Analysis
max time kernel: 45s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20250314-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/04/2025, 11:49

Static task: static1

Behavioral task: behavioral1
Sample: JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe
Resource: win10v2004-20250314-en

Behavioral task: behavioral2
Sample: JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe
Resource: win11-20250410-en

General
Target: JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe
Size: 492KB
MD5: bdec6237d2f7f80e1250e09df51e3d02
SHA1: 73bbd2918a981f181299342a44b8afc0e0923f7d
SHA256: a7ba2a0628020aa108b91798907146015ab98527a7b59ac8836865c6d9e1e12b
SHA512: e0c1276cabc70b4fe6c936854e10eafba6c5860824d82007c2513d408d1167611b24ae6d5fe992ce12500d6d08ace5b966535ad236bb142af5f677f0ade1af8b
SSDEEP: 12288:8pUJ3r6YkVwJgNnSykgb9cqWnw4q6ZmFhqsr:8pUNr6YkVRFkgbeqeo68FhqG

Malware Config

Signatures
Modifies WinLogon for persistence (2 TTPs, 19 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gmsghs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gmsghs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | rfyzcmqobpi.exe
Pykspa family
UAC bypass (3 TTPs, 28 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | gmsghs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | gmsghs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gmsghs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gmsghs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | gmsghs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | gmsghs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | gmsghs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | gmsghs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | rfyzcmqobpi.exe
Detect Pykspa worm (2 IoCs)
resource | yara_rule
behavioral1/files/0x01ad0000000221a8-4.dat | family_pykspa
behavioral1/files/0x0008000000024223-86.dat | family_pykspa
Adds policy Run key to start application (2 TTPs, 63 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyjciyfrzlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gauwlkavmhczblxqdkcw.exe" | gmsghs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kymirkujujyplp = "tmfgushbrlfbclwoagx.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kymirkujujyplp = "vqloeevrjfbzcnauiqjez.exe" | gmsghs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyjciyfrzlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmfgushbrlfbclwoagx.exe" | gmsghs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kymirkujujyplp = "zqhgsobthzrlkraqa.exe" | rfyzcmqobpi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kymirkujujyplp = "iassfcqjyrkffnxoze.exe" | rfyzcmqobpi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kymirkujujyplp = "siywhcofsjatrxfu.exe" | rfyzcmqobpi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyjciyfrzlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iassfcqjyrkffnxoze.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kymirkujujyplp = "siywhcofsjatrxfu.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kymirkujujyplp = "gauwlkavmhczblxqdkcw.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kymirkujujyplp = "vqloeevrjfbzcnauiqjez.exe" | rfyzcmqobpi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyjciyfrzlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gauwlkavmhczblxqdkcw.exe" | rfyzcmqobpi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyjciyfrzlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iassfcqjyrkffnxoze.exe" | gmsghs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kymirkujujyplp = "iassfcqjyrkffnxoze.exe" | rfyzcmqobpi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | gmsghs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kymirkujujyplp = "zqhgsobthzrlkraqa.exe" | gmsghs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyjciyfrzlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iassfcqjyrkffnxoze.exe" | gmsghs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyjciyfrzlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\siywhcofsjatrxfu.exe" | rfyzcmqobpi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyjciyfrzlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vqloeevrjfbzcnauiqjez.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyjciyfrzlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iassfcqjyrkffnxoze.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyjciyfrzlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmfgushbrlfbclwoagx.exe" | gmsghs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kymirkujujyplp = "gauwlkavmhczblxqdkcw.exe" | gmsghs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kymirkujujyplp = "zqhgsobthzrlkraqa.exe" | rfyzcmqobpi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kymirkujujyplp = "tmfgushbrlfbclwoagx.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kymirkujujyplp = "tmfgushbrlfbclwoagx.exe" | gmsghs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyjciyfrzlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gauwlkavmhczblxqdkcw.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kymirkujujyplp = "siywhcofsjatrxfu.exe" | rfyzcmqobpi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kymirkujujyplp = "iassfcqjyrkffnxoze.exe" | gmsghs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyjciyfrzlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gauwlkavmhczblxqdkcw.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kymirkujujyplp = "gauwlkavmhczblxqdkcw.exe" | rfyzcmqobpi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | gmsghs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyjciyfrzlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iassfcqjyrkffnxoze.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kymirkujujyplp = "iassfcqjyrkffnxoze.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyjciyfrzlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqhgsobthzrlkraqa.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyjciyfrzlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqhgsobthzrlkraqa.exe" | rfyzcmqobpi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | rfyzcmqobpi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyjciyfrzlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gauwlkavmhczblxqdkcw.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kymirkujujyplp = "gauwlkavmhczblxqdkcw.exe" | rfyzcmqobpi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | rfyzcmqobpi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyjciyfrzlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqhgsobthzrlkraqa.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kymirkujujyplp = "zqhgsobthzrlkraqa.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyjciyfrzlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gauwlkavmhczblxqdkcw.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyjciyfrzlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vqloeevrjfbzcnauiqjez.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyjciyfrzlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\siywhcofsjatrxfu.exe" | gmsghs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyjciyfrzlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iassfcqjyrkffnxoze.exe" | rfyzcmqobpi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kymirkujujyplp = "iassfcqjyrkffnxoze.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyjciyfrzlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vqloeevrjfbzcnauiqjez.exe" | gmsghs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyjciyfrzlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqhgsobthzrlkraqa.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kymirkujujyplp = "tmfgushbrlfbclwoagx.exe" | gmsghs.exe
Disables RegEdit via registry modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | gmsghs.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | gmsghs.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | gmsghs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | gmsghs.exe
Checks computer location settings (2 TTPs, 64 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | tmfgushbrlfbclwoagx.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | siywhcofsjatrxfu.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | zqhgsobthzrlkraqa.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | gauwlkavmhczblxqdkcw.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | iassfcqjyrkffnxoze.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | vqloeevrjfbzcnauiqjez.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | gauwlkavmhczblxqdkcw.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | zqhgsobthzrlkraqa.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | gauwlkavmhczblxqdkcw.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | siywhcofsjatrxfu.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | iassfcqjyrkffnxoze.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | gauwlkavmhczblxqdkcw.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | tmfgushbrlfbclwoagx.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | siywhcofsjatrxfu.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | tmfgushbrlfbclwoagx.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | gauwlkavmhczblxqdkcw.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | gauwlkavmhczblxqdkcw.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | tmfgushbrlfbclwoagx.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | tmfgushbrlfbclwoagx.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | siywhcofsjatrxfu.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | iassfcqjyrkffnxoze.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | tmfgushbrlfbclwoagx.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | zqhgsobthzrlkraqa.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | siywhcofsjatrxfu.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | gauwlkavmhczblxqdkcw.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | tmfgushbrlfbclwoagx.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | gauwlkavmhczblxqdkcw.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | siywhcofsjatrxfu.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | gauwlkavmhczblxqdkcw.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | iassfcqjyrkffnxoze.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | iassfcqjyrkffnxoze.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | gauwlkavmhczblxqdkcw.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | vqloeevrjfbzcnauiqjez.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | gauwlkavmhczblxqdkcw.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | zqhgsobthzrlkraqa.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | siywhcofsjatrxfu.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | zqhgsobthzrlkraqa.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | siywhcofsjatrxfu.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | zqhgsobthzrlkraqa.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | tmfgushbrlfbclwoagx.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | vqloeevrjfbzcnauiqjez.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | vqloeevrjfbzcnauiqjez.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | tmfgushbrlfbclwoagx.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | vqloeevrjfbzcnauiqjez.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | zqhgsobthzrlkraqa.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | zqhgsobthzrlkraqa.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | tmfgushbrlfbclwoagx.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | gauwlkavmhczblxqdkcw.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | siywhcofsjatrxfu.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | tmfgushbrlfbclwoagx.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | siywhcofsjatrxfu.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | iassfcqjyrkffnxoze.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | zqhgsobthzrlkraqa.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | siywhcofsjatrxfu.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | gauwlkavmhczblxqdkcw.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | gauwlkavmhczblxqdkcw.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | zqhgsobthzrlkraqa.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | iassfcqjyrkffnxoze.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | siywhcofsjatrxfu.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | gauwlkavmhczblxqdkcw.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | iassfcqjyrkffnxoze.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | gauwlkavmhczblxqdkcw.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | zqhgsobthzrlkraqa.exe
Executes dropped EXE (64 IoCs)
pid | Process
5236 | rfyzcmqobpi.exe
4640 | zqhgsobthzrlkraqa.exe
4848 | iassfcqjyrkffnxoze.exe
2884 | rfyzcmqobpi.exe
4704 | vqloeevrjfbzcnauiqjez.exe
5056 | gauwlkavmhczblxqdkcw.exe
4984 | zqhgsobthzrlkraqa.exe
5004 | rfyzcmqobpi.exe
3292 | siywhcofsjatrxfu.exe
4156 | rfyzcmqobpi.exe
1928 | iassfcqjyrkffnxