Analysis
-
max time kernel
52s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20250314-en locale:en-us os:windows10-2004-x64 system
submitted
18/04/2025, 22:53
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral2
Sample
JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe
Resource
win11-20250410-en
General
-
Target
JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe
-
Size
604KB
-
MD5
c01efe28cc72f758cb5548c1b0f4afe1
-
SHA1
23a4aae9c403e8a8484e80780ad911459332bcd6
-
SHA256
b8fda1b4500ac5fa17c42f664f5708ce394b039f1a18fc7e526b714df784af6b
-
SHA512
b1ce44a9919ea0ee91cb3b6d94522656102d95e8c5589d13736045b1919d908fa17e6bf07921e4e94cdc54f3abdc15be3c8fe82a347f6ea955e6958e045ca316
-
SSDEEP
12288:UpUJ3r6YkVwJgNnSykgb9cqWnw4q6ZmFhqsdrvjXFkvOTT6TEF:UpUNr6YkVRFkgbeqeo68FhqCvLFtT6AF
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 24 IoCs
Note: every write below sets Winlogon\Shell to "Explorer.exe", which is also the Windows default value, so a detection that only alerts on a non-default Shell value will not fire on this sample; alert on the write itself coming from a non-system process. The writes land under WOW6432Node because the sample runs as a 32-bit process (see the arch:x86 resource tag); confirm whether the 64-bit winlogon honours that registry view before treating this as effective persistence.
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" xchrweo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" gncxrwpmqxm.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" xchrweo.exe -
Pykspa family
-
UAC bypass 3 TTPs 33 IoCs
Note: the IoCs below set EnableLUA, ConsentPromptBehaviorAdmin, ConsentPromptBehaviorUser and PromptOnSecureDesktop to 0 under HKLM\...\Policies\System. Writing these values already requires an elevated token, and EnableLUA=0 only takes effect after a reboot, so the behaviour is UAC disablement for subsequent executions (defence impairment) rather than a privilege-escalation bypass.
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncxrwpmqxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncxrwpmqxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncxrwpmqxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncxrwpmqxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncxrwpmqxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncxrwpmqxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncxrwpmqxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" xchrweo.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncxrwpmqxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncxrwpmqxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncxrwpmqxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" xchrweo.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" xchrweo.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" xchrweo.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncxrwpmqxm.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncxrwpmqxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncxrwpmqxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncxrwpmqxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" xchrweo.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncxrwpmqxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncxrwpmqxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncxrwpmqxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" gncxrwpmqxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" gncxrwpmqxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncxrwpmqxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" gncxrwpmqxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" xchrweo.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" xchrweo.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" xchrweo.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncxrwpmqxm.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncxrwpmqxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncxrwpmqxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncxrwpmqxm.exe -
Detect Pykspa worm 2 IoCs
resource yara_rule behavioral1/files/0x000500000002185a-4.dat family_pykspa behavioral1/files/0x0007000000024312-84.dat family_pykspa -
Adds policy Run key to start application 2 TTPs 64 IoCs
Note: Policies\Explorer\Run is the Group-Policy-managed logon run list; include it in remediation alongside the standard Run/RunOnce keys. The values below alternate between a bare filename (e.g. "mcsndwrmbpznjlmyyc.exe") and a full %TEMP% path, and the value names (xchrweo, wemzhsfszf) are rewritten repeatedly to point at different dropped executables.
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xchrweo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kcurjebypfrhfjmacigy.exe" xchrweo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xchrweo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wkyrfwpivhpbvvue.exe" xchrweo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wemzhsfszf = "mcsndwrmbpznjlmyyc.exe" gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xchrweo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dshbqicwkxgtoppaz.exe" gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wemzhsfszf = "wkyrfwpivhpbvvue.exe" gncxrwpmqxm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xchrweo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kcurjebypfrhfjmacigy.exe" gncxrwpmqxm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run gncxrwpmqxm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run gncxrwpmqxm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run gncxrwpmqxm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wemzhsfszf = "wkyrfwpivhpbvvue.exe" gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wemzhsfszf = 
"dshbqicwkxgtoppaz.exe" gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xchrweo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wkyrfwpivhpbvvue.exe" gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xchrweo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xofbsmieujujgjlyzeb.exe" gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wemzhsfszf = "dshbqicwkxgtoppaz.exe" gncxrwpmqxm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wemzhsfszf = "xofbsmieujujgjlyzeb.exe" gncxrwpmqxm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xchrweo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dshbqicwkxgtoppaz.exe" gncxrwpmqxm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xchrweo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dshbqicwkxgtoppaz.exe" gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xchrweo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mcsndwrmbpznjlmyyc.exe" gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wemzhsfszf = "zsljcywumdqhglpehongz.exe" xchrweo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wemzhsfszf = "mcsndwrmbpznjlmyyc.exe" gncxrwpmqxm.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xchrweo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xofbsmieujujgjlyzeb.exe" xchrweo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xchrweo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dshbqicwkxgtoppaz.exe" gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xchrweo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kcurjebypfrhfjmacigy.exe" gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xchrweo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsljcywumdqhglpehongz.exe" gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wemzhsfszf = "dshbqicwkxgtoppaz.exe" gncxrwpmqxm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run gncxrwpmqxm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run xchrweo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xchrweo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kcurjebypfrhfjmacigy.exe" gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wemzhsfszf = "mcsndwrmbpznjlmyyc.exe" gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wemzhsfszf = "mcsndwrmbpznjlmyyc.exe" gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xchrweo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wkyrfwpivhpbvvue.exe" 
xchrweo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wemzhsfszf = "xofbsmieujujgjlyzeb.exe" xchrweo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xchrweo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kcurjebypfrhfjmacigy.exe" xchrweo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wemzhsfszf = "xofbsmieujujgjlyzeb.exe" gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xchrweo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xofbsmieujujgjlyzeb.exe" gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xchrweo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xofbsmieujujgjlyzeb.exe" gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xchrweo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wkyrfwpivhpbvvue.exe" gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xchrweo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsljcywumdqhglpehongz.exe" gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wemzhsfszf = "zsljcywumdqhglpehongz.exe" gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xchrweo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xofbsmieujujgjlyzeb.exe" gncxrwpmqxm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wemzhsfszf = "mcsndwrmbpznjlmyyc.exe" gncxrwpmqxm.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wemzhsfszf = "wkyrfwpivhpbvvue.exe" gncxrwpmqxm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wemzhsfszf = "zsljcywumdqhglpehongz.exe" gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wemzhsfszf = "zsljcywumdqhglpehongz.exe" gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xchrweo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xofbsmieujujgjlyzeb.exe" gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xchrweo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsljcywumdqhglpehongz.exe" xchrweo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wemzhsfszf = "xofbsmieujujgjlyzeb.exe" gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wemzhsfszf = "kcurjebypfrhfjmacigy.exe" xchrweo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xchrweo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dshbqicwkxgtoppaz.exe" gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wemzhsfszf = "mcsndwrmbpznjlmyyc.exe" gncxrwpmqxm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run gncxrwpmqxm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run gncxrwpmqxm.exe -
Disables RegEdit via registry modification 6 IoCs
Note: DisableRegistryTools = 1 is written in both the user hive and HKLM, so regedit.exe is blocked for the logged-on user regardless of which policy is consulted. reg.exe and PowerShell registry cmdlets are not governed by this value and can be used to revert it and the other policy writes in this report.
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" xchrweo.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" xchrweo.exe Set value (int) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" gncxrwpmqxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" gncxrwpmqxm.exe Set value (int) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" xchrweo.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" xchrweo.exe -
Checks computer location settings 2 TTPs 64 IoCs
Reads HKCU\Control Panel\International\Geo\Nation (the user's configured country code). This is consistent with a geofence check, but the report does not show how the value influences execution, so treat the geofence interpretation as a hypothesis rather than a confirmed capability.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation zsljcywumdqhglpehongz.exe Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation wkyrfwpivhpbvvue.exe Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation zsljcywumdqhglpehongz.exe Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation mcsndwrmbpznjlmyyc.exe Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation zsljcywumdqhglpehongz.exe Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation xofbsmieujujgjlyzeb.exe Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation mcsndwrmbpznjlmyyc.exe Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation wkyrfwpivhpbvvue.exe Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation mcsndwrmbpznjlmyyc.exe Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation wkyrfwpivhpbvvue.exe Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation wkyrfwpivhpbvvue.exe Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation xofbsmieujujgjlyzeb.exe Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation zsljcywumdqhglpehongz.exe Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation 
xofbsmieujujgjlyzeb.exe Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation xofbsmieujujgjlyzeb.exe Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation kcurjebypfrhfjmacigy.exe Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation xofbsmieujujgjlyzeb.exe Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation zsljcywumdqhglpehongz.exe Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation wkyrfwpivhpbvvue.exe Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation xofbsmieujujgjlyzeb.exe Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation mcsndwrmbpznjlmyyc.exe Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation wkyrfwpivhpbvvue.exe Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation kcurjebypfrhfjmacigy.exe Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation mcsndwrmbpznjlmyyc.exe Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation kcurjebypfrhfjmacigy.exe Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation kcurjebypfrhfjmacigy.exe Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control 
Panel\International\Geo\Nation xofbsmieujujgjlyzeb.exe Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation wkyrfwpivhpbvvue.exe Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation xofbsmieujujgjlyzeb.exe Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation wkyrfwpivhpbvvue.exe Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation kcurjebypfrhfjmacigy.exe Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation dshbqicwkxgtoppaz.exe Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation zsljcywumdqhglpehongz.exe Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation wkyrfwpivhpbvvue.exe Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation zsljcywumdqhglpehongz.exe Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation zsljcywumdqhglpehongz.exe Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation xofbsmieujujgjlyzeb.exe Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation gncxrwpmqxm.exe Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation dshbqicwkxgtoppaz.exe Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation kcurjebypfrhfjmacigy.exe Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control 
Panel\International\Geo\Nation dshbqicwkxgtoppaz.exe Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation zsljcywumdqhglpehongz.exe Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation kcurjebypfrhfjmacigy.exe Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation mcsndwrmbpznjlmyyc.exe Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation dshbqicwkxgtoppaz.exe Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation zsljcywumdqhglpehongz.exe Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation wkyrfwpivhpbvvue.exe Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation kcurjebypfrhfjmacigy.exe Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation dshbqicwkxgtoppaz.exe Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation zsljcywumdqhglpehongz.exe Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation wkyrfwpivhpbvvue.exe Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation zsljcywumdqhglpehongz.exe Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation wkyrfwpivhpbvvue.exe Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation xofbsmieujujgjlyzeb.exe Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control 
Panel\International\Geo\Nation wkyrfwpivhpbvvue.exe Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation xofbsmieujujgjlyzeb.exe Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation zsljcywumdqhglpehongz.exe Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation kcurjebypfrhfjmacigy.exe Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation xofbsmieujujgjlyzeb.exe Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation xofbsmieujujgjlyzeb.exe Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation wkyrfwpivhpbvvue.exe Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation xofbsmieujujgjlyzeb.exe Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation kcurjebypfrhfjmacigy.exe -
Executes dropped EXE 64 IoCs
Note: PIDs 1052, 4444 and 5976 each appear twice below with different image names, so PID reuse occurred during the run; correlate process events on (PID, creation time) rather than PID alone, and expect the 64 entries to be a truncated view of the spawn chain.
pid Process 3320 gncxrwpmqxm.exe 4932 kcurjebypfrhfjmacigy.exe 4568 xofbsmieujujgjlyzeb.exe 5148 gncxrwpmqxm.exe 4720 kcurjebypfrhfjmacigy.exe 4896 wkyrfwpivhpbvvue.exe 3684 zsljcywumdqhglpehongz.exe 4732 kcurjebypfrhfjmacigy.exe 5952 gncxrwpmqxm.exe 4444 gncxrwpmqxm.exe 4632 mcsndwrmbpznjlmyyc.exe 1052 zsljcywumdqhglpehongz.exe 3868 gncxrwpmqxm.exe 4384 xchrweo.exe 2132 xchrweo.exe 5976 zsljcywumdqhglpehongz.exe 2468 wkyrfwpivhpbvvue.exe 5312 zsljcywumdqhglpehongz.exe 6084 gncxrwpmqxm.exe 3336 zsljcywumdqhglpehongz.exe 3848 xofbsmieujujgjlyzeb.exe 2496 dshbqicwkxgtoppaz.exe 5028 mcsndwrmbpznjlmyyc.exe 316 gncxrwpmqxm.exe 5696 gncxrwpmqxm.exe 1324 zsljcywumdqhglpehongz.exe 2540 dshbqicwkxgtoppaz.exe 4024 mcsndwrmbpznjlmyyc.exe 4820 dshbqicwkxgtoppaz.exe 4864 kcurjebypfrhfjmacigy.exe 4220 dshbqicwkxgtoppaz.exe 3420 gncxrwpmqxm.exe 1444 gncxrwpmqxm.exe 5420 zsljcywumdqhglpehongz.exe 3396 mcsndwrmbpznjlmyyc.exe 2376 gncxrwpmqxm.exe 4712 zsljcywumdqhglpehongz.exe 4652 kcurjebypfrhfjmacigy.exe 4444 gncxrwpmqxm.exe 4268 gncxrwpmqxm.exe 2024 xofbsmieujujgjlyzeb.exe 1052 gncxrwpmqxm.exe 2900 kcurjebypfrhfjmacigy.exe 2740 xofbsmieujujgjlyzeb.exe 2444 xofbsmieujujgjlyzeb.exe 452 gncxrwpmqxm.exe 4832 xofbsmieujujgjlyzeb.exe 1912 gncxrwpmqxm.exe 5976 dshbqicwkxgtoppaz.exe 1852 wkyrfwpivhpbvvue.exe 2396 gncxrwpmqxm.exe 1796 kcurjebypfrhfjmacigy.exe 5996 dshbqicwkxgtoppaz.exe 4272 gncxrwpmqxm.exe 2856 mcsndwrmbpznjlmyyc.exe 2688 xofbsmieujujgjlyzeb.exe 536 zsljcywumdqhglpehongz.exe 4816 gncxrwpmqxm.exe 5480 xofbsmieujujgjlyzeb.exe 912 kcurjebypfrhfjmacigy.exe 3188 mcsndwrmbpznjlmyyc.exe 2484 wkyrfwpivhpbvvue.exe 5184 gncxrwpmqxm.exe 2188 dshbqicwkxgtoppaz.exe -
Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
Note: the deletions below remove service and driver entries (ProfSvc, UserManager, Power, CBDHSvc, SerCx2.sys, iai2c.sys) from the SafeBoot\Minimal allow-list; removing these can prevent a working Safe Mode boot, which is a common way to block offline remediation. Restore the SafeBoot\Minimal keys from a known-good system of the same build when remediating.
description ioc Process Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager xchrweo.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys xchrweo.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc xchrweo.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power xchrweo.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys xchrweo.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc xchrweo.exe -
Adds Run key to start application 2 TTPs 64 IoCs
Note: several Run/RunOnce values below name the dropped executable without a path and with a trailing " ." (e.g. "wkyrfwpivhpbvvue.exe ."), so which binary launches at logon depends on the process search path rather than a fixed location. Remediation should remove both the bare-name and the full-path (%TEMP%) variants, under HKLM\SOFTWARE\WOW6432Node and in the user hive, and the value names (dkrdkugsy, oyixhujyhptb, msyjpyju, oamdpevmxhnxpn, nyjzkyoeoxclc, rajxgsgucjm) are usable as host-based indicators.
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dkrdkugsy = "wkyrfwpivhpbvvue.exe ." gncxrwpmqxm.exe Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oyixhujyhptb = "xofbsmieujujgjlyzeb.exe ." gncxrwpmqxm.exe Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msyjpyju = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dshbqicwkxgtoppaz.exe" gncxrwpmqxm.exe Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dkrdkugsy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dshbqicwkxgtoppaz.exe ." xchrweo.exe Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oyixhujyhptb = "xofbsmieujujgjlyzeb.exe ." gncxrwpmqxm.exe Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oyixhujyhptb = "zsljcywumdqhglpehongz.exe ." gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oamdpevmxhnxpn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mcsndwrmbpznjlmyyc.exe" gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msyjpyju = "wkyrfwpivhpbvvue.exe" xchrweo.exe Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dkrdkugsy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wkyrfwpivhpbvvue.exe ." xchrweo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nyjzkyoeoxclc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wkyrfwpivhpbvvue.exe ." 
gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nyjzkyoeoxclc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsljcywumdqhglpehongz.exe ." gncxrwpmqxm.exe Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oyixhujyhptb = "wkyrfwpivhpbvvue.exe ." xchrweo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dkrdkugsy = "wkyrfwpivhpbvvue.exe ." xchrweo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oamdpevmxhnxpn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mcsndwrmbpznjlmyyc.exe" gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oamdpevmxhnxpn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wkyrfwpivhpbvvue.exe" gncxrwpmqxm.exe Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msyjpyju = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xofbsmieujujgjlyzeb.exe" gncxrwpmqxm.exe Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oyixhujyhptb = "kcurjebypfrhfjmacigy.exe ." 
gncxrwpmqxm.exe Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msyjpyju = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mcsndwrmbpznjlmyyc.exe" gncxrwpmqxm.exe Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rajxgsgucjm = "zsljcywumdqhglpehongz.exe" gncxrwpmqxm.exe Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rajxgsgucjm = "wkyrfwpivhpbvvue.exe" gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msyjpyju = "wkyrfwpivhpbvvue.exe" gncxrwpmqxm.exe Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rajxgsgucjm = "wkyrfwpivhpbvvue.exe" gncxrwpmqxm.exe Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msyjpyju = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsljcywumdqhglpehongz.exe" xchrweo.exe Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msyjpyju = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mcsndwrmbpznjlmyyc.exe" xchrweo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oamdpevmxhnxpn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mcsndwrmbpznjlmyyc.exe" xchrweo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nyjzkyoeoxclc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wkyrfwpivhpbvvue.exe ." 
xchrweo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oamdpevmxhnxpn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mcsndwrmbpznjlmyyc.exe" gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msyjpyju = "xofbsmieujujgjlyzeb.exe" gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dkrdkugsy = "xofbsmieujujgjlyzeb.exe ." gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dkrdkugsy = "zsljcywumdqhglpehongz.exe ." gncxrwpmqxm.exe Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msyjpyju = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mcsndwrmbpznjlmyyc.exe" gncxrwpmqxm.exe Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msyjpyju = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kcurjebypfrhfjmacigy.exe" gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dkrdkugsy = "kcurjebypfrhfjmacigy.exe ." gncxrwpmqxm.exe Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oyixhujyhptb = "xofbsmieujujgjlyzeb.exe ." gncxrwpmqxm.exe Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rajxgsgucjm = "zsljcywumdqhglpehongz.exe" gncxrwpmqxm.exe Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oyixhujyhptb = "wkyrfwpivhpbvvue.exe ." gncxrwpmqxm.exe Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dkrdkugsy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xofbsmieujujgjlyzeb.exe ." 
gncxrwpmqxm.exe Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msyjpyju = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xofbsmieujujgjlyzeb.exe" xchrweo.exe Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rajxgsgucjm = "xofbsmieujujgjlyzeb.exe" gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oamdpevmxhnxpn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mcsndwrmbpznjlmyyc.exe" gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nyjzkyoeoxclc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kcurjebypfrhfjmacigy.exe ." gncxrwpmqxm.exe Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dkrdkugsy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsljcywumdqhglpehongz.exe ." gncxrwpmqxm.exe Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oyixhujyhptb = "mcsndwrmbpznjlmyyc.exe ." gncxrwpmqxm.exe Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oyixhujyhptb = "xofbsmieujujgjlyzeb.exe ." gncxrwpmqxm.exe Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dkrdkugsy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mcsndwrmbpznjlmyyc.exe ." gncxrwpmqxm.exe Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rajxgsgucjm = "dshbqicwkxgtoppaz.exe" gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nyjzkyoeoxclc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kcurjebypfrhfjmacigy.exe ." 
gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oamdpevmxhnxpn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kcurjebypfrhfjmacigy.exe" xchrweo.exe Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rajxgsgucjm = "kcurjebypfrhfjmacigy.exe" gncxrwpmqxm.exe Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msyjpyju = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dshbqicwkxgtoppaz.exe" gncxrwpmqxm.exe Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oyixhujyhptb = "xofbsmieujujgjlyzeb.exe ." gncxrwpmqxm.exe Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oyixhujyhptb = "kcurjebypfrhfjmacigy.exe ." gncxrwpmqxm.exe Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rajxgsgucjm = "wkyrfwpivhpbvvue.exe" gncxrwpmqxm.exe Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msyjpyju = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xofbsmieujujgjlyzeb.exe" gncxrwpmqxm.exe Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oyixhujyhptb = "kcurjebypfrhfjmacigy.exe ." xchrweo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msyjpyju = "xofbsmieujujgjlyzeb.exe" gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dkrdkugsy = "xofbsmieujujgjlyzeb.exe ." 
gncxrwpmqxm.exe Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msyjpyju = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kcurjebypfrhfjmacigy.exe" gncxrwpmqxm.exe Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dkrdkugsy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dshbqicwkxgtoppaz.exe ." gncxrwpmqxm.exe Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msyjpyju = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xofbsmieujujgjlyzeb.exe" xchrweo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msyjpyju = "xofbsmieujujgjlyzeb.exe" gncxrwpmqxm.exe Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dkrdkugsy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsljcywumdqhglpehongz.exe ." gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dkrdkugsy = "xofbsmieujujgjlyzeb.exe ." gncxrwpmqxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oamdpevmxhnxpn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kcurjebypfrhfjmacigy.exe" gncxrwpmqxm.exe -
Checks whether UAC is enabled 1 TTPs 48 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA gncxrwpmqxm.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA gncxrwpmqxm.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA gncxrwpmqxm.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA gncxrwpmqxm.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA gncxrwpmqxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncxrwpmqxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncxrwpmqxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncxrwpmqxm.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA gncxrwpmqxm.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA gncxrwpmqxm.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA gncxrwpmqxm.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA gncxrwpmqxm.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA gncxrwpmqxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncxrwpmqxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncxrwpmqxm.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA gncxrwpmqxm.exe Key value queried 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA gncxrwpmqxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" xchrweo.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA xchrweo.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncxrwpmqxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncxrwpmqxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncxrwpmqxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncxrwpmqxm.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA gncxrwpmqxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" xchrweo.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncxrwpmqxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncxrwpmqxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncxrwpmqxm.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA gncxrwpmqxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncxrwpmqxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncxrwpmqxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncxrwpmqxm.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncxrwpmqxm.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA gncxrwpmqxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncxrwpmqxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncxrwpmqxm.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA gncxrwpmqxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncxrwpmqxm.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA xchrweo.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA gncxrwpmqxm.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA gncxrwpmqxm.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA gncxrwpmqxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncxrwpmqxm.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA gncxrwpmqxm.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA gncxrwpmqxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncxrwpmqxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncxrwpmqxm.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA gncxrwpmqxm.exe -
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possible attempt to turn off User Account Control's privilege elevation for standard users.
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" gncxrwpmqxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" xchrweo.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" xchrweo.exe -
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 38 www.whatismyip.ca 41 whatismyip.everdot.org 47 www.whatismyip.ca 16 www.whatismyip.ca 17 www.showmyipaddress.com 24 whatismyipaddress.com 33 whatismyip.everdot.org -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\wkyrfwpivhpbvvue.exe gncxrwpmqxm.exe File opened for modification C:\Windows\SysWOW64\mcsndwrmbpznjlmyyc.exe gncxrwpmqxm.exe File opened for modification C:\Windows\SysWOW64\qkedxutsldrjjpukowwqkj.exe gncxrwpmqxm.exe File opened for modification C:\Windows\SysWOW64\xofbsmieujujgjlyzeb.exe gncxrwpmqxm.exe File opened for modification C:\Windows\SysWOW64\xofbsmieujujgjlyzeb.exe gncxrwpmqxm.exe File opened for modification C:\Windows\SysWOW64\wkyrfwpivhpbvvue.exe xchrweo.exe File opened for modification C:\Windows\SysWOW64\zsljcywumdqhglpehongz.exe gncxrwpmqxm.exe File opened for modification C:\Windows\SysWOW64\xofbsmieujujgjlyzeb.exe gncxrwpmqxm.exe File opened for modification C:\Windows\SysWOW64\wkyrfwpivhpbvvue.exe gncxrwpmqxm.exe File opened for modification C:\Windows\SysWOW64\zsljcywumdqhglpehongz.exe gncxrwpmqxm.exe File opened for modification C:\Windows\SysWOW64\mcsndwrmbpznjlmyyc.exe gncxrwpmqxm.exe File opened for modification C:\Windows\SysWOW64\dshbqicwkxgtoppaz.exe gncxrwpmqxm.exe File opened for modification C:\Windows\SysWOW64\mcsndwrmbpznjlmyyc.exe gncxrwpmqxm.exe File opened for modification C:\Windows\SysWOW64\mcsndwrmbpznjlmyyc.exe gncxrwpmqxm.exe File opened for modification C:\Windows\SysWOW64\wkyrfwpivhpbvvue.exe gncxrwpmqxm.exe File opened for modification C:\Windows\SysWOW64\wkyrfwpivhpbvvue.exe gncxrwpmqxm.exe File opened for modification C:\Windows\SysWOW64\xofbsmieujujgjlyzeb.exe gncxrwpmqxm.exe File opened for modification C:\Windows\SysWOW64\wkyrfwpivhpbvvue.exe gncxrwpmqxm.exe File opened for modification C:\Windows\SysWOW64\kcurjebypfrhfjmacigy.exe gncxrwpmqxm.exe File opened for modification C:\Windows\SysWOW64\wkyrfwpivhpbvvue.exe gncxrwpmqxm.exe File opened for modification C:\Windows\SysWOW64\zsljcywumdqhglpehongz.exe gncxrwpmqxm.exe File opened for modification C:\Windows\SysWOW64\mcsndwrmbpznjlmyyc.exe gncxrwpmqxm.exe File opened for modification 
C:\Windows\SysWOW64\zsljcywumdqhglpehongz.exe gncxrwpmqxm.exe File opened for modification C:\Windows\SysWOW64\qkedxutsldrjjpukowwqkj.exe gncxrwpmqxm.exe File created C:\Windows\SysWOW64\bazdceimkhaxcnxsbotsrvu.aec xchrweo.exe File opened for modification C:\Windows\SysWOW64\zsljcywumdqhglpehongz.exe gncxrwpmqxm.exe File opened for modification C:\Windows\SysWOW64\mcsndwrmbpznjlmyyc.exe gncxrwpmqxm.exe File opened for modification C:\Windows\SysWOW64\xofbsmieujujgjlyzeb.exe gncxrwpmqxm.exe File opened for modification C:\Windows\SysWOW64\mcsndwrmbpznjlmyyc.exe gncxrwpmqxm.exe File opened for modification C:\Windows\SysWOW64\kcurjebypfrhfjmacigy.exe gncxrwpmqxm.exe File opened for modification C:\Windows\SysWOW64\dshbqicwkxgtoppaz.exe gncxrwpmqxm.exe File opened for modification C:\Windows\SysWOW64\kcurjebypfrhfjmacigy.exe xchrweo.exe File opened for modification C:\Windows\SysWOW64\xofbsmieujujgjlyzeb.exe gncxrwpmqxm.exe File opened for modification C:\Windows\SysWOW64\mcsndwrmbpznjlmyyc.exe gncxrwpmqxm.exe File opened for modification C:\Windows\SysWOW64\kcurjebypfrhfjmacigy.exe gncxrwpmqxm.exe File opened for modification C:\Windows\SysWOW64\qkedxutsldrjjpukowwqkj.exe gncxrwpmqxm.exe File opened for modification C:\Windows\SysWOW64\wkyrfwpivhpbvvue.exe gncxrwpmqxm.exe File opened for modification C:\Windows\SysWOW64\zsljcywumdqhglpehongz.exe gncxrwpmqxm.exe File opened for modification C:\Windows\SysWOW64\dshbqicwkxgtoppaz.exe gncxrwpmqxm.exe File opened for modification C:\Windows\SysWOW64\qkedxutsldrjjpukowwqkj.exe gncxrwpmqxm.exe File opened for modification C:\Windows\SysWOW64\xofbsmieujujgjlyzeb.exe gncxrwpmqxm.exe File opened for modification C:\Windows\SysWOW64\dshbqicwkxgtoppaz.exe gncxrwpmqxm.exe File opened for modification C:\Windows\SysWOW64\dshbqicwkxgtoppaz.exe gncxrwpmqxm.exe File opened for modification C:\Windows\SysWOW64\wkyrfwpivhpbvvue.exe gncxrwpmqxm.exe File opened for modification C:\Windows\SysWOW64\xofbsmieujujgjlyzeb.exe gncxrwpmqxm.exe 
File opened for modification C:\Windows\SysWOW64\xofbsmieujujgjlyzeb.exe gncxrwpmqxm.exe File opened for modification C:\Windows\SysWOW64\mcsndwrmbpznjlmyyc.exe gncxrwpmqxm.exe File opened for modification C:\Windows\SysWOW64\dshbqicwkxgtoppaz.exe gncxrwpmqxm.exe File opened for modification C:\Windows\SysWOW64\kcurjebypfrhfjmacigy.exe gncxrwpmqxm.exe File opened for modification C:\Windows\SysWOW64\mcsndwrmbpznjlmyyc.exe gncxrwpmqxm.exe File opened for modification C:\Windows\SysWOW64\wkyrfwpivhpbvvue.exe xchrweo.exe File opened for modification C:\Windows\SysWOW64\mcsndwrmbpznjlmyyc.exe gncxrwpmqxm.exe File opened for modification C:\Windows\SysWOW64\kcurjebypfrhfjmacigy.exe gncxrwpmqxm.exe File opened for modification C:\Windows\SysWOW64\xofbsmieujujgjlyzeb.exe gncxrwpmqxm.exe File opened for modification C:\Windows\SysWOW64\qkedxutsldrjjpukowwqkj.exe gncxrwpmqxm.exe File opened for modification C:\Windows\SysWOW64\kcurjebypfrhfjmacigy.exe gncxrwpmqxm.exe File opened for modification C:\Windows\SysWOW64\zsljcywumdqhglpehongz.exe gncxrwpmqxm.exe File opened for modification C:\Windows\SysWOW64\zsljcywumdqhglpehongz.exe gncxrwpmqxm.exe File opened for modification C:\Windows\SysWOW64\zsljcywumdqhglpehongz.exe gncxrwpmqxm.exe File opened for modification C:\Windows\SysWOW64\qkedxutsldrjjpukowwqkj.exe gncxrwpmqxm.exe File opened for modification C:\Windows\SysWOW64\kcurjebypfrhfjmacigy.exe gncxrwpmqxm.exe File opened for modification C:\Windows\SysWOW64\kcurjebypfrhfjmacigy.exe gncxrwpmqxm.exe File opened for modification C:\Windows\SysWOW64\wkyrfwpivhpbvvue.exe gncxrwpmqxm.exe File opened for modification C:\Windows\SysWOW64\qkedxutsldrjjpukowwqkj.exe gncxrwpmqxm.exe -
Drops file in Program Files directory 4 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\bazdceimkhaxcnxsbotsrvu.aec xchrweo.exe File created C:\Program Files (x86)\bazdceimkhaxcnxsbotsrvu.aec xchrweo.exe File opened for modification C:\Program Files (x86)\oyixhujyhptbrnioigwgqfpcrgpxbjzvqw.oeo xchrweo.exe File created C:\Program Files (x86)\oyixhujyhptbrnioigwgqfpcrgpxbjzvqw.oeo xchrweo.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\dshbqicwkxgtoppaz.exe gncxrwpmqxm.exe File opened for modification C:\Windows\mcsndwrmbpznjlmyyc.exe gncxrwpmqxm.exe File opened for modification C:\Windows\qkedxutsldrjjpukowwqkj.exe gncxrwpmqxm.exe File opened for modification C:\Windows\mcsndwrmbpznjlmyyc.exe gncxrwpmqxm.exe File opened for modification C:\Windows\zsljcywumdqhglpehongz.exe gncxrwpmqxm.exe File opened for modification C:\Windows\qkedxutsldrjjpukowwqkj.exe gncxrwpmqxm.exe File opened for modification C:\Windows\kcurjebypfrhfjmacigy.exe gncxrwpmqxm.exe File opened for modification C:\Windows\dshbqicwkxgtoppaz.exe gncxrwpmqxm.exe File opened for modification C:\Windows\zsljcywumdqhglpehongz.exe gncxrwpmqxm.exe File opened for modification C:\Windows\dshbqicwkxgtoppaz.exe gncxrwpmqxm.exe File opened for modification C:\Windows\xofbsmieujujgjlyzeb.exe gncxrwpmqxm.exe File opened for modification C:\Windows\wkyrfwpivhpbvvue.exe gncxrwpmqxm.exe File opened for modification C:\Windows\xofbsmieujujgjlyzeb.exe gncxrwpmqxm.exe File opened for modification C:\Windows\mcsndwrmbpznjlmyyc.exe gncxrwpmqxm.exe File opened for modification C:\Windows\xofbsmieujujgjlyzeb.exe xchrweo.exe File opened for modification C:\Windows\dshbqicwkxgtoppaz.exe gncxrwpmqxm.exe File opened for modification C:\Windows\qkedxutsldrjjpukowwqkj.exe gncxrwpmqxm.exe File opened for modification C:\Windows\qkedxutsldrjjpukowwqkj.exe gncxrwpmqxm.exe File opened for modification C:\Windows\kcurjebypfrhfjmacigy.exe gncxrwpmqxm.exe File opened for modification C:\Windows\xofbsmieujujgjlyzeb.exe gncxrwpmqxm.exe File opened for modification C:\Windows\mcsndwrmbpznjlmyyc.exe gncxrwpmqxm.exe File opened for modification C:\Windows\mcsndwrmbpznjlmyyc.exe xchrweo.exe File opened for modification C:\Windows\qkedxutsldrjjpukowwqkj.exe gncxrwpmqxm.exe File opened for modification C:\Windows\mcsndwrmbpznjlmyyc.exe gncxrwpmqxm.exe File created 
C:\Windows\oyixhujyhptbrnioigwgqfpcrgpxbjzvqw.oeo xchrweo.exe File opened for modification C:\Windows\qkedxutsldrjjpukowwqkj.exe gncxrwpmqxm.exe File opened for modification C:\Windows\kcurjebypfrhfjmacigy.exe gncxrwpmqxm.exe File opened for modification C:\Windows\xofbsmieujujgjlyzeb.exe gncxrwpmqxm.exe File opened for modification C:\Windows\kcurjebypfrhfjmacigy.exe gncxrwpmqxm.exe File opened for modification C:\Windows\qkedxutsldrjjpukowwqkj.exe gncxrwpmqxm.exe File opened for modification C:\Windows\xofbsmieujujgjlyzeb.exe gncxrwpmqxm.exe File opened for modification C:\Windows\qkedxutsldrjjpukowwqkj.exe gncxrwpmqxm.exe File opened for modification C:\Windows\qkedxutsldrjjpukowwqkj.exe xchrweo.exe File opened for modification C:\Windows\wkyrfwpivhpbvvue.exe gncxrwpmqxm.exe File opened for modification C:\Windows\qkedxutsldrjjpukowwqkj.exe gncxrwpmqxm.exe File opened for modification C:\Windows\mcsndwrmbpznjlmyyc.exe gncxrwpmqxm.exe File opened for modification C:\Windows\kcurjebypfrhfjmacigy.exe gncxrwpmqxm.exe File opened for modification C:\Windows\mcsndwrmbpznjlmyyc.exe gncxrwpmqxm.exe File opened for modification C:\Windows\xofbsmieujujgjlyzeb.exe gncxrwpmqxm.exe File opened for modification C:\Windows\qkedxutsldrjjpukowwqkj.exe gncxrwpmqxm.exe File opened for modification C:\Windows\mcsndwrmbpznjlmyyc.exe gncxrwpmqxm.exe File opened for modification C:\Windows\qkedxutsldrjjpukowwqkj.exe gncxrwpmqxm.exe File opened for modification C:\Windows\kcurjebypfrhfjmacigy.exe gncxrwpmqxm.exe File opened for modification C:\Windows\wkyrfwpivhpbvvue.exe gncxrwpmqxm.exe File opened for modification C:\Windows\qkedxutsldrjjpukowwqkj.exe gncxrwpmqxm.exe File opened for modification C:\Windows\kcurjebypfrhfjmacigy.exe gncxrwpmqxm.exe File opened for modification C:\Windows\kcurjebypfrhfjmacigy.exe gncxrwpmqxm.exe File opened for modification C:\Windows\kcurjebypfrhfjmacigy.exe xchrweo.exe File opened for modification C:\Windows\bazdceimkhaxcnxsbotsrvu.aec xchrweo.exe 
File opened for modification C:\Windows\zsljcywumdqhglpehongz.exe gncxrwpmqxm.exe File opened for modification C:\Windows\wkyrfwpivhpbvvue.exe gncxrwpmqxm.exe File opened for modification C:\Windows\dshbqicwkxgtoppaz.exe gncxrwpmqxm.exe File opened for modification C:\Windows\zsljcywumdqhglpehongz.exe gncxrwpmqxm.exe File opened for modification C:\Windows\zsljcywumdqhglpehongz.exe gncxrwpmqxm.exe File opened for modification C:\Windows\xofbsmieujujgjlyzeb.exe xchrweo.exe File opened for modification C:\Windows\kcurjebypfrhfjmacigy.exe gncxrwpmqxm.exe File opened for modification C:\Windows\zsljcywumdqhglpehongz.exe gncxrwpmqxm.exe File opened for modification C:\Windows\xofbsmieujujgjlyzeb.exe gncxrwpmqxm.exe File opened for modification C:\Windows\dshbqicwkxgtoppaz.exe gncxrwpmqxm.exe File opened for modification C:\Windows\wkyrfwpivhpbvvue.exe xchrweo.exe File opened for modification C:\Windows\mcsndwrmbpznjlmyyc.exe gncxrwpmqxm.exe File opened for modification C:\Windows\qkedxutsldrjjpukowwqkj.exe gncxrwpmqxm.exe File opened for modification C:\Windows\dshbqicwkxgtoppaz.exe gncxrwpmqxm.exe File opened for modification C:\Windows\xofbsmieujujgjlyzeb.exe gncxrwpmqxm.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zsljcywumdqhglpehongz.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dshbqicwkxgtoppaz.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wkyrfwpivhpbvvue.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language kcurjebypfrhfjmacigy.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language kcurjebypfrhfjmacigy.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wkyrfwpivhpbvvue.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wkyrfwpivhpbvvue.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dshbqicwkxgtoppaz.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xofbsmieujujgjlyzeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wkyrfwpivhpbvvue.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wkyrfwpivhpbvvue.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xofbsmieujujgjlyzeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wkyrfwpivhpbvvue.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zsljcywumdqhglpehongz.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wkyrfwpivhpbvvue.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wkyrfwpivhpbvvue.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zsljcywumdqhglpehongz.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mcsndwrmbpznjlmyyc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xofbsmieujujgjlyzeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zsljcywumdqhglpehongz.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mcsndwrmbpznjlmyyc.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mcsndwrmbpznjlmyyc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dshbqicwkxgtoppaz.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xofbsmieujujgjlyzeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wkyrfwpivhpbvvue.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xofbsmieujujgjlyzeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wkyrfwpivhpbvvue.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zsljcywumdqhglpehongz.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mcsndwrmbpznjlmyyc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xofbsmieujujgjlyzeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language kcurjebypfrhfjmacigy.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language kcurjebypfrhfjmacigy.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dshbqicwkxgtoppaz.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language kcurjebypfrhfjmacigy.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zsljcywumdqhglpehongz.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dshbqicwkxgtoppaz.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dshbqicwkxgtoppaz.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language kcurjebypfrhfjmacigy.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xofbsmieujujgjlyzeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language kcurjebypfrhfjmacigy.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language kcurjebypfrhfjmacigy.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language kcurjebypfrhfjmacigy.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xofbsmieujujgjlyzeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wkyrfwpivhpbvvue.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xofbsmieujujgjlyzeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zsljcywumdqhglpehongz.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xofbsmieujujgjlyzeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xofbsmieujujgjlyzeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mcsndwrmbpznjlmyyc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zsljcywumdqhglpehongz.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xofbsmieujujgjlyzeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dshbqicwkxgtoppaz.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zsljcywumdqhglpehongz.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mcsndwrmbpznjlmyyc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wkyrfwpivhpbvvue.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zsljcywumdqhglpehongz.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mcsndwrmbpznjlmyyc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wkyrfwpivhpbvvue.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language kcurjebypfrhfjmacigy.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xofbsmieujujgjlyzeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dshbqicwkxgtoppaz.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zsljcywumdqhglpehongz.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dshbqicwkxgtoppaz.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dshbqicwkxgtoppaz.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 5356 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 5356 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 5356 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 5356 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 5356 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 5356 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 5356 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 5356 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 5356 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 5356 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 5356 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 5356 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 5356 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 5356 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 5356 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 5356 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 4384 xchrweo.exe 4384 xchrweo.exe 5356 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 5356 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 5356 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 5356 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 5356 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 5356 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 5356 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 5356 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 5356 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 5356 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 5356 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 5356 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 5356 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 5356 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 5356 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 5356 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 5356 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 5356 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 5356 
JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 5356 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 5356 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 5356 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 5356 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 5356 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 5356 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 5356 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 5356 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 5356 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 5356 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 5356 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 5356 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 5356 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 5356 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 5356 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 5356 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 5356 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 4384 xchrweo.exe 4384 xchrweo.exe 5356 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 5356 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 5356 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 5356 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 5356 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 5356 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 5356 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 5356 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4384 xchrweo.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5356 wrote to memory of 3320 5356 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 87 PID 5356 wrote to memory of 3320 5356 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 87 PID 5356 wrote to memory of 3320 5356 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 87 PID 6092 wrote to memory of 4932 6092 cmd.exe 90 PID 6092 wrote to memory of 4932 6092 cmd.exe 90 PID 6092 wrote to memory of 4932 6092 cmd.exe 90 PID 4496 wrote to memory of 4568 4496 cmd.exe 93 PID 4496 wrote to memory of 4568 4496 cmd.exe 93 PID 4496 wrote to memory of 4568 4496 cmd.exe 93 PID 4568 wrote to memory of 5148 4568 xofbsmieujujgjlyzeb.exe 98 PID 4568 wrote to memory of 5148 4568 xofbsmieujujgjlyzeb.exe 98 PID 4568 wrote to memory of 5148 4568 xofbsmieujujgjlyzeb.exe 98 PID 4864 wrote to memory of 4720 4864 cmd.exe 100 PID 4864 wrote to memory of 4720 4864 cmd.exe 100 PID 4864 wrote to memory of 4720 4864 cmd.exe 100 PID 2376 wrote to memory of 4896 2376 cmd.exe 104 PID 2376 wrote to memory of 4896 2376 cmd.exe 104 PID 2376 wrote to memory of 4896 2376 cmd.exe 104 PID 1916 wrote to memory of 3684 1916 cmd.exe 107 PID 1916 wrote to memory of 3684 1916 cmd.exe 107 PID 1916 wrote to memory of 3684 1916 cmd.exe 107 PID 2308 wrote to memory of 4732 2308 cmd.exe 108 PID 2308 wrote to memory of 4732 2308 cmd.exe 108 PID 2308 wrote to memory of 4732 2308 cmd.exe 108 PID 4896 wrote to memory of 5952 4896 wkyrfwpivhpbvvue.exe 109 PID 4896 wrote to memory of 5952 4896 wkyrfwpivhpbvvue.exe 109 PID 4896 wrote to memory of 5952 4896 wkyrfwpivhpbvvue.exe 109 PID 4732 wrote to memory of 4444 4732 kcurjebypfrhfjmacigy.exe 182 PID 4732 wrote to memory of 4444 4732 kcurjebypfrhfjmacigy.exe 182 PID 4732 wrote to memory of 4444 4732 kcurjebypfrhfjmacigy.exe 182 PID 2212 wrote to memory of 4632 2212 cmd.exe 115 PID 2212 wrote to memory of 4632 2212 cmd.exe 115 PID 2212 wrote to memory of 4632 2212 cmd.exe 115 PID 2320 wrote to memory of 1052 2320 cmd.exe 189 PID 
2320 wrote to memory of 1052 2320 cmd.exe 189 PID 2320 wrote to memory of 1052 2320 cmd.exe 189 PID 1052 wrote to memory of 3868 1052 zsljcywumdqhglpehongz.exe 119 PID 1052 wrote to memory of 3868 1052 zsljcywumdqhglpehongz.exe 119 PID 1052 wrote to memory of 3868 1052 zsljcywumdqhglpehongz.exe 119 PID 3320 wrote to memory of 4384 3320 gncxrwpmqxm.exe 120 PID 3320 wrote to memory of 4384 3320 gncxrwpmqxm.exe 120 PID 3320 wrote to memory of 4384 3320 gncxrwpmqxm.exe 120 PID 3320 wrote to memory of 2132 3320 gncxrwpmqxm.exe 121 PID 3320 wrote to memory of 2132 3320 gncxrwpmqxm.exe 121 PID 3320 wrote to memory of 2132 3320 gncxrwpmqxm.exe 121 PID 3916 wrote to memory of 5976 3916 cmd.exe 204 PID 3916 wrote to memory of 5976 3916 cmd.exe 204 PID 3916 wrote to memory of 5976 3916 cmd.exe 204 PID 744 wrote to memory of 2468 744 cmd.exe 129 PID 744 wrote to memory of 2468 744 cmd.exe 129 PID 744 wrote to memory of 2468 744 cmd.exe 129 PID 5296 wrote to memory of 5312 5296 cmd.exe 131 PID 5296 wrote to memory of 5312 5296 cmd.exe 131 PID 5296 wrote to memory of 5312 5296 cmd.exe 131 PID 2468 wrote to memory of 6084 2468 wkyrfwpivhpbvvue.exe 133 PID 2468 wrote to memory of 6084 2468 wkyrfwpivhpbvvue.exe 133 PID 2468 wrote to memory of 6084 2468 wkyrfwpivhpbvvue.exe 133 PID 1608 wrote to memory of 3336 1608 cmd.exe 299 PID 1608 wrote to memory of 3336 1608 cmd.exe 299 PID 1608 wrote to memory of 3336 1608 cmd.exe 299 PID 3872 wrote to memory of 3848 3872 cmd.exe 141 PID 3872 wrote to memory of 3848 3872 cmd.exe 141 PID 3872 wrote to memory of 3848 3872 cmd.exe 141 PID 1584 wrote to memory of 2496 1584 cmd.exe 142 -
System policy modification 1 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System gncxrwpmqxm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System gncxrwpmqxm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System gncxrwpmqxm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System gncxrwpmqxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncxrwpmqxm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System gncxrwpmqxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" gncxrwpmqxm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System gncxrwpmqxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" xchrweo.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" xchrweo.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" xchrweo.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" xchrweo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer xchrweo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System gncxrwpmqxm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System gncxrwpmqxm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System gncxrwpmqxm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System gncxrwpmqxm.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncxrwpmqxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncxrwpmqxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" xchrweo.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncxrwpmqxm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System gncxrwpmqxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncxrwpmqxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" xchrweo.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncxrwpmqxm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System gncxrwpmqxm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System gncxrwpmqxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncxrwpmqxm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System xchrweo.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncxrwpmqxm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System gncxrwpmqxm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System gncxrwpmqxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" xchrweo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System gncxrwpmqxm.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System gncxrwpmqxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" gncxrwpmqxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" xchrweo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer xchrweo.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncxrwpmqxm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System gncxrwpmqxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" xchrweo.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" xchrweo.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" gncxrwpmqxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" gncxrwpmqxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" xchrweo.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" xchrweo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System gncxrwpmqxm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer gncxrwpmqxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncxrwpmqxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncxrwpmqxm.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncxrwpmqxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" gncxrwpmqxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncxrwpmqxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncxrwpmqxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" xchrweo.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" xchrweo.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" xchrweo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System gncxrwpmqxm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System gncxrwpmqxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncxrwpmqxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" gncxrwpmqxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" xchrweo.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncxrwpmqxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" xchrweo.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe"  1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5356 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe  "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe*"  2⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3320 -
C:\Users\Admin\AppData\Local\Temp\xchrweo.exe  "C:\Users\Admin\AppData\Local\Temp\xchrweo.exe" "-C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe"  3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4384
-
-
C:\Users\Admin\AppData\Local\Temp\xchrweo.exe  "C:\Users\Admin\AppData\Local\Temp\xchrweo.exe" "-C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe"  3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2132
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kcurjebypfrhfjmacigy.exe1⤵
- Suspicious use of WriteProcessMemory
PID:6092 -
C:\Windows\kcurjebypfrhfjmacigy.exekcurjebypfrhfjmacigy.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4932
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xofbsmieujujgjlyzeb.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:4496 -
C:\Windows\xofbsmieujujgjlyzeb.exexofbsmieujujgjlyzeb.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4568 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\xofbsmieujujgjlyzeb.exe*."3⤵
- Executes dropped EXE
PID:5148
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kcurjebypfrhfjmacigy.exe1⤵
- Suspicious use of WriteProcessMemory
PID:4864 -
C:\Windows\kcurjebypfrhfjmacigy.exekcurjebypfrhfjmacigy.exe2⤵
- Executes dropped EXE
PID:4720
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wkyrfwpivhpbvvue.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\wkyrfwpivhpbvvue.exewkyrfwpivhpbvvue.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4896 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\wkyrfwpivhpbvvue.exe*."3⤵
- Executes dropped EXE
PID:5952
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exe1⤵
- Suspicious use of WriteProcessMemory
PID:1916 -
C:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exeC:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3684
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exeC:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exe .2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4732 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\kcurjebypfrhfjmacigy.exe*."3⤵
- Executes dropped EXE
PID:4444
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exe1⤵
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exeC:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exe2⤵
- Executes dropped EXE
PID:4632
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exeC:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1052 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zsljcywumdqhglpehongz.exe*."3⤵
- Executes dropped EXE
PID:3868
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zsljcywumdqhglpehongz.exe1⤵
- Suspicious use of WriteProcessMemory
PID:3916 -
C:\Windows\zsljcywumdqhglpehongz.exezsljcywumdqhglpehongz.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5976
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wkyrfwpivhpbvvue.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:744 -
C:\Windows\wkyrfwpivhpbvvue.exewkyrfwpivhpbvvue.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\wkyrfwpivhpbvvue.exe*."3⤵
- Executes dropped EXE
PID:6084
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zsljcywumdqhglpehongz.exe1⤵
- Suspicious use of WriteProcessMemory
PID:5296 -
C:\Windows\zsljcywumdqhglpehongz.exezsljcywumdqhglpehongz.exe2⤵
- Executes dropped EXE
PID:5312
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zsljcywumdqhglpehongz.exe1⤵
- Suspicious use of WriteProcessMemory
PID:1608 -
C:\Windows\zsljcywumdqhglpehongz.exezsljcywumdqhglpehongz.exe2⤵
- Executes dropped EXE
PID:3336
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xofbsmieujujgjlyzeb.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:3872 -
C:\Windows\xofbsmieujujgjlyzeb.exexofbsmieujujgjlyzeb.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3848 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\xofbsmieujujgjlyzeb.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:316
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dshbqicwkxgtoppaz.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:1584 -
C:\Windows\dshbqicwkxgtoppaz.exedshbqicwkxgtoppaz.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
PID:2496 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\dshbqicwkxgtoppaz.exe*."3⤵
- Executes dropped EXE
PID:5696
-
-
-
C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exe  1⤵  PID:5456
-
C:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exeC:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exe2⤵
- Executes dropped EXE
PID:5028
-
-
C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exe .  1⤵  PID:1508
-
C:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exeC:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exe .2⤵
- Executes dropped EXE
PID:4024 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\mcsndwrmbpznjlmyyc.exe*."3⤵
- Executes dropped EXE
PID:1444
-
-
-
C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c zsljcywumdqhglpehongz.exe  1⤵  PID:5328
-
C:\Windows\zsljcywumdqhglpehongz.exezsljcywumdqhglpehongz.exe2⤵
- Executes dropped EXE
PID:1324
-
-
C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c dshbqicwkxgtoppaz.exe .  1⤵  PID:2976
-
C:\Windows\dshbqicwkxgtoppaz.exedshbqicwkxgtoppaz.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2540 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\dshbqicwkxgtoppaz.exe*."3⤵
- Executes dropped EXE
PID:3420
-
-
-
C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exe  1⤵  PID:2780
-
C:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exeC:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exe2⤵
- Executes dropped EXE
PID:4864
-
-
C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exe .  1⤵  PID:1676
-
C:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exeC:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exe .2⤵
- Executes dropped EXE
PID:4220 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\dshbqicwkxgtoppaz.exe*."3⤵
- Executes dropped EXE
PID:2376
-
-
-
C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exe  1⤵  PID:3040
-
C:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exeC:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4820
-
-
C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exe .  1⤵  PID:6100
-
C:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exeC:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exe .2⤵
- Executes dropped EXE
PID:5420 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zsljcywumdqhglpehongz.exe*."3⤵
- Executes dropped EXE
PID:4444
-
-
-
C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exe  1⤵  PID:4544
-
C:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exeC:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exe2⤵
- Executes dropped EXE
PID:4712
-
-
C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exe .  1⤵  PID:4508
-
C:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exeC:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3396 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\mcsndwrmbpznjlmyyc.exe*."3⤵
- Executes dropped EXE
PID:4268
-
-
-
C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c kcurjebypfrhfjmacigy.exe  1⤵  PID:3732
-
C:\Windows\kcurjebypfrhfjmacigy.exekcurjebypfrhfjmacigy.exe2⤵
- Executes dropped EXE
PID:4652
-
-
C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c xofbsmieujujgjlyzeb.exe .  1⤵  PID:4048
-
C:\Windows\xofbsmieujujgjlyzeb.exexofbsmieujujgjlyzeb.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
PID:2024 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\xofbsmieujujgjlyzeb.exe*."3⤵
- Executes dropped EXE
PID:1052
-
-
-
C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c kcurjebypfrhfjmacigy.exe  1⤵  PID:5424
-
C:\Windows\kcurjebypfrhfjmacigy.exekcurjebypfrhfjmacigy.exe2⤵
- Executes dropped EXE
PID:2900
-
-
C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c xofbsmieujujgjlyzeb.exe .  1⤵  PID:2616
-
C:\Windows\xofbsmieujujgjlyzeb.exexofbsmieujujgjlyzeb.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
PID:2740 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\xofbsmieujujgjlyzeb.exe*."3⤵
- Executes dropped EXE
PID:452
-
-
-
C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exe  1⤵  PID:2356
-
C:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exeC:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2444
-
-
C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exe .  1⤵  PID:1808
-
C:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exeC:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exe .2⤵
- Executes dropped EXE
PID:4832 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\xofbsmieujujgjlyzeb.exe*."3⤵
- Executes dropped EXE
PID:1912
-
-
-
C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exe  1⤵  PID:5452
-
C:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exeC:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exe2⤵
- Executes dropped EXE
PID:5976
-
-
C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe .  1⤵  PID:32
-
C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exeC:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
PID:1852 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\wkyrfwpivhpbvvue.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2396
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kcurjebypfrhfjmacigy.exe1⤵PID:3336
-
C:\Windows\kcurjebypfrhfjmacigy.exekcurjebypfrhfjmacigy.exe2⤵
- Executes dropped EXE
PID:1796
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dshbqicwkxgtoppaz.exe .1⤵PID:4112
-
C:\Windows\dshbqicwkxgtoppaz.exedshbqicwkxgtoppaz.exe .2⤵
- Executes dropped EXE
PID:5996 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\dshbqicwkxgtoppaz.exe*."3⤵
- Executes dropped EXE
PID:4272
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mcsndwrmbpznjlmyyc.exe1⤵PID:4016
-
C:\Windows\mcsndwrmbpznjlmyyc.exemcsndwrmbpznjlmyyc.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2856
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xofbsmieujujgjlyzeb.exe1⤵PID:4312
-
C:\Windows\xofbsmieujujgjlyzeb.exexofbsmieujujgjlyzeb.exe2⤵
- Executes dropped EXE
PID:2688
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zsljcywumdqhglpehongz.exe .1⤵PID:5504
-
C:\Windows\zsljcywumdqhglpehongz.exezsljcywumdqhglpehongz.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:536 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zsljcywumdqhglpehongz.exe*."3⤵
- Executes dropped EXE
PID:4816
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xofbsmieujujgjlyzeb.exe .1⤵PID:5692
-
C:\Windows\xofbsmieujujgjlyzeb.exexofbsmieujujgjlyzeb.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5480 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\xofbsmieujujgjlyzeb.exe*."3⤵
- Executes dropped EXE
PID:5184
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exe1⤵PID:6008
-
C:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exeC:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exe2⤵
- Executes dropped EXE
PID:912
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mcsndwrmbpznjlmyyc.exe1⤵PID:5468
-
C:\Windows\mcsndwrmbpznjlmyyc.exemcsndwrmbpznjlmyyc.exe2⤵
- Executes dropped EXE
PID:3188
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe .1⤵PID:5608
-
C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exeC:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2484 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\wkyrfwpivhpbvvue.exe*."3⤵PID:4652
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dshbqicwkxgtoppaz.exe1⤵PID:4952
-
C:\Windows\dshbqicwkxgtoppaz.exedshbqicwkxgtoppaz.exe2⤵
- Executes dropped EXE
PID:2188
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zsljcywumdqhglpehongz.exe .1⤵PID:4908
-
C:\Windows\zsljcywumdqhglpehongz.exezsljcywumdqhglpehongz.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1800 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zsljcywumdqhglpehongz.exe*."3⤵PID:860
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kcurjebypfrhfjmacigy.exe .1⤵PID:4868
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3420
-
-
C:\Windows\kcurjebypfrhfjmacigy.exekcurjebypfrhfjmacigy.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4904 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\kcurjebypfrhfjmacigy.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3976
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exe1⤵PID:3040
-
C:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exeC:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exe2⤵PID:3252
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exe1⤵PID:4644
-
C:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exeC:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exe2⤵PID:1932
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exe .1⤵PID:2592
-
C:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exeC:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5056 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\dshbqicwkxgtoppaz.exe*."3⤵PID:3404
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kcurjebypfrhfjmacigy.exe1⤵PID:1508
-
C:\Windows\kcurjebypfrhfjmacigy.exekcurjebypfrhfjmacigy.exe2⤵PID:208
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe .1⤵PID:736
-
C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exeC:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2684 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\wkyrfwpivhpbvvue.exe*."3⤵PID:1912
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mcsndwrmbpznjlmyyc.exe .1⤵PID:1944
-
C:\Windows\mcsndwrmbpznjlmyyc.exemcsndwrmbpznjlmyyc.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1072 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\mcsndwrmbpznjlmyyc.exe*."3⤵PID:2236
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exe1⤵PID:4420
-
C:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exeC:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exe2⤵PID:896
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe .1⤵PID:5776
-
C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exeC:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe .2⤵PID:1264
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\wkyrfwpivhpbvvue.exe*."3⤵PID:3708
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exe1⤵PID:4720
-
C:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exeC:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exe2⤵PID:5900
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exe .1⤵PID:5852
-
C:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exeC:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4984 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\xofbsmieujujgjlyzeb.exe*."3⤵PID:3560
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exe1⤵PID:3484
-
C:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exeC:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exe2⤵PID:408
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exe .1⤵PID:2616
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4832
-
-
C:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exeC:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5884 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zsljcywumdqhglpehongz.exe*."3⤵PID:4548
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kcurjebypfrhfjmacigy.exe1⤵PID:2208
-
C:\Windows\kcurjebypfrhfjmacigy.exekcurjebypfrhfjmacigy.exe2⤵PID:4116
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xofbsmieujujgjlyzeb.exe .1⤵PID:1852
-
C:\Windows\xofbsmieujujgjlyzeb.exexofbsmieujujgjlyzeb.exe .2⤵
- Checks computer location settings
PID:3824 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\xofbsmieujujgjlyzeb.exe*."3⤵PID:1596
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zsljcywumdqhglpehongz.exe1⤵PID:1728
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3336
-
-
C:\Windows\zsljcywumdqhglpehongz.exezsljcywumdqhglpehongz.exe2⤵PID:3344
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zsljcywumdqhglpehongz.exe .1⤵PID:5860
-
C:\Windows\zsljcywumdqhglpehongz.exezsljcywumdqhglpehongz.exe .2⤵
- Checks computer location settings
PID:3872 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zsljcywumdqhglpehongz.exe*."3⤵PID:548
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exe1⤵PID:1568
-
C:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exeC:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exe2⤵PID:3228
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exe .1⤵PID:1132
-
C:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exeC:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exe .2⤵
- Checks computer location settings
PID:1980 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\mcsndwrmbpznjlmyyc.exe*."3⤵PID:3980
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe1⤵PID:2532
-
C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exeC:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe2⤵PID:5684
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe .1⤵PID:2220
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2188
-
-
C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exeC:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe .2⤵
- Checks computer location settings
PID:6140 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\wkyrfwpivhpbvvue.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5500
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xofbsmieujujgjlyzeb.exe1⤵PID:3356
-
C:\Windows\xofbsmieujujgjlyzeb.exexofbsmieujujgjlyzeb.exe2⤵PID:4232
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wkyrfwpivhpbvvue.exe .1⤵PID:1620
-
C:\Windows\wkyrfwpivhpbvvue.exewkyrfwpivhpbvvue.exe .2⤵
- Checks computer location settings
PID:4804 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\wkyrfwpivhpbvvue.exe*."3⤵PID:1800
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xofbsmieujujgjlyzeb.exe1⤵PID:3252
-
C:\Windows\xofbsmieujujgjlyzeb.exexofbsmieujujgjlyzeb.exe2⤵PID:1916
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kcurjebypfrhfjmacigy.exe .1⤵PID:4464
-
C:\Windows\kcurjebypfrhfjmacigy.exekcurjebypfrhfjmacigy.exe .2⤵PID:2120
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\kcurjebypfrhfjmacigy.exe*."3⤵PID:5152
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exe1⤵PID:2092
-
C:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exeC:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exe2⤵PID:2356
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exe .1⤵PID:3404
-
C:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exeC:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:996 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\kcurjebypfrhfjmacigy.exe*."3⤵PID:4104
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exe1⤵PID:1092
-
C:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exeC:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exe2⤵PID:1068
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe .1⤵PID:4556
-
C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exeC:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2116 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\wkyrfwpivhpbvvue.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2028
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mcsndwrmbpznjlmyyc.exe1⤵PID:5424
-
C:\Windows\mcsndwrmbpznjlmyyc.exemcsndwrmbpznjlmyyc.exe2⤵PID:408
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kcurjebypfrhfjmacigy.exe .1⤵PID:1076
-
C:\Windows\kcurjebypfrhfjmacigy.exekcurjebypfrhfjmacigy.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4640 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\kcurjebypfrhfjmacigy.exe*."3⤵PID:4684
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zsljcywumdqhglpehongz.exe1⤵PID:32
-
C:\Windows\zsljcywumdqhglpehongz.exezsljcywumdqhglpehongz.exe2⤵PID:5748
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xofbsmieujujgjlyzeb.exe .1⤵PID:856
-
C:\Windows\xofbsmieujujgjlyzeb.exexofbsmieujujgjlyzeb.exe .2⤵PID:4580
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\xofbsmieujujgjlyzeb.exe*."3⤵PID:2076
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exe1⤵PID:5848
-
C:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exeC:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exe2⤵PID:5292
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe .1⤵PID:2208
-
C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exeC:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4736 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\wkyrfwpivhpbvvue.exe*."3⤵PID:5208
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exe1⤵PID:1064
-
C:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exeC:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exe2⤵PID:5376
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exe .1⤵PID:532
-
C:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exeC:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5488 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\xofbsmieujujgjlyzeb.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1852
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wkyrfwpivhpbvvue.exe1⤵PID:744
-
C:\Windows\wkyrfwpivhpbvvue.exewkyrfwpivhpbvvue.exe2⤵PID:5368
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xofbsmieujujgjlyzeb.exe .1⤵PID:3124
-
C:\Windows\xofbsmieujujgjlyzeb.exexofbsmieujujgjlyzeb.exe .2⤵
- Checks computer location settings
PID:2420 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\xofbsmieujujgjlyzeb.exe*."3⤵PID:3376
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kcurjebypfrhfjmacigy.exe1⤵PID:4392
-
C:\Windows\kcurjebypfrhfjmacigy.exekcurjebypfrhfjmacigy.exe2⤵PID:5180
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dshbqicwkxgtoppaz.exe .1⤵PID:4728
-
C:\Windows\dshbqicwkxgtoppaz.exedshbqicwkxgtoppaz.exe .2⤵
- Checks computer location settings
PID:4536 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\dshbqicwkxgtoppaz.exe*."3⤵PID:5504
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exe1⤵PID:2948
-
C:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exeC:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exe2⤵PID:3000
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exe .1⤵PID:5184
-
C:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exeC:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exe .2⤵PID:332
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\dshbqicwkxgtoppaz.exe*."3⤵PID:4864
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exe1⤵PID:2780
-
C:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exeC:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exe2⤵PID:3360
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exe .1⤵PID:1176
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4652
-
-
C:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exeC:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exe .2⤵PID:4648
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zsljcywumdqhglpehongz.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3388
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mcsndwrmbpznjlmyyc.exe1⤵PID:3612
-
C:\Windows\mcsndwrmbpznjlmyyc.exemcsndwrmbpznjlmyyc.exe2⤵PID:2476
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kcurjebypfrhfjmacigy.exe .1⤵PID:1932
-
C:\Windows\kcurjebypfrhfjmacigy.exekcurjebypfrhfjmacigy.exe .2⤵
- Checks computer location settings
PID:6032 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\kcurjebypfrhfjmacigy.exe*."3⤵PID:1256
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kcurjebypfrhfjmacigy.exe1⤵PID:1872
-
C:\Windows\kcurjebypfrhfjmacigy.exekcurjebypfrhfjmacigy.exe2⤵PID:5212
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kcurjebypfrhfjmacigy.exe .1⤵PID:4672
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:860
-
-
C:\Windows\kcurjebypfrhfjmacigy.exekcurjebypfrhfjmacigy.exe .2⤵
- System Location Discovery: System Language Discovery
PID:996 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\kcurjebypfrhfjmacigy.exe*."3⤵PID:4632
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exe1⤵PID:4044
-
C:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exeC:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exe2⤵PID:4540
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exe .1⤵PID:5420
-
C:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exeC:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4924 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\dshbqicwkxgtoppaz.exe*."3⤵PID:1748
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe1⤵PID:2520
-
C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exeC:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe2⤵PID:2236
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exe .1⤵PID:4660
-
C:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exeC:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exe .2⤵
- Checks computer location settings
PID:4048 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zsljcywumdqhglpehongz.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5164
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xofbsmieujujgjlyzeb.exe1⤵PID:1944
-
C:\Windows\xofbsmieujujgjlyzeb.exexofbsmieujujgjlyzeb.exe2⤵PID:6000
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zsljcywumdqhglpehongz.exe .1⤵PID:2232
-
C:\Windows\zsljcywumdqhglpehongz.exezsljcywumdqhglpehongz.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1788 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zsljcywumdqhglpehongz.exe*."3⤵PID:2872
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wkyrfwpivhpbvvue.exe1⤵PID:1264
-
C:\Windows\wkyrfwpivhpbvvue.exewkyrfwpivhpbvvue.exe2⤵PID:3560
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kcurjebypfrhfjmacigy.exe .1⤵PID:3424
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4984
-
-
C:\Windows\kcurjebypfrhfjmacigy.exekcurjebypfrhfjmacigy.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2864 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\kcurjebypfrhfjmacigy.exe*."3⤵PID:4404
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe1⤵PID:6104
-
C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exeC:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe2⤵PID:3604
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exe .1⤵PID:5688
-
C:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exeC:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4036 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\kcurjebypfrhfjmacigy.exe*."3⤵PID:2468
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exe1⤵PID:1992
-
C:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exeC:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exe2⤵PID:1128
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe .1⤵PID:5132
-
C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exeC:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe .2⤵
- Checks computer location settings
PID:3228 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\wkyrfwpivhpbvvue.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
PID:5324
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dshbqicwkxgtoppaz.exe1⤵PID:1588
-
C:\Windows\dshbqicwkxgtoppaz.exedshbqicwkxgtoppaz.exe2⤵PID:5180
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wkyrfwpivhpbvvue.exe1⤵PID:1956
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3872
-
-
C:\Windows\wkyrfwpivhpbvvue.exewkyrfwpivhpbvvue.exe2⤵PID:4520
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wkyrfwpivhpbvvue.exe .1⤵PID:4084
-
C:\Windows\wkyrfwpivhpbvvue.exewkyrfwpivhpbvvue.exe .2⤵PID:4488
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\wkyrfwpivhpbvvue.exe*."3⤵PID:912
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xofbsmieujujgjlyzeb.exe .1⤵PID:5468
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5684
-
-
C:\Windows\xofbsmieujujgjlyzeb.exexofbsmieujujgjlyzeb.exe .2⤵PID:2532
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\xofbsmieujujgjlyzeb.exe*."3⤵PID:872
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zsljcywumdqhglpehongz.exe1⤵PID:1432
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:6140
-
-
C:\Windows\zsljcywumdqhglpehongz.exezsljcywumdqhglpehongz.exe2⤵PID:468
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mcsndwrmbpznjlmyyc.exe1⤵PID:4756
-
C:\Windows\mcsndwrmbpznjlmyyc.exemcsndwrmbpznjlmyyc.exe2⤵PID:2820
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xofbsmieujujgjlyzeb.exe .1⤵PID:2308
-
C:\Windows\xofbsmieujujgjlyzeb.exexofbsmieujujgjlyzeb.exe .2⤵PID:1676
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\xofbsmieujujgjlyzeb.exe*."3⤵PID:3040
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wkyrfwpivhpbvvue.exe1⤵PID:216
-
C:\Windows\wkyrfwpivhpbvvue.exewkyrfwpivhpbvvue.exe2⤵PID:64
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exe1⤵PID:4564
-
C:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exeC:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exe2⤵PID:5932
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zsljcywumdqhglpehongz.exe .1⤵PID:1176
-
C:\Windows\zsljcywumdqhglpehongz.exezsljcywumdqhglpehongz.exe .2⤵
- Checks computer location settings
PID:1672 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zsljcywumdqhglpehongz.exe*."3⤵PID:1920
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wkyrfwpivhpbvvue.exe .1⤵PID:4532
-
C:\Windows\wkyrfwpivhpbvvue.exewkyrfwpivhpbvvue.exe .2⤵PID:4072
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\wkyrfwpivhpbvvue.exe*."3⤵PID:3004
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exe1⤵PID:60
-
C:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exeC:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exe2⤵PID:4712
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exe .1⤵PID:3524
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3252
-
-
C:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exeC:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4452 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\xofbsmieujujgjlyzeb.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5520
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exe .1⤵PID:2324
-
C:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exeC:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5724 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\dshbqicwkxgtoppaz.exe*."3⤵PID:4688
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kcurjebypfrhfjmacigy.exe1⤵PID:3912
-
C:\Windows\kcurjebypfrhfjmacigy.exekcurjebypfrhfjmacigy.exe2⤵PID:5948
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dshbqicwkxgtoppaz.exe .1⤵PID:996
-
C:\Windows\dshbqicwkxgtoppaz.exedshbqicwkxgtoppaz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1996 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\dshbqicwkxgtoppaz.exe*."3⤵PID:3020
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exe1⤵PID:5500
-
C:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exeC:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exe2⤵PID:1240
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exe1⤵PID:3372
-
C:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exeC:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exe2⤵PID:1496
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exe .1⤵PID:2520
-
C:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exeC:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3928 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\dshbqicwkxgtoppaz.exe*."3⤵PID:3156
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exe .1⤵PID:928
-
C:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exeC:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exe .2⤵PID:5452
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zsljcywumdqhglpehongz.exe*."3⤵PID:5164
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exe1⤵PID:4020
-
C:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exeC:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exe2⤵PID:2864
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe .1⤵PID:5352
-
C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exeC:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5132 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\wkyrfwpivhpbvvue.exe*."3⤵PID:3636
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exe1⤵PID:1076
-
C:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exeC:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exe2⤵PID:532
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exe .1⤵PID:3604
-
C:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exeC:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5820 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\xofbsmieujujgjlyzeb.exe*."3⤵PID:2496
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xofbsmieujujgjlyzeb.exe1⤵PID:4056
-
C:\Windows\xofbsmieujujgjlyzeb.exexofbsmieujujgjlyzeb.exe2⤵PID:1568
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xofbsmieujujgjlyzeb.exe .1⤵PID:5180
-
C:\Windows\xofbsmieujujgjlyzeb.exexofbsmieujujgjlyzeb.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1588 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\xofbsmieujujgjlyzeb.exe*."3⤵PID:4920
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dshbqicwkxgtoppaz.exe1⤵PID:5572
-
C:\Windows\dshbqicwkxgtoppaz.exedshbqicwkxgtoppaz.exe2⤵PID:4492
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mcsndwrmbpznjlmyyc.exe .1⤵PID:1056
-
C:\Windows\mcsndwrmbpznjlmyyc.exemcsndwrmbpznjlmyyc.exe .2⤵PID:3564
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\mcsndwrmbpznjlmyyc.exe*."3⤵PID:1432
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exe1⤵PID:4592
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5480
-
-
C:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exeC:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exe2⤵PID:2780
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe .1⤵PID:5384
-
C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exeC:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:6136 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\wkyrfwpivhpbvvue.exe*."3⤵PID:3116
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exe1⤵PID:6108
-
C:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exeC:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exe2⤵PID:2928
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe .1⤵PID:1396
-
C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exeC:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4672 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\wkyrfwpivhpbvvue.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- System policy modification
PID:4312
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dshbqicwkxgtoppaz.exe1⤵PID:4712
-
C:\Windows\dshbqicwkxgtoppaz.exedshbqicwkxgtoppaz.exe2⤵PID:5392
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zsljcywumdqhglpehongz.exe .1⤵PID:4700
-
C:\Windows\zsljcywumdqhglpehongz.exezsljcywumdqhglpehongz.exe .2⤵PID:5064
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zsljcywumdqhglpehongz.exe*."3⤵PID:1800
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zsljcywumdqhglpehongz.exe1⤵PID:2900
-
C:\Windows\zsljcywumdqhglpehongz.exezsljcywumdqhglpehongz.exe2⤵PID:3432
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xofbsmieujujgjlyzeb.exe .1⤵PID:960
-
C:\Windows\xofbsmieujujgjlyzeb.exexofbsmieujujgjlyzeb.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5664 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\xofbsmieujujgjlyzeb.exe*."3⤵PID:4604
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exe1⤵PID:5880
-
C:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exeC:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exe2⤵PID:5724
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe .1⤵PID:4692
-
C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exeC:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2700 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\wkyrfwpivhpbvvue.exe*."3⤵PID:5328
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exe1⤵PID:4256
-
C:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exeC:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exe2⤵PID:4680
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exe .1⤵PID:6012
-
C:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exeC:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exe .2⤵
- Checks computer location settings
PID:3800 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zsljcywumdqhglpehongz.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4668
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wkyrfwpivhpbvvue.exe1⤵PID:1808
-
C:\Windows\wkyrfwpivhpbvvue.exewkyrfwpivhpbvvue.exe2⤵PID:408
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kcurjebypfrhfjmacigy.exe .1⤵PID:2528
-
C:\Windows\kcurjebypfrhfjmacigy.exekcurjebypfrhfjmacigy.exe .2⤵
- Checks computer location settings
PID:2816 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\kcurjebypfrhfjmacigy.exe*."3⤵PID:4484
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dshbqicwkxgtoppaz.exe1⤵PID:1912
-
C:\Windows\dshbqicwkxgtoppaz.exedshbqicwkxgtoppaz.exe2⤵PID:2688
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mcsndwrmbpznjlmyyc.exe .1⤵PID:4840
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3228
-
-
C:\Windows\mcsndwrmbpznjlmyyc.exemcsndwrmbpznjlmyyc.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4408 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\mcsndwrmbpznjlmyyc.exe*."3⤵PID:3344
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exe1⤵PID:5292
-
C:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exeC:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exe2⤵PID:4016
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe .1⤵PID:5368
-
C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exeC:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5188 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\wkyrfwpivhpbvvue.exe*."3⤵PID:3980
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exe1⤵PID:448
-
C:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exeC:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exe2⤵PID:2604
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exe .1⤵PID:4608
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1980
-
-
C:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exeC:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4056 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\mcsndwrmbpznjlmyyc.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2400
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xofbsmieujujgjlyzeb.exe1⤵PID:4776
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4488
-
-
C:\Windows\xofbsmieujujgjlyzeb.exexofbsmieujujgjlyzeb.exe2⤵PID:5360
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zsljcywumdqhglpehongz.exe .1⤵PID:4664
-
C:\Windows\zsljcywumdqhglpehongz.exezsljcywumdqhglpehongz.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4864 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zsljcywumdqhglpehongz.exe*."3⤵PID:4768
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kcurjebypfrhfjmacigy.exe1⤵PID:4168
-
C:\Windows\kcurjebypfrhfjmacigy.exekcurjebypfrhfjmacigy.exe2⤵PID:700
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wkyrfwpivhpbvvue.exe .1⤵PID:5316
-
C:\Windows\wkyrfwpivhpbvvue.exewkyrfwpivhpbvvue.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1752 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\wkyrfwpivhpbvvue.exe*."3⤵PID:2408
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe1⤵PID:1676
-
C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exeC:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe2⤵PID:2792
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exe .1⤵PID:436
-
C:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exeC:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:452 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zsljcywumdqhglpehongz.exe*."3⤵PID:2952
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exe1⤵PID:4544
-
C:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exeC:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exe2⤵PID:4580
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exe .1⤵PID:1800
-
C:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exeC:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:6052 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\xofbsmieujujgjlyzeb.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1084
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wkyrfwpivhpbvvue.exe1⤵PID:1256
-
C:\Windows\wkyrfwpivhpbvvue.exewkyrfwpivhpbvvue.exe2⤵PID:4764
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kcurjebypfrhfjmacigy.exe .1⤵PID:5880
-
C:\Windows\kcurjebypfrhfjmacigy.exekcurjebypfrhfjmacigy.exe .2⤵PID:6092
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\kcurjebypfrhfjmacigy.exe*."3⤵PID:3112
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wkyrfwpivhpbvvue.exe1⤵PID:2980
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4116
-
-
C:\Windows\wkyrfwpivhpbvvue.exewkyrfwpivhpbvvue.exe2⤵PID:5912
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xofbsmieujujgjlyzeb.exe .1⤵PID:2692
-
C:\Windows\xofbsmieujujgjlyzeb.exexofbsmieujujgjlyzeb.exe .2⤵
- Checks computer location settings
PID:5376 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\xofbsmieujujgjlyzeb.exe*."3⤵PID:4036
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exe1⤵PID:2324
-
C:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exeC:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exe2⤵PID:4312
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe .1⤵PID:3824
-
C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exeC:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe .2⤵PID:3868
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\wkyrfwpivhpbvvue.exe*."3⤵PID:768
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe1⤵PID:532
-
C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exeC:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe2⤵PID:5532
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exe .1⤵PID:5456
-
C:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exeC:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exe .2⤵
- Checks computer location settings
PID:4484 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zsljcywumdqhglpehongz.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2528
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dshbqicwkxgtoppaz.exe1⤵PID:4832
-
C:\Windows\dshbqicwkxgtoppaz.exedshbqicwkxgtoppaz.exe2⤵PID:1836
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wkyrfwpivhpbvvue.exe .1⤵PID:3708
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5292
-
-
C:\Windows\wkyrfwpivhpbvvue.exewkyrfwpivhpbvvue.exe .2⤵
- Checks computer location settings
PID:5860 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\wkyrfwpivhpbvvue.exe*."3⤵PID:2152
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xofbsmieujujgjlyzeb.exe1⤵PID:4548
-
C:\Windows\xofbsmieujujgjlyzeb.exexofbsmieujujgjlyzeb.exe2⤵PID:4612
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kcurjebypfrhfjmacigy.exe .1⤵PID:4520
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2420
-
-
C:\Windows\kcurjebypfrhfjmacigy.exekcurjebypfrhfjmacigy.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4084 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\kcurjebypfrhfjmacigy.exe*."3⤵PID:5592
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exe1⤵PID:4780
-
C:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exeC:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exe2⤵PID:5864
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exe .1⤵PID:1000
-
C:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exeC:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exe .2⤵PID:5340
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\xofbsmieujujgjlyzeb.exe*."3⤵PID:2188
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exe1⤵PID:1432
-
C:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exeC:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exe2⤵PID:912
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe .1⤵PID:4172
-
C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exeC:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe .2⤵
- Checks computer location settings
PID:2532 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\wkyrfwpivhpbvvue.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:6136
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mcsndwrmbpznjlmyyc.exe1⤵PID:3188
-
C:\Windows\mcsndwrmbpznjlmyyc.exemcsndwrmbpznjlmyyc.exe2⤵PID:4664
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mcsndwrmbpznjlmyyc.exe .1⤵PID:4676
-
C:\Windows\mcsndwrmbpznjlmyyc.exemcsndwrmbpznjlmyyc.exe .2⤵PID:1752
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\mcsndwrmbpznjlmyyc.exe*."3⤵PID:2780
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zsljcywumdqhglpehongz.exe1⤵PID:872
-
C:\Windows\zsljcywumdqhglpehongz.exezsljcywumdqhglpehongz.exe2⤵PID:6108
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mcsndwrmbpznjlmyyc.exe1⤵PID:804
-
C:\Windows\mcsndwrmbpznjlmyyc.exemcsndwrmbpznjlmyyc.exe2⤵PID:4660
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dshbqicwkxgtoppaz.exe .1⤵PID:5468
-
C:\Windows\dshbqicwkxgtoppaz.exedshbqicwkxgtoppaz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5220 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\dshbqicwkxgtoppaz.exe*."3⤵PID:3504
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wkyrfwpivhpbvvue.exe .1⤵PID:4216
-
C:\Windows\wkyrfwpivhpbvvue.exewkyrfwpivhpbvvue.exe .2⤵
- Checks computer location settings
PID:5244 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\wkyrfwpivhpbvvue.exe*."3⤵PID:3916
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exe1⤵PID:436
-
C:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exeC:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exe2⤵PID:1944
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zsljcywumdqhglpehongz.exe1⤵PID:3884
-
C:\Windows\zsljcywumdqhglpehongz.exezsljcywumdqhglpehongz.exe2⤵PID:1412
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exe .1⤵PID:1240
-
C:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exeC:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2024 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\dshbqicwkxgtoppaz.exe*."3⤵PID:2816
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xofbsmieujujgjlyzeb.exe1⤵PID:4760
-
C:\Windows\xofbsmieujujgjlyzeb.exexofbsmieujujgjlyzeb.exe2⤵PID:5044
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wkyrfwpivhpbvvue.exe .1⤵PID:5748
-
C:\Windows\wkyrfwpivhpbvvue.exewkyrfwpivhpbvvue.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2744 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\wkyrfwpivhpbvvue.exe*."3⤵PID:1624
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mcsndwrmbpznjlmyyc.exe .1⤵PID:5148
-
C:\Windows\mcsndwrmbpznjlmyyc.exemcsndwrmbpznjlmyyc.exe .2⤵PID:2832
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\mcsndwrmbpznjlmyyc.exe*."3⤵PID:4344
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exe1⤵PID:5912
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5500
-
-
C:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exeC:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exe2⤵PID:2428
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exe1⤵PID:3004
-
C:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exeC:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exe2⤵PID:4832
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe .1⤵PID:4820
-
C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exeC:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4436 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\wkyrfwpivhpbvvue.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5864
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wkyrfwpivhpbvvue.exe1⤵PID:540
-
C:\Windows\wkyrfwpivhpbvvue.exewkyrfwpivhpbvvue.exe2⤵PID:4684
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe .1⤵PID:2684
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1916
-
-
C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exeC:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe .2⤵
- Checks computer location settings
PID:6104 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\wkyrfwpivhpbvvue.exe*."3⤵PID:5808
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xofbsmieujujgjlyzeb.exe .1⤵PID:1304
-
C:\Windows\xofbsmieujujgjlyzeb.exexofbsmieujujgjlyzeb.exe .2⤵PID:1504
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\xofbsmieujujgjlyzeb.exe*."3⤵PID:3428
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exe1⤵PID:5544
-
C:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exeC:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exe2⤵PID:3980
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exe1⤵PID:5660
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1596
-
-
C:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exeC:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exe2⤵PID:5572
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exe .1⤵PID:2044
-
C:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exeC:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exe .2⤵
- Checks computer location settings
PID:5592 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\kcurjebypfrhfjmacigy.exe*."3⤵PID:5348
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exe .1⤵PID:5488
-
C:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exeC:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3000 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\dshbqicwkxgtoppaz.exe*."3⤵PID:5692
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exe1⤵PID:5452
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5132
-
-
C:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exeC:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exe2⤵PID:3568
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exe .1⤵PID:3500
-
C:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exeC:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exe .2⤵
- Checks computer location settings
PID:744 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\mcsndwrmbpznjlmyyc.exe*."3⤵PID:2528
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wkyrfwpivhpbvvue.exe1⤵PID:4568
-
C:\Windows\wkyrfwpivhpbvvue.exewkyrfwpivhpbvvue.exe2⤵PID:3976
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mcsndwrmbpznjlmyyc.exe .1⤵PID:1956
-
C:\Windows\mcsndwrmbpznjlmyyc.exemcsndwrmbpznjlmyyc.exe .2⤵PID:4812
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\mcsndwrmbpznjlmyyc.exe*."3⤵PID:4596
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mcsndwrmbpznjlmyyc.exe1⤵PID:5392
-
C:\Windows\mcsndwrmbpznjlmyyc.exemcsndwrmbpznjlmyyc.exe2⤵PID:3388
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mcsndwrmbpznjlmyyc.exe .1⤵PID:1752
-
C:\Windows\mcsndwrmbpznjlmyyc.exemcsndwrmbpznjlmyyc.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4672 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\mcsndwrmbpznjlmyyc.exe*."3⤵PID:4496
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exe1⤵PID:1288
-
C:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exeC:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exe2⤵PID:5588
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exe .1⤵PID:32
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2864
-
-
C:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exeC:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3112 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\xofbsmieujujgjlyzeb.exe*."3⤵PID:5636
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exe1⤵PID:4036
-
C:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exeC:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exe2⤵PID:5956
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exe .1⤵PID:4268
-
C:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exeC:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3392 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\kcurjebypfrhfjmacigy.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5840
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xofbsmieujujgjlyzeb.exe1⤵PID:1260
-
C:\Windows\xofbsmieujujgjlyzeb.exexofbsmieujujgjlyzeb.exe2⤵PID:5436
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zsljcywumdqhglpehongz.exe .1⤵PID:1668
-
C:\Windows\zsljcywumdqhglpehongz.exezsljcywumdqhglpehongz.exe .2⤵
- Checks computer location settings
PID:2832 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zsljcywumdqhglpehongz.exe*."3⤵PID:928
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dshbqicwkxgtoppaz.exe1⤵PID:3636
-
C:\Windows\dshbqicwkxgtoppaz.exedshbqicwkxgtoppaz.exe2⤵PID:5664
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kcurjebypfrhfjmacigy.exe .1⤵PID:1772
-
C:\Windows\kcurjebypfrhfjmacigy.exekcurjebypfrhfjmacigy.exe .2⤵PID:4128
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\kcurjebypfrhfjmacigy.exe*."3⤵PID:2448
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exe1⤵PID:4808
-
C:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exeC:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exe2⤵PID:4748
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exe .1⤵PID:3872
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5152
-
-
C:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exeC:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exe .2⤵PID:4452
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\xofbsmieujujgjlyzeb.exe*."3⤵PID:4604
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exe1⤵PID:5776
-
C:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exeC:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exe2⤵PID:3124
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exe .1⤵PID:5916
-
C:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exeC:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1588 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\xofbsmieujujgjlyzeb.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1000
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wkyrfwpivhpbvvue.exe1⤵PID:912
-
C:\Windows\wkyrfwpivhpbvvue.exewkyrfwpivhpbvvue.exe2⤵PID:5660
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zsljcywumdqhglpehongz.exe .1⤵PID:1596
-
C:\Windows\zsljcywumdqhglpehongz.exezsljcywumdqhglpehongz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5848 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zsljcywumdqhglpehongz.exe*."3⤵PID:3868
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zsljcywumdqhglpehongz.exe1⤵PID:4776
-
C:\Windows\zsljcywumdqhglpehongz.exezsljcywumdqhglpehongz.exe2⤵PID:2320
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wkyrfwpivhpbvvue.exe .1⤵PID:2688
-
C:\Windows\wkyrfwpivhpbvvue.exewkyrfwpivhpbvvue.exe .2⤵PID:5688
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\wkyrfwpivhpbvvue.exe*."3⤵PID:4728
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe1⤵PID:5348
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4924
-
-
C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exeC:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe2⤵PID:5488
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exe .1⤵PID:1728
-
C:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exeC:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exe .2⤵
- Checks computer location settings
PID:3900 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\xofbsmieujujgjlyzeb.exe*."3⤵PID:4484
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe1⤵PID:1380
-
C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exeC:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe2⤵PID:3184
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exe .1⤵PID:2476
-
C:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exeC:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3368 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zsljcywumdqhglpehongz.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5088
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xofbsmieujujgjlyzeb.exe1⤵PID:404
-
C:\Windows\xofbsmieujujgjlyzeb.exexofbsmieujujgjlyzeb.exe2⤵PID:3352
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mcsndwrmbpznjlmyyc.exe .1⤵PID:4172
-
C:\Windows\mcsndwrmbpznjlmyyc.exemcsndwrmbpznjlmyyc.exe .2⤵PID:4564
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\mcsndwrmbpznjlmyyc.exe*."3⤵PID:804
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wkyrfwpivhpbvvue.exe1⤵PID:2308
-
C:\Windows\wkyrfwpivhpbvvue.exewkyrfwpivhpbvvue.exe2⤵PID:1796
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dshbqicwkxgtoppaz.exe .1⤵PID:4400
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4672
-
-
C:\Windows\dshbqicwkxgtoppaz.exedshbqicwkxgtoppaz.exe .2⤵PID:2808
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\dshbqicwkxgtoppaz.exe*."3⤵PID:6084
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exe1⤵PID:2120
-
C:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exeC:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exe2⤵PID:4468
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exe .1⤵PID:3560
-
C:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exeC:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exe .2⤵PID:2192
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\dshbqicwkxgtoppaz.exe*."3⤵PID:5864
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exe1⤵PID:532
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3020
-
-
C:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exeC:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exe2⤵PID:3420
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exe .1⤵PID:4712
-
C:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exeC:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5724 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\xofbsmieujujgjlyzeb.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3772
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xofbsmieujujgjlyzeb.exe1⤵PID:3760
-
C:\Windows\xofbsmieujujgjlyzeb.exexofbsmieujujgjlyzeb.exe2⤵PID:4120
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mcsndwrmbpznjlmyyc.exe .1⤵PID:4700
-
C:\Windows\mcsndwrmbpznjlmyyc.exemcsndwrmbpznjlmyyc.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1808 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\mcsndwrmbpznjlmyyc.exe*."3⤵PID:6000
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wkyrfwpivhpbvvue.exe1⤵PID:5028
-
C:\Windows\wkyrfwpivhpbvvue.exewkyrfwpivhpbvvue.exe2⤵PID:2180
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kcurjebypfrhfjmacigy.exe .1⤵PID:932
-
C:\Windows\kcurjebypfrhfjmacigy.exekcurjebypfrhfjmacigy.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2744 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\kcurjebypfrhfjmacigy.exe*."3⤵PID:3872
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exe1⤵PID:2116
-
C:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exeC:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exe2⤵PID:448
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exe .1⤵PID:4480
-
C:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exeC:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exe .2⤵PID:5876
