Analysis
-
max time kernel
41s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20250410-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20250410-en locale:en-us os:windows10-2004-x64 system -
submitted
14/04/2025, 15:42
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_b83fcfe1963876af901a35e7f36a53a0.exe
Resource
win10v2004-20250410-en
General
-
Target
JaffaCakes118_b83fcfe1963876af901a35e7f36a53a0.exe
-
Size
656KB
-
MD5
b83fcfe1963876af901a35e7f36a53a0
-
SHA1
3fb06cf673b7034254f4beae6b14e7122f82816f
-
SHA256
9aab7948f428921efcc735e88e5adad78ff27a73e6cb2d54d9cfddae3286cf22
-
SHA512
5b4a32891aed254617e48f92bf7003a68a1f377ae9b9a73ce7209ea98a389d39270ba311be1e21b6bb051bd51968f51bfdb6c73624f8000edb84c041ed5201e3
-
SSDEEP
12288:ZgkDxdkL+6JNgKVcRa+fpHyWs3OBH4pU11:JxsKXa+hHyWseBg+1
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 19 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" efonx.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" wcycexrfgmi.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" efonx.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" wcycexrfgmi.exe -
Pykspa family
-
UAC bypass 3 TTPs 31 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wcycexrfgmi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" efonx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wcycexrfgmi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" wcycexrfgmi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" wcycexrfgmi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wcycexrfgmi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wcycexrfgmi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wcycexrfgmi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" efonx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wcycexrfgmi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wcycexrfgmi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wcycexrfgmi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" wcycexrfgmi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" efonx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wcycexrfgmi.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" wcycexrfgmi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wcycexrfgmi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" efonx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" wcycexrfgmi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wcycexrfgmi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wcycexrfgmi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" efonx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wcycexrfgmi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wcycexrfgmi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" efonx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" efonx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" efonx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wcycexrfgmi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" wcycexrfgmi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wcycexrfgmi.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wcycexrfgmi.exe -
Detect Pykspa worm 2 IoCs
resource yara_rule behavioral1/files/0x00040000000227dd-4.dat family_pykspa behavioral1/files/0x000e00000002405c-84.dat family_pykspa -
Adds policy Run key to start application 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\prbbms = "evujjevslfgwcqcfjhsji.exe" efonx.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\prbbms = "rfbnkcqkarpcfqzzav.exe" wcycexrfgmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run wcycexrfgmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\onu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rfbnkcqkarpcfqzzav.exe" efonx.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\prbbms = "rfbnkcqkarpcfqzzav.exe" wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\onu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bnhrmcogujfqrahf.exe" efonx.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\prbbms = "ivqbxobujzwikucbb.exe" wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bltbhrglwn = "ezslcxxnjlbhvhkomxsle.exe" wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\prbbms = "rfbnkcqkarpcfqzzav.exe" wcycexrfgmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run efonx.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\onu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pfdrqkawohhwbozbeblb.exe" wcycexrfgmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run 
wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\onu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rfbnkcqkarpcfqzzav.exe" wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\onu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\evujjevslfgwcqcfjhsji.exe" efonx.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\prbbms = "ivqbxobujzwikucbb.exe" wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\prbbms = "crobzshctlkycoyzbxg.exe" wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\onu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bnhrmcogujfqrahf.exe" wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\prbbms = "evujjevslfgwcqcfjhsji.exe" wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\prbbms = "rfbnkcqkarpcfqzzav.exe" wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\onu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\evujjevslfgwcqcfjhsji.exe" wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\onu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ivqbxobujzwikucbb.exe" wcycexrfgmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\onu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rfbnkcqkarpcfqzzav.exe" wcycexrfgmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run wcycexrfgmi.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\onu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bnhrmcogujfqrahf.exe" wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\onu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ivqbxobujzwikucbb.exe" wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\prbbms = "crobzshctlkycoyzbxg.exe" efonx.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cjotwdp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ezslcxxnjlbhvhkomxsle.exe" wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\prbbms = "bnhrmcogujfqrahf.exe" efonx.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cjotwdp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rjzpdvsfyxknyhhidl.exe" wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bltbhrglwn = "pjbtjdcrmnchufhkhrld.exe" wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\prbbms = "rfbnkcqkarpcfqzzav.exe" efonx.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\prbbms = "evujjevslfgwcqcfjhsji.exe" wcycexrfgmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\prbbms = "bnhrmcogujfqrahf.exe" wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\onu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ivqbxobujzwikucbb.exe" 
wcycexrfgmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\onu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bnhrmcogujfqrahf.exe" wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\onu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bnhrmcogujfqrahf.exe" efonx.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\prbbms = "evujjevslfgwcqcfjhsji.exe" wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\prbbms = "evujjevslfgwcqcfjhsji.exe" wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\prbbms = "crobzshctlkycoyzbxg.exe" efonx.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\onu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\crobzshctlkycoyzbxg.exe" wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\onu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\evujjevslfgwcqcfjhsji.exe" wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\onu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ivqbxobujzwikucbb.exe" wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\onu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\crobzshctlkycoyzbxg.exe" efonx.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\onu = 
"C:\\Users\\Admin\\AppData\\Local\\Temp\\pfdrqkawohhwbozbeblb.exe" wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\prbbms = "evujjevslfgwcqcfjhsji.exe" wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\prbbms = "ivqbxobujzwikucbb.exe" efonx.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\onu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pfdrqkawohhwbozbeblb.exe" efonx.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\prbbms = "crobzshctlkycoyzbxg.exe" wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\onu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rfbnkcqkarpcfqzzav.exe" wcycexrfgmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run wcycexrfgmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run wcycexrfgmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run wcycexrfgmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run efonx.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\prbbms = "ivqbxobujzwikucbb.exe" wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\prbbms = "ivqbxobujzwikucbb.exe" wcycexrfgmi.exe -
Disables RegEdit via registry modification 8 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" wcycexrfgmi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" wcycexrfgmi.exe Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" efonx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" efonx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" wcycexrfgmi.exe Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" efonx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" efonx.exe Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" wcycexrfgmi.exe -
Checks computer location settings 2 TTPs 64 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation ivqbxobujzwikucbb.exe Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation bnhrmcogujfqrahf.exe Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation bnhrmcogujfqrahf.exe Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation evujjevslfgwcqcfjhsji.exe Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation ivqbxobujzwikucbb.exe Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation evujjevslfgwcqcfjhsji.exe Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation pfdrqkawohhwbozbeblb.exe Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation bnhrmcogujfqrahf.exe Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation crobzshctlkycoyzbxg.exe Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation ivqbxobujzwikucbb.exe Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation evujjevslfgwcqcfjhsji.exe Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation evujjevslfgwcqcfjhsji.exe Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation pfdrqkawohhwbozbeblb.exe Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation 
crobzshctlkycoyzbxg.exe Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation bnhrmcogujfqrahf.exe Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation wcycexrfgmi.exe Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation pfdrqkawohhwbozbeblb.exe Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation pfdrqkawohhwbozbeblb.exe Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation pfdrqkawohhwbozbeblb.exe Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation pfdrqkawohhwbozbeblb.exe Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation evujjevslfgwcqcfjhsji.exe Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation bnhrmcogujfqrahf.exe Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation bnhrmcogujfqrahf.exe Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation crobzshctlkycoyzbxg.exe Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation ivqbxobujzwikucbb.exe Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation pfdrqkawohhwbozbeblb.exe Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation pfdrqkawohhwbozbeblb.exe Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation 
pfdrqkawohhwbozbeblb.exe Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation rfbnkcqkarpcfqzzav.exe Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation bnhrmcogujfqrahf.exe Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation crobzshctlkycoyzbxg.exe Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation rfbnkcqkarpcfqzzav.exe Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation crobzshctlkycoyzbxg.exe Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation pfdrqkawohhwbozbeblb.exe Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation rfbnkcqkarpcfqzzav.exe Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation rfbnkcqkarpcfqzzav.exe Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation pfdrqkawohhwbozbeblb.exe Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation evujjevslfgwcqcfjhsji.exe Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation rfbnkcqkarpcfqzzav.exe Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation bnhrmcogujfqrahf.exe Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation ivqbxobujzwikucbb.exe Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation 
crobzshctlkycoyzbxg.exe Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation pfdrqkawohhwbozbeblb.exe Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation crobzshctlkycoyzbxg.exe Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation crobzshctlkycoyzbxg.exe Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation wcycexrfgmi.exe Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation ivqbxobujzwikucbb.exe Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation bnhrmcogujfqrahf.exe Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation ivqbxobujzwikucbb.exe Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation ivqbxobujzwikucbb.exe Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation bnhrmcogujfqrahf.exe Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation pfdrqkawohhwbozbeblb.exe Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation ivqbxobujzwikucbb.exe Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation rfbnkcqkarpcfqzzav.exe Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation pfdrqkawohhwbozbeblb.exe Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation pfdrqkawohhwbozbeblb.exe Key 
value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation crobzshctlkycoyzbxg.exe Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation ivqbxobujzwikucbb.exe Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation ivqbxobujzwikucbb.exe Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation ivqbxobujzwikucbb.exe Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation ivqbxobujzwikucbb.exe Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation bnhrmcogujfqrahf.exe Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation ivqbxobujzwikucbb.exe Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation JaffaCakes118_b83fcfe1963876af901a35e7f36a53a0.exe -
Executes dropped EXE 64 IoCs
pid Process 2700 wcycexrfgmi.exe 4868 rfbnkcqkarpcfqzzav.exe 5880 rfbnkcqkarpcfqzzav.exe 4856 wcycexrfgmi.exe 4964 crobzshctlkycoyzbxg.exe 4020 ivqbxobujzwikucbb.exe 3896 crobzshctlkycoyzbxg.exe 2096 evujjevslfgwcqcfjhsji.exe 2800 wcycexrfgmi.exe 376 wcycexrfgmi.exe 2884 crobzshctlkycoyzbxg.exe 452 bnhrmcogujfqrahf.exe 3388 wcycexrfgmi.exe 1288 efonx.exe 5512 efonx.exe 1740 ivqbxobujzwikucbb.exe 4376 bnhrmcogujfqrahf.exe 2676 crobzshctlkycoyzbxg.exe 1092 pfdrqkawohhwbozbeblb.exe 3944 wcycexrfgmi.exe 3120 wcycexrfgmi.exe 5772 crobzshctlkycoyzbxg.exe 3148 pfdrqkawohhwbozbeblb.exe 1064 bnhrmcogujfqrahf.exe 116 pfdrqkawohhwbozbeblb.exe 1912 pfdrqkawohhwbozbeblb.exe 4268 ivqbxobujzwikucbb.exe 4260 rfbnkcqkarpcfqzzav.exe 676 rfbnkcqkarpcfqzzav.exe 448 wcycexrfgmi.exe 4612 wcycexrfgmi.exe 4848 wcycexrfgmi.exe 5864 evujjevslfgwcqcfjhsji.exe 3352 wcycexrfgmi.exe 4964 bnhrmcogujfqrahf.exe 5920 pfdrqkawohhwbozbeblb.exe 4832 pfdrqkawohhwbozbeblb.exe 4044 wcycexrfgmi.exe 5520 wcycexrfgmi.exe 3220 ivqbxobujzwikucbb.exe 548 ivqbxobujzwikucbb.exe 3372 wcycexrfgmi.exe 3128 crobzshctlkycoyzbxg.exe 3580 pfdrqkawohhwbozbeblb.exe 3212 bnhrmcogujfqrahf.exe 2912 wcycexrfgmi.exe 4060 evujjevslfgwcqcfjhsji.exe 5248 wcycexrfgmi.exe 2776 rfbnkcqkarpcfqzzav.exe 2020 crobzshctlkycoyzbxg.exe 5484 wcycexrfgmi.exe 3576 rfbnkcqkarpcfqzzav.exe 1856 evujjevslfgwcqcfjhsji.exe 1980 evujjevslfgwcqcfjhsji.exe 5168 crobzshctlkycoyzbxg.exe 2056 evujjevslfgwcqcfjhsji.exe 1984 evujjevslfgwcqcfjhsji.exe 3976 wcycexrfgmi.exe 1584 rfbnkcqkarpcfqzzav.exe 5028 wcycexrfgmi.exe 4816 wcycexrfgmi.exe 4864 evujjevslfgwcqcfjhsji.exe 1028 ivqbxobujzwikucbb.exe 4644 pfdrqkawohhwbozbeblb.exe -
Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys efonx.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc efonx.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager efonx.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys efonx.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc efonx.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power efonx.exe -
Adds Run key to start application 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vvdb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bnhrmcogujfqrahf.exe" efonx.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vvdb = "rfbnkcqkarpcfqzzav.exe" wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bhvzoyeqyh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rfbnkcqkarpcfqzzav.exe" wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\inadrafqx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ivqbxobujzwikucbb.exe ." wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bhvzoyeqyh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\crobzshctlkycoyzbxg.exe" wcycexrfgmi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vvdb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\evujjevslfgwcqcfjhsji.exe" wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rzflpxkn = "rjzpdvsfyxknyhhidl.exe" wcycexrfgmi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cfqrdkn = "evujjevslfgwcqcfjhsji.exe" wcycexrfgmi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rvhjweis = "pfdrqkawohhwbozbeblb.exe ." efonx.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rvhjweis = "ivqbxobujzwikucbb.exe ." 
efonx.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vvdb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rfbnkcqkarpcfqzzav.exe" efonx.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vvdb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pfdrqkawohhwbozbeblb.exe" efonx.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rvhjweis = "pfdrqkawohhwbozbeblb.exe ." wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vvdb = "rfbnkcqkarpcfqzzav.exe" wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\efonx = "ivqbxobujzwikucbb.exe ." wcycexrfgmi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cfqrdkn = "evujjevslfgwcqcfjhsji.exe" wcycexrfgmi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\efonx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\crobzshctlkycoyzbxg.exe ." wcycexrfgmi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rvhjweis = "ivqbxobujzwikucbb.exe ." wcycexrfgmi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cfqrdkn = "pfdrqkawohhwbozbeblb.exe" wcycexrfgmi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\efonx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rfbnkcqkarpcfqzzav.exe ." wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\efonx = "ivqbxobujzwikucbb.exe ." 
wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\efonx = "ivqbxobujzwikucbb.exe ." wcycexrfgmi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\efonx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bnhrmcogujfqrahf.exe ." efonx.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vvdb = "pfdrqkawohhwbozbeblb.exe" wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bhvzoyeqyh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\evujjevslfgwcqcfjhsji.exe" wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bhvzoyeqyh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pfdrqkawohhwbozbeblb.exe" wcycexrfgmi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\whqzgrhnzrx = "brftfvqbspabkrpo.exe" wcycexrfgmi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\iryfkthlv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cvmdsljxrrfjvfgieng.exe ." wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\inadrafqx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pfdrqkawohhwbozbeblb.exe ." efonx.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\inadrafqx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\evujjevslfgwcqcfjhsji.exe ." wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\efonx = "crobzshctlkycoyzbxg.exe ." efonx.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\efonx = "crobzshctlkycoyzbxg.exe ." 
wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\iryfkthlv = "pjbtjdcrmnchufhkhrld.exe ." wcycexrfgmi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\iryfkthlv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\izodqhdphfrtdlkke.exe ." wcycexrfgmi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rvhjweis = "crobzshctlkycoyzbxg.exe ." wcycexrfgmi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\efonx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bnhrmcogujfqrahf.exe ." wcycexrfgmi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rzflpxkn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rjzpdvsfyxknyhhidl.exe" wcycexrfgmi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vvdb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bnhrmcogujfqrahf.exe" wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\inadrafqx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ivqbxobujzwikucbb.exe ." wcycexrfgmi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rvhjweis = "pfdrqkawohhwbozbeblb.exe ." efonx.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cfqrdkn = "crobzshctlkycoyzbxg.exe" efonx.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\efonx = "evujjevslfgwcqcfjhsji.exe ." 
efonx.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\efonx = "evujjevslfgwcqcfjhsji.exe ." wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\inadrafqx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pfdrqkawohhwbozbeblb.exe ." wcycexrfgmi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\efonx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\evujjevslfgwcqcfjhsji.exe ." efonx.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bhvzoyeqyh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\crobzshctlkycoyzbxg.exe" wcycexrfgmi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cfqrdkn = "rfbnkcqkarpcfqzzav.exe" wcycexrfgmi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vvdb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rfbnkcqkarpcfqzzav.exe" wcycexrfgmi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vvdb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pfdrqkawohhwbozbeblb.exe" wcycexrfgmi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vvdb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pfdrqkawohhwbozbeblb.exe" wcycexrfgmi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\efonx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\crobzshctlkycoyzbxg.exe ." wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\inadrafqx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ivqbxobujzwikucbb.exe ." 
wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\inadrafqx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pfdrqkawohhwbozbeblb.exe ." wcycexrfgmi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\efonx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pfdrqkawohhwbozbeblb.exe ." wcycexrfgmi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vvdb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pfdrqkawohhwbozbeblb.exe" wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bhvzoyeqyh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rfbnkcqkarpcfqzzav.exe" wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\inadrafqx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\crobzshctlkycoyzbxg.exe ." wcycexrfgmi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rvhjweis = "rfbnkcqkarpcfqzzav.exe ." wcycexrfgmi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rzflpxkn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pjbtjdcrmnchufhkhrld.exe" wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vvdb = "pfdrqkawohhwbozbeblb.exe" wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\inadrafqx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\evujjevslfgwcqcfjhsji.exe ." wcycexrfgmi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tfpzhtkrexeb = "izodqhdphfrtdlkke.exe ." 
wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bhvzoyeqyh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bnhrmcogujfqrahf.exe" wcycexrfgmi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\efonx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\evujjevslfgwcqcfjhsji.exe ." wcycexrfgmi.exe -
Checks whether UAC is enabled 1 TTPs 38 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wcycexrfgmi.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA wcycexrfgmi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wcycexrfgmi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wcycexrfgmi.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA wcycexrfgmi.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA wcycexrfgmi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wcycexrfgmi.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA efonx.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA wcycexrfgmi.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA wcycexrfgmi.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA wcycexrfgmi.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA wcycexrfgmi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wcycexrfgmi.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA wcycexrfgmi.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA wcycexrfgmi.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA wcycexrfgmi.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wcycexrfgmi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wcycexrfgmi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wcycexrfgmi.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA wcycexrfgmi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" efonx.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA wcycexrfgmi.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA wcycexrfgmi.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA efonx.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA wcycexrfgmi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wcycexrfgmi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wcycexrfgmi.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA wcycexrfgmi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wcycexrfgmi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wcycexrfgmi.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA wcycexrfgmi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wcycexrfgmi.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" efonx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wcycexrfgmi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wcycexrfgmi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wcycexrfgmi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wcycexrfgmi.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA wcycexrfgmi.exe -
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 4 IoCs
Possibly turns off User Account Control's privilege elevation for standard users.
