lfbsocdqkfmkbcqueihb.exe (PID 4312)
      cmdline: lfbsocdqkfmkbcqueihb.exe

[1] C:\Windows\system32\cmd.exe (PID 2296)
    cmdline: C:\Windows\system32\cmd.exe /c evocvgeofxbwkitub.exe .
  [2] C:\Windows\evocvgeofxbwkitub.exe (PID 4416)
      cmdline: evocvgeofxbwkitub.exe .
      signatures:
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 6088)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\evocvgeofxbwkitub.exe*."

C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yrmcxkkwpjpmccpsbec.exe1⤵PID:3704
-
C:\Windows\yrmcxkkwpjpmccpsbec.exeyrmcxkkwpjpmccpsbec.exe2⤵PID:5700
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yrmcxkkwpjpmccpsbec.exe .1⤵PID:5708
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5340
-
-
C:\Windows\yrmcxkkwpjpmccpsbec.exeyrmcxkkwpjpmccpsbec.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4952 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\yrmcxkkwpjpmccpsbec.exe*."3⤵PID:2056
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe1⤵PID:5916
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2160
-
-
C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exeC:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe2⤵PID:3652
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe .1⤵PID:5424
-
C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exeC:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe .2⤵
- Checks computer location settings
PID:2356 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\xnfskuraqhkeroyy.exe*."3⤵PID:3596
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe1⤵PID:3660
-
C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exeC:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe2⤵PID:2904
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe .1⤵PID:1624
-
C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exeC:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5728 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\xnfskuraqhkeroyy.exe*."3⤵PID:368
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c avskhwymhdlkcetyjoojg.exe1⤵PID:5196
-
C:\Windows\avskhwymhdlkcetyjoojg.exeavskhwymhdlkcetyjoojg.exe2⤵PID:3428
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xnfskuraqhkeroyy.exe .1⤵PID:916
-
C:\Windows\xnfskuraqhkeroyy.exexnfskuraqhkeroyy.exe .2⤵PID:4888
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\xnfskuraqhkeroyy.exe*."3⤵PID:4356
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nfzoiutewpuqfeqsac.exe1⤵PID:2932
-
C:\Windows\nfzoiutewpuqfeqsac.exenfzoiutewpuqfeqsac.exe2⤵PID:1060
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nfzoiutewpuqfeqsac.exe .1⤵PID:3980
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2700
-
-
C:\Windows\nfzoiutewpuqfeqsac.exenfzoiutewpuqfeqsac.exe .2⤵PID:5820
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\nfzoiutewpuqfeqsac.exe*."3⤵PID:4884
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe1⤵PID:5984
-
C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exeC:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe2⤵PID:4428
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe .1⤵PID:2364
-
C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exeC:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe .2⤵PID:4820
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\lfbsocdqkfmkbcqueihb.exe*."3⤵PID:548
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe1⤵PID:4748
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5468
-
-
C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exeC:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe2⤵PID:1044
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe .1⤵PID:4212
-
C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exeC:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe .2⤵PID:4224
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\yrmcxkkwpjpmccpsbec.exe*."3⤵PID:5228
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c avskhwymhdlkcetyjoojg.exe1⤵PID:1432
-
C:\Windows\avskhwymhdlkcetyjoojg.exeavskhwymhdlkcetyjoojg.exe2⤵PID:4508
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c evocvgeofxbwkitub.exe .1⤵PID:3684
-
C:\Windows\evocvgeofxbwkitub.exeevocvgeofxbwkitub.exe .2⤵PID:928
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\evocvgeofxbwkitub.exe*."3⤵PID:4100
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c avskhwymhdlkcetyjoojg.exe1⤵PID:3272
-
C:\Windows\avskhwymhdlkcetyjoojg.exeavskhwymhdlkcetyjoojg.exe2⤵PID:5264
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nfzoiutewpuqfeqsac.exe .1⤵PID:4156
-
C:\Windows\nfzoiutewpuqfeqsac.exenfzoiutewpuqfeqsac.exe .2⤵PID:1140
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\nfzoiutewpuqfeqsac.exe*."3⤵PID:4108
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe1⤵PID:4688
-
C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exeC:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe2⤵PID:1772
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe .1⤵PID:1452
-
C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exeC:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe .2⤵PID:5752
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\lfbsocdqkfmkbcqueihb.exe*."3⤵PID:3416
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe1⤵PID:4824
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:6112
-
-
C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exeC:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe2⤵PID:908
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe .1⤵PID:956
-
C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exeC:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe .2⤵PID:5052
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\yrmcxkkwpjpmccpsbec.exe*."3⤵PID:2360
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c evocvgeofxbwkitub.exe1⤵PID:6076
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3772
-
-
C:\Windows\evocvgeofxbwkitub.exeevocvgeofxbwkitub.exe2⤵PID:3656
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nfzoiutewpuqfeqsac.exe .1⤵PID:3928
-
C:\Windows\nfzoiutewpuqfeqsac.exenfzoiutewpuqfeqsac.exe .2⤵PID:3112
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\nfzoiutewpuqfeqsac.exe*."3⤵PID:1176
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c avskhwymhdlkcetyjoojg.exe1⤵PID:4852
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4832
-
-
C:\Windows\avskhwymhdlkcetyjoojg.exeavskhwymhdlkcetyjoojg.exe2⤵PID:2052
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lfbsocdqkfmkbcqueihb.exe .1⤵PID:6136
-
C:\Windows\lfbsocdqkfmkbcqueihb.exelfbsocdqkfmkbcqueihb.exe .2⤵PID:744
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\lfbsocdqkfmkbcqueihb.exe*."3⤵PID:4456
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe1⤵PID:4416
-
C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe2⤵PID:3860
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nfzoiutewpuqfeqsac.exe1⤵PID:4864
-
C:\Windows\nfzoiutewpuqfeqsac.exenfzoiutewpuqfeqsac.exe2⤵PID:4452
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe .1⤵PID:3716
-
C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe .2⤵PID:5092
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\nfzoiutewpuqfeqsac.exe*."3⤵PID:3444
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nfzoiutewpuqfeqsac.exe .1⤵PID:2328
-
C:\Windows\nfzoiutewpuqfeqsac.exenfzoiutewpuqfeqsac.exe .2⤵PID:3068
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\nfzoiutewpuqfeqsac.exe*."3⤵PID:2972
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yrmcxkkwpjpmccpsbec.exe1⤵PID:5336
-
C:\Windows\yrmcxkkwpjpmccpsbec.exeyrmcxkkwpjpmccpsbec.exe2⤵PID:2780
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe1⤵PID:900
-
C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe2⤵PID:1196
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c avskhwymhdlkcetyjoojg.exe1⤵PID:8
-
C:\Windows\avskhwymhdlkcetyjoojg.exeavskhwymhdlkcetyjoojg.exe2⤵PID:4448
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe .1⤵PID:3964
-
C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exeC:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe .2⤵PID:3668
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\xnfskuraqhkeroyy.exe*."3⤵PID:5048
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xnfskuraqhkeroyy.exe .1⤵PID:1848
-
C:\Windows\xnfskuraqhkeroyy.exexnfskuraqhkeroyy.exe .2⤵PID:5680
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\xnfskuraqhkeroyy.exe*."3⤵PID:1688
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c avskhwymhdlkcetyjoojg.exe .1⤵PID:5456
-
C:\Windows\avskhwymhdlkcetyjoojg.exeavskhwymhdlkcetyjoojg.exe .2⤵PID:1032
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\avskhwymhdlkcetyjoojg.exe*."3⤵PID:1096
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe1⤵PID:5248
-
C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exeC:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe2⤵PID:1456
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe .1⤵PID:3896
-
C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exeC:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe .2⤵PID:4704
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\lfbsocdqkfmkbcqueihb.exe*."3⤵PID:1392
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xnfskuraqhkeroyy.exe1⤵PID:5512
-
C:\Windows\xnfskuraqhkeroyy.exexnfskuraqhkeroyy.exe2⤵PID:1900
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c evocvgeofxbwkitub.exe .1⤵PID:2932
-
C:\Windows\evocvgeofxbwkitub.exeevocvgeofxbwkitub.exe .2⤵PID:5720
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\evocvgeofxbwkitub.exe*."3⤵PID:5448
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe1⤵PID:1520
-
C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exeC:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe2⤵PID:5264
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe1⤵PID:3740
-
C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exeC:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe2⤵PID:5480
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lfbsocdqkfmkbcqueihb.exe1⤵PID:1172
-
C:\Windows\lfbsocdqkfmkbcqueihb.exelfbsocdqkfmkbcqueihb.exe2⤵PID:4392
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe .1⤵PID:2280
-
C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exeC:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe .2⤵PID:4904
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\lfbsocdqkfmkbcqueihb.exe*."3⤵PID:3424
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe .1⤵PID:5684
-
C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exeC:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe .2⤵PID:2440
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\evocvgeofxbwkitub.exe*."3⤵PID:4808
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nfzoiutewpuqfeqsac.exe .1⤵PID:1404
-
C:\Windows\nfzoiutewpuqfeqsac.exenfzoiutewpuqfeqsac.exe .2⤵PID:1260
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\nfzoiutewpuqfeqsac.exe*."3⤵PID:3232
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe1⤵PID:1028
-
C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exeC:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe2⤵PID:5220
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c evocvgeofxbwkitub.exe1⤵PID:4100
-
C:\Windows\evocvgeofxbwkitub.exeevocvgeofxbwkitub.exe2⤵PID:3636
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe .1⤵PID:1484
-
C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exeC:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe .2⤵PID:3216
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\xnfskuraqhkeroyy.exe*."3⤵PID:4300
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yrmcxkkwpjpmccpsbec.exe .1⤵PID:904
-
C:\Windows\yrmcxkkwpjpmccpsbec.exeyrmcxkkwpjpmccpsbec.exe .2⤵PID:956
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\yrmcxkkwpjpmccpsbec.exe*."3⤵PID:3128
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe1⤵PID:4556
-
C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exeC:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe2⤵PID:3564
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe .1⤵PID:4156
-
C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe .2⤵PID:3956
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\nfzoiutewpuqfeqsac.exe*."3⤵PID:5580
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe1⤵PID:5656
-
C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exeC:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe2⤵PID:4852
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe .1⤵PID:1480
-
C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe .2⤵PID:824
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\nfzoiutewpuqfeqsac.exe*."3⤵PID:2296
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nfzoiutewpuqfeqsac.exe1⤵PID:4728
-
C:\Windows\nfzoiutewpuqfeqsac.exenfzoiutewpuqfeqsac.exe2⤵PID:4236
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c evocvgeofxbwkitub.exe .1⤵PID:1496
-
C:\Windows\evocvgeofxbwkitub.exeevocvgeofxbwkitub.exe .2⤵PID:800
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\evocvgeofxbwkitub.exe*."3⤵PID:3596
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yrmcxkkwpjpmccpsbec.exe1⤵PID:4060
-
C:\Windows\yrmcxkkwpjpmccpsbec.exeyrmcxkkwpjpmccpsbec.exe2⤵PID:1440
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nfzoiutewpuqfeqsac.exe .1⤵PID:5740
-
C:\Windows\nfzoiutewpuqfeqsac.exenfzoiutewpuqfeqsac.exe .2⤵PID:384
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\nfzoiutewpuqfeqsac.exe*."3⤵PID:4400
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe1⤵PID:5488
-
C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exeC:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe2⤵PID:2328
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe .1⤵PID:5040
-
C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exeC:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe .2⤵PID:3628
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\evocvgeofxbwkitub.exe*."3⤵PID:8
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe1⤵PID:2420
-
C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exeC:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe2⤵PID:5908
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe .1⤵PID:3692
-
C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exeC:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe .2⤵PID:1032
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\xnfskuraqhkeroyy.exe*."3⤵PID:4008
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yrmcxkkwpjpmccpsbec.exe1⤵PID:3288
-
C:\Windows\yrmcxkkwpjpmccpsbec.exeyrmcxkkwpjpmccpsbec.exe2⤵PID:4484
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yrmcxkkwpjpmccpsbec.exe .1⤵PID:5680
-
C:\Windows\yrmcxkkwpjpmccpsbec.exeyrmcxkkwpjpmccpsbec.exe .2⤵PID:3428
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\yrmcxkkwpjpmccpsbec.exe*."3⤵PID:2276
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lfbsocdqkfmkbcqueihb.exe1⤵PID:3212
-
C:\Windows\lfbsocdqkfmkbcqueihb.exelfbsocdqkfmkbcqueihb.exe2⤵PID:3800
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lfbsocdqkfmkbcqueihb.exe .1⤵PID:4924
-
C:\Windows\lfbsocdqkfmkbcqueihb.exelfbsocdqkfmkbcqueihb.exe .2⤵PID:4208