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\kcurjebypfrhfjmacigy.exe*."3⤵PID:4984
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exe1⤵PID:5544
-
C:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exeC:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exe2⤵PID:4600
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exe .1⤵PID:5840
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5932
-
-
C:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exeC:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exe .2⤵PID:4420
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\kcurjebypfrhfjmacigy.exe*."3⤵PID:4460
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wkyrfwpivhpbvvue.exe1⤵PID:1836
-
C:\Windows\wkyrfwpivhpbvvue.exewkyrfwpivhpbvvue.exe2⤵PID:4520
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mcsndwrmbpznjlmyyc.exe .1⤵PID:3160
-
C:\Windows\mcsndwrmbpznjlmyyc.exemcsndwrmbpznjlmyyc.exe .2⤵PID:1820
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\mcsndwrmbpznjlmyyc.exe*."3⤵PID:3000
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kcurjebypfrhfjmacigy.exe1⤵PID:5228
-
C:\Windows\kcurjebypfrhfjmacigy.exekcurjebypfrhfjmacigy.exe2⤵PID:6128
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xofbsmieujujgjlyzeb.exe .1⤵PID:5032
-
C:\Windows\xofbsmieujujgjlyzeb.exexofbsmieujujgjlyzeb.exe .2⤵PID:4560
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\xofbsmieujujgjlyzeb.exe*."3⤵PID:4796
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exe1⤵PID:5164
-
C:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exeC:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exe2⤵PID:4664
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wkyrfwpivhpbvvue.exe1⤵PID:6008
-
C:\Windows\wkyrfwpivhpbvvue.exewkyrfwpivhpbvvue.exe2⤵PID:2072
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe .1⤵PID:4960
-
C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exeC:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe .2⤵PID:5064
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\wkyrfwpivhpbvvue.exe*."3⤵PID:3368
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zsljcywumdqhglpehongz.exe .1⤵PID:5640
-
C:\Windows\zsljcywumdqhglpehongz.exezsljcywumdqhglpehongz.exe .2⤵PID:1852
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zsljcywumdqhglpehongz.exe*."3⤵PID:4580
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exe1⤵PID:2476
-
C:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exeC:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exe2⤵PID:1748
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wkyrfwpivhpbvvue.exe1⤵PID:5684
-
C:\Windows\wkyrfwpivhpbvvue.exewkyrfwpivhpbvvue.exe2⤵PID:1752
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wkyrfwpivhpbvvue.exe1⤵PID:3352
-
C:\Windows\wkyrfwpivhpbvvue.exewkyrfwpivhpbvvue.exe2⤵PID:2372
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe .1⤵PID:404
-
C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exeC:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe .2⤵PID:5332
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\wkyrfwpivhpbvvue.exe*."3⤵PID:3888
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mcsndwrmbpznjlmyyc.exe .1⤵PID:1396
-
C:\Windows\mcsndwrmbpznjlmyyc.exemcsndwrmbpznjlmyyc.exe .2⤵PID:4648
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\mcsndwrmbpznjlmyyc.exe*."3⤵PID:4272
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exe1⤵PID:3512
-
C:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exeC:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exe2⤵PID:6016
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wkyrfwpivhpbvvue.exe .1⤵PID:4468
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:6092
-
-
C:\Windows\wkyrfwpivhpbvvue.exewkyrfwpivhpbvvue.exe .2⤵PID:3280
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\wkyrfwpivhpbvvue.exe*."3⤵PID:4748
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exe .1⤵PID:5600
-
C:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exeC:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exe .2⤵PID:5416
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\dshbqicwkxgtoppaz.exe*."3⤵PID:4556
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xofbsmieujujgjlyzeb.exe1⤵PID:452
-
C:\Windows\xofbsmieujujgjlyzeb.exexofbsmieujujgjlyzeb.exe2⤵PID:1356
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xofbsmieujujgjlyzeb.exe .1⤵PID:4724
-
C:\Windows\xofbsmieujujgjlyzeb.exexofbsmieujujgjlyzeb.exe .2⤵PID:4644
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\xofbsmieujujgjlyzeb.exe*."3⤵PID:1992
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exe1⤵PID:5520
-
C:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exeC:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exe2⤵PID:448
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe1⤵PID:2816
-
C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exeC:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe2⤵PID:5532
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exe .1⤵PID:5664
-
C:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exeC:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exe .2⤵PID:1424
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\kcurjebypfrhfjmacigy.exe*."3⤵PID:6104
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exe .1⤵PID:1240
-
C:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exeC:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exe .2⤵PID:2700
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\kcurjebypfrhfjmacigy.exe*."3⤵PID:3124
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xofbsmieujujgjlyzeb.exe1⤵PID:4920
-
C:\Windows\xofbsmieujujgjlyzeb.exexofbsmieujujgjlyzeb.exe2⤵PID:5916
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exe1⤵PID:4084
-
C:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exeC:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exe2⤵PID:5180
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exe .1⤵PID:3156
-
C:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exeC:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exe .2⤵PID:2188
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\xofbsmieujujgjlyzeb.exe*."3⤵PID:4880
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xofbsmieujujgjlyzeb.exe .1⤵PID:2016
-
C:\Windows\xofbsmieujujgjlyzeb.exexofbsmieujujgjlyzeb.exe .2⤵PID:1960
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\xofbsmieujujgjlyzeb.exe*."3⤵PID:4584
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mcsndwrmbpznjlmyyc.exe1⤵PID:4332
-
C:\Windows\mcsndwrmbpznjlmyyc.exemcsndwrmbpznjlmyyc.exe2⤵PID:1820
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dshbqicwkxgtoppaz.exe .1⤵PID:3600
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1084
-
-
C:\Windows\dshbqicwkxgtoppaz.exedshbqicwkxgtoppaz.exe .2⤵PID:3160
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\dshbqicwkxgtoppaz.exe*."3⤵PID:4932
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe1⤵PID:4780
-
C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exeC:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe2⤵PID:5860
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exe .1⤵PID:4616
-
C:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exeC:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exe .2⤵PID:4796
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zsljcywumdqhglpehongz.exe*."3⤵PID:1420
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exe1⤵PID:1072
-
C:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exeC:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exe2⤵PID:4552
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exe .1⤵PID:852
-
C:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exeC:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exe .2⤵PID:4568
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\dshbqicwkxgtoppaz.exe*."3⤵PID:4280
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mcsndwrmbpznjlmyyc.exe1⤵PID:4812
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3388
-
-
C:\Windows\mcsndwrmbpznjlmyyc.exemcsndwrmbpznjlmyyc.exe2⤵PID:3432
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mcsndwrmbpznjlmyyc.exe .1⤵PID:4168
-
C:\Windows\mcsndwrmbpznjlmyyc.exemcsndwrmbpznjlmyyc.exe .2⤵PID:5384
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\mcsndwrmbpznjlmyyc.exe*."3⤵PID:2364
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dshbqicwkxgtoppaz.exe1⤵PID:4792
-
C:\Windows\dshbqicwkxgtoppaz.exedshbqicwkxgtoppaz.exe2⤵PID:5684
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kcurjebypfrhfjmacigy.exe .1⤵PID:4660
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1920
-
-
C:\Windows\kcurjebypfrhfjmacigy.exekcurjebypfrhfjmacigy.exe .2⤵PID:1872
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\kcurjebypfrhfjmacigy.exe*."3⤵PID:1396
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe1⤵PID:3204
-
C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exeC:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe2⤵PID:3248
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exe .1⤵PID:5500
-
C:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exeC:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exe .2⤵PID:1056
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zsljcywumdqhglpehongz.exe*."3⤵PID:408
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exe1⤵PID:736
-
C:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exeC:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exe2⤵PID:3580
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exe .1⤵PID:4832
-
C:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exeC:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exe .2⤵PID:5300
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\xofbsmieujujgjlyzeb.exe*."3⤵PID:1256
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wkyrfwpivhpbvvue.exe1⤵PID:3392
-
C:\Windows\wkyrfwpivhpbvvue.exewkyrfwpivhpbvvue.exe2⤵PID:436
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wkyrfwpivhpbvvue.exe .1⤵PID:3420
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3560
-
-
C:\Windows\wkyrfwpivhpbvvue.exewkyrfwpivhpbvvue.exe .2⤵PID:5188
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\wkyrfwpivhpbvvue.exe*."3⤵PID:3344
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xofbsmieujujgjlyzeb.exe1⤵PID:2024
-
C:\Windows\xofbsmieujujgjlyzeb.exexofbsmieujujgjlyzeb.exe2⤵PID:4840
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zsljcywumdqhglpehongz.exe .1⤵PID:1176
-
C:\Windows\zsljcywumdqhglpehongz.exezsljcywumdqhglpehongz.exe .2⤵PID:2296
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zsljcywumdqhglpehongz.exe*."3⤵PID:4684
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exe1⤵PID:2616
-
C:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exeC:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exe2⤵PID:4112
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe .1⤵PID:5916
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5180
-
-
C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exeC:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe .2⤵PID:5868
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\wkyrfwpivhpbvvue.exe*."3⤵PID:5952
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exe1⤵PID:2012
-
C:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exeC:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exe2⤵PID:4084
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exe .1⤵PID:5128
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4688
-
-
C:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exeC:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exe .2⤵PID:896
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zsljcywumdqhglpehongz.exe*."3⤵PID:856
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dshbqicwkxgtoppaz.exe1⤵PID:1432
-
C:\Windows\dshbqicwkxgtoppaz.exedshbqicwkxgtoppaz.exe2⤵PID:1820
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zsljcywumdqhglpehongz.exe .1⤵PID:2904
-
C:\Windows\zsljcywumdqhglpehongz.exezsljcywumdqhglpehongz.exe .2⤵PID:2292
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zsljcywumdqhglpehongz.exe*."3⤵PID:2320
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dshbqicwkxgtoppaz.exe1⤵PID:1576
-
C:\Windows\dshbqicwkxgtoppaz.exedshbqicwkxgtoppaz.exe2⤵PID:4776
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xofbsmieujujgjlyzeb.exe .1⤵PID:4208
-
C:\Windows\xofbsmieujujgjlyzeb.exexofbsmieujujgjlyzeb.exe .2⤵PID:3528
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\xofbsmieujujgjlyzeb.exe*."3⤵PID:1304
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exe1⤵PID:3928
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2820
-
-
C:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exeC:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exe2⤵PID:4616
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exe .1⤵PID:1412
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2688
-
-
C:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exeC:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exe .2⤵PID:4924
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\mcsndwrmbpznjlmyyc.exe*."3⤵PID:3888
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exe1⤵PID:5064
-
C:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exeC:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exe2⤵PID:1936
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe .1⤵PID:4576
-
C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exeC:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe .2⤵PID:5316
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\wkyrfwpivhpbvvue.exe*."3⤵PID:4172
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xofbsmieujujgjlyzeb.exe1⤵PID:2784
-
C:\Windows\xofbsmieujujgjlyzeb.exexofbsmieujujgjlyzeb.exe2⤵PID:2396
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xofbsmieujujgjlyzeb.exe .1⤵PID:5384
-
C:\Windows\xofbsmieujujgjlyzeb.exexofbsmieujujgjlyzeb.exe .2⤵PID:4676
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\xofbsmieujujgjlyzeb.exe*."3⤵PID:4508
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wkyrfwpivhpbvvue.exe1⤵PID:2372
-
C:\Windows\wkyrfwpivhpbvvue.exewkyrfwpivhpbvvue.exe2⤵PID:3248
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mcsndwrmbpznjlmyyc.exe .1⤵PID:4736
-
C:\Windows\mcsndwrmbpznjlmyyc.exemcsndwrmbpznjlmyyc.exe .2⤵PID:3316
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\mcsndwrmbpznjlmyyc.exe*."3⤵PID:2468
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe1⤵PID:1440
-
C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exeC:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe2⤵PID:5724
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exe .1⤵PID:1568
-
C:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exeC:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exe .2⤵PID:1796
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\mcsndwrmbpznjlmyyc.exe*."3⤵PID:2832
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exe1⤵PID:5088
-
C:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exeC:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exe2⤵PID:860
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exe .1⤵PID:4700
-
C:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exeC:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exe .2⤵PID:4636
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\mcsndwrmbpznjlmyyc.exe*."3⤵PID:4232
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mcsndwrmbpznjlmyyc.exe1⤵PID:3544
-
C:\Windows\mcsndwrmbpznjlmyyc.exemcsndwrmbpznjlmyyc.exe2⤵PID:5532
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mcsndwrmbpznjlmyyc.exe .1⤵PID:4604
-
C:\Windows\mcsndwrmbpznjlmyyc.exemcsndwrmbpznjlmyyc.exe .2⤵PID:5496
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\mcsndwrmbpznjlmyyc.exe*."3⤵PID:4356
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dshbqicwkxgtoppaz.exe1⤵PID:5572
-
C:\Windows\dshbqicwkxgtoppaz.exedshbqicwkxgtoppaz.exe2⤵PID:2980
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dshbqicwkxgtoppaz.exe .1⤵PID:512
-
C:\Windows\dshbqicwkxgtoppaz.exedshbqicwkxgtoppaz.exe .2⤵PID:5528
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\dshbqicwkxgtoppaz.exe*."3⤵PID:5664
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe1⤵PID:2296
-
C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exeC:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe2⤵PID:4712
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exe .1⤵PID:2716
-
C:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exeC:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exe .2⤵PID:5868
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\mcsndwrmbpznjlmyyc.exe*."3⤵PID:3124
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe1⤵PID:5584
-
C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exeC:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe2⤵PID:4764
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exe .1⤵PID:2116
-
C:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exeC:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exe .2⤵PID:452
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\kcurjebypfrhfjmacigy.exe*."3⤵PID:4128
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mcsndwrmbpznjlmyyc.exe1⤵PID:3952
-
C:\Windows\mcsndwrmbpznjlmyyc.exemcsndwrmbpznjlmyyc.exe2⤵PID:4780
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kcurjebypfrhfjmacigy.exe .1⤵PID:4332
-
C:\Windows\kcurjebypfrhfjmacigy.exekcurjebypfrhfjmacigy.exe .2⤵PID:1064
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\kcurjebypfrhfjmacigy.exe*."3⤵PID:3184
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zsljcywumdqhglpehongz.exe1⤵PID:5848
-
C:\Windows\zsljcywumdqhglpehongz.exezsljcywumdqhglpehongz.exe2⤵PID:3180
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zsljcywumdqhglpehongz.exe .1⤵PID:4304
-
C:\Windows\zsljcywumdqhglpehongz.exezsljcywumdqhglpehongz.exe .2⤵PID:5536
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zsljcywumdqhglpehongz.exe*."3⤵PID:1852
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mcsndwrmbpznjlmyyc.exe1⤵PID:5032
-
C:\Windows\mcsndwrmbpznjlmyyc.exemcsndwrmbpznjlmyyc.exe2⤵PID:3888
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xofbsmieujujgjlyzeb.exe .1⤵PID:4932
-
C:\Windows\xofbsmieujujgjlyzeb.exexofbsmieujujgjlyzeb.exe .2⤵PID:4896
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\xofbsmieujujgjlyzeb.exe*."3⤵PID:1676
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zsljcywumdqhglpehongz.exe1⤵PID:5320
-
C:\Windows\zsljcywumdqhglpehongz.exezsljcywumdqhglpehongz.exe2⤵PID:1148
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exe1⤵PID:2692
-
C:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exeC:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exe2⤵PID:1880
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kcurjebypfrhfjmacigy.exe1⤵PID:6008
-
C:\Windows\kcurjebypfrhfjmacigy.exekcurjebypfrhfjmacigy.exe2⤵PID:5632
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exe .1⤵PID:5316
-
C:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exeC:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exe .2⤵PID:2812
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\mcsndwrmbpznjlmyyc.exe*."3⤵PID:6072
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xofbsmieujujgjlyzeb.exe .1⤵PID:4236
-
C:\Windows\xofbsmieujujgjlyzeb.exexofbsmieujujgjlyzeb.exe .2⤵PID:5820
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\xofbsmieujujgjlyzeb.exe*."3⤵PID:3412
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe1⤵PID:2656
-
C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exeC:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe2⤵PID:1808
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zsljcywumdqhglpehongz.exe .1⤵PID:4988