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" wcycexrfgmi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" efonx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" efonx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" wcycexrfgmi.exe -
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 33 www.whatismyip.ca 34 whatismyip.everdot.org 16 www.showmyipaddress.com 18 whatismyipaddress.com 22 whatismyip.everdot.org 24 www.whatismyip.ca 28 whatismyip.everdot.org -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\evujjevslfgwcqcfjhsji.exe wcycexrfgmi.exe File opened for modification C:\Windows\SysWOW64\bnhrmcogujfqrahf.exe wcycexrfgmi.exe File opened for modification C:\Windows\SysWOW64\evujjevslfgwcqcfjhsji.exe efonx.exe File opened for modification C:\Windows\SysWOW64\bnhrmcogujfqrahf.exe wcycexrfgmi.exe File opened for modification C:\Windows\SysWOW64\ivqbxobujzwikucbb.exe wcycexrfgmi.exe File opened for modification C:\Windows\SysWOW64\crobzshctlkycoyzbxg.exe wcycexrfgmi.exe File opened for modification C:\Windows\SysWOW64\bnhrmcogujfqrahf.exe wcycexrfgmi.exe File opened for modification C:\Windows\SysWOW64\ivqbxobujzwikucbb.exe wcycexrfgmi.exe File opened for modification C:\Windows\SysWOW64\bnhrmcogujfqrahf.exe wcycexrfgmi.exe File opened for modification C:\Windows\SysWOW64\evujjevslfgwcqcfjhsji.exe wcycexrfgmi.exe File opened for modification C:\Windows\SysWOW64\evujjevslfgwcqcfjhsji.exe wcycexrfgmi.exe File opened for modification C:\Windows\SysWOW64\rfbnkcqkarpcfqzzav.exe wcycexrfgmi.exe File opened for modification C:\Windows\SysWOW64\evujjevslfgwcqcfjhsji.exe wcycexrfgmi.exe File opened for modification C:\Windows\SysWOW64\rfbnkcqkarpcfqzzav.exe efonx.exe File opened for modification C:\Windows\SysWOW64\bnhrmcogujfqrahf.exe wcycexrfgmi.exe File opened for modification C:\Windows\SysWOW64\ivqbxobujzwikucbb.exe wcycexrfgmi.exe File opened for modification C:\Windows\SysWOW64\bnhrmcogujfqrahf.exe wcycexrfgmi.exe File opened for modification C:\Windows\SysWOW64\bnhrmcogujfqrahf.exe efonx.exe File opened for modification C:\Windows\SysWOW64\rfbnkcqkarpcfqzzav.exe wcycexrfgmi.exe File opened for modification C:\Windows\SysWOW64\crobzshctlkycoyzbxg.exe wcycexrfgmi.exe File opened for modification C:\Windows\SysWOW64\rfbnkcqkarpcfqzzav.exe wcycexrfgmi.exe File opened for modification C:\Windows\SysWOW64\crobzshctlkycoyzbxg.exe wcycexrfgmi.exe File opened for modification 
C:\Windows\SysWOW64\evujjevslfgwcqcfjhsji.exe wcycexrfgmi.exe File opened for modification C:\Windows\SysWOW64\evujjevslfgwcqcfjhsji.exe wcycexrfgmi.exe File opened for modification C:\Windows\SysWOW64\bnhrmcogujfqrahf.exe wcycexrfgmi.exe File opened for modification C:\Windows\SysWOW64\ivqbxobujzwikucbb.exe wcycexrfgmi.exe File opened for modification C:\Windows\SysWOW64\pfdrqkawohhwbozbeblb.exe wcycexrfgmi.exe File opened for modification C:\Windows\SysWOW64\rfbnkcqkarpcfqzzav.exe wcycexrfgmi.exe File opened for modification C:\Windows\SysWOW64\pfdrqkawohhwbozbeblb.exe wcycexrfgmi.exe File opened for modification C:\Windows\SysWOW64\vnndeasqkfhyfuhlqpbttj.exe wcycexrfgmi.exe File opened for modification C:\Windows\SysWOW64\pfdrqkawohhwbozbeblb.exe wcycexrfgmi.exe File opened for modification C:\Windows\SysWOW64\crobzshctlkycoyzbxg.exe wcycexrfgmi.exe File opened for modification C:\Windows\SysWOW64\ivqbxobujzwikucbb.exe wcycexrfgmi.exe File opened for modification C:\Windows\SysWOW64\rfbnkcqkarpcfqzzav.exe efonx.exe File opened for modification C:\Windows\SysWOW64\bnhrmcogujfqrahf.exe wcycexrfgmi.exe File opened for modification C:\Windows\SysWOW64\vnndeasqkfhyfuhlqpbttj.exe wcycexrfgmi.exe File opened for modification C:\Windows\SysWOW64\pfdrqkawohhwbozbeblb.exe wcycexrfgmi.exe File opened for modification C:\Windows\SysWOW64\rfbnkcqkarpcfqzzav.exe wcycexrfgmi.exe File opened for modification C:\Windows\SysWOW64\ivqbxobujzwikucbb.exe wcycexrfgmi.exe File opened for modification C:\Windows\SysWOW64\vnndeasqkfhyfuhlqpbttj.exe wcycexrfgmi.exe File opened for modification C:\Windows\SysWOW64\ivqbxobujzwikucbb.exe efonx.exe File opened for modification C:\Windows\SysWOW64\bnhrmcogujfqrahf.exe wcycexrfgmi.exe File opened for modification C:\Windows\SysWOW64\bnhrmcogujfqrahf.exe wcycexrfgmi.exe File opened for modification C:\Windows\SysWOW64\rfbnkcqkarpcfqzzav.exe wcycexrfgmi.exe File opened for modification C:\Windows\SysWOW64\bnhrmcogujfqrahf.exe wcycexrfgmi.exe 
File opened for modification C:\Windows\SysWOW64\crobzshctlkycoyzbxg.exe wcycexrfgmi.exe File opened for modification C:\Windows\SysWOW64\pfdrqkawohhwbozbeblb.exe wcycexrfgmi.exe File opened for modification C:\Windows\SysWOW64\vnndeasqkfhyfuhlqpbttj.exe wcycexrfgmi.exe File opened for modification C:\Windows\SysWOW64\vnndeasqkfhyfuhlqpbttj.exe efonx.exe File opened for modification C:\Windows\SysWOW64\evujjevslfgwcqcfjhsji.exe efonx.exe File opened for modification C:\Windows\SysWOW64\crobzshctlkycoyzbxg.exe wcycexrfgmi.exe File opened for modification C:\Windows\SysWOW64\evujjevslfgwcqcfjhsji.exe wcycexrfgmi.exe File opened for modification C:\Windows\SysWOW64\evujjevslfgwcqcfjhsji.exe wcycexrfgmi.exe File opened for modification C:\Windows\SysWOW64\crobzshctlkycoyzbxg.exe wcycexrfgmi.exe File opened for modification C:\Windows\SysWOW64\bnhrmcogujfqrahf.exe wcycexrfgmi.exe File opened for modification C:\Windows\SysWOW64\ivqbxobujzwikucbb.exe wcycexrfgmi.exe File opened for modification C:\Windows\SysWOW64\ivqbxobujzwikucbb.exe wcycexrfgmi.exe File opened for modification C:\Windows\SysWOW64\pfdrqkawohhwbozbeblb.exe wcycexrfgmi.exe File created C:\Windows\SysWOW64\vvdbkoouwzjixupbovppxveiio.tdc efonx.exe File opened for modification C:\Windows\SysWOW64\vnndeasqkfhyfuhlqpbttj.exe wcycexrfgmi.exe File opened for modification C:\Windows\SysWOW64\crobzshctlkycoyzbxg.exe wcycexrfgmi.exe File opened for modification C:\Windows\SysWOW64\ivqbxobujzwikucbb.exe wcycexrfgmi.exe File opened for modification C:\Windows\SysWOW64\pfdrqkawohhwbozbeblb.exe wcycexrfgmi.exe File opened for modification C:\Windows\SysWOW64\crobzshctlkycoyzbxg.exe wcycexrfgmi.exe -
Drops file in Program Files directory 4 IoCs
description ioc Process File created C:\Program Files (x86)\vvdbkoouwzjixupbovppxveiio.tdc efonx.exe File opened for modification C:\Program Files (x86)\whajdsduhvqaaioljbgrktncnerfakksyvtlq.udx efonx.exe File created C:\Program Files (x86)\whajdsduhvqaaioljbgrktncnerfakksyvtlq.udx efonx.exe File opened for modification C:\Program Files (x86)\vvdbkoouwzjixupbovppxveiio.tdc efonx.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\pfdrqkawohhwbozbeblb.exe efonx.exe File opened for modification C:\Windows\evujjevslfgwcqcfjhsji.exe efonx.exe File opened for modification C:\Windows\vnndeasqkfhyfuhlqpbttj.exe efonx.exe File opened for modification C:\Windows\bnhrmcogujfqrahf.exe wcycexrfgmi.exe File opened for modification C:\Windows\ivqbxobujzwikucbb.exe wcycexrfgmi.exe File opened for modification C:\Windows\ivqbxobujzwikucbb.exe wcycexrfgmi.exe File opened for modification C:\Windows\evujjevslfgwcqcfjhsji.exe wcycexrfgmi.exe File opened for modification C:\Windows\rfbnkcqkarpcfqzzav.exe wcycexrfgmi.exe File opened for modification C:\Windows\crobzshctlkycoyzbxg.exe wcycexrfgmi.exe File opened for modification C:\Windows\evujjevslfgwcqcfjhsji.exe efonx.exe File opened for modification C:\Windows\vnndeasqkfhyfuhlqpbttj.exe wcycexrfgmi.exe File opened for modification C:\Windows\ivqbxobujzwikucbb.exe wcycexrfgmi.exe File opened for modification C:\Windows\vnndeasqkfhyfuhlqpbttj.exe wcycexrfgmi.exe File opened for modification C:\Windows\evujjevslfgwcqcfjhsji.exe wcycexrfgmi.exe File opened for modification C:\Windows\crobzshctlkycoyzbxg.exe wcycexrfgmi.exe File opened for modification C:\Windows\bnhrmcogujfqrahf.exe wcycexrfgmi.exe File opened for modification C:\Windows\vnndeasqkfhyfuhlqpbttj.exe wcycexrfgmi.exe File opened for modification C:\Windows\pfdrqkawohhwbozbeblb.exe efonx.exe File opened for modification C:\Windows\rfbnkcqkarpcfqzzav.exe efonx.exe File opened for modification C:\Windows\vnndeasqkfhyfuhlqpbttj.exe wcycexrfgmi.exe File opened for modification C:\Windows\bnhrmcogujfqrahf.exe wcycexrfgmi.exe File opened for modification C:\Windows\bnhrmcogujfqrahf.exe wcycexrfgmi.exe File opened for modification C:\Windows\bnhrmcogujfqrahf.exe wcycexrfgmi.exe File opened for modification C:\Windows\vnndeasqkfhyfuhlqpbttj.exe wcycexrfgmi.exe File opened for modification C:\Windows\whajdsduhvqaaioljbgrktncnerfakksyvtlq.udx 
efonx.exe File opened for modification C:\Windows\bnhrmcogujfqrahf.exe wcycexrfgmi.exe File opened for modification C:\Windows\evujjevslfgwcqcfjhsji.exe wcycexrfgmi.exe File opened for modification C:\Windows\rfbnkcqkarpcfqzzav.exe wcycexrfgmi.exe File opened for modification C:\Windows\bnhrmcogujfqrahf.exe wcycexrfgmi.exe File opened for modification C:\Windows\rfbnkcqkarpcfqzzav.exe wcycexrfgmi.exe File opened for modification C:\Windows\pfdrqkawohhwbozbeblb.exe wcycexrfgmi.exe File opened for modification C:\Windows\crobzshctlkycoyzbxg.exe wcycexrfgmi.exe File opened for modification C:\Windows\ivqbxobujzwikucbb.exe wcycexrfgmi.exe File opened for modification C:\Windows\rfbnkcqkarpcfqzzav.exe wcycexrfgmi.exe File opened for modification C:\Windows\crobzshctlkycoyzbxg.exe wcycexrfgmi.exe File opened for modification C:\Windows\evujjevslfgwcqcfjhsji.exe wcycexrfgmi.exe File opened for modification C:\Windows\rfbnkcqkarpcfqzzav.exe wcycexrfgmi.exe File opened for modification C:\Windows\crobzshctlkycoyzbxg.exe efonx.exe File opened for modification C:\Windows\vnndeasqkfhyfuhlqpbttj.exe wcycexrfgmi.exe File opened for modification C:\Windows\vnndeasqkfhyfuhlqpbttj.exe wcycexrfgmi.exe File opened for modification C:\Windows\ivqbxobujzwikucbb.exe wcycexrfgmi.exe File opened for modification C:\Windows\evujjevslfgwcqcfjhsji.exe wcycexrfgmi.exe File opened for modification C:\Windows\crobzshctlkycoyzbxg.exe wcycexrfgmi.exe File opened for modification C:\Windows\pfdrqkawohhwbozbeblb.exe wcycexrfgmi.exe File opened for modification C:\Windows\crobzshctlkycoyzbxg.exe wcycexrfgmi.exe File opened for modification C:\Windows\rfbnkcqkarpcfqzzav.exe wcycexrfgmi.exe File opened for modification C:\Windows\pfdrqkawohhwbozbeblb.exe wcycexrfgmi.exe File opened for modification C:\Windows\vnndeasqkfhyfuhlqpbttj.exe wcycexrfgmi.exe File created C:\Windows\whajdsduhvqaaioljbgrktncnerfakksyvtlq.udx efonx.exe File opened for modification C:\Windows\evujjevslfgwcqcfjhsji.exe 
wcycexrfgmi.exe File opened for modification C:\Windows\pfdrqkawohhwbozbeblb.exe wcycexrfgmi.exe File opened for modification C:\Windows\bnhrmcogujfqrahf.exe wcycexrfgmi.exe File opened for modification C:\Windows\evujjevslfgwcqcfjhsji.exe wcycexrfgmi.exe File opened for modification C:\Windows\ivqbxobujzwikucbb.exe wcycexrfgmi.exe File opened for modification C:\Windows\rfbnkcqkarpcfqzzav.exe wcycexrfgmi.exe File opened for modification C:\Windows\crobzshctlkycoyzbxg.exe wcycexrfgmi.exe File opened for modification C:\Windows\vnndeasqkfhyfuhlqpbttj.exe wcycexrfgmi.exe File opened for modification C:\Windows\pfdrqkawohhwbozbeblb.exe wcycexrfgmi.exe File opened for modification C:\Windows\crobzshctlkycoyzbxg.exe wcycexrfgmi.exe File opened for modification C:\Windows\pfdrqkawohhwbozbeblb.exe wcycexrfgmi.exe File opened for modification C:\Windows\evujjevslfgwcqcfjhsji.exe wcycexrfgmi.exe File opened for modification C:\Windows\bnhrmcogujfqrahf.exe wcycexrfgmi.exe File opened for modification C:\Windows\rfbnkcqkarpcfqzzav.exe wcycexrfgmi.exe File opened for modification C:\Windows\ivqbxobujzwikucbb.exe wcycexrfgmi.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhrmcogujfqrahf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language izodqhdphfrtdlkke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhrmcogujfqrahf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language evujjevslfgwcqcfjhsji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ivqbxobujzwikucbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language izodqhdphfrtdlkke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvmdsljxrrfjvfgieng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pfdrqkawohhwbozbeblb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language crobzshctlkycoyzbxg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfbnkcqkarpcfqzzav.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language evujjevslfgwcqcfjhsji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ivqbxobujzwikucbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pfdrqkawohhwbozbeblb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language crobzshctlkycoyzbxg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ivqbxobujzwikucbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhrmcogujfqrahf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language brftfvqbspabkrpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvmdsljxrrfjvfgieng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wcycexrfgmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ivqbxobujzwikucbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ivqbxobujzwikucbb.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pfdrqkawohhwbozbeblb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhrmcogujfqrahf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ivqbxobujzwikucbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhrmcogujfqrahf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language izodqhdphfrtdlkke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pfdrqkawohhwbozbeblb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfbnkcqkarpcfqzzav.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language evujjevslfgwcqcfjhsji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfbnkcqkarpcfqzzav.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language evujjevslfgwcqcfjhsji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language evujjevslfgwcqcfjhsji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rjzpdvsfyxknyhhidl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ivqbxobujzwikucbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language evujjevslfgwcqcfjhsji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language evujjevslfgwcqcfjhsji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ivqbxobujzwikucbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ivqbxobujzwikucbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language evujjevslfgwcqcfjhsji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhrmcogujfqrahf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language evujjevslfgwcqcfjhsji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhrmcogujfqrahf.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pfdrqkawohhwbozbeblb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language crobzshctlkycoyzbxg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfbnkcqkarpcfqzzav.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language crobzshctlkycoyzbxg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ivqbxobujzwikucbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rjzpdvsfyxknyhhidl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language brftfvqbspabkrpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pfdrqkawohhwbozbeblb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ivqbxobujzwikucbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhrmcogujfqrahf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language evujjevslfgwcqcfjhsji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pfdrqkawohhwbozbeblb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfbnkcqkarpcfqzzav.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pfdrqkawohhwbozbeblb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language evujjevslfgwcqcfjhsji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ivqbxobujzwikucbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language evujjevslfgwcqcfjhsji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language evujjevslfgwcqcfjhsji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language izodqhdphfrtdlkke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhrmcogujfqrahf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language crobzshctlkycoyzbxg.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_b83fcfe1963876af901a35e7f36a53a0.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 5252 JaffaCakes118_b83fcfe1963876af901a35e7f36a53a0.exe 5252 JaffaCakes118_b83fcfe1963876af901a35e7f36a53a0.exe 5252 JaffaCakes118_b83fcfe1963876af901a35e7f36a53a0.exe 5252 JaffaCakes118_b83fcfe1963876af901a35e7f36a53a0.exe 5252 JaffaCakes118_b83fcfe1963876af901a35e7f36a53a0.exe 5252 JaffaCakes118_b83fcfe1963876af901a35e7f36a53a0.exe 5252 JaffaCakes118_b83fcfe1963876af901a35e7f36a53a0.exe 5252 JaffaCakes118_b83fcfe1963876af901a35e7f36a53a0.exe 5252 JaffaCakes118_b83fcfe1963876af901a35e7f36a53a0.exe 5252 JaffaCakes118_b83fcfe1963876af901a35e7f36a53a0.exe 5252 JaffaCakes118_b83fcfe1963876af901a35e7f36a53a0.exe 5252 JaffaCakes118_b83fcfe1963876af901a35e7f36a53a0.exe 5252 JaffaCakes118_b83fcfe1963876af901a35e7f36a53a0.exe 5252 JaffaCakes118_b83fcfe1963876af901a35e7f36a53a0.exe 5252 JaffaCakes118_b83fcfe1963876af901a35e7f36a53a0.exe 5252 JaffaCakes118_b83fcfe1963876af901a35e7f36a53a0.exe 1288 efonx.exe 1288 efonx.exe 5252 JaffaCakes118_b83fcfe1963876af901a35e7f36a53a0.exe 5252 JaffaCakes118_b83fcfe1963876af901a35e7f36a53a0.exe 5252 JaffaCakes118_b83fcfe1963876af901a35e7f36a53a0.exe 5252 JaffaCakes118_b83fcfe1963876af901a35e7f36a53a0.exe 5252 JaffaCakes118_b83fcfe1963876af901a35e7f36a53a0.exe 5252 JaffaCakes118_b83fcfe1963876af901a35e7f36a53a0.exe 5252 JaffaCakes118_b83fcfe1963876af901a35e7f36a53a0.exe 5252 JaffaCakes118_b83fcfe1963876af901a35e7f36a53a0.exe 5252 JaffaCakes118_b83fcfe1963876af901a35e7f36a53a0.exe 5252 JaffaCakes118_b83fcfe1963876af901a35e7f36a53a0.exe 5252 JaffaCakes118_b83fcfe1963876af901a35e7f36a53a0.exe 5252 JaffaCakes118_b83fcfe1963876af901a35e7f36a53a0.exe 5252 JaffaCakes118_b83fcfe1963876af901a35e7f36a53a0.exe 5252 JaffaCakes118_b83fcfe1963876af901a35e7f36a53a0.exe 5252 JaffaCakes118_b83fcfe1963876af901a35e7f36a53a0.exe 5252 JaffaCakes118_b83fcfe1963876af901a35e7f36a53a0.exe 5252 JaffaCakes118_b83fcfe1963876af901a35e7f36a53a0.exe 5252 JaffaCakes118_b83fcfe1963876af901a35e7f36a53a0.exe 5252 
JaffaCakes118_b83fcfe1963876af901a35e7f36a53a0.exe 5252 JaffaCakes118_b83fcfe1963876af901a35e7f36a53a0.exe 5252 JaffaCakes118_b83fcfe1963876af901a35e7f36a53a0.exe 5252 JaffaCakes118_b83fcfe1963876af901a35e7f36a53a0.exe 5252 JaffaCakes118_b83fcfe1963876af901a35e7f36a53a0.exe 5252 JaffaCakes118_b83fcfe1963876af901a35e7f36a53a0.exe 5252 JaffaCakes118_b83fcfe1963876af901a35e7f36a53a0.exe 5252 JaffaCakes118_b83fcfe1963876af901a35e7f36a53a0.exe 5252 JaffaCakes118_b83fcfe1963876af901a35e7f36a53a0.exe 5252 JaffaCakes118_b83fcfe1963876af901a35e7f36a53a0.exe 5252 JaffaCakes118_b83fcfe1963876af901a35e7f36a53a0.exe 5252 JaffaCakes118_b83fcfe1963876af901a35e7f36a53a0.exe 1288 efonx.exe 1288 efonx.exe 5252 JaffaCakes118_b83fcfe1963876af901a35e7f36a53a0.exe 5252 JaffaCakes118_b83fcfe1963876af901a35e7f36a53a0.exe 5252 JaffaCakes118_b83fcfe1963876af901a35e7f36a53a0.exe 5252 JaffaCakes118_b83fcfe1963876af901a35e7f36a53a0.exe 5252 JaffaCakes118_b83fcfe1963876af901a35e7f36a53a0.exe 5252 JaffaCakes118_b83fcfe1963876af901a35e7f36a53a0.exe 5252 JaffaCakes118_b83fcfe1963876af901a35e7f36a53a0.exe 5252 JaffaCakes118_b83fcfe1963876af901a35e7f36a53a0.exe 5252 JaffaCakes118_b83fcfe1963876af901a35e7f36a53a0.exe 5252 JaffaCakes118_b83fcfe1963876af901a35e7f36a53a0.exe 5252 JaffaCakes118_b83fcfe1963876af901a35e7f36a53a0.exe 5252 JaffaCakes118_b83fcfe1963876af901a35e7f36a53a0.exe 5252 JaffaCakes118_b83fcfe1963876af901a35e7f36a53a0.exe 5252 JaffaCakes118_b83fcfe1963876af901a35e7f36a53a0.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1288 efonx.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5252 wrote to memory of 2700 5252 JaffaCakes118_b83fcfe1963876af901a35e7f36a53a0.exe 89 PID 5252 wrote to memory of 2700 5252 JaffaCakes118_b83fcfe1963876af901a35e7f36a53a0.exe 89 PID 5252 wrote to memory of 2700 5252 JaffaCakes118_b83fcfe1963876af901a35e7f36a53a0.exe 89 PID 4672 wrote to memory of 4868 4672 cmd.exe 93 PID 4672 wrote to memory of 4868 4672 cmd.exe 93 PID 4672 wrote to memory of 4868 4672 cmd.exe 93 PID 4732 wrote to memory of 5880 4732 cmd.exe 96 PID 4732 wrote to memory of 5880 4732 cmd.exe 96 PID 4732 wrote to memory of 5880 4732 cmd.exe 96 PID 5880 wrote to memory of 4856 5880 rfbnkcqkarpcfqzzav.exe 99 PID 5880 wrote to memory of 4856 5880 rfbnkcqkarpcfqzzav.exe 99 PID 5880 wrote to memory of 4856 5880 rfbnkcqkarpcfqzzav.exe 99 PID 4832 wrote to memory of 4964 4832 cmd.exe 102 PID 4832 wrote to memory of 4964 4832 cmd.exe 102 PID 4832 wrote to memory of 4964 4832 cmd.exe 102 PID 4796 wrote to memory of 4020 4796 cmd.exe 105 PID 4796 wrote to memory of 4020 4796 cmd.exe 105 PID 4796 wrote to memory of 4020 4796 cmd.exe 105 PID 5712 wrote to memory of 3896 5712 cmd.exe 108 PID 5712 wrote to memory of 3896 5712 cmd.exe 108 PID 5712 wrote to memory of 3896 5712 cmd.exe 108 PID 5924 wrote to memory of 2096 5924 cmd.exe 109 PID 5924 wrote to memory of 2096 5924 cmd.exe 109 PID 5924 wrote to memory of 2096 5924 cmd.exe 109 PID 4020 wrote to memory of 2800 4020 ivqbxobujzwikucbb.exe 110 PID 4020 wrote to memory of 2800 4020 ivqbxobujzwikucbb.exe 110 PID 4020 wrote to memory of 2800 4020 ivqbxobujzwikucbb.exe 110 PID 2096 wrote to memory of 376 2096 evujjevslfgwcqcfjhsji.exe 112 PID 2096 wrote to memory of 376 2096 evujjevslfgwcqcfjhsji.exe 112 PID 2096 wrote to memory of 376 2096 evujjevslfgwcqcfjhsji.exe 112 PID 5868 wrote to memory of 2884 5868 cmd.exe 117 PID 5868 wrote to memory of 2884 5868 cmd.exe 117 PID 5868 wrote to memory of 2884 5868 cmd.exe 117 PID 5716 wrote to memory of 452 5716 cmd.exe 118 PID 
5716 wrote to memory of 452 5716 cmd.exe 118 PID 5716 wrote to memory of 452 5716 cmd.exe 118 PID 452 wrote to memory of 3388 452 bnhrmcogujfqrahf.exe 119 PID 452 wrote to memory of 3388 452 bnhrmcogujfqrahf.exe 119 PID 452 wrote to memory of 3388 452 bnhrmcogujfqrahf.exe 119 PID 2700 wrote to memory of 1288 2700 wcycexrfgmi.exe 120 PID 2700 wrote to memory of 1288 2700 wcycexrfgmi.exe 120 PID 2700 wrote to memory of 1288 2700 wcycexrfgmi.exe 120 PID 2700 wrote to memory of 5512 2700 wcycexrfgmi.exe 121 PID 2700 wrote to memory of 5512 2700 wcycexrfgmi.exe 121 PID 2700 wrote to memory of 5512 2700 wcycexrfgmi.exe 121 PID 2088 wrote to memory of 1740 2088 cmd.exe 126 PID 2088 wrote to memory of 1740 2088 cmd.exe 126 PID 2088 wrote to memory of 1740 2088 cmd.exe 126 PID 5052 wrote to memory of 4376 5052 cmd.exe 127 PID 5052 wrote to memory of 4376 5052 cmd.exe 127 PID 5052 wrote to memory of 4376 5052 cmd.exe 127 PID 2368 wrote to memory of 2676 2368 cmd.exe 132 PID 2368 wrote to memory of 2676 2368 cmd.exe 132 PID 2368 wrote to memory of 2676 2368 cmd.exe 132 PID 5948 wrote to memory of 1092 5948 cmd.exe 133 PID 5948 wrote to memory of 1092 5948 cmd.exe 133 PID 5948 wrote to memory of 1092 5948 cmd.exe 133 PID 2676 wrote to memory of 3944 2676 crobzshctlkycoyzbxg.exe 142 PID 2676 wrote to memory of 3944 2676 crobzshctlkycoyzbxg.exe 142 PID 2676 wrote to memory of 3944 2676 crobzshctlkycoyzbxg.exe 142 PID 1092 wrote to memory of 3120 1092 pfdrqkawohhwbozbeblb.exe 146 PID 1092 wrote to memory of 3120 1092 pfdrqkawohhwbozbeblb.exe 146 PID 1092 wrote to memory of 3120 1092 pfdrqkawohhwbozbeblb.exe 146 PID 884 wrote to memory of 5772 884 cmd.exe 151 -
System policy modification 1 TTPs 64 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" wcycexrfgmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System wcycexrfgmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System wcycexrfgmi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wcycexrfgmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System wcycexrfgmi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" efonx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" efonx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" efonx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" efonx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" efonx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" wcycexrfgmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System efonx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" efonx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" wcycexrfgmi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" efonx.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" efonx.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer efonx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" wcycexrfgmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System wcycexrfgmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System wcycexrfgmi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wcycexrfgmi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" efonx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wcycexrfgmi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" wcycexrfgmi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" efonx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wcycexrfgmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer efonx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" wcycexrfgmi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" wcycexrfgmi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wcycexrfgmi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" wcycexrfgmi.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" wcycexrfgmi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" efonx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wcycexrfgmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System wcycexrfgmi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wcycexrfgmi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wcycexrfgmi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" wcycexrfgmi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" wcycexrfgmi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" efonx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" efonx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wcycexrfgmi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wcycexrfgmi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wcycexrfgmi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wcycexrfgmi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" wcycexrfgmi.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" wcycexrfgmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System wcycexrfgmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System wcycexrfgmi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" wcycexrfgmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System wcycexrfgmi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" efonx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" efonx.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System wcycexrfgmi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wcycexrfgmi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" efonx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" efonx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wcycexrfgmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System wcycexrfgmi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" wcycexrfgmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System wcycexrfgmi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" wcycexrfgmi.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer wcycexrfgmi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" efonx.exe
Processes
-
Image: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b83fcfe1963876af901a35e7f36a53a0.exe — Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b83fcfe1963876af901a35e7f36a53a0.exe" (tree depth 1)
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5252 -
Image: C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe — Command line: "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_b83fcfe1963876af901a35e7f36a53a0.exe*" (tree depth 2)
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2700 -
Image: C:\Users\Admin\AppData\Local\Temp\efonx.exe — Command line: "C:\Users\Admin\AppData\Local\Temp\efonx.exe" "-C:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exe" (tree depth 3)
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1288
-
-
Image: C:\Users\Admin\AppData\Local\Temp\efonx.exe — Command line: "C:\Users\Admin\AppData\Local\Temp\efonx.exe" "-C:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exe" (tree depth 3)
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5512
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rfbnkcqkarpcfqzzav.exe1⤵
- Suspicious use of WriteProcessMemory
PID:4672 -
C:\Windows\rfbnkcqkarpcfqzzav.exerfbnkcqkarpcfqzzav.exe2⤵
- Executes dropped EXE
PID:4868
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rfbnkcqkarpcfqzzav.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:4732 -
C:\Windows\rfbnkcqkarpcfqzzav.exerfbnkcqkarpcfqzzav.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5880 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\rfbnkcqkarpcfqzzav.exe*."3⤵
- Executes dropped EXE
PID:4856
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c crobzshctlkycoyzbxg.exe1⤵
- Suspicious use of WriteProcessMemory
PID:4832 -
C:\Windows\crobzshctlkycoyzbxg.execrobzshctlkycoyzbxg.exe2⤵
- Executes dropped EXE
PID:4964
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ivqbxobujzwikucbb.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:4796 -
C:\Windows\ivqbxobujzwikucbb.exeivqbxobujzwikucbb.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4020 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\ivqbxobujzwikucbb.exe*."3⤵
- Executes dropped EXE
PID:2800
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crobzshctlkycoyzbxg.exe1⤵
- Suspicious use of WriteProcessMemory
PID:5712 -
C:\Users\Admin\AppData\Local\Temp\crobzshctlkycoyzbxg.exeC:\Users\Admin\AppData\Local\Temp\crobzshctlkycoyzbxg.exe2⤵
- Executes dropped EXE
PID:3896
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:5924 -
C:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exeC:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\evujjevslfgwcqcfjhsji.exe*."3⤵
- Executes dropped EXE
PID:376
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crobzshctlkycoyzbxg.exe1⤵
- Suspicious use of WriteProcessMemory
PID:5868 -
C:\Users\Admin\AppData\Local\Temp\crobzshctlkycoyzbxg.exeC:\Users\Admin\AppData\Local\Temp\crobzshctlkycoyzbxg.exe2⤵
- Executes dropped EXE
PID:2884
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:5716 -
C:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exeC:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:452 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\bnhrmcogujfqrahf.exe*."3⤵
- Executes dropped EXE
PID:3388
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bnhrmcogujfqrahf.exe1⤵
- Suspicious use of WriteProcessMemory
PID:5052 -
C:\Windows\bnhrmcogujfqrahf.exebnhrmcogujfqrahf.exe2⤵
- Executes dropped EXE
PID:4376
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ivqbxobujzwikucbb.exe1⤵
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\ivqbxobujzwikucbb.exeivqbxobujzwikucbb.exe2⤵
- Executes dropped EXE
PID:1740
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pfdrqkawohhwbozbeblb.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:5948 -
C:\Windows\pfdrqkawohhwbozbeblb.exepfdrqkawohhwbozbeblb.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1092 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\pfdrqkawohhwbozbeblb.exe*."3⤵
- Executes dropped EXE
PID:3120
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c crobzshctlkycoyzbxg.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\crobzshctlkycoyzbxg.execrobzshctlkycoyzbxg.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\crobzshctlkycoyzbxg.exe*."3⤵
- Executes dropped EXE
PID:3944
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bnhrmcogujfqrahf.exe1⤵PID:3492
-
C:\Windows\bnhrmcogujfqrahf.exebnhrmcogujfqrahf.exe2⤵
- Executes dropped EXE
PID:1064
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c crobzshctlkycoyzbxg.exe1⤵
- Suspicious use of WriteProcessMemory
PID:884 -
C:\Windows\crobzshctlkycoyzbxg.execrobzshctlkycoyzbxg.exe2⤵
- Executes dropped EXE
PID:5772
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pfdrqkawohhwbozbeblb.exe .1⤵PID:2628
-
C:\Windows\pfdrqkawohhwbozbeblb.exepfdrqkawohhwbozbeblb.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1912 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\pfdrqkawohhwbozbeblb.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:448
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ivqbxobujzwikucbb.exe .1⤵PID:3080
-
C:\Windows\ivqbxobujzwikucbb.exeivqbxobujzwikucbb.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
PID:4268 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\ivqbxobujzwikucbb.exe*."3⤵
- Executes dropped EXE
PID:4612
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe1⤵PID:5524
-
C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exeC:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe2⤵
- Executes dropped EXE
PID:116
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe1⤵PID:2916
-
C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exeC:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe2⤵
- Executes dropped EXE
PID:3148
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rfbnkcqkarpcfqzzav.exe .1⤵PID:6024
-
C:\Users\Admin\AppData\Local\Temp\rfbnkcqkarpcfqzzav.exeC:\Users\Admin\AppData\Local\Temp\rfbnkcqkarpcfqzzav.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4260 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\rfbnkcqkarpcfqzzav.exe*."3⤵
- Executes dropped EXE
PID:4848
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rfbnkcqkarpcfqzzav.exe .1⤵PID:536
-
C:\Users\Admin\AppData\Local\Temp\rfbnkcqkarpcfqzzav.exeC:\Users\Admin\AppData\Local\Temp\rfbnkcqkarpcfqzzav.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:676 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\rfbnkcqkarpcfqzzav.exe*."3⤵
- Executes dropped EXE
PID:3352
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exe1⤵PID:2340
-
C:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exeC:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exe2⤵
- Executes dropped EXE
PID:4964
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exe1⤵PID:5996
-
C:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exeC:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exe2⤵
- Executes dropped EXE
PID:5864
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe .1⤵PID:1560
-
C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exeC:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
PID:5920 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\pfdrqkawohhwbozbeblb.exe*."3⤵
- Executes dropped EXE
PID:4044
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe .1⤵PID:3776
-
C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exeC:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4832 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\pfdrqkawohhwbozbeblb.exe*."3⤵
- Executes dropped EXE
PID:5520
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ivqbxobujzwikucbb.exe1⤵PID:4020
-
C:\Windows\ivqbxobujzwikucbb.exeivqbxobujzwikucbb.exe2⤵
- Executes dropped EXE
PID:3220
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ivqbxobujzwikucbb.exe .1⤵PID:2124
-
C:\Windows\ivqbxobujzwikucbb.exeivqbxobujzwikucbb.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:548 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\ivqbxobujzwikucbb.exe*."3⤵
- Executes dropped EXE
PID:3372
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c crobzshctlkycoyzbxg.exe1⤵PID:1292
-
C:\Windows\crobzshctlkycoyzbxg.execrobzshctlkycoyzbxg.exe2⤵
- Executes dropped EXE
PID:3128
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pfdrqkawohhwbozbeblb.exe .1⤵PID:5368
-
C:\Windows\pfdrqkawohhwbozbeblb.exepfdrqkawohhwbozbeblb.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
PID:3580 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\pfdrqkawohhwbozbeblb.exe*."3⤵
- Executes dropped EXE