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\lfbsocdqkfmkbcqueihb.exe*."3⤵PID:1324
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe1⤵PID:1416
-
C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exeC:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe2⤵PID:4524
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe .1⤵PID:3884
-
C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exeC:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe .2⤵PID:6080
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\xnfskuraqhkeroyy.exe*."3⤵PID:5652
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe1⤵PID:5540
-
C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exeC:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe2⤵PID:4056
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe .1⤵PID:3388
-
C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exeC:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe .2⤵PID:4944
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\evocvgeofxbwkitub.exe*."3⤵PID:1344
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c avskhwymhdlkcetyjoojg.exe1⤵PID:2376
-
C:\Windows\avskhwymhdlkcetyjoojg.exeavskhwymhdlkcetyjoojg.exe2⤵PID:908
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nfzoiutewpuqfeqsac.exe .1⤵PID:3300
-
C:\Windows\nfzoiutewpuqfeqsac.exenfzoiutewpuqfeqsac.exe .2⤵PID:3424
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\nfzoiutewpuqfeqsac.exe*."3⤵PID:5696
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xnfskuraqhkeroyy.exe1⤵PID:5520
-
C:\Windows\xnfskuraqhkeroyy.exexnfskuraqhkeroyy.exe2⤵PID:2440
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c avskhwymhdlkcetyjoojg.exe .1⤵PID:832
-
C:\Windows\avskhwymhdlkcetyjoojg.exeavskhwymhdlkcetyjoojg.exe .2⤵PID:1216
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\avskhwymhdlkcetyjoojg.exe*."3⤵PID:3820
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe1⤵PID:2968
-
C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe2⤵PID:5868
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe .1⤵PID:3220
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2280
-
-
C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exeC:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe .2⤵PID:3264
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\xnfskuraqhkeroyy.exe*."3⤵PID:3448
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe1⤵PID:2392
-
C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exeC:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe2⤵PID:1980
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe .1⤵PID:6076
-
C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exeC:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe .2⤵PID:5100
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\avskhwymhdlkcetyjoojg.exe*."3⤵PID:5700
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xnfskuraqhkeroyy.exe1⤵PID:4880
-
C:\Windows\xnfskuraqhkeroyy.exexnfskuraqhkeroyy.exe2⤵PID:1716
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lfbsocdqkfmkbcqueihb.exe .1⤵PID:824
-
C:\Windows\lfbsocdqkfmkbcqueihb.exelfbsocdqkfmkbcqueihb.exe .2⤵PID:4948
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\lfbsocdqkfmkbcqueihb.exe*."3⤵PID:1896
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lfbsocdqkfmkbcqueihb.exe1⤵PID:2536
-
C:\Windows\lfbsocdqkfmkbcqueihb.exelfbsocdqkfmkbcqueihb.exe2⤵PID:5284
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c avskhwymhdlkcetyjoojg.exe .1⤵PID:5452
-
C:\Windows\avskhwymhdlkcetyjoojg.exeavskhwymhdlkcetyjoojg.exe .2⤵PID:2780
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\avskhwymhdlkcetyjoojg.exe*."3⤵PID:4220
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe1⤵PID:3548
-
C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exeC:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe2⤵PID:2176
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe .1⤵PID:1596
-
C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exeC:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe .2⤵PID:2576
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\xnfskuraqhkeroyy.exe*."3⤵PID:5860
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe1⤵PID:2128
-
C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exeC:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe2⤵PID:1680
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe .1⤵PID:5724
-
C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exeC:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe .2⤵PID:4048
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\evocvgeofxbwkitub.exe*."3⤵PID:5232
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yrmcxkkwpjpmccpsbec.exe1⤵PID:4596
-
C:\Windows\yrmcxkkwpjpmccpsbec.exeyrmcxkkwpjpmccpsbec.exe2⤵PID:2196
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yrmcxkkwpjpmccpsbec.exe .1⤵PID:4860
-
C:\Windows\yrmcxkkwpjpmccpsbec.exeyrmcxkkwpjpmccpsbec.exe .2⤵PID:5000
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\yrmcxkkwpjpmccpsbec.exe*."3⤵PID:5924
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c evocvgeofxbwkitub.exe1⤵PID:2700
-
C:\Windows\evocvgeofxbwkitub.exeevocvgeofxbwkitub.exe2⤵PID:4484
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lfbsocdqkfmkbcqueihb.exe .1⤵PID:1456
-
C:\Windows\lfbsocdqkfmkbcqueihb.exelfbsocdqkfmkbcqueihb.exe .2⤵PID:5212
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\lfbsocdqkfmkbcqueihb.exe*."3⤵PID:5084
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe1⤵PID:380
-
C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exeC:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe2⤵PID:1644
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe .1⤵PID:4848
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4692
-
-
C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exeC:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe .2⤵PID:4524
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\xnfskuraqhkeroyy.exe*."3⤵PID:5572
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe1⤵PID:4672
-
C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe2⤵PID:6024
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe .1⤵PID:2512
-
C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exeC:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe .2⤵PID:1444
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\evocvgeofxbwkitub.exe*."3⤵PID:5720
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yrmcxkkwpjpmccpsbec.exe1⤵PID:4320
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2676
-
-
C:\Windows\yrmcxkkwpjpmccpsbec.exeyrmcxkkwpjpmccpsbec.exe2⤵PID:64
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lfbsocdqkfmkbcqueihb.exe .1⤵PID:4944
-
C:\Windows\lfbsocdqkfmkbcqueihb.exelfbsocdqkfmkbcqueihb.exe .2⤵PID:3388
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\lfbsocdqkfmkbcqueihb.exe*."3⤵PID:3564
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c evocvgeofxbwkitub.exe1⤵PID:5536
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5412
-
-
C:\Windows\evocvgeofxbwkitub.exeevocvgeofxbwkitub.exe2⤵PID:4216
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c evocvgeofxbwkitub.exe .1⤵PID:5172
-
C:\Windows\evocvgeofxbwkitub.exeevocvgeofxbwkitub.exe .2⤵PID:4808
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\evocvgeofxbwkitub.exe*."3⤵PID:464
C:\Windows\system32\cmd.exe (PID 940): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe
  C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe (PID 3272): C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe

C:\Windows\system32\cmd.exe (PID 4384): C:\Windows\system32\cmd.exe /c lfbsocdqkfmkbcqueihb.exe
  C:\Windows\lfbsocdqkfmkbcqueihb.exe (PID 5620): lfbsocdqkfmkbcqueihb.exe

C:\Windows\system32\cmd.exe (PID 1212): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe .
  C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe (PID 4224): C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe .
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 4536): "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\yrmcxkkwpjpmccpsbec.exe*."

C:\Windows\system32\cmd.exe (PID 2428): C:\Windows\system32\cmd.exe /c nfzoiutewpuqfeqsac.exe .
  C:\Windows\nfzoiutewpuqfeqsac.exe (PID 5532): nfzoiutewpuqfeqsac.exe .
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 2052): "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\nfzoiutewpuqfeqsac.exe*."

C:\Windows\system32\cmd.exe (PID 1932): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe
  C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe (PID 2852): C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe

C:\Windows\system32\cmd.exe (PID 2972): C:\Windows\system32\cmd.exe /c xnfskuraqhkeroyy.exe
  C:\Windows\xnfskuraqhkeroyy.exe (PID 4960): xnfskuraqhkeroyy.exe

C:\Windows\system32\cmd.exe (PID 2444): C:\Windows\system32\cmd.exe /c avskhwymhdlkcetyjoojg.exe
  C:\Windows\System32\Conhost.exe (PID 6088): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Windows\avskhwymhdlkcetyjoojg.exe (PID 2992): avskhwymhdlkcetyjoojg.exe

C:\Windows\system32\cmd.exe (PID 4912): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe .
  C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe (PID 532): C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe .
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 4196): "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\nfzoiutewpuqfeqsac.exe*."

C:\Windows\system32\cmd.exe (PID 2732): C:\Windows\system32\cmd.exe /c nfzoiutewpuqfeqsac.exe .
  C:\Windows\nfzoiutewpuqfeqsac.exe (PID 4532): nfzoiutewpuqfeqsac.exe .
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 2680): "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\nfzoiutewpuqfeqsac.exe*."

C:\Windows\system32\cmd.exe (PID 4908): C:\Windows\system32\cmd.exe /c xnfskuraqhkeroyy.exe .
  C:\Windows\xnfskuraqhkeroyy.exe (PID 2068): xnfskuraqhkeroyy.exe .
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 4380): "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\xnfskuraqhkeroyy.exe*."

C:\Windows\system32\cmd.exe (PID 5656): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe
  C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe (PID 3444): C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe

C:\Windows\system32\cmd.exe (PID 4572): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe .
  C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe (PID 800): C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe .
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 1756): "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\evocvgeofxbwkitub.exe*."

C:\Windows\system32\cmd.exe (PID 2252): C:\Windows\system32\cmd.exe /c evocvgeofxbwkitub.exe
  C:\Windows\evocvgeofxbwkitub.exe (PID 2128): evocvgeofxbwkitub.exe

C:\Windows\system32\cmd.exe (PID 5140): C:\Windows\system32\cmd.exe /c avskhwymhdlkcetyjoojg.exe .
  C:\Windows\avskhwymhdlkcetyjoojg.exe (PID 2076): avskhwymhdlkcetyjoojg.exe .
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 4768): "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\avskhwymhdlkcetyjoojg.exe*."

C:\Windows\system32\cmd.exe (PID 3548): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe
  C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe (PID 6016): C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe

C:\Windows\system32\cmd.exe (PID 1440): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe
  C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe (PID 5428): C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe

C:\Windows\system32\cmd.exe (PID 2576): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe .
  C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe (PID 1704): C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe .
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 380): "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\nfzoiutewpuqfeqsac.exe*."

C:\Windows\system32\cmd.exe (PID 5740): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe .
  C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe (PID 392): C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe .
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 4860): "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\avskhwymhdlkcetyjoojg.exe*."
C:\Windows\system32\cmd.exe (PID 752): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe
  C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe (PID 5136): C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe

C:\Windows\system32\cmd.exe (PID 2036): C:\Windows\system32\cmd.exe /c avskhwymhdlkcetyjoojg.exe
  C:\Windows\avskhwymhdlkcetyjoojg.exe (PID 3752): avskhwymhdlkcetyjoojg.exe

C:\Windows\system32\cmd.exe (PID 6124): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe .
  C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe (PID 5576): C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe .
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 1416): "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\evocvgeofxbwkitub.exe*."

C:\Windows\system32\cmd.exe (PID 5456): C:\Windows\system32\cmd.exe /c yrmcxkkwpjpmccpsbec.exe .
  C:\Windows\yrmcxkkwpjpmccpsbec.exe (PID 5248): yrmcxkkwpjpmccpsbec.exe .
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 5512): "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\yrmcxkkwpjpmccpsbec.exe*."

C:\Windows\system32\cmd.exe (PID 5344): C:\Windows\system32\cmd.exe /c avskhwymhdlkcetyjoojg.exe
  C:\Windows\avskhwymhdlkcetyjoojg.exe (PID 4208): avskhwymhdlkcetyjoojg.exe

C:\Windows\system32\cmd.exe (PID 3640): C:\Windows\system32\cmd.exe /c avskhwymhdlkcetyjoojg.exe .
  C:\Windows\avskhwymhdlkcetyjoojg.exe (PID 4924): avskhwymhdlkcetyjoojg.exe .
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 5420): "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\avskhwymhdlkcetyjoojg.exe*."

C:\Windows\system32\cmd.exe (PID 5280): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe
  C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe (PID 5644): C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe

C:\Windows\system32\cmd.exe (PID 5652): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe .
  C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe (PID 5220): C:\Users\Admin\AppData\Local\Temp\avskhwymhdlkcetyjoojg.exe .
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 1532): "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\avskhwymhdlkcetyjoojg.exe*."

C:\Windows\system32\cmd.exe (PID 4392): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe
  C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe (PID 4688): C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe

C:\Windows\system32\cmd.exe (PID 5752): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe .
  C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe (PID 2660): C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe .
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 3252): "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\xnfskuraqhkeroyy.exe*."

C:\Windows\system32\cmd.exe (PID 2288): C:\Windows\system32\cmd.exe /c avskhwymhdlkcetyjoojg.exe
  C:\Windows\System32\Conhost.exe (PID 3224): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Windows\avskhwymhdlkcetyjoojg.exe (PID 4868): avskhwymhdlkcetyjoojg.exe

C:\Windows\system32\cmd.exe (PID 5620): C:\Windows\system32\cmd.exe /c yrmcxkkwpjpmccpsbec.exe .
  C:\Windows\System32\Conhost.exe (PID 3948): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Windows\yrmcxkkwpjpmccpsbec.exe (PID 3216): yrmcxkkwpjpmccpsbec.exe .
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 3448): "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\yrmcxkkwpjpmccpsbec.exe*."

C:\Windows\system32\cmd.exe (PID 3684): C:\Windows\system32\cmd.exe /c nfzoiutewpuqfeqsac.exe
  C:\Windows\nfzoiutewpuqfeqsac.exe (PID 3136): nfzoiutewpuqfeqsac.exe

C:\Windows\system32\cmd.exe (PID 2392): C:\Windows\system32\cmd.exe /c evocvgeofxbwkitub.exe .
  C:\Windows\evocvgeofxbwkitub.exe (PID 5532): evocvgeofxbwkitub.exe .
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 4880): "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\evocvgeofxbwkitub.exe*."

C:\Windows\system32\cmd.exe (PID 5868): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe
  C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe (PID 832): C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe

C:\Windows\system32\cmd.exe (PID 1220): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe .
  C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe (PID 1636): C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe .
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 6032): "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\lfbsocdqkfmkbcqueihb.exe*."

C:\Windows\system32\cmd.exe (PID 2380): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe
  C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe (PID 712): C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe

C:\Windows\system32\cmd.exe (PID 4620): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe .
  C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe (PID 1460): C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe .
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 1004): "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\evocvgeofxbwkitub.exe*."

C:\Windows\system32\cmd.exe (PID 3676): C:\Windows\system32\cmd.exe /c evocvgeofxbwkitub.exe
  C:\Windows\evocvgeofxbwkitub.exe (PID 2560): evocvgeofxbwkitub.exe

C:\Windows\system32\cmd.exe (PID 1596): C:\Windows\system32\cmd.exe /c evocvgeofxbwkitub.exe .
  C:\Windows\evocvgeofxbwkitub.exe (PID 4600): evocvgeofxbwkitub.exe .
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 1180): "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\evocvgeofxbwkitub.exe*."
C:\Windows\system32\cmd.exe (PID 4716): C:\Windows\system32\cmd.exe /c yrmcxkkwpjpmccpsbec.exe
  C:\Windows\yrmcxkkwpjpmccpsbec.exe (PID 5488): yrmcxkkwpjpmccpsbec.exe

C:\Windows\system32\cmd.exe (PID 1448): C:\Windows\system32\cmd.exe /c evocvgeofxbwkitub.exe .
  C:\Windows\evocvgeofxbwkitub.exe (PID 2824): evocvgeofxbwkitub.exe .
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 1988): "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\evocvgeofxbwkitub.exe*."

C:\Windows\system32\cmd.exe (PID 2568): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe
  C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe (PID 5236): C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe

C:\Windows\system32\cmd.exe (PID 5856): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe .
  C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe (PID 4044): C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe .
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 5184): "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\xnfskuraqhkeroyy.exe*."

C:\Windows\system32\cmd.exe (PID 4308): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe
  C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe (PID 2084): C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe

C:\Windows\system32\cmd.exe (PID 3492): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe .
  C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe (PID 5880): C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe .
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 5984): "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\xnfskuraqhkeroyy.exe*."

C:\Windows\system32\cmd.exe (PID 5284): C:\Windows\system32\cmd.exe /c avskhwymhdlkcetyjoojg.exe
  C:\Windows\avskhwymhdlkcetyjoojg.exe (PID 4796): avskhwymhdlkcetyjoojg.exe

C:\Windows\system32\cmd.exe (PID 2668): C:\Windows\system32\cmd.exe /c xnfskuraqhkeroyy.exe .
  C:\Windows\xnfskuraqhkeroyy.exe (PID 8): xnfskuraqhkeroyy.exe .
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 3172): "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\xnfskuraqhkeroyy.exe*."

C:\Windows\system32\cmd.exe (PID 5204): C:\Windows\system32\cmd.exe /c nfzoiutewpuqfeqsac.exe
  C:\Windows\nfzoiutewpuqfeqsac.exe (PID 2576): nfzoiutewpuqfeqsac.exe

C:\Windows\system32\cmd.exe (PID 860): C:\Windows\system32\cmd.exe /c xnfskuraqhkeroyy.exe .
  C:\Windows\xnfskuraqhkeroyy.exe (PID 4664): xnfskuraqhkeroyy.exe .
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 4524): "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\xnfskuraqhkeroyy.exe*."

C:\Windows\system32\cmd.exe (PID 400): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe
  C:\Windows\System32\Conhost.exe (PID 1392): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe (PID 5888): C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe

C:\Windows\system32\cmd.exe (PID 5760): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe .
  C:\Windows\System32\Conhost.exe (PID 2224): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe (PID 1572): C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe .
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 5680): "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\evocvgeofxbwkitub.exe*."

C:\Windows\system32\cmd.exe (PID 5436): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe
  C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe (PID 3704): C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe

C:\Windows\system32\cmd.exe (PID 4928): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe .
  C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe (PID 3540): C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe .
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 4888): "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\nfzoiutewpuqfeqsac.exe*."

C:\Windows\system32\cmd.exe (PID 4996): C:\Windows\system32\cmd.exe /c xnfskuraqhkeroyy.exe
  C:\Windows\xnfskuraqhkeroyy.exe (PID 2716): xnfskuraqhkeroyy.exe

C:\Windows\system32\cmd.exe (PID 1520): C:\Windows\system32\cmd.exe /c evocvgeofxbwkitub.exe .
  C:\Windows\evocvgeofxbwkitub.exe (PID 3388): evocvgeofxbwkitub.exe .
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 4468): "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\evocvgeofxbwkitub.exe*."

C:\Windows\system32\cmd.exe (PID 3872): C:\Windows\system32\cmd.exe /c yrmcxkkwpjpmccpsbec.exe
  C:\Windows\yrmcxkkwpjpmccpsbec.exe (PID 3232): yrmcxkkwpjpmccpsbec.exe

C:\Windows\system32\cmd.exe (PID 2708): C:\Windows\system32\cmd.exe /c avskhwymhdlkcetyjoojg.exe .
  C:\Windows\avskhwymhdlkcetyjoojg.exe (PID 708): avskhwymhdlkcetyjoojg.exe .
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 4536): "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\avskhwymhdlkcetyjoojg.exe*."

C:\Windows\system32\cmd.exe (PID 1172): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe
  C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe (PID 1504): C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe

C:\Windows\system32\cmd.exe (PID 2412): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe .
  C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe (PID 1300): C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe .
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 5164): "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\yrmcxkkwpjpmccpsbec.exe*."
C:\Windows\system32\cmd.exe (PID 5168): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe
  C:\Windows\System32\Conhost.exe (PID 5476): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe (PID 5620): C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe

C:\Windows\system32\cmd.exe (PID 2736): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe .
  C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe (PID 5852): C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe .
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 5684): "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\lfbsocdqkfmkbcqueihb.exe*."