-
C:\Windows\zsljcywumdqhglpehongz.exezsljcywumdqhglpehongz.exe .2⤵PID:6100
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zsljcywumdqhglpehongz.exe*."3⤵PID:1240
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exe .1⤵PID:2408
-
C:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exeC:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exe .2⤵PID:3916
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\kcurjebypfrhfjmacigy.exe*."3⤵PID:5456
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exe1⤵PID:5392
-
C:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exeC:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exe2⤵PID:3392
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zsljcywumdqhglpehongz.exe1⤵PID:2372
-
C:\Windows\zsljcywumdqhglpehongz.exezsljcywumdqhglpehongz.exe2⤵PID:5020
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exe .1⤵PID:4496
-
C:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exeC:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exe .2⤵PID:4452
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zsljcywumdqhglpehongz.exe*."3⤵PID:5584
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mcsndwrmbpznjlmyyc.exe .1⤵PID:3316
-
C:\Windows\mcsndwrmbpznjlmyyc.exemcsndwrmbpznjlmyyc.exe .2⤵PID:2956
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\mcsndwrmbpznjlmyyc.exe*."3⤵PID:320
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exe1⤵PID:4732
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:532
-
-
C:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exeC:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exe2⤵PID:2952
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe1⤵PID:1796
-
C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exeC:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe2⤵PID:3636
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe .1⤵PID:4536
-
C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exeC:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe .2⤵PID:5152
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\wkyrfwpivhpbvvue.exe*."3⤵PID:1104
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exe .1⤵PID:4072
-
C:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exeC:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exe .2⤵PID:3344
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\xofbsmieujujgjlyzeb.exe*."3⤵PID:1624
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exe1⤵PID:5600
-
C:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exeC:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exe2⤵PID:2188
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe .1⤵PID:3420
-
C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exeC:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe .2⤵PID:2012
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\wkyrfwpivhpbvvue.exe*."3⤵PID:4480
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xofbsmieujujgjlyzeb.exe1⤵PID:5528
-
C:\Windows\xofbsmieujujgjlyzeb.exexofbsmieujujgjlyzeb.exe2⤵PID:5748
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dshbqicwkxgtoppaz.exe .1⤵PID:2716
-
C:\Windows\dshbqicwkxgtoppaz.exedshbqicwkxgtoppaz.exe .2⤵PID:4312
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\dshbqicwkxgtoppaz.exe*."3⤵PID:6128
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zsljcywumdqhglpehongz.exe1⤵PID:912
-
C:\Windows\zsljcywumdqhglpehongz.exezsljcywumdqhglpehongz.exe2⤵PID:3360
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kcurjebypfrhfjmacigy.exe .1⤵PID:3936
-
C:\Windows\kcurjebypfrhfjmacigy.exekcurjebypfrhfjmacigy.exe .2⤵PID:4776
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\kcurjebypfrhfjmacigy.exe*."3⤵PID:5488
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exe1⤵PID:5340
-
C:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exeC:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exe2⤵PID:4408
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exe .1⤵PID:1916
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1996
-
-
C:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exeC:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exe .2⤵PID:4332
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\mcsndwrmbpznjlmyyc.exe*."3⤵PID:4960
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe1⤵PID:1304
-
C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exeC:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe2⤵PID:3504
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exe .1⤵PID:5452
-
C:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exeC:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exe .2⤵PID:3112
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\dshbqicwkxgtoppaz.exe*."3⤵PID:2780
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wkyrfwpivhpbvvue.exe1⤵PID:5688
-
C:\Windows\wkyrfwpivhpbvvue.exewkyrfwpivhpbvvue.exe2⤵PID:4024
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kcurjebypfrhfjmacigy.exe .1⤵PID:2476
-
C:\Windows\kcurjebypfrhfjmacigy.exekcurjebypfrhfjmacigy.exe .2⤵PID:2692
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\kcurjebypfrhfjmacigy.exe*."3⤵PID:2928
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zsljcywumdqhglpehongz.exe1⤵PID:5592
-
C:\Windows\zsljcywumdqhglpehongz.exezsljcywumdqhglpehongz.exe2⤵PID:736
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wkyrfwpivhpbvvue.exe .1⤵PID:3564
-
C:\Windows\wkyrfwpivhpbvvue.exewkyrfwpivhpbvvue.exe .2⤵PID:1808
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\wkyrfwpivhpbvvue.exe*."3⤵PID:5716
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exe1⤵PID:4564
-
C:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exeC:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exe2⤵PID:3560
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exe .1⤵PID:6024
-
C:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exeC:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exe .2⤵PID:4720
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\dshbqicwkxgtoppaz.exe*."3⤵PID:6084
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exe1⤵PID:6068
-
C:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exeC:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exe2⤵PID:1240
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exe .1⤵PID:5636
-
C:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exeC:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exe .2⤵PID:4624
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\xofbsmieujujgjlyzeb.exe*."3⤵PID:4272
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wkyrfwpivhpbvvue.exe1⤵PID:456
-
C:\Windows\wkyrfwpivhpbvvue.exewkyrfwpivhpbvvue.exe2⤵PID:3512
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mcsndwrmbpznjlmyyc.exe .1⤵PID:4632
-
C:\Windows\mcsndwrmbpznjlmyyc.exemcsndwrmbpznjlmyyc.exe .2⤵PID:3484
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\mcsndwrmbpznjlmyyc.exe*."3⤵PID:5724
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zsljcywumdqhglpehongz.exe1⤵PID:4764
-
C:\Windows\zsljcywumdqhglpehongz.exezsljcywumdqhglpehongz.exe2⤵PID:4988
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dshbqicwkxgtoppaz.exe .1⤵PID:4420
-
C:\Windows\dshbqicwkxgtoppaz.exedshbqicwkxgtoppaz.exe .2⤵PID:2184
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\dshbqicwkxgtoppaz.exe*."3⤵PID:5748
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exe1⤵PID:4716
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3800
-
-
C:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exeC:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exe2⤵PID:2864
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exe .1⤵PID:3124
-
C:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exeC:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exe .2⤵PID:6136
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\xofbsmieujujgjlyzeb.exe*."3⤵PID:5912
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exe1⤵PID:5608
-
C:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exeC:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exe2⤵PID:2092
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exe .1⤵PID:1896
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4492
-
-
C:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exeC:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exe .2⤵PID:2232
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\xofbsmieujujgjlyzeb.exe*."3⤵PID:2400
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mcsndwrmbpznjlmyyc.exe1⤵PID:3772
-
C:\Windows\mcsndwrmbpznjlmyyc.exemcsndwrmbpznjlmyyc.exe2⤵PID:5148
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mcsndwrmbpznjlmyyc.exe .1⤵PID:5900
-
C:\Windows\mcsndwrmbpznjlmyyc.exemcsndwrmbpznjlmyyc.exe .2⤵PID:1528
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\mcsndwrmbpznjlmyyc.exe*."3⤵PID:2420
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wkyrfwpivhpbvvue.exe1⤵PID:5432
-
C:\Windows\wkyrfwpivhpbvvue.exewkyrfwpivhpbvvue.exe2⤵PID:5860
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zsljcywumdqhglpehongz.exe .1⤵PID:2716
-
C:\Windows\zsljcywumdqhglpehongz.exezsljcywumdqhglpehongz.exe .2⤵PID:4796
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zsljcywumdqhglpehongz.exe*."3⤵PID:5488
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exe1⤵PID:4408
-
C:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exeC:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exe2⤵PID:5544
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exe .1⤵PID:4020
-
C:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exeC:\Users\Admin\AppData\Local\Temp\zsljcywumdqhglpehongz.exe .2⤵PID:1412
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zsljcywumdqhglpehongz.exe*."3⤵PID:4960
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exe1⤵PID:1916
-
C:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exeC:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exe2⤵PID:3112
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe .1⤵PID:2240
-
C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exeC:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe .2⤵PID:5360
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\wkyrfwpivhpbvvue.exe*."3⤵PID:1680
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mcsndwrmbpznjlmyyc.exe1⤵PID:4792
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1836
-
-
C:\Windows\mcsndwrmbpznjlmyyc.exemcsndwrmbpznjlmyyc.exe2⤵PID:4152
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xofbsmieujujgjlyzeb.exe .1⤵PID:4136
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2928
-
-
C:\Windows\xofbsmieujujgjlyzeb.exexofbsmieujujgjlyzeb.exe .2⤵PID:4352
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\xofbsmieujujgjlyzeb.exe*."3⤵PID:3188
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kcurjebypfrhfjmacigy.exe1⤵PID:736
-
C:\Windows\kcurjebypfrhfjmacigy.exekcurjebypfrhfjmacigy.exe2⤵PID:3164
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mcsndwrmbpznjlmyyc.exe .1⤵PID:2196
-
C:\Windows\mcsndwrmbpznjlmyyc.exemcsndwrmbpznjlmyyc.exe .2⤵PID:3560
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\mcsndwrmbpznjlmyyc.exe*."3⤵PID:6140
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe1⤵PID:4680
-
C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exeC:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe2⤵PID:1092
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exe .1⤵PID:5172
-
C:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exeC:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exe .2⤵PID:5076
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\kcurjebypfrhfjmacigy.exe*."3⤵PID:4840
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe1⤵PID:5876
-
C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exeC:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe2⤵PID:5856
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exe .1⤵PID:6068
-
C:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exeC:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exe .2⤵PID:4692
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\dshbqicwkxgtoppaz.exe*."3⤵PID:4120
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mcsndwrmbpznjlmyyc.exe1⤵PID:3760
-
C:\Windows\mcsndwrmbpznjlmyyc.exemcsndwrmbpznjlmyyc.exe2⤵PID:5932
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wkyrfwpivhpbvvue.exe .1⤵PID:456
-
C:\Windows\wkyrfwpivhpbvvue.exewkyrfwpivhpbvvue.exe .2⤵PID:4812
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\wkyrfwpivhpbvvue.exe*."3⤵PID:5668
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wkyrfwpivhpbvvue.exe1⤵PID:5724
-
C:\Windows\wkyrfwpivhpbvvue.exewkyrfwpivhpbvvue.exe2⤵PID:4404
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zsljcywumdqhglpehongz.exe .1⤵PID:4988
-
C:\Windows\zsljcywumdqhglpehongz.exezsljcywumdqhglpehongz.exe .2⤵PID:2836
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zsljcywumdqhglpehongz.exe*."3⤵PID:5976
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exe1⤵PID:3608
-
C:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exeC:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exe2⤵PID:2592
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exe .1⤵PID:5180
-
C:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exeC:\Users\Admin\AppData\Local\Temp\dshbqicwkxgtoppaz.exe .2⤵PID:4716
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\dshbqicwkxgtoppaz.exe*."3⤵PID:1164
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exe1⤵PID:884
-
C:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exeC:\Users\Admin\AppData\Local\Temp\xofbsmieujujgjlyzeb.exe2⤵PID:6136
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exe .1⤵PID:5152
-
C:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exeC:\Users\Admin\AppData\Local\Temp\mcsndwrmbpznjlmyyc.exe .2⤵PID:1104
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\mcsndwrmbpznjlmyyc.exe*."3⤵PID:4072
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xofbsmieujujgjlyzeb.exe1⤵PID:5028
-
C:\Windows\xofbsmieujujgjlyzeb.exexofbsmieujujgjlyzeb.exe2⤵PID:5376
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kcurjebypfrhfjmacigy.exe .1⤵PID:4496
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:408
-
-
C:\Windows\kcurjebypfrhfjmacigy.exekcurjebypfrhfjmacigy.exe .2⤵PID:3784
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\kcurjebypfrhfjmacigy.exe*."3⤵PID:3272
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dshbqicwkxgtoppaz.exe1⤵PID:4748
-
C:\Windows\dshbqicwkxgtoppaz.exedshbqicwkxgtoppaz.exe2⤵PID:2288
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dshbqicwkxgtoppaz.exe1⤵PID:1492
-
C:\Windows\dshbqicwkxgtoppaz.exedshbqicwkxgtoppaz.exe2⤵PID:5848
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dshbqicwkxgtoppaz.exe1⤵PID:5148
-
C:\Windows\dshbqicwkxgtoppaz.exedshbqicwkxgtoppaz.exe2⤵PID:4780
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xofbsmieujujgjlyzeb.exe .1⤵PID:3580
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcurjebypfrhfjmacigy.exe1⤵PID:5696
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xofbsmieujujgjlyzeb.exe .1⤵PID:5776
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xofbsmieujujgjlyzeb.exe .1⤵PID:4664
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkyrfwpivhpbvvue.exe .1⤵PID:3372
Network
MITRE ATT&CK Enterprise v16
Persistence
  Boot or Logon Autostart Execution — 3
    Registry Run Keys / Startup Folder — 2
    Winlogon Helper DLL — 1
  Hijack Execution Flow — 1
    Executable Installer File Permissions Weakness — 1
Privilege Escalation
  Abuse Elevation Control Mechanism — 1
    Bypass User Account Control — 1
  Boot or Logon Autostart Execution — 3
    Registry Run Keys / Startup Folder — 2
    Winlogon Helper DLL — 1
  Hijack Execution Flow — 1
    Executable Installer File Permissions Weakness — 1
Defense Evasion
  Abuse Elevation Control Mechanism — 1
    Bypass User Account Control — 1
  Hijack Execution Flow — 1
    Executable Installer File Permissions Weakness — 1
  Impair Defenses — 2
    Disable or Modify Tools — 1
    Safe Mode Boot — 1
  Modify Registry — 5
Downloads
-
Filesize
280B
MD5 d455faed48248ffa5183be94475dc4ea
SHA1 344b3255ec9aff14c9169e17e22cdf944ffd070b
SHA256 6df29bf5b80876e0e0c686b0e0e12d7ef901d9e441fb242af56ab99cd501dd0e
SHA512 69406022d2811b48d4a4d1599fa55d2a6f339b27f86f6b17f5284599aaa2d465da7cc26a9e2d18b4733f42e1d473d5857f9ed612da2cf6571b1d6b2e31b1ba2b
-
Filesize
280B
MD5 0091bb396daf98004dd8fbbcf8c8c515
SHA1 784fe844f0446493da14ffb9abc870b7c572fa7d
SHA256 5dbc7e37012b7e5680d48b70552587a7a739ec32496035df1a791f9969ba0228
SHA512 7d511ea7d6af58fb1e5121fba702271e951f24045614761f80ef908c554504ce94c1269559f9d1dfee013e872e78a490cee6de09d906804a6d771f470f587097
-
Filesize
280B
MD5 30ec271e25d6da09e00334f34822a125
SHA1 48fcded115beaa8d5d5c1b1a322afd4de9f8b13d
SHA256 f07474ea3088cffde24b07cfb60ecde59aa14738376bddb7d5d51ab2a0a5caca
SHA512 b18748bd6215e871cc0d0fbd24e5c2d0da0b0f73a243addebf8a126f15022c20637bce5fd76be6d6fc40a9bbdd273e6b4c28e7663009bf7d1c738fdbea0d1b93
-
Filesize
280B
MD5 92461967c100ddabd218018c2778d876
SHA1 078f639f31e13be414b9489ab0e9b207a25d4847
SHA256 9b407846fddae7e2e8c32617aaeaacc8676574b2c970627c77f52dbbf0263f97
SHA512 9ec4824eb129b8947b999e961c9ffd59b293bb8e788f8f6490bfd3fecf7b1cb4c3db42ba578765ee661751f0ef43fad1710f1f1983f8b8aa2dbe624b82777d5f
-
Filesize
280B
MD5 e311d3692c5a6981372001c1ecec6446
SHA1 c2d1720b9d539c74ddbe7402fabffd5ca4c87f09
SHA256 0cd65279d2db11e32040589de34c827df8aee50637e84428882411b91a092c77
SHA512 8e70228932e2c2a4f2c615075e624aaa1b21c3a4e524cc9ec3680f6bee23ea43dae8f215c0c3900a6fe44b628f6065c2022eb82b1da536ecb8995e7ecc4e59cc
-
Filesize
280B
MD5 3436a85d4bce198dc6597a2d9d35c423
SHA1 314da0f4d87da0d6d7e6affe0f8b0488132e64b8
SHA256 35b741ef904ad563376d79f772198bba3cfe1dc377ec7ef85650aac27e6a1b2e
SHA512 b3fe105026b6f438d0af2d9e1c957dac99893890602d09005448a2ba3f331a2a73e9f6f566ef3c2244835f14f33cf661f1ecad71b713e7ac18435671af92a590
-
Filesize
280B
MD5 236f518b44fce06756c24e7b7a74897c
SHA1 a6829fe2f15ac5fc302f6b5238890084df806330
SHA256 6edb50e65feffe094d66001b956fa061924e0df9e15e35580370cf34d7da7ab8
SHA512 1f4e2f575b021a1259c534370894c00a4227b6b581967812ea63ae7648c8d52078fd935ce0737c7b2cce82ed309f019c049c5c50d58d16e5afb28fe6b1fbb5d1
-
Filesize
320KB
MD5 669f7fc2eb7fb5c4108e38ab26bbfd96
SHA1 bb650d81826897ce7c203360f46b7575bb95c38e
SHA256 ea040ad76dc37e989ace4f6f9a35d6bf66fad6f92c91d18325285deda0b168a3
SHA512 601a1938db4d67394f1b70deea4308b7af4a1d8e3f6c2d8c85eb2901ae038114c677892a314b6ffbaa192db2d564664de5358f0739d63b1b713d53f7a0bbcd19
-
Filesize
716KB
MD5 7fdf9607636152fa101e8eba3496b1b9
SHA1 15441a84c6b0d6129d26dd5663d675b6c9cf556c
SHA256 1fde5099f6f75d4d41f28ece6e8a3a9e17898b0a2b7ea89c426e973e7b7a2862
SHA512 83bf562a55470b11b51ceb14dc627a485de00845c7b1876e0c333eee9b66e2e8887da620e3002cad99d9ca7d96a650b54462e856c6a3d931262097c3d543b07a
-
Filesize
280B
MD5 d5935e046cf38c21ad6ea78fa85f9d7b
SHA1 060e42af9b8c6e051e4e5f48bcdf4bb1bfdb99cc
SHA256 cf6adeba9ad69eb161222f507db13ea00ed6647e0a9bdf6905016140274a684f
SHA512 9c487ee777f22e3c8d828685a0d691ed6b705f2f4e8ec014705edcc8d90e592606aba5ddc5eef8aa3911370203e624de2652f5b6e3dbd304e4af63c73d2403e7
-
Filesize
4KB
MD5 2a2ed55a60af08663360f53d518ac4ad
SHA1 c4f78198817d655c2456da36618b24fbdad411ea
SHA256 9b801b6ce3e0e2b61f397fa0e12c9deb4898950359411699bc2dc8909511702d
SHA512 22f2a71c5626958c6e512d11dea548aed4897b15bc4fca9181c5975d60cef6ee9b34e6e54b1acd15b06d62f77c15a5b175b759e806f063493f6c45f6c3bc7efb
-
Filesize
604KB
MD5 c01efe28cc72f758cb5548c1b0f4afe1
SHA1 23a4aae9c403e8a8484e80780ad911459332bcd6
SHA256 b8fda1b4500ac5fa17c42f664f5708ce394b039f1a18fc7e526b714df784af6b
SHA512 b1ce44a9919ea0ee91cb3b6d94522656102d95e8c5589d13736045b1919d908fa17e6bf07921e4e94cdc54f3abdc15be3c8fe82a347f6ea955e6958e045ca316