PID:2912
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exe1⤵PID:1172
-
C:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exeC:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exe2⤵
- Executes dropped EXE
PID:3212
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exe .1⤵PID:5832
-
C:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exeC:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4060 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\evujjevslfgwcqcfjhsji.exe*."3⤵
- Executes dropped EXE
PID:5248
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rfbnkcqkarpcfqzzav.exe1⤵PID:1040
-
C:\Users\Admin\AppData\Local\Temp\rfbnkcqkarpcfqzzav.exeC:\Users\Admin\AppData\Local\Temp\rfbnkcqkarpcfqzzav.exe2⤵
- Executes dropped EXE
PID:2776
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crobzshctlkycoyzbxg.exe .1⤵PID:1004
-
C:\Users\Admin\AppData\Local\Temp\crobzshctlkycoyzbxg.exeC:\Users\Admin\AppData\Local\Temp\crobzshctlkycoyzbxg.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2020 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\crobzshctlkycoyzbxg.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5484
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rfbnkcqkarpcfqzzav.exe1⤵PID:1908
-
C:\Windows\rfbnkcqkarpcfqzzav.exerfbnkcqkarpcfqzzav.exe2⤵
- Executes dropped EXE
PID:3576
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c evujjevslfgwcqcfjhsji.exe1⤵PID:3468
-
C:\Windows\evujjevslfgwcqcfjhsji.exeevujjevslfgwcqcfjhsji.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1856
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c evujjevslfgwcqcfjhsji.exe1⤵PID:5488
-
C:\Windows\evujjevslfgwcqcfjhsji.exeevujjevslfgwcqcfjhsji.exe2⤵
- Executes dropped EXE
PID:1980
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c crobzshctlkycoyzbxg.exe .1⤵PID:5288
-
C:\Windows\crobzshctlkycoyzbxg.execrobzshctlkycoyzbxg.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
PID:5168 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\crobzshctlkycoyzbxg.exe*."3⤵
- Executes dropped EXE
PID:3976
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c evujjevslfgwcqcfjhsji.exe .1⤵PID:2864
-
C:\Windows\evujjevslfgwcqcfjhsji.exeevujjevslfgwcqcfjhsji.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2056 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\evujjevslfgwcqcfjhsji.exe*."3⤵
- Executes dropped EXE
PID:5028
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c evujjevslfgwcqcfjhsji.exe .1⤵PID:5352
-
C:\Windows\evujjevslfgwcqcfjhsji.exeevujjevslfgwcqcfjhsji.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1984 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\evujjevslfgwcqcfjhsji.exe*."3⤵
- Executes dropped EXE
PID:4816
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rfbnkcqkarpcfqzzav.exe1⤵PID:2976
-
C:\Windows\rfbnkcqkarpcfqzzav.exerfbnkcqkarpcfqzzav.exe2⤵
- Executes dropped EXE
PID:1584
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pfdrqkawohhwbozbeblb.exe .1⤵PID:1428
-
C:\Windows\pfdrqkawohhwbozbeblb.exepfdrqkawohhwbozbeblb.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
PID:4644 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\pfdrqkawohhwbozbeblb.exe*."3⤵PID:4676
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ivqbxobujzwikucbb.exe1⤵PID:1828
-
C:\Windows\ivqbxobujzwikucbb.exeivqbxobujzwikucbb.exe2⤵
- Executes dropped EXE
PID:1028
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c evujjevslfgwcqcfjhsji.exe1⤵PID:2320
-
C:\Windows\evujjevslfgwcqcfjhsji.exeevujjevslfgwcqcfjhsji.exe2⤵
- Executes dropped EXE
PID:4864
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crobzshctlkycoyzbxg.exe1⤵PID:2512
-
C:\Users\Admin\AppData\Local\Temp\crobzshctlkycoyzbxg.exeC:\Users\Admin\AppData\Local\Temp\crobzshctlkycoyzbxg.exe2⤵PID:5368
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c evujjevslfgwcqcfjhsji.exe .1⤵PID:5792
-
C:\Windows\evujjevslfgwcqcfjhsji.exeevujjevslfgwcqcfjhsji.exe .2⤵PID:2084
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\evujjevslfgwcqcfjhsji.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4784
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ivqbxobujzwikucbb.exe .1⤵PID:3492
-
C:\Windows\ivqbxobujzwikucbb.exeivqbxobujzwikucbb.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3624 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\ivqbxobujzwikucbb.exe*."3⤵PID:4936
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rfbnkcqkarpcfqzzav.exe .1⤵PID:880
-
C:\Users\Admin\AppData\Local\Temp\rfbnkcqkarpcfqzzav.exeC:\Users\Admin\AppData\Local\Temp\rfbnkcqkarpcfqzzav.exe .2⤵
- Checks computer location settings
PID:536 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\rfbnkcqkarpcfqzzav.exe*."3⤵PID:4792
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exe1⤵PID:4704
-
C:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exeC:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exe2⤵
- System Location Discovery: System Language Discovery
PID:5004
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rfbnkcqkarpcfqzzav.exe1⤵PID:5008
-
C:\Users\Admin\AppData\Local\Temp\rfbnkcqkarpcfqzzav.exeC:\Users\Admin\AppData\Local\Temp\rfbnkcqkarpcfqzzav.exe2⤵PID:2592
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rfbnkcqkarpcfqzzav.exe .1⤵PID:1568
-
C:\Users\Admin\AppData\Local\Temp\rfbnkcqkarpcfqzzav.exeC:\Users\Admin\AppData\Local\Temp\rfbnkcqkarpcfqzzav.exe .2⤵PID:1132
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\rfbnkcqkarpcfqzzav.exe*."3⤵PID:4956
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exe .1⤵PID:4588
-
C:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exeC:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4908 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\bnhrmcogujfqrahf.exe*."3⤵PID:1148
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rfbnkcqkarpcfqzzav.exe1⤵PID:3500
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5864
-
-
C:\Users\Admin\AppData\Local\Temp\rfbnkcqkarpcfqzzav.exeC:\Users\Admin\AppData\Local\Temp\rfbnkcqkarpcfqzzav.exe2⤵PID:4328
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exe .1⤵PID:2188
-
C:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exeC:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3864 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\bnhrmcogujfqrahf.exe*."3⤵PID:3212
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rfbnkcqkarpcfqzzav.exe1⤵PID:3932
-
C:\Users\Admin\AppData\Local\Temp\rfbnkcqkarpcfqzzav.exeC:\Users\Admin\AppData\Local\Temp\rfbnkcqkarpcfqzzav.exe2⤵PID:664
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe1⤵PID:3540
-
C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exeC:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe2⤵PID:5064
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe .1⤵PID:2788
-
C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exeC:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe .2⤵
- Checks computer location settings
PID:1200 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\pfdrqkawohhwbozbeblb.exe*."3⤵PID:2912
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exe .1⤵PID:5044
-
C:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exeC:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:6088 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\bnhrmcogujfqrahf.exe*."3⤵PID:5972
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bnhrmcogujfqrahf.exe1⤵PID:4372
-
C:\Windows\bnhrmcogujfqrahf.exebnhrmcogujfqrahf.exe2⤵PID:2028
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c evujjevslfgwcqcfjhsji.exe .1⤵PID:3232
-
C:\Windows\evujjevslfgwcqcfjhsji.exeevujjevslfgwcqcfjhsji.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2404 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\evujjevslfgwcqcfjhsji.exe*."3⤵PID:532
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ivqbxobujzwikucbb.exe1⤵PID:2536
-
C:\Windows\ivqbxobujzwikucbb.exeivqbxobujzwikucbb.exe2⤵PID:2132
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pfdrqkawohhwbozbeblb.exe .1⤵PID:5236
-
C:\Windows\pfdrqkawohhwbozbeblb.exepfdrqkawohhwbozbeblb.exe .2⤵
- Checks computer location settings
PID:5060 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\pfdrqkawohhwbozbeblb.exe*."3⤵PID:3716
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rfbnkcqkarpcfqzzav.exe1⤵PID:5132
-
C:\Users\Admin\AppData\Local\Temp\rfbnkcqkarpcfqzzav.exeC:\Users\Admin\AppData\Local\Temp\rfbnkcqkarpcfqzzav.exe2⤵PID:3760
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exe .1⤵PID:1640
-
C:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exeC:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exe .2⤵
- Checks computer location settings
PID:716 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\bnhrmcogujfqrahf.exe*."3⤵PID:5012
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe1⤵PID:2784
-
C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exeC:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe2⤵PID:396
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crobzshctlkycoyzbxg.exe .1⤵PID:5220
-
C:\Users\Admin\AppData\Local\Temp\crobzshctlkycoyzbxg.exeC:\Users\Admin\AppData\Local\Temp\crobzshctlkycoyzbxg.exe .2⤵PID:5496
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\crobzshctlkycoyzbxg.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3252
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c crobzshctlkycoyzbxg.exe1⤵PID:6140
-
C:\Windows\crobzshctlkycoyzbxg.execrobzshctlkycoyzbxg.exe2⤵PID:804
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c crobzshctlkycoyzbxg.exe .1⤵PID:1444
-
C:\Windows\crobzshctlkycoyzbxg.execrobzshctlkycoyzbxg.exe .2⤵
- Checks computer location settings
PID:4720 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\crobzshctlkycoyzbxg.exe*."3⤵PID:5932
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rfbnkcqkarpcfqzzav.exe1⤵PID:4880
-
C:\Windows\rfbnkcqkarpcfqzzav.exerfbnkcqkarpcfqzzav.exe2⤵PID:3236
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ivqbxobujzwikucbb.exe .1⤵PID:3380
-
C:\Windows\ivqbxobujzwikucbb.exeivqbxobujzwikucbb.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5752 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\ivqbxobujzwikucbb.exe*."3⤵PID:4948
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rfbnkcqkarpcfqzzav.exe1⤵PID:4984
-
C:\Users\Admin\AppData\Local\Temp\rfbnkcqkarpcfqzzav.exeC:\Users\Admin\AppData\Local\Temp\rfbnkcqkarpcfqzzav.exe2⤵PID:232
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exe .1⤵PID:2256
-
C:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exeC:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exe .2⤵
- Checks computer location settings
PID:5952 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\ivqbxobujzwikucbb.exe*."3⤵PID:1544
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe1⤵PID:5620
-
C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exeC:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe2⤵PID:4612
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe .1⤵PID:1140
-
C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exeC:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe .2⤵
- Checks computer location settings
PID:3260 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\pfdrqkawohhwbozbeblb.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
PID:5388
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pfdrqkawohhwbozbeblb.exe1⤵PID:5824
-
C:\Windows\pfdrqkawohhwbozbeblb.exepfdrqkawohhwbozbeblb.exe2⤵PID:5300
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rfbnkcqkarpcfqzzav.exe .1⤵PID:4956
-
C:\Windows\rfbnkcqkarpcfqzzav.exerfbnkcqkarpcfqzzav.exe .2⤵
- Checks computer location settings
PID:4288 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\rfbnkcqkarpcfqzzav.exe*."3⤵PID:3320
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ivqbxobujzwikucbb.exe1⤵PID:3752
-
C:\Windows\ivqbxobujzwikucbb.exeivqbxobujzwikucbb.exe2⤵PID:4652
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ivqbxobujzwikucbb.exe .1⤵PID:3372
-
C:\Windows\ivqbxobujzwikucbb.exeivqbxobujzwikucbb.exe .2⤵
- Checks computer location settings
PID:6064 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\ivqbxobujzwikucbb.exe*."3⤵PID:2544
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exe1⤵PID:5876
-
C:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exeC:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exe2⤵PID:1568
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exe .1⤵PID:4260
-
C:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exeC:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4580 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\evujjevslfgwcqcfjhsji.exe*."3⤵PID:4608
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe1⤵PID:3124
-
C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exeC:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe2⤵PID:5152
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exe .1⤵PID:5344
-
C:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exeC:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exe .2⤵
- Checks computer location settings
PID:5472 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\ivqbxobujzwikucbb.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:452
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c evujjevslfgwcqcfjhsji.exe1⤵PID:2636
-
C:\Windows\evujjevslfgwcqcfjhsji.exeevujjevslfgwcqcfjhsji.exe2⤵PID:2660
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bnhrmcogujfqrahf.exe .1⤵PID:5520
-
C:\Windows\bnhrmcogujfqrahf.exebnhrmcogujfqrahf.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5196 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\bnhrmcogujfqrahf.exe*."3⤵PID:5448
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bnhrmcogujfqrahf.exe1⤵PID:5632
-
C:\Windows\bnhrmcogujfqrahf.exebnhrmcogujfqrahf.exe2⤵PID:2408
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ivqbxobujzwikucbb.exe .1⤵PID:1712
-
C:\Windows\ivqbxobujzwikucbb.exeivqbxobujzwikucbb.exe .2⤵PID:5660
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\ivqbxobujzwikucbb.exe*."3⤵PID:6084
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe1⤵PID:4176
-
C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exeC:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe2⤵PID:4636
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exe .1⤵PID:1240
-
C:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exeC:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exe .2⤵
- Checks computer location settings
PID:5580 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\ivqbxobujzwikucbb.exe*."3⤵PID:3480
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe1⤵PID:1800
-
C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exeC:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe2⤵PID:636
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exe .1⤵PID:1004
-
C:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exeC:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4072 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\evujjevslfgwcqcfjhsji.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4284
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rfbnkcqkarpcfqzzav.exe1⤵PID:2712
-
C:\Windows\rfbnkcqkarpcfqzzav.exerfbnkcqkarpcfqzzav.exe2⤵PID:5168
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pfdrqkawohhwbozbeblb.exe .1⤵PID:5308
-
C:\Windows\pfdrqkawohhwbozbeblb.exepfdrqkawohhwbozbeblb.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2104 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\pfdrqkawohhwbozbeblb.exe*."3⤵PID:1120
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rfbnkcqkarpcfqzzav.exe1⤵PID:2168
-
C:\Windows\rfbnkcqkarpcfqzzav.exerfbnkcqkarpcfqzzav.exe2⤵PID:836
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c evujjevslfgwcqcfjhsji.exe .1⤵PID:4892
-
C:\Windows\evujjevslfgwcqcfjhsji.exeevujjevslfgwcqcfjhsji.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5932 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\evujjevslfgwcqcfjhsji.exe*."3⤵PID:1380
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rfbnkcqkarpcfqzzav.exe1⤵PID:4816
-
C:\Users\Admin\AppData\Local\Temp\rfbnkcqkarpcfqzzav.exeC:\Users\Admin\AppData\Local\Temp\rfbnkcqkarpcfqzzav.exe2⤵PID:1444
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crobzshctlkycoyzbxg.exe .1⤵PID:3392
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3236
-
-
C:\Users\Admin\AppData\Local\Temp\crobzshctlkycoyzbxg.exeC:\Users\Admin\AppData\Local\Temp\crobzshctlkycoyzbxg.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5492 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\crobzshctlkycoyzbxg.exe*."3⤵PID:1452
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe1⤵PID:5912
-
C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exeC:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe2⤵PID:3264
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe .1⤵PID:1028
-
C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exeC:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe .2⤵PID:5948
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\pfdrqkawohhwbozbeblb.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5004
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c crobzshctlkycoyzbxg.exe1⤵PID:5976
-
C:\Windows\crobzshctlkycoyzbxg.execrobzshctlkycoyzbxg.exe2⤵PID:1716
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bnhrmcogujfqrahf.exe .1⤵PID:4876
-
C:\Windows\bnhrmcogujfqrahf.exebnhrmcogujfqrahf.exe .2⤵
- Checks computer location settings
PID:4936 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\bnhrmcogujfqrahf.exe*."3⤵PID:4324
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rfbnkcqkarpcfqzzav.exe1⤵PID:4052
-
C:\Windows\rfbnkcqkarpcfqzzav.exerfbnkcqkarpcfqzzav.exe2⤵PID:2944
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ivqbxobujzwikucbb.exe .1⤵PID:868
-
C:\Windows\ivqbxobujzwikucbb.exeivqbxobujzwikucbb.exe .2⤵
- Checks computer location settings
PID:4792 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\ivqbxobujzwikucbb.exe*."3⤵PID:432
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe1⤵PID:4668
-
C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exeC:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe2⤵PID:5992