C:\Windows\system32\cmd.exe (PID 1184): C:\Windows\system32\cmd.exe /c avskhwymhdlkcetyjoojg.exe
  C:\Windows\avskhwymhdlkcetyjoojg.exe (PID 1424): avskhwymhdlkcetyjoojg.exe

C:\Windows\system32\cmd.exe (PID 1508): C:\Windows\system32\cmd.exe /c lfbsocdqkfmkbcqueihb.exe .
  C:\Windows\lfbsocdqkfmkbcqueihb.exe (PID 5732): lfbsocdqkfmkbcqueihb.exe .
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 3272): "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\lfbsocdqkfmkbcqueihb.exe*."

C:\Windows\system32\cmd.exe (PID 3472): C:\Windows\system32\cmd.exe /c yrmcxkkwpjpmccpsbec.exe
  C:\Windows\yrmcxkkwpjpmccpsbec.exe (PID 744): yrmcxkkwpjpmccpsbec.exe

C:\Windows\system32\cmd.exe (PID 2552): C:\Windows\system32\cmd.exe /c avskhwymhdlkcetyjoojg.exe .
  C:\Windows\avskhwymhdlkcetyjoojg.exe (PID 2444): avskhwymhdlkcetyjoojg.exe .
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 3148): "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\avskhwymhdlkcetyjoojg.exe*."

C:\Windows\system32\cmd.exe (PID 5360): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe
  C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe (PID 828): C:\Users\Admin\AppData\Local\Temp\xnfskuraqhkeroyy.exe

C:\Windows\system32\cmd.exe (PID 2560): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe .
  C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe (PID 800): C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe .
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 4532): "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\lfbsocdqkfmkbcqueihb.exe*."

C:\Windows\system32\cmd.exe (PID 4600): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe
  C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe (PID 2068): C:\Users\Admin\AppData\Local\Temp\lfbsocdqkfmkbcqueihb.exe

C:\Windows\system32\cmd.exe (PID 5516): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe .
  C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe (PID 5060): C:\Users\Admin\AppData\Local\Temp\evocvgeofxbwkitub.exe .
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 2400): "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\evocvgeofxbwkitub.exe*."

C:\Windows\system32\cmd.exe (PID 460): C:\Windows\system32\cmd.exe /c yrmcxkkwpjpmccpsbec.exe
  C:\Windows\yrmcxkkwpjpmccpsbec.exe (PID 1448): yrmcxkkwpjpmccpsbec.exe

C:\Windows\system32\cmd.exe (PID 5100): C:\Windows\system32\cmd.exe /c yrmcxkkwpjpmccpsbec.exe .
  C:\Windows\yrmcxkkwpjpmccpsbec.exe (PID 2296): yrmcxkkwpjpmccpsbec.exe .
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 3552): "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\yrmcxkkwpjpmccpsbec.exe*."

C:\Windows\system32\cmd.exe (PID 4908): C:\Windows\system32\cmd.exe /c avskhwymhdlkcetyjoojg.exe
  C:\Windows\avskhwymhdlkcetyjoojg.exe (PID 3660): avskhwymhdlkcetyjoojg.exe

C:\Windows\system32\cmd.exe (PID 900): C:\Windows\system32\cmd.exe /c xnfskuraqhkeroyy.exe .
  C:\Windows\xnfskuraqhkeroyy.exe (PID 4696): xnfskuraqhkeroyy.exe .
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe (PID 5176): "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\xnfskuraqhkeroyy.exe*."

C:\Windows\system32\cmd.exe (PID 5424): C:\Windows\system32\cmd.exe /c yrmcxkkwpjpmccpsbec.exe
  C:\Windows\System32\Conhost.exe (PID 1004): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Windows\yrmcxkkwpjpmccpsbec.exe (PID 392): yrmcxkkwpjpmccpsbec.exe

C:\Windows\system32\cmd.exe (PID 3548): C:\Windows\system32\cmd.exe /c nfzoiutewpuqfeqsac.exe
  C:\Windows\nfzoiutewpuqfeqsac.exe (PID 5768): nfzoiutewpuqfeqsac.exe

C:\Windows\system32\cmd.exe (PID 4716): C:\Windows\system32\cmd.exe /c xnfskuraqhkeroyy.exe .
  C:\Windows\xnfskuraqhkeroyy.exe (PID 4936): xnfskuraqhkeroyy.exe .

C:\Windows\system32\cmd.exe (PID 1964): C:\Windows\system32\cmd.exe /c yrmcxkkwpjpmccpsbec.exe

C:\Windows\system32\cmd.exe (PID 3328): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe
  C:\Windows\System32\Conhost.exe (PID 5740): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe (PID 6068): C:\Windows\system32\cmd.exe /c avskhwymhdlkcetyjoojg.exe .

C:\Windows\system32\cmd.exe (PID 2248): C:\Windows\system32\cmd.exe /c nfzoiutewpuqfeqsac.exe .

C:\Windows\system32\cmd.exe (PID 1680): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nfzoiutewpuqfeqsac.exe .

C:\Windows\system32\cmd.exe (PID 400): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yrmcxkkwpjpmccpsbec.exe
Network
MITRE ATT&CK Enterprise v16
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)

Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
  Impair Defenses (2)
    Disable or Modify Tools (1)
    Safe Mode Boot (1)
  Modify Registry (5)
Downloads
Filesize: 280B
MD5: 6793436f4603b62596d6e511a57ab5b8
SHA1: 45f2312cac520b24d67014305ec329951dad9fe5
SHA256: 8633c8aabb3c1e0866d57faa878784ab6aa6528bd33d75d323488e34865b862a
SHA512: 712a17e7ec51aa3bcd7116d7c1a1fe599c07f8006272777c5a1c599a606dc46c06db7c7327895927f638c5b1a3f50db1622bc90d0f8a8a2f506f9adab53c76cc

Filesize: 280B
MD5: 5169ecd12e1524999038daa2c26fb54e
SHA1: daf6c24b2a7f2e29d23c3baa1f6084b1be5032ce
SHA256: 818ffb2d8bffca118310ed34bbf9cd2028df9301b35a7ffe0a89b86c950a8da5
SHA512: a16551e6fccb10e798ff5a387116c038ee89e7460fbb3e55dcddb12bf47d8c42238b7526d106551886c773f095a23a97d82d3b58fa6fd65b56e92eacd1da7430

Filesize: 280B
MD5: 521bfadda5409e98604425c85ad35195
SHA1: 9415dedd8ba4f46d99b3731b3eef83b9eb630bc4
SHA256: 16888e5f5e5bb262d1a9c3462f41467c54cff97e950a3f75d36c4302ac1215d6
SHA512: 0e4c01d5de5bea922d068060d826520aad9ddc32c563b83453e0da5281ba0d2d440d167031253a76f7a2d6b9f8ea389800dc5415ac00ecb46faa237c5dda71ff

Filesize: 280B
MD5: b1478bd384607f78ef665452be09be5a
SHA1: a331d62d4f83569a36c5728b42861c59859af712
SHA256: 8a1fd51db1295f3483debbb6de11ce338c6e07704862d6e58e72cddcd561c243
SHA512: 7294d1c867f4b789b313593e09edfe7b9b3defb3976628d2c5c8c642d2a10ea3baf893c34e056123a8e1bae4c070239f60b89c2683b4feab49542fcd7545a220

Filesize: 280B
MD5: 3f1e03cfff14c317323be045c68f8325
SHA1: ddd712cc7f63ec5361c1317926a9b0fb17dc3997
SHA256: 2ab47c34a850676cff3d90e192bd6e87ab18605ecc2ef2e19dfd5de6ff6a1dc3
SHA512: 4cf3e1499bf3f06f71e65a7b64602e16f3b2dbadb0270821564732fa10b0a54e52b6c34b919abc49cf8c83179835277c0678c8e90af706a89b8c992d14e15f65

Filesize: 280B
MD5: b68839c81e08b2a5eab07c89a868fd9d
SHA1: 4ef9d03e2b51802b05f93265ddd213d165820c0c
SHA256: 547dace1a0c6e86d8036ebab03817441e5c98dc7651119b7b611e85b4ae26363
SHA512: 90086f8b8dec7e9d8ea51c88e0e80fcfb213f966e0cf05e556f88bc68cacb100b23f741329c49bd9e3f0348f8161d81f3d365aa8d549ed80ea85faedec3c3abf

Filesize: 320KB
MD5: fdd9adf2de6a1a1433c066254b4ed189
SHA1: c14f7e8c60af1fbf5a543c0749f4f97fe590b927
SHA256: 7a59a9c5e74fba9bde69bd0f7e943b9f480f3a23fc504f879252182c78d3209a
SHA512: e190243cc06e957505575a5b1cea32cc560faaeba187828d8adffaba36ca75fe1ff2d898acd2c40ff3af67ef5519afada64a8d49bff507862e31ef22ed853a54

Filesize: 700KB
MD5: 5cf2cab3034b2f360e6e402f5d47b222
SHA1: 3b1e526d549d4be2abeadbfffaf07f373b7a91db
SHA256: c7e41fb2d6d01d6fb6eb5f2017c87e48bfc87d7a75ad5d9ba2c1498e1427b31a
SHA512: 069cce634354f454b427505d7b4ac4f9df3505615f185e6b45682ea9be6028c40000ab025fe09e97d73a03aa4907a215a661cebb5243540b9efa9606a9006df9

Filesize: 280B
MD5: 68d89fa77d0e9f304e8bb395bd5e6e38
SHA1: 3348b8ef3ea09b2d00a5b0ec652b91f9f6fbbd7e
SHA256: 32b937b765f0a3d3947211496b16d2a1b965bc86a3f88de86be906271958e751
SHA512: 63c9df7f958fe65db3de7aad236982e8c6ca1a8727a7b33ecb397a06592dcd9967fb49345d0ed65b1794a20f8700d0c2b236ad36cae347686d63e7a15d283958

Filesize: 4KB
MD5: d79336a08e707cf8c92fbc951d381b91
SHA1: 6040d2d402840652c5ee734ab051639260e275fa
SHA256: 6dc1cfbf5908e891a049596195fdeb8898fa722fb43cdecc69a3cd92a19826ba
SHA512: 9ca6f1e2d09df3a1123517fb1e65a1fb10f77d8ebbf1f19b59b2bc2e02b0e26e7918f2375dbaaeb4cef6ccc47aedc6d1976c9a5421389e18d627d95a7b178e5c

Filesize: 1016KB
MD5: b74f8691313be0c724b71d356c4b9b40
SHA1: a204d8d3fb87e6de59c77498fc9a0ed9bd50d214
SHA256: 084500d412b1e0afe88f92170791f9045e76c35c1bf57b9e912aaab2bcd1ff6d
SHA512: be13201bf5c29b776c4d259166ccbbfabee4213aa698c25b77b430a66faf02c0af6cf693bf3ea585d49a3db1cad349769486ad0b7351c58bdb123faf3b33012a