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crobzshctlkycoyzbxg.exe .1⤵PID:4956
-
C:\Users\Admin\AppData\Local\Temp\crobzshctlkycoyzbxg.exeC:\Users\Admin\AppData\Local\Temp\crobzshctlkycoyzbxg.exe .2⤵
- Checks computer location settings
PID:5652 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\crobzshctlkycoyzbxg.exe*."3⤵PID:376
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c evujjevslfgwcqcfjhsji.exe1⤵PID:1824
-
C:\Windows\evujjevslfgwcqcfjhsji.exeevujjevslfgwcqcfjhsji.exe2⤵PID:4868
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c evujjevslfgwcqcfjhsji.exe1⤵PID:2520
-
C:\Windows\evujjevslfgwcqcfjhsji.exeevujjevslfgwcqcfjhsji.exe2⤵PID:5572
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crobzshctlkycoyzbxg.exe1⤵PID:5720
-
C:\Users\Admin\AppData\Local\Temp\crobzshctlkycoyzbxg.exeC:\Users\Admin\AppData\Local\Temp\crobzshctlkycoyzbxg.exe2⤵PID:2808
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crobzshctlkycoyzbxg.exe .1⤵PID:5064
-
C:\Users\Admin\AppData\Local\Temp\crobzshctlkycoyzbxg.exeC:\Users\Admin\AppData\Local\Temp\crobzshctlkycoyzbxg.exe .2⤵
- Checks computer location settings
PID:3412 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\crobzshctlkycoyzbxg.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5332
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ivqbxobujzwikucbb.exe .1⤵PID:3124
-
C:\Windows\ivqbxobujzwikucbb.exeivqbxobujzwikucbb.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2184 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\ivqbxobujzwikucbb.exe*."3⤵PID:5520
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ivqbxobujzwikucbb.exe .1⤵PID:3388
-
C:\Windows\ivqbxobujzwikucbb.exeivqbxobujzwikucbb.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:6088 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\ivqbxobujzwikucbb.exe*."3⤵PID:4768
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pfdrqkawohhwbozbeblb.exe1⤵PID:1124
-
C:\Windows\pfdrqkawohhwbozbeblb.exepfdrqkawohhwbozbeblb.exe2⤵PID:5104
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pfdrqkawohhwbozbeblb.exe1⤵PID:332
-
C:\Windows\pfdrqkawohhwbozbeblb.exepfdrqkawohhwbozbeblb.exe2⤵PID:4980
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c crobzshctlkycoyzbxg.exe .1⤵PID:4992
-
C:\Windows\crobzshctlkycoyzbxg.execrobzshctlkycoyzbxg.exe .2⤵
- Checks computer location settings
PID:3088 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\crobzshctlkycoyzbxg.exe*."3⤵PID:2932
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ivqbxobujzwikucbb.exe .1⤵PID:1468
-
C:\Windows\ivqbxobujzwikucbb.exeivqbxobujzwikucbb.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4184 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\ivqbxobujzwikucbb.exe*."3⤵PID:556
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe1⤵PID:5980
-
C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exeC:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe2⤵PID:3716
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crobzshctlkycoyzbxg.exe1⤵PID:5944
-
C:\Users\Admin\AppData\Local\Temp\crobzshctlkycoyzbxg.exeC:\Users\Admin\AppData\Local\Temp\crobzshctlkycoyzbxg.exe2⤵PID:1004
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exe .1⤵PID:3232
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:6084
-
-
C:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exeC:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5452 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\bnhrmcogujfqrahf.exe*."3⤵PID:232
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe .1⤵PID:6068
-
C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exeC:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe .2⤵
- Checks computer location settings
PID:5232 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\pfdrqkawohhwbozbeblb.exe*."3⤵PID:2916
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ivqbxobujzwikucbb.exe1⤵PID:1048
-
C:\Windows\ivqbxobujzwikucbb.exeivqbxobujzwikucbb.exe2⤵PID:5616
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe1⤵PID:5012
-
C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exeC:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe2⤵PID:6140
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exe1⤵PID:1892
-
C:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exeC:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exe2⤵PID:3436
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rfbnkcqkarpcfqzzav.exe .1⤵PID:3692
-
C:\Users\Admin\AppData\Local\Temp\rfbnkcqkarpcfqzzav.exeC:\Users\Admin\AppData\Local\Temp\rfbnkcqkarpcfqzzav.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5896 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\rfbnkcqkarpcfqzzav.exe*."3⤵PID:884
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe .1⤵PID:372
-
C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exeC:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4756 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\pfdrqkawohhwbozbeblb.exe*."3⤵PID:4432
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bnhrmcogujfqrahf.exe .1⤵PID:5236
-
C:\Windows\bnhrmcogujfqrahf.exebnhrmcogujfqrahf.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1676 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\bnhrmcogujfqrahf.exe*."3⤵PID:2256
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pfdrqkawohhwbozbeblb.exe1⤵PID:1812
-
C:\Windows\pfdrqkawohhwbozbeblb.exepfdrqkawohhwbozbeblb.exe2⤵PID:812
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rfbnkcqkarpcfqzzav.exe .1⤵PID:4736
-
C:\Windows\rfbnkcqkarpcfqzzav.exerfbnkcqkarpcfqzzav.exe .2⤵
- Checks computer location settings
PID:2556 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\rfbnkcqkarpcfqzzav.exe*."3⤵PID:2308
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crobzshctlkycoyzbxg.exe1⤵PID:5484
-
C:\Users\Admin\AppData\Local\Temp\crobzshctlkycoyzbxg.exeC:\Users\Admin\AppData\Local\Temp\crobzshctlkycoyzbxg.exe2⤵PID:3804
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exe .1⤵PID:4616
-
C:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exeC:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4676 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\ivqbxobujzwikucbb.exe*."3⤵PID:5960
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exe1⤵PID:5976
-
C:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exeC:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exe2⤵PID:3228
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exe .1⤵PID:4876
-
C:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exeC:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4552 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\bnhrmcogujfqrahf.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- System Location Discovery: System Language Discovery
- System policy modification
PID:6132 -
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"4⤵PID:6072
-
-
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"4⤵PID:3120
-
-
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"4⤵PID:2900
-
-
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"4⤵PID:3412
-
-
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"4⤵PID:5168
-
-
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"4⤵PID:884
-
-
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"4⤵PID:3384
-
-
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"4⤵PID:3792
-
-
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"4⤵PID:2028
-
-
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"4⤵PID:5044
-
-
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"4⤵PID:4100
-
-
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"4⤵PID:2340
-
-
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"4⤵PID:1972
-
-
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"4⤵PID:5716
-
-
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"4⤵PID:2700
-
-
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"4⤵PID:4976
-
-
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"4⤵PID:4260
-
-
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"4⤵PID:4456
-
-
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"4⤵PID:6004
-
-
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"4⤵PID:4868
-
-
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"4⤵PID:3436
-
-
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"4⤵PID:312
-
-
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"4⤵PID:4988
-
-
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"4⤵PID:5104
-
-
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"4⤵PID:1252
-
-
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"4⤵PID:1984
-
-
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"4⤵PID:5912
-
-
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"4⤵PID:3372
-
-
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"4⤵PID:4884
-
-
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"4⤵PID:4996
-
-
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"4⤵PID:5984
-
-
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"4⤵PID:2980
-
-
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"4⤵PID:4996
-
-
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"4⤵PID:3384
-
-
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"4⤵PID:1032
-
-
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"4⤵PID:4948
-
-
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"4⤵PID:4136
-
-
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"4⤵PID:5544
-
-
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"4⤵PID:2480
-
-
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"4⤵PID:1168
-
-
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"4⤵PID:4868
-
-
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"4⤵PID:5168
-
-
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"4⤵PID:4424
-
-
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"4⤵PID:5228
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rjzpdvsfyxknyhhidl.exe1⤵PID:2004
-
C:\Windows\rjzpdvsfyxknyhhidl.exerjzpdvsfyxknyhhidl.exe2⤵
- System Location Discovery: System Language Discovery
PID:2124
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c izodqhdphfrtdlkke.exe .1⤵PID:2372
-
C:\Windows\izodqhdphfrtdlkke.exeizodqhdphfrtdlkke.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5876 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\izodqhdphfrtdlkke.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4960
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brftfvqbspabkrpo.exe1⤵PID:2148
-
C:\Windows\brftfvqbspabkrpo.exebrftfvqbspabkrpo.exe2⤵
- System Location Discovery: System Language Discovery
PID:5884
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c izodqhdphfrtdlkke.exe .1⤵PID:4580
-
C:\Windows\izodqhdphfrtdlkke.exeizodqhdphfrtdlkke.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1148 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\izodqhdphfrtdlkke.exe*."3⤵PID:5592
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe1⤵PID:184
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2808
-
-
C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exeC:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe2⤵
- System Location Discovery: System Language Discovery
PID:5644
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cvmdsljxrrfjvfgieng.exe .1⤵PID:6048
-
C:\Users\Admin\AppData\Local\Temp\cvmdsljxrrfjvfgieng.exeC:\Users\Admin\AppData\Local\Temp\cvmdsljxrrfjvfgieng.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1988 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\cvmdsljxrrfjvfgieng.exe*."3⤵PID:1032
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pfdrqkawohhwbozbeblb.exe1⤵PID:3864
-
C:\Windows\pfdrqkawohhwbozbeblb.exepfdrqkawohhwbozbeblb.exe2⤵PID:5064
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rjzpdvsfyxknyhhidl.exe1⤵PID:5080
-
C:\Users\Admin\AppData\Local\Temp\rjzpdvsfyxknyhhidl.exeC:\Users\Admin\AppData\Local\Temp\rjzpdvsfyxknyhhidl.exe2⤵
- System Location Discovery: System Language Discovery
PID:3880
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bnhrmcogujfqrahf.exe .1⤵PID:4064
-
C:\Windows\bnhrmcogujfqrahf.exebnhrmcogujfqrahf.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5728 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\bnhrmcogujfqrahf.exe*."3⤵PID:1468
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cvmdsljxrrfjvfgieng.exe .1⤵PID:4320
-
C:\Users\Admin\AppData\Local\Temp\cvmdsljxrrfjvfgieng.exeC:\Users\Admin\AppData\Local\Temp\cvmdsljxrrfjvfgieng.exe .2⤵PID:716
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\cvmdsljxrrfjvfgieng.exe*."3⤵PID:3436
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pfdrqkawohhwbozbeblb.exe1⤵PID:3884
-
C:\Windows\pfdrqkawohhwbozbeblb.exepfdrqkawohhwbozbeblb.exe2⤵PID:3116
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bnhrmcogujfqrahf.exe .1⤵PID:2612
-
C:\Windows\bnhrmcogujfqrahf.exebnhrmcogujfqrahf.exe .2⤵PID:464
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\bnhrmcogujfqrahf.exe*."3⤵PID:5316
-
-
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵PID:3480
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exe1⤵PID:3344
-
C:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exeC:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exe2⤵PID:3976
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe .1⤵PID:6140
-
C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exeC:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe .2⤵
- Checks computer location settings
PID:5760 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\pfdrqkawohhwbozbeblb.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3020
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exe1⤵PID:5596
-
C:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exeC:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exe2⤵PID:516
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exe .1⤵PID:396
-
C:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exeC:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3232 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\ivqbxobujzwikucbb.exe*."3⤵PID:5952
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ivqbxobujzwikucbb.exe1⤵PID:4612
-
C:\Windows\ivqbxobujzwikucbb.exeivqbxobujzwikucbb.exe2⤵PID:4996
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c evujjevslfgwcqcfjhsji.exe .1⤵PID:5484
-
C:\Windows\evujjevslfgwcqcfjhsji.exeevujjevslfgwcqcfjhsji.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5544 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\evujjevslfgwcqcfjhsji.exe*."3⤵PID:1632
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c evujjevslfgwcqcfjhsji.exe1⤵PID:4784
-
C:\Windows\evujjevslfgwcqcfjhsji.exeevujjevslfgwcqcfjhsji.exe2⤵PID:2712
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rfbnkcqkarpcfqzzav.exe .1⤵PID:3148
-
C:\Windows\rfbnkcqkarpcfqzzav.exerfbnkcqkarpcfqzzav.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4744 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\rfbnkcqkarpcfqzzav.exe*."3⤵PID:4704
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exe1⤵PID:3228
-
C:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exeC:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exe2⤵PID:2912
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe .1⤵PID:4300
-
C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exeC:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4652 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\pfdrqkawohhwbozbeblb.exe*."3⤵PID:4808
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exe1⤵PID:4876
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4792
-
-
C:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exeC:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exe2⤵PID:548
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crobzshctlkycoyzbxg.exe .1⤵PID:5056
-
C:\Users\Admin\AppData\Local\Temp\crobzshctlkycoyzbxg.exeC:\Users\Admin\AppData\Local\Temp\crobzshctlkycoyzbxg.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1428 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\crobzshctlkycoyzbxg.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5720
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brftfvqbspabkrpo.exe1⤵PID:4752
-
C:\Windows\brftfvqbspabkrpo.exebrftfvqbspabkrpo.exe2⤵PID:4360
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pjbtjdcrmnchufhkhrld.exe .1⤵PID:4708
-
C:\Windows\pjbtjdcrmnchufhkhrld.exepjbtjdcrmnchufhkhrld.exe .2⤵PID:388
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\pjbtjdcrmnchufhkhrld.exe*."3⤵PID:4608
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pjbtjdcrmnchufhkhrld.exe1⤵PID:2640
-
C:\Windows\pjbtjdcrmnchufhkhrld.exepjbtjdcrmnchufhkhrld.exe2⤵PID:4448
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c izodqhdphfrtdlkke.exe .1⤵PID:4260
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5064
-
-
C:\Windows\izodqhdphfrtdlkke.exeizodqhdphfrtdlkke.exe .2⤵PID:5204
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\izodqhdphfrtdlkke.exe*."3⤵PID:5740
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bnhrmcogujfqrahf.exe1⤵PID:3608
-
C:\Windows\bnhrmcogujfqrahf.exebnhrmcogujfqrahf.exe2⤵PID:5388
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\izodqhdphfrtdlkke.exe1⤵PID:2488
-
C:\Users\Admin\AppData\Local\Temp\izodqhdphfrtdlkke.exeC:\Users\Admin\AppData\Local\Temp\izodqhdphfrtdlkke.exe2⤵
- System Location Discovery: System Language Discovery
PID:4304
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cvmdsljxrrfjvfgieng.exe .1⤵PID:2920
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5472
-
-
C:\Users\Admin\AppData\Local\Temp\cvmdsljxrrfjvfgieng.exeC:\Users\Admin\AppData\Local\Temp\cvmdsljxrrfjvfgieng.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5708 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\cvmdsljxrrfjvfgieng.exe*."3⤵PID:804
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ivqbxobujzwikucbb.exe .1⤵PID:3760
-
C:\Windows\ivqbxobujzwikucbb.exeivqbxobujzwikucbb.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2304 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\ivqbxobujzwikucbb.exe*."3⤵PID:5124
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c evujjevslfgwcqcfjhsji.exe1⤵PID:1488
-
C:\Windows\evujjevslfgwcqcfjhsji.exeevujjevslfgwcqcfjhsji.exe2⤵PID:4532
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjbtjdcrmnchufhkhrld.exe1⤵PID:3388
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:232
-
-
C:\Users\Admin\AppData\Local\Temp\pjbtjdcrmnchufhkhrld.exeC:\Users\Admin\AppData\Local\Temp\pjbtjdcrmnchufhkhrld.exe2⤵PID:4872
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pfdrqkawohhwbozbeblb.exe .1⤵PID:5548
-
C:\Windows\pfdrqkawohhwbozbeblb.exepfdrqkawohhwbozbeblb.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4168 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\pfdrqkawohhwbozbeblb.exe*."3⤵PID:5744
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\izodqhdphfrtdlkke.exe .1⤵PID:2888
-
C:\Users\Admin\AppData\Local\Temp\izodqhdphfrtdlkke.exeC:\Users\Admin\AppData\Local\Temp\izodqhdphfrtdlkke.exe .2⤵
- System Location Discovery: System Language Discovery
PID:836 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\izodqhdphfrtdlkke.exe*."3⤵PID:2980
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exe1⤵PID:3344
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:532
-
-
C:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exeC:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exe2⤵PID:5012
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exe .1⤵PID:5060
-
C:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exeC:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4048 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\ivqbxobujzwikucbb.exe*."3⤵PID:3804
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crobzshctlkycoyzbxg.exe1⤵PID:4428
-
C:\Users\Admin\AppData\Local\Temp\crobzshctlkycoyzbxg.exeC:\Users\Admin\AppData\Local\Temp\crobzshctlkycoyzbxg.exe2⤵PID:2456
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rfbnkcqkarpcfqzzav.exe .1⤵PID:2132
-
C:\Users\Admin\AppData\Local\Temp\rfbnkcqkarpcfqzzav.exeC:\Users\Admin\AppData\Local\Temp\rfbnkcqkarpcfqzzav.exe .2⤵PID:3496
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\rfbnkcqkarpcfqzzav.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1912
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pfdrqkawohhwbozbeblb.exe1⤵PID:5544
-
C:\Windows\pfdrqkawohhwbozbeblb.exepfdrqkawohhwbozbeblb.exe2⤵PID:4028
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pfdrqkawohhwbozbeblb.exe .1⤵PID:4720
-
C:\Windows\pfdrqkawohhwbozbeblb.exepfdrqkawohhwbozbeblb.exe .2⤵
- Checks computer location settings
PID:1548 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\pfdrqkawohhwbozbeblb.exe*."3⤵PID:2056
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c crobzshctlkycoyzbxg.exe1⤵PID:3056
-
C:\Windows\crobzshctlkycoyzbxg.execrobzshctlkycoyzbxg.exe2⤵PID:4328
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c crobzshctlkycoyzbxg.exe .1⤵PID:2776
-
C:\Windows\crobzshctlkycoyzbxg.execrobzshctlkycoyzbxg.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5212 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\crobzshctlkycoyzbxg.exe*."3⤵PID:3752
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rfbnkcqkarpcfqzzav.exe1⤵PID:3892
-
C:\Users\Admin\AppData\Local\Temp\rfbnkcqkarpcfqzzav.exeC:\Users\Admin\AppData\Local\Temp\rfbnkcqkarpcfqzzav.exe2⤵PID:5268
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exe .1⤵PID:4324
-
C:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exeC:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4652 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\evujjevslfgwcqcfjhsji.exe*."3⤵PID:4988
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exe1⤵PID:5104
-
C:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exeC:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exe2⤵PID:4908
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exe .1⤵PID:4712
-
C:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exeC:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2088 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\evujjevslfgwcqcfjhsji.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4528
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pfdrqkawohhwbozbeblb.exe1⤵PID:2544
-
C:\Windows\pfdrqkawohhwbozbeblb.exepfdrqkawohhwbozbeblb.exe2⤵PID:3412
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ivqbxobujzwikucbb.exe .1⤵PID:2336
-
C:\Windows\ivqbxobujzwikucbb.exeivqbxobujzwikucbb.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3620 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\ivqbxobujzwikucbb.exe*."3⤵PID:3704
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c crobzshctlkycoyzbxg.exe1⤵PID:868
-
C:\Windows\crobzshctlkycoyzbxg.execrobzshctlkycoyzbxg.exe2⤵PID:1408
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c crobzshctlkycoyzbxg.exe .1⤵PID:3516
-
C:\Windows\crobzshctlkycoyzbxg.execrobzshctlkycoyzbxg.exe .2⤵
- Checks computer location settings
PID:4060 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\crobzshctlkycoyzbxg.exe*."3⤵PID:1832
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exe1⤵PID:1712
-
C:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exeC:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exe2⤵PID:2096
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe .1⤵PID:5832
-
C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exeC:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5980 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\pfdrqkawohhwbozbeblb.exe*."3⤵PID:636
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exe1⤵PID:6120
-
C:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exeC:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exe2⤵PID:4532
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exe .1⤵PID:464
-
C:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exeC:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exe .2⤵
- Checks computer location settings
PID:4064 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\bnhrmcogujfqrahf.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4488
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c crobzshctlkycoyzbxg.exe1⤵PID:6112
-
C:\Windows\crobzshctlkycoyzbxg.execrobzshctlkycoyzbxg.exe2⤵PID:5736
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c evujjevslfgwcqcfjhsji.exe1⤵PID:4956
-
C:\Windows\evujjevslfgwcqcfjhsji.exeevujjevslfgwcqcfjhsji.exe2⤵PID:1252
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c evujjevslfgwcqcfjhsji.exe .1⤵PID:4920
-
C:\Windows\evujjevslfgwcqcfjhsji.exeevujjevslfgwcqcfjhsji.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2592 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\evujjevslfgwcqcfjhsji.exe*."3⤵PID:552
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pfdrqkawohhwbozbeblb.exe .1⤵PID:5716
-
C:\Windows\pfdrqkawohhwbozbeblb.exepfdrqkawohhwbozbeblb.exe .2⤵
- Checks computer location settings
PID:1740 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\pfdrqkawohhwbozbeblb.exe*."3⤵PID:4836
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c crobzshctlkycoyzbxg.exe1⤵PID:1828
-
C:\Windows\crobzshctlkycoyzbxg.execrobzshctlkycoyzbxg.exe2⤵PID:1120
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c crobzshctlkycoyzbxg.exe1⤵PID:4848
-
C:\Windows\crobzshctlkycoyzbxg.execrobzshctlkycoyzbxg.exe2⤵PID:5620
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pfdrqkawohhwbozbeblb.exe .1⤵PID:5760
-
C:\Windows\pfdrqkawohhwbozbeblb.exepfdrqkawohhwbozbeblb.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2572 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\pfdrqkawohhwbozbeblb.exe*."3⤵PID:4180
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rfbnkcqkarpcfqzzav.exe .1⤵PID:5292
-
C:\Windows\rfbnkcqkarpcfqzzav.exerfbnkcqkarpcfqzzav.exe .2⤵PID:2288
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\rfbnkcqkarpcfqzzav.exe*."3⤵PID:5884
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exe1⤵PID:5720
-
C:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exeC:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exe2⤵PID:2628
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exe1⤵PID:4432
-
C:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exeC:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exe2⤵PID:4644
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crobzshctlkycoyzbxg.exe .1⤵PID:2468
-
C:\Users\Admin\AppData\Local\Temp\crobzshctlkycoyzbxg.exeC:\Users\Admin\AppData\Local\Temp\crobzshctlkycoyzbxg.exe .2⤵PID:4052
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\crobzshctlkycoyzbxg.exe*."3⤵PID:676
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exe .1⤵PID:3692
-
C:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exeC:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exe .2⤵PID:4940
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\evujjevslfgwcqcfjhsji.exe*."3⤵PID:4820
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c evujjevslfgwcqcfjhsji.exe1⤵PID:5188
-
C:\Windows\evujjevslfgwcqcfjhsji.exeevujjevslfgwcqcfjhsji.exe2⤵PID:4616
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c crobzshctlkycoyzbxg.exe .1⤵PID:4364
-
C:\Windows\crobzshctlkycoyzbxg.execrobzshctlkycoyzbxg.exe .2⤵PID:4976
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\crobzshctlkycoyzbxg.exe*."3⤵PID:4772
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exe1⤵PID:4116
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5752
-
-
C:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exeC:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exe2⤵PID:1748
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exe1⤵PID:5948
-
C:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exeC:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exe2⤵PID:184
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe .1⤵PID:5212
-
C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exeC:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe .2⤵PID:5056
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\pfdrqkawohhwbozbeblb.exe*."3⤵PID:2652
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exe .1⤵PID:2348
-
C:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exeC:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exe .2⤵PID:4596
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\evujjevslfgwcqcfjhsji.exe*."3⤵PID:2096
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ivqbxobujzwikucbb.exe1⤵PID:5784
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5368
-
-
C:\Windows\ivqbxobujzwikucbb.exeivqbxobujzwikucbb.exe2⤵PID:1408
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bnhrmcogujfqrahf.exe .1⤵PID:548
-
C:\Windows\bnhrmcogujfqrahf.exebnhrmcogujfqrahf.exe .2⤵PID:2544
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\bnhrmcogujfqrahf.exe*."3⤵PID:1988
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exe1⤵PID:2192
-
C:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exeC:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exe2⤵PID:5520
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe .1⤵PID:3500
-
C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exeC:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe .2⤵PID:1348
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\pfdrqkawohhwbozbeblb.exe*."3⤵PID:4076
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe1⤵PID:4916
-
C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exeC:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe2⤵PID:4796
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rfbnkcqkarpcfqzzav.exe .1⤵PID:4060
-
C:\Users\Admin\AppData\Local\Temp\rfbnkcqkarpcfqzzav.exeC:\Users\Admin\AppData\Local\Temp\rfbnkcqkarpcfqzzav.exe .2⤵PID:2304
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\rfbnkcqkarpcfqzzav.exe*."3⤵PID:2276
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c crobzshctlkycoyzbxg.exe1⤵PID:3812
-
C:\Windows\crobzshctlkycoyzbxg.execrobzshctlkycoyzbxg.exe2⤵PID:2948
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rfbnkcqkarpcfqzzav.exe .1⤵PID:4176
-
C:\Windows\rfbnkcqkarpcfqzzav.exerfbnkcqkarpcfqzzav.exe .2⤵PID:3068
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\rfbnkcqkarpcfqzzav.exe*."3⤵PID:5012
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bnhrmcogujfqrahf.exe1⤵PID:5092
-
C:\Windows\bnhrmcogujfqrahf.exebnhrmcogujfqrahf.exe2⤵PID:2916
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c evujjevslfgwcqcfjhsji.exe .1⤵PID:1892
-
C:\Windows\evujjevslfgwcqcfjhsji.exeevujjevslfgwcqcfjhsji.exe .2⤵PID:5444
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\evujjevslfgwcqcfjhsji.exe*."3⤵PID:2268
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exe1⤵PID:5016
-
C:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exeC:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exe2⤵PID:5844
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exe .1⤵PID:5932
-
C:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exeC:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exe .2⤵PID:1740
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\evujjevslfgwcqcfjhsji.exe*."3⤵PID:4088
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exe1⤵PID:4540
-
C:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exeC:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exe2⤵PID:1556
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe .1⤵PID:3232
-
C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exeC:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe .2⤵PID:332
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\pfdrqkawohhwbozbeblb.exe*."3⤵PID:4048
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c evujjevslfgwcqcfjhsji.exe1⤵PID:6052
-
C:\Windows\evujjevslfgwcqcfjhsji.exeevujjevslfgwcqcfjhsji.exe2⤵PID:3444
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c crobzshctlkycoyzbxg.exe .1⤵PID:5976
-
C:\Windows\crobzshctlkycoyzbxg.execrobzshctlkycoyzbxg.exe .2⤵PID:5720
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\crobzshctlkycoyzbxg.exe*."3⤵PID:2912
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c evujjevslfgwcqcfjhsji.exe1⤵PID:3260
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3264
-
-
C:\Windows\evujjevslfgwcqcfjhsji.exeevujjevslfgwcqcfjhsji.exe2⤵PID:4308
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bnhrmcogujfqrahf.exe .1⤵PID:4180
-
C:\Windows\bnhrmcogujfqrahf.exebnhrmcogujfqrahf.exe .2⤵PID:5028
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\bnhrmcogujfqrahf.exe*."3⤵PID:2432
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exe1⤵PID:4052
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2104
-
-
C:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exeC:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exe2⤵PID:5352
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exe .1⤵PID:184
-
C:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exeC:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exe .2⤵PID:4240
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\ivqbxobujzwikucbb.exe*."3⤵PID:1824
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe1⤵PID:388
-
C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exeC:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe2⤵PID:3728
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exe .1⤵PID:1836
-
C:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exeC:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exe .2⤵PID:3620
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\ivqbxobujzwikucbb.exe*."3⤵PID:1032
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c crobzshctlkycoyzbxg.exe1⤵PID:3704
-
C:\Windows\crobzshctlkycoyzbxg.execrobzshctlkycoyzbxg.exe2⤵PID:868
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c crobzshctlkycoyzbxg.exe .1⤵PID:4816
-
C:\Windows\crobzshctlkycoyzbxg.execrobzshctlkycoyzbxg.exe .2⤵PID:2096
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\crobzshctlkycoyzbxg.exe*."3⤵PID:5644
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c evujjevslfgwcqcfjhsji.exe1⤵PID:4560
-
C:\Windows\evujjevslfgwcqcfjhsji.exeevujjevslfgwcqcfjhsji.exe2⤵PID:4648
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bnhrmcogujfqrahf.exe .1⤵PID:3372
-
C:\Windows\bnhrmcogujfqrahf.exebnhrmcogujfqrahf.exe .2⤵PID:3892
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\bnhrmcogujfqrahf.exe*."3⤵PID:5232
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brftfvqbspabkrpo.exe1⤵PID:5200
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1676
-
-
C:\Windows\brftfvqbspabkrpo.exebrftfvqbspabkrpo.exe2⤵PID:5792
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rfbnkcqkarpcfqzzav.exe1⤵PID:432
-
C:\Users\Admin\AppData\Local\Temp\rfbnkcqkarpcfqzzav.exeC:\Users\Admin\AppData\Local\Temp\rfbnkcqkarpcfqzzav.exe2⤵PID:4916
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rjzpdvsfyxknyhhidl.exe .1⤵PID:4652
-
C:\Windows\rjzpdvsfyxknyhhidl.exerjzpdvsfyxknyhhidl.exe .2⤵PID:3124
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\rjzpdvsfyxknyhhidl.exe*."3⤵PID:804
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe .1⤵PID:3240
-
C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exeC:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe .2⤵PID:2632
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\pfdrqkawohhwbozbeblb.exe*."3⤵PID:2244
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pjbtjdcrmnchufhkhrld.exe1⤵PID:2304
-
C:\Windows\pjbtjdcrmnchufhkhrld.exepjbtjdcrmnchufhkhrld.exe2⤵PID:6112
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pjbtjdcrmnchufhkhrld.exe .1⤵PID:1256
-
C:\Windows\pjbtjdcrmnchufhkhrld.exepjbtjdcrmnchufhkhrld.exe .2⤵PID:5476
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\pjbtjdcrmnchufhkhrld.exe*."3⤵PID:1800
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exe1⤵PID:3660
-
C:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exeC:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exe2⤵PID:4072
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe1⤵PID:3344
-
C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exeC:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe2⤵PID:4524
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rfbnkcqkarpcfqzzav.exe .1⤵PID:2020
-
C:\Users\Admin\AppData\Local\Temp\rfbnkcqkarpcfqzzav.exeC:\Users\Admin\AppData\Local\Temp\rfbnkcqkarpcfqzzav.exe .2⤵PID:2268
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\rfbnkcqkarpcfqzzav.exe*."3⤵PID:5236
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe .1⤵PID:5844
-
C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exeC:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe .2⤵PID:6024
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\brftfvqbspabkrpo.exe*."3⤵PID:5288
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rjzpdvsfyxknyhhidl.exe1⤵PID:1908
-
C:\Users\Admin\AppData\Local\Temp\rjzpdvsfyxknyhhidl.exeC:\Users\Admin\AppData\Local\Temp\rjzpdvsfyxknyhhidl.exe2⤵PID:2040
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cvmdsljxrrfjvfgieng.exe .1⤵PID:4644
-
C:\Users\Admin\AppData\Local\Temp\cvmdsljxrrfjvfgieng.exeC:\Users\Admin\AppData\Local\Temp\cvmdsljxrrfjvfgieng.exe .2⤵PID:332
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\cvmdsljxrrfjvfgieng.exe*."3⤵PID:4616
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ivqbxobujzwikucbb.exe1⤵PID:2408
-
C:\Windows\ivqbxobujzwikucbb.exeivqbxobujzwikucbb.exe2⤵PID:5060
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ivqbxobujzwikucbb.exe .1⤵PID:3444
-
C:\Windows\ivqbxobujzwikucbb.exeivqbxobujzwikucbb.exe .2⤵PID:6052
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\ivqbxobujzwikucbb.exe*."3⤵PID:5720
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rfbnkcqkarpcfqzzav.exe1⤵PID:2704
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5300
-
-
C:\Windows\rfbnkcqkarpcfqzzav.exerfbnkcqkarpcfqzzav.exe2⤵PID:4352
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c crobzshctlkycoyzbxg.exe .1⤵PID:5888
-
C:\Windows\crobzshctlkycoyzbxg.execrobzshctlkycoyzbxg.exe .2⤵PID:3260
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\crobzshctlkycoyzbxg.exe*."3⤵PID:4844
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exe1⤵PID:2296
-
C:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exeC:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exe2⤵PID:5360
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crobzshctlkycoyzbxg.exe .1⤵PID:2320
-
C:\Users\Admin\AppData\Local\Temp\crobzshctlkycoyzbxg.exeC:\Users\Admin\AppData\Local\Temp\crobzshctlkycoyzbxg.exe .2⤵PID:116
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\crobzshctlkycoyzbxg.exe*."3⤵PID:2452
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe1⤵PID:1748
-
C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exeC:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe2⤵PID:872
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe .1⤵PID:2556
-
C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exeC:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe .2⤵PID:4436
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\pfdrqkawohhwbozbeblb.exe*."3⤵PID:4768
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ivqbxobujzwikucbb.exe1⤵PID:4116
-
C:\Windows\ivqbxobujzwikucbb.exeivqbxobujzwikucbb.exe2⤵PID:916
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ivqbxobujzwikucbb.exe .1⤵PID:1836
-
C:\Windows\ivqbxobujzwikucbb.exeivqbxobujzwikucbb.exe .2⤵PID:6064
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\ivqbxobujzwikucbb.exe*."3⤵PID:4168
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rfbnkcqkarpcfqzzav.exe1⤵PID:408
-
C:\Windows\rfbnkcqkarpcfqzzav.exerfbnkcqkarpcfqzzav.exe2⤵PID:1228
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rfbnkcqkarpcfqzzav.exe .1⤵PID:1604
-
C:\Windows\rfbnkcqkarpcfqzzav.exerfbnkcqkarpcfqzzav.exe .2⤵PID:1596
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\rfbnkcqkarpcfqzzav.exe*."3⤵PID:5200
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe1⤵PID:1712
-
C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exeC:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe2⤵PID:3020
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rfbnkcqkarpcfqzzav.exe .1⤵PID:2900
-
C:\Users\Admin\AppData\Local\Temp\rfbnkcqkarpcfqzzav.exeC:\Users\Admin\AppData\Local\Temp\rfbnkcqkarpcfqzzav.exe .2⤵PID:432
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\rfbnkcqkarpcfqzzav.exe*."3⤵PID:3864
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe1⤵PID:4456
-
C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exeC:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe2⤵PID:4528
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exe .1⤵PID:4532
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:636
-
-
C:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exeC:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exe .2⤵PID:2244
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\evujjevslfgwcqcfjhsji.exe*."3⤵PID:2488
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ivqbxobujzwikucbb.exe1⤵PID:5228
-
C:\Windows\ivqbxobujzwikucbb.exeivqbxobujzwikucbb.exe2⤵PID:3812
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c crobzshctlkycoyzbxg.exe .1⤵PID:4788
-
C:\Windows\crobzshctlkycoyzbxg.execrobzshctlkycoyzbxg.exe .2⤵PID:4424
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\crobzshctlkycoyzbxg.exe*."3⤵PID:5092
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c evujjevslfgwcqcfjhsji.exe1⤵PID:3164
-
C:\Windows\evujjevslfgwcqcfjhsji.exeevujjevslfgwcqcfjhsji.exe2⤵PID:5296
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pfdrqkawohhwbozbeblb.exe .1⤵PID:3884
-
C:\Windows\pfdrqkawohhwbozbeblb.exepfdrqkawohhwbozbeblb.exe .2⤵PID:4284
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\pfdrqkawohhwbozbeblb.exe*."3⤵PID:5764
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exe1⤵PID:4836
-
C:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exeC:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exe2⤵PID:4088
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c crobzshctlkycoyzbxg.exe1⤵PID:1708
-
C:\Windows\crobzshctlkycoyzbxg.execrobzshctlkycoyzbxg.exe2⤵PID:4796
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c evujjevslfgwcqcfjhsji.exe1⤵PID:6024
-
C:\Windows\evujjevslfgwcqcfjhsji.exeevujjevslfgwcqcfjhsji.exe2⤵PID:6080
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exe .1⤵PID:2316
-
C:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exeC:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exe .2⤵PID:4880
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\ivqbxobujzwikucbb.exe*."3⤵PID:4808
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c evujjevslfgwcqcfjhsji.exe .1⤵PID:2060
-
C:\Windows\evujjevslfgwcqcfjhsji.exeevujjevslfgwcqcfjhsji.exe .2⤵PID:2296
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\evujjevslfgwcqcfjhsji.exe*."3⤵PID:4240
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c crobzshctlkycoyzbxg.exe .1⤵PID:5784
-
C:\Windows\crobzshctlkycoyzbxg.execrobzshctlkycoyzbxg.exe .2⤵PID:2184
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\crobzshctlkycoyzbxg.exe*."3⤵PID:2124
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bnhrmcogujfqrahf.exe1⤵PID:3120
-
C:\Windows\bnhrmcogujfqrahf.exebnhrmcogujfqrahf.exe2⤵PID:4344
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exe1⤵PID:4784
-
C:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exeC:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exe2⤵PID:2884
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pfdrqkawohhwbozbeblb.exe1⤵PID:2056
-
C:\Windows\pfdrqkawohhwbozbeblb.exepfdrqkawohhwbozbeblb.exe2⤵PID:3236
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c evujjevslfgwcqcfjhsji.exe .1⤵PID:6052
-
C:\Windows\evujjevslfgwcqcfjhsji.exeevujjevslfgwcqcfjhsji.exe .2⤵PID:4864
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\evujjevslfgwcqcfjhsji.exe*."3⤵PID:4376
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exe .1⤵PID:2084
-
C:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exeC:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exe .2⤵PID:2676
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\bnhrmcogujfqrahf.exe*."3⤵PID:548
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rfbnkcqkarpcfqzzav.exe .1⤵PID:5920
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2944
-
-
C:\Windows\rfbnkcqkarpcfqzzav.exerfbnkcqkarpcfqzzav.exe .2⤵PID:1164
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\rfbnkcqkarpcfqzzav.exe*."3⤵PID:3020
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exe1⤵PID:4876
-
C:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exeC:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exe2⤵PID:916
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exe1⤵PID:676
-
C:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exeC:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exe2⤵PID:4560
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exe .1⤵PID:2308
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4552
-
-
C:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exeC:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exe .2⤵PID:5756
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\bnhrmcogujfqrahf.exe*."3⤵PID:3760
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rfbnkcqkarpcfqzzav.exe .1⤵PID:5888
-
C:\Users\Admin\AppData\Local\Temp\rfbnkcqkarpcfqzzav.exeC:\Users\Admin\AppData\Local\Temp\rfbnkcqkarpcfqzzav.exe .2⤵PID:1600
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\rfbnkcqkarpcfqzzav.exe*."3⤵PID:1912
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exe1⤵PID:744
-
C:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exeC:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exe2⤵PID:5000
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exe1⤵PID:184
-
C:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exeC:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exe2⤵PID:432
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exe .1⤵PID:1064
-
C:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exeC:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exe .2⤵PID:3472
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\ivqbxobujzwikucbb.exe*."3⤵PID:1488
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crobzshctlkycoyzbxg.exe .1⤵PID:6136
-
C:\Users\Admin\AppData\Local\Temp\crobzshctlkycoyzbxg.exeC:\Users\Admin\AppData\Local\Temp\crobzshctlkycoyzbxg.exe .2⤵PID:2464
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\crobzshctlkycoyzbxg.exe*."3⤵PID:2484
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pfdrqkawohhwbozbeblb.exe1⤵PID:4020
-
C:\Windows\pfdrqkawohhwbozbeblb.exepfdrqkawohhwbozbeblb.exe2⤵PID:5492
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rfbnkcqkarpcfqzzav.exe .1⤵PID:6124
-
C:\Windows\rfbnkcqkarpcfqzzav.exerfbnkcqkarpcfqzzav.exe .2⤵PID:1104
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\rfbnkcqkarpcfqzzav.exe*."3⤵PID:4572
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ivqbxobujzwikucbb.exe1⤵PID:4816
-
C:\Windows\ivqbxobujzwikucbb.exeivqbxobujzwikucbb.exe2⤵PID:5496
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c evujjevslfgwcqcfjhsji.exe .1⤵PID:4260
-
C:\Windows\evujjevslfgwcqcfjhsji.exeevujjevslfgwcqcfjhsji.exe .2⤵PID:5220
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\evujjevslfgwcqcfjhsji.exe*."3⤵PID:3196
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exe1⤵PID:3880
-
C:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exeC:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exe2⤵PID:4524
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe .1⤵PID:804
-
C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exeC:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe .2⤵PID:5316
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\pfdrqkawohhwbozbeblb.exe*."3⤵PID:5660
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exe1⤵PID:4556
-
C:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exeC:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exe2⤵PID:4860
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exe .1⤵PID:4428
-
C:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exeC:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exe .2⤵PID:5104
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\ivqbxobujzwikucbb.exe*."3⤵PID:4932
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pfdrqkawohhwbozbeblb.exe1⤵PID:5732
-
C:\Windows\pfdrqkawohhwbozbeblb.exepfdrqkawohhwbozbeblb.exe2⤵PID:1756
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c evujjevslfgwcqcfjhsji.exe .1⤵PID:2168
-
C:\Windows\evujjevslfgwcqcfjhsji.exeevujjevslfgwcqcfjhsji.exe .2⤵PID:2420
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\evujjevslfgwcqcfjhsji.exe*."3⤵PID:2020
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c crobzshctlkycoyzbxg.exe1⤵PID:1904
-
C:\Windows\crobzshctlkycoyzbxg.execrobzshctlkycoyzbxg.exe2⤵PID:996
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c evujjevslfgwcqcfjhsji.exe .1⤵PID:5876
-
C:\Windows\evujjevslfgwcqcfjhsji.exeevujjevslfgwcqcfjhsji.exe .2⤵PID:4436
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\evujjevslfgwcqcfjhsji.exe*."3⤵PID:1908
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crobzshctlkycoyzbxg.exe1⤵PID:1772
-
C:\Users\Admin\AppData\Local\Temp\crobzshctlkycoyzbxg.exeC:\Users\Admin\AppData\Local\Temp\crobzshctlkycoyzbxg.exe2⤵PID:2060
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exe .1⤵PID:4992
-
C:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exeC:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exe .2⤵PID:4560
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\bnhrmcogujfqrahf.exe*."3⤵PID:6064
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crobzshctlkycoyzbxg.exe1⤵PID:1148
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4580
-
-
C:\Users\Admin\AppData\Local\Temp\crobzshctlkycoyzbxg.exeC:\Users\Admin\AppData\Local\Temp\crobzshctlkycoyzbxg.exe2⤵PID:4876
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rfbnkcqkarpcfqzzav.exe .1⤵PID:2068
-
C:\Users\Admin\AppData\Local\Temp\rfbnkcqkarpcfqzzav.exeC:\Users\Admin\AppData\Local\Temp\rfbnkcqkarpcfqzzav.exe .2⤵PID:3704
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\rfbnkcqkarpcfqzzav.exe*."3⤵PID:5248
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bnhrmcogujfqrahf.exe1⤵PID:548
-
C:\Windows\bnhrmcogujfqrahf.exebnhrmcogujfqrahf.exe2⤵PID:3320
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rfbnkcqkarpcfqzzav.exe .1⤵PID:2452
-
C:\Windows\rfbnkcqkarpcfqzzav.exerfbnkcqkarpcfqzzav.exe .2⤵PID:408
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\rfbnkcqkarpcfqzzav.exe*."3⤵PID:1800
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c crobzshctlkycoyzbxg.exe1⤵PID:4320
-
C:\Windows\crobzshctlkycoyzbxg.execrobzshctlkycoyzbxg.exe2⤵PID:4900
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ivqbxobujzwikucbb.exe .1⤵PID:4756
-
C:\Windows\ivqbxobujzwikucbb.exeivqbxobujzwikucbb.exe .2⤵PID:5956
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\ivqbxobujzwikucbb.exe*."3⤵PID:5228
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exe1⤵PID:3384
-
C:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exeC:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exe2⤵PID:4452
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe .1⤵PID:1984
-
C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exeC:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe .2⤵PID:1812
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\pfdrqkawohhwbozbeblb.exe*."3⤵PID:1568
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exe1⤵PID:4656
-
C:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exeC:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exe2⤵PID:612
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exe .1⤵PID:3660
-
C:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exeC:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exe .2⤵PID:4264
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\evujjevslfgwcqcfjhsji.exe*."3⤵PID:1712
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c evujjevslfgwcqcfjhsji.exe1⤵PID:208
-
C:\Windows\evujjevslfgwcqcfjhsji.exeevujjevslfgwcqcfjhsji.exe2⤵PID:2276
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pjbtjdcrmnchufhkhrld.exe1⤵PID:3840
-
C:\Windows\pjbtjdcrmnchufhkhrld.exepjbtjdcrmnchufhkhrld.exe2⤵PID:4540
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ivqbxobujzwikucbb.exe .1⤵PID:4672
-
C:\Windows\ivqbxobujzwikucbb.exeivqbxobujzwikucbb.exe .2⤵PID:4260
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\ivqbxobujzwikucbb.exe*."3⤵PID:5856
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rjzpdvsfyxknyhhidl.exe .1⤵PID:5628
-
C:\Windows\rjzpdvsfyxknyhhidl.exerjzpdvsfyxknyhhidl.exe .2⤵PID:4808
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\rjzpdvsfyxknyhhidl.exe*."3⤵PID:5472
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bnhrmcogujfqrahf.exe1⤵PID:1432
-
C:\Windows\bnhrmcogujfqrahf.exebnhrmcogujfqrahf.exe2⤵PID:5844
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brftfvqbspabkrpo.exe1⤵PID:5348
-
C:\Windows\brftfvqbspabkrpo.exebrftfvqbspabkrpo.exe2⤵PID:2856
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pfdrqkawohhwbozbeblb.exe .1⤵PID:2800
-
C:\Windows\pfdrqkawohhwbozbeblb.exepfdrqkawohhwbozbeblb.exe .2⤵PID:1040
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\pfdrqkawohhwbozbeblb.exe*."3⤵PID:4772
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cvmdsljxrrfjvfgieng.exe .1⤵PID:5872
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5104
-
-
C:\Windows\cvmdsljxrrfjvfgieng.execvmdsljxrrfjvfgieng.exe .2⤵PID:2040
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\cvmdsljxrrfjvfgieng.exe*."3⤵PID:4848
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe1⤵PID:4164
-
C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exeC:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe2⤵PID:3392
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe1⤵PID:3624
-
C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exeC:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe2⤵PID:5060
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rfbnkcqkarpcfqzzav.exe .1⤵PID:3388
-
C:\Users\Admin\AppData\Local\Temp\rfbnkcqkarpcfqzzav.exeC:\Users\Admin\AppData\Local\Temp\rfbnkcqkarpcfqzzav.exe .2⤵PID:2884
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\rfbnkcqkarpcfqzzav.exe*."3⤵PID:4992
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjbtjdcrmnchufhkhrld.exe .1⤵PID:5052
-
C:\Users\Admin\AppData\Local\Temp\pjbtjdcrmnchufhkhrld.exeC:\Users\Admin\AppData\Local\Temp\pjbtjdcrmnchufhkhrld.exe .2⤵PID:5912
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\pjbtjdcrmnchufhkhrld.exe*."3⤵PID:4564
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exe1⤵PID:1056
-
C:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exeC:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exe2⤵PID:4488
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe1⤵PID:3352
-
C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exeC:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe2⤵PID:6020
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe .1⤵PID:4404
-
C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exeC:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe .2⤵PID:5992
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\pfdrqkawohhwbozbeblb.exe*."3⤵PID:5152
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\izodqhdphfrtdlkke.exe .1⤵PID:1544
-
C:\Users\Admin\AppData\Local\Temp\izodqhdphfrtdlkke.exeC:\Users\Admin\AppData\Local\Temp\izodqhdphfrtdlkke.exe .2⤵PID:4856
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\izodqhdphfrtdlkke.exe*."3⤵PID:5200
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ivqbxobujzwikucbb.exe1⤵PID:4168
-
C:\Windows\ivqbxobujzwikucbb.exeivqbxobujzwikucbb.exe2⤵PID:2860
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c evujjevslfgwcqcfjhsji.exe .1⤵PID:2320
-
C:\Windows\evujjevslfgwcqcfjhsji.exeevujjevslfgwcqcfjhsji.exe .2⤵PID:5352
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\evujjevslfgwcqcfjhsji.exe*."3⤵PID:5580
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bnhrmcogujfqrahf.exe1⤵PID:1348
-
C:\Windows\bnhrmcogujfqrahf.exebnhrmcogujfqrahf.exe2⤵PID:5500
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rfbnkcqkarpcfqzzav.exe .1⤵PID:4852
-
C:\Windows\rfbnkcqkarpcfqzzav.exerfbnkcqkarpcfqzzav.exe .2⤵PID:4320
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\rfbnkcqkarpcfqzzav.exe*."3⤵PID:5028
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rfbnkcqkarpcfqzzav.exe1⤵PID:1748
-
C:\Users\Admin\AppData\Local\Temp\rfbnkcqkarpcfqzzav.exeC:\Users\Admin\AppData\Local\Temp\rfbnkcqkarpcfqzzav.exe2⤵PID:4908
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exe .1⤵PID:3240
-
C:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exeC:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exe .2⤵PID:5720
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\bnhrmcogujfqrahf.exe*."3⤵PID:1460
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rfbnkcqkarpcfqzzav.exe1⤵PID:3084
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5004
-
-
C:\Users\Admin\AppData\Local\Temp\rfbnkcqkarpcfqzzav.exeC:\Users\Admin\AppData\Local\Temp\rfbnkcqkarpcfqzzav.exe2⤵PID:1568
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exe .1⤵PID:1468
-
C:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exeC:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exe .2⤵PID:2560
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\ivqbxobujzwikucbb.exe*."3⤵PID:612
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rfbnkcqkarpcfqzzav.exe1⤵PID:5012
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5644
-
-
C:\Windows\rfbnkcqkarpcfqzzav.exerfbnkcqkarpcfqzzav.exe2⤵PID:4408
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c evujjevslfgwcqcfjhsji.exe .1⤵PID:4536
-
C:\Windows\evujjevslfgwcqcfjhsji.exeevujjevslfgwcqcfjhsji.exe .2⤵PID:1228
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\evujjevslfgwcqcfjhsji.exe*."3⤵PID:3880
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bnhrmcogujfqrahf.exe1⤵PID:5652
-
C:\Windows\bnhrmcogujfqrahf.exebnhrmcogujfqrahf.exe2⤵PID:1832
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c crobzshctlkycoyzbxg.exe .1⤵PID:6136
-
C:\Windows\crobzshctlkycoyzbxg.execrobzshctlkycoyzbxg.exe .2⤵PID:516
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\crobzshctlkycoyzbxg.exe*."3⤵PID:4712
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exe1⤵PID:2928
-
C:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exeC:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exe2⤵PID:5952
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exe .1⤵PID:5368
-
C:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exeC:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exe .2⤵PID:5748
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\bnhrmcogujfqrahf.exe*."3⤵PID:1556
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exe1⤵PID:2632
-
C:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exeC:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exe2⤵PID:3120
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crobzshctlkycoyzbxg.exe .1⤵PID:5628
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:464
-
-
C:\Users\Admin\AppData\Local\Temp\crobzshctlkycoyzbxg.exeC:\Users\Admin\AppData\Local\Temp\crobzshctlkycoyzbxg.exe .2⤵PID:5732
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\crobzshctlkycoyzbxg.exe*."3⤵PID:5564
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c evujjevslfgwcqcfjhsji.exe1⤵PID:4556
-
C:\Windows\evujjevslfgwcqcfjhsji.exeevujjevslfgwcqcfjhsji.exe2⤵PID:4716
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c crobzshctlkycoyzbxg.exe1⤵PID:5904
-
C:\Windows\crobzshctlkycoyzbxg.execrobzshctlkycoyzbxg.exe2⤵PID:2168
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c evujjevslfgwcqcfjhsji.exe .1⤵PID:4164
-
C:\Windows\evujjevslfgwcqcfjhsji.exeevujjevslfgwcqcfjhsji.exe .2⤵PID:1712
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\evujjevslfgwcqcfjhsji.exe*."3⤵PID:1872
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c evujjevslfgwcqcfjhsji.exe1⤵PID:3624
-
C:\Windows\evujjevslfgwcqcfjhsji.exeevujjevslfgwcqcfjhsji.exe2⤵PID:4564
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c crobzshctlkycoyzbxg.exe .1⤵PID:2000
-
C:\Windows\crobzshctlkycoyzbxg.execrobzshctlkycoyzbxg.exe .2⤵PID:2488
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\crobzshctlkycoyzbxg.exe*."3⤵PID:1544
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rfbnkcqkarpcfqzzav.exe1⤵PID:1132
-
C:\Windows\rfbnkcqkarpcfqzzav.exerfbnkcqkarpcfqzzav.exe2⤵PID:5000
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c crobzshctlkycoyzbxg.exe .1⤵PID:2652
-
C:\Windows\crobzshctlkycoyzbxg.execrobzshctlkycoyzbxg.exe .2⤵PID:1252
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\crobzshctlkycoyzbxg.exe*."3⤵PID:3540
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c evujjevslfgwcqcfjhsji.exe .1⤵PID:3080
-
C:\Windows\evujjevslfgwcqcfjhsji.exeevujjevslfgwcqcfjhsji.exe .2⤵PID:3372
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\evujjevslfgwcqcfjhsji.exe*."3⤵PID:3944
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bnhrmcogujfqrahf.exe1⤵PID:5744
-
C:\Windows\bnhrmcogujfqrahf.exebnhrmcogujfqrahf.exe2⤵PID:5520
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exe1⤵PID:312
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5572
-
-
C:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exeC:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exe2⤵PID:2148
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c evujjevslfgwcqcfjhsji.exe1⤵PID:4436
-
C:\Windows\evujjevslfgwcqcfjhsji.exeevujjevslfgwcqcfjhsji.exe2⤵PID:184
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exe .1⤵PID:808
-
C:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exeC:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exe .2⤵PID:1004
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\ivqbxobujzwikucbb.exe*."3⤵PID:4020
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ivqbxobujzwikucbb.exe .1⤵PID:4856
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:836
-
-
C:\Windows\ivqbxobujzwikucbb.exeivqbxobujzwikucbb.exe .2⤵PID:5044
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\ivqbxobujzwikucbb.exe*."3⤵PID:5308
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c crobzshctlkycoyzbxg.exe .1⤵PID:3548
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5204
-
-
C:\Windows\crobzshctlkycoyzbxg.execrobzshctlkycoyzbxg.exe .2⤵PID:4992
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\crobzshctlkycoyzbxg.exe*."3⤵PID:5912
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exe1⤵PID:3380
-
C:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exeC:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exe2⤵PID:6128
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe1⤵PID:2860
-
C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exeC:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe2⤵PID:1984
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exe .1⤵PID:5176
-
C:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exeC:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exe .2⤵PID:3152
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\evujjevslfgwcqcfjhsji.exe*."3⤵PID:1032
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exe .1⤵PID:2088
-
C:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exeC:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exe .2⤵PID:3116
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\bnhrmcogujfqrahf.exe*."3⤵PID:1632
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exe1⤵PID:636
-
C:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exeC:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exe2⤵PID:1468
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exe .1⤵PID:232
-
C:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exeC:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exe .2⤵PID:4656
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\evujjevslfgwcqcfjhsji.exe*."3⤵PID:448
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crobzshctlkycoyzbxg.exe1⤵PID:1748
-
C:\Users\Admin\AppData\Local\Temp\crobzshctlkycoyzbxg.exeC:\Users\Admin\AppData\Local\Temp\crobzshctlkycoyzbxg.exe2⤵PID:5768
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crobzshctlkycoyzbxg.exe1⤵PID:4820
-
C:\Users\Admin\AppData\Local\Temp\crobzshctlkycoyzbxg.exeC:\Users\Admin\AppData\Local\Temp\crobzshctlkycoyzbxg.exe2⤵PID:1488
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exe .1⤵PID:2308
-
C:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exeC:\Users\Admin\AppData\Local\Temp\evujjevslfgwcqcfjhsji.exe .2⤵PID:3724
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\evujjevslfgwcqcfjhsji.exe*."3⤵PID:4052
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe .1⤵PID:6084
-
C:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exeC:\Users\Admin\AppData\Local\Temp\pfdrqkawohhwbozbeblb.exe .2⤵PID:3856
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\pfdrqkawohhwbozbeblb.exe*."3⤵PID:4808
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ivqbxobujzwikucbb.exe1⤵PID:3088
-
C:\Windows\ivqbxobujzwikucbb.exeivqbxobujzwikucbb.exe2⤵PID:4896
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bnhrmcogujfqrahf.exe .1⤵PID:4712
-
C:\Windows\bnhrmcogujfqrahf.exebnhrmcogujfqrahf.exe .2⤵PID:868
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\bnhrmcogujfqrahf.exe*."3⤵PID:5092
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c crobzshctlkycoyzbxg.exe1⤵PID:5748
-
C:\Windows\crobzshctlkycoyzbxg.execrobzshctlkycoyzbxg.exe2⤵PID:2980
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ivqbxobujzwikucbb.exe .1⤵PID:1756
-
C:\Windows\ivqbxobujzwikucbb.exeivqbxobujzwikucbb.exe .2⤵PID:5984
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\ivqbxobujzwikucbb.exe*."3⤵PID:3148
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rfbnkcqkarpcfqzzav.exe1⤵PID:1452
-
C:\Users\Admin\AppData\Local\Temp\rfbnkcqkarpcfqzzav.exeC:\Users\Admin\AppData\Local\Temp\rfbnkcqkarpcfqzzav.exe2⤵PID:804
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exe .1⤵PID:2700
-
C:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exeC:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exe .2⤵PID:1408
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\ivqbxobujzwikucbb.exe*."3⤵PID:1120
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exe1⤵PID:3404
-
C:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exeC:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exe2⤵PID:5904
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exe .1⤵PID:5824
-
C:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exeC:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exe .2⤵PID:2404
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\ivqbxobujzwikucbb.exe*."3⤵PID:4764
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bnhrmcogujfqrahf.exe1⤵PID:5216
-
C:\Windows\bnhrmcogujfqrahf.exebnhrmcogujfqrahf.exe2⤵PID:916
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ivqbxobujzwikucbb.exe .1⤵PID:4768
-
C:\Windows\ivqbxobujzwikucbb.exeivqbxobujzwikucbb.exe .2⤵PID:2040
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\ivqbxobujzwikucbb.exe*."3⤵PID:3572
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bnhrmcogujfqrahf.exe1⤵PID:116
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1716
-
-
C:\Windows\bnhrmcogujfqrahf.exebnhrmcogujfqrahf.exe2⤵PID:5504
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pfdrqkawohhwbozbeblb.exe .1⤵PID:6128
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:6140
-
-
C:\Windows\pfdrqkawohhwbozbeblb.exepfdrqkawohhwbozbeblb.exe .2⤵PID:4804
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\pfdrqkawohhwbozbeblb.exe*."3⤵PID:5916
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crobzshctlkycoyzbxg.exe1⤵PID:1164
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2556
-
-
C:\Users\Admin\AppData\Local\Temp\crobzshctlkycoyzbxg.exeC:\Users\Admin\AppData\Local\Temp\crobzshctlkycoyzbxg.exe2⤵PID:744
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exe .1⤵PID:4528
-
C:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exeC:\Users\Admin\AppData\Local\Temp\bnhrmcogujfqrahf.exe .2⤵PID:5012
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\bnhrmcogujfqrahf.exe*."3⤵PID:3220
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exe1⤵PID:4020
-
C:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exeC:\Users\Admin\AppData\Local\Temp\ivqbxobujzwikucbb.exe2⤵PID:2432
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crobzshctlkycoyzbxg.exe .1⤵PID:1604
-
C:\Users\Admin\AppData\Local\Temp\crobzshctlkycoyzbxg.exeC:\Users\Admin\AppData\Local\Temp\crobzshctlkycoyzbxg.exe .2⤵PID:1572
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\crobzshctlkycoyzbxg.exe*."3⤵PID:3056
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c evujjevslfgwcqcfjhsji.exe1⤵PID:4028
-
C:\Windows\evujjevslfgwcqcfjhsji.exeevujjevslfgwcqcfjhsji.exe2⤵PID:4044
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pfdrqkawohhwbozbeblb.exe .1⤵PID:5592
-
C:\Windows\pfdrqkawohhwbozbeblb.exepfdrqkawohhwbozbeblb.exe .2⤵PID:6124
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\pfdrqkawohhwbozbeblb.exe*."3⤵PID:3756
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pfdrqkawohhwbozbeblb.exe1⤵PID:2492
Network
MITRE ATT&CK Enterprise v16 (tactic → technique → sub-technique; the count in parentheses is the number of matching signatures)
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
  Impair Defenses (2)
    Disable or Modify Tools (1)
    Safe Mode Boot (1)
  Modify Registry (5)
Downloads
-
Filesize
272B
MD5 173ccaf2898804074958f19f72cb08db
SHA1 c106485af8b9b412aa3a41a459fca9087df088ce
SHA256 6d0495d65644b4155c604eac1b6f7fb78ac47938b37f0e8c68f691920825ae26
SHA512 d3f3b6adcb02965d1e1ddeb1f6114ce89b33cac30ea003a10619a75a2fc8a0121ea5920fd359bd36f21f362b085e779c6c1f84eadf475eb91b0737753debc4f7
-
Filesize
272B
MD5 d9c04b4353db1e00aa5e1d736b6fbabf
SHA1 f88a7f1d53a830a909be8697fd177dc19d2dcdd8
SHA256 e6fedf4120ce3e5244ea45a672e3f5d96febaa88c2a399153bc4bbf569b85ca2
SHA512 b04b0cb02cb2970bd8faa2efdea92fd9054ee5e18c35d4703f626ce58dafad2dfdbf9dcd1f1d22ae399f9342c19ab3c766a07df1c3711ac42099bec9d5d64f0c
-
Filesize
272B
MD5 191d08fb0b64dfaa2064d58b92b9908b
SHA1 c9e3790aea029b65d3ebf9b1ff31e09958da56d7
SHA256 2c22de693e2f1c4e312dff1f443ccd7916bb27d7ed199194203ffdc896e36e25
SHA512 b66d7fca1f7bc710eedde5059c54404bfd8269ac6deb4916e0101b3a25b49b51d13b3d42706fb8ee2153015bce92dfd6bee12a2f641a062e7c176de587633507
-
Filesize
272B
MD5 0eeaf831d2254c1cb67b3a0ff7b99342
SHA1 593b71ea07839d6c5077ca0de7654d55e72ef0ef
SHA256 b0a55af599634e89bff8f0c39c867762a5ed9c9344cdab292bc1d498650531c3
SHA512 2ed09be05820f54de24fb63cd67d488f550e71a6941459108cc3add65faf547065ae1860da69cd38fa38e937fb0b4882ef6c2a0c509e66b06a96e227e9f95bab
-
Filesize
272B
MD5 06da01e51ddf19c3dd6098cb4e832111
SHA1 1cd19f242c19351a62c0135fc1b96bc49d75e215
SHA256 5fdc7f6a6db2ca790c109616cda65a0b14588aa7fe1828ea2d3176b6deae85b8
SHA512 ca30921b5af9db38501a3ea91c7232b13d28b918ce73d7d56b3d9f156317ba0226cca418615275396806c2f1ab94273334eadaff520ced947618a71775b3db09
-
Filesize
272B
MD5 f19ea128259dd056c543290bafa6452a
SHA1 863fecca4c3abba735a48978dc81dd722dc7fce5
SHA256 f0408963777902b43275314bca84b4d4ab09092bb48fb7f2700b9f833b804dae
SHA512 502c6ef5bd56b78c70d5b0d3a6383f8988c31a836f016696da0318806e1201ea18190ddfa0156d89b80c0074a667fd3453b1d8bdc610ee57bb81d58fd5591410
-
Filesize
716KB
MD5 082a1feb8ae407e8bbb76d213e616038
SHA1 eeb91b6dcc33b2d9b0126a86535c5b34a38bd3bb
SHA256 fd7ca082fd1f46df4b0889cd44d5df7368656374dbbc4cf924f9234c7bc98e58
SHA512 52edcc65a3ae470b6f87e0a57c00cfbded08eff39836cfc7b334f6f6283a2e401018778743ffef4159b2f32171f2f3564404151e38b878538c781e96e74ffece
-
Filesize
320KB
MD5 1dd5dd5561723f37ccc81e15ecdbf830
SHA1 eeb9131c8d276ceb710d163e89fdc62b3e111971
SHA256 c8c542ac3f6526d1501c2b9d6262bfa029a1ac0d9dd6b3c1965977abdd8bd126
SHA512 b4881d7cd0c2ceeba067e13d23763e739389108d1269acd6c343dd308aa1fedde89da696a8482944342f44ea1094ea6b50021a15d4c6d03762ba032a9598bba5
-
Filesize
272B
MD5 9ed05e9cc778a857b905fc6f52a664ec
SHA1 5abb5545dbf65e717fa99b3ba95fb173b1c26c19
SHA256 5598fa00aba3376f05f8cf3b1499c975da65c41a9e688c38065e0ca64b8d2c29
SHA512 a4d8141e9b05090c47f524f67ba415d444e8d5ab632393f0095c41818e515f16065174abb1b103123c4e3a5f5cb6014ebf47007372a96407d2d3de7b4f5401e0
-
Filesize
3KB
MD5 5ff48510b43f94c7da9fea97b15e3eb2
SHA1 b3dc5158f7d4de36f92c2289811d86ebda8e4e69
SHA256 225b0759c951c4a15e25b6013c9346bfa874cd78be32198d46918d9649511499
SHA512 9677341e8e9b0c76a8aacc83f94b329df79a3e27ef2d9f1b47a396ecc38870264667393d3e41db38f40fc20425e773dcd36697eb9725800b59f7dbf9d0311541
-
Filesize
656KB
MD5 b83fcfe1963876af901a35e7f36a53a0
SHA1 3fb06cf673b7034254f4beae6b14e7122f82816f
SHA256 9aab7948f428921efcc735e88e5adad78ff27a73e6cb2d54d9cfddae3286cf22
SHA512 5b4a32891aed254617e48f92bf7003a68a1f377ae9b9a73ce7209ea98a389d39270ba311be1e21b6bb051bd51968f51bfdb6c73624f8000edb84c041ed5201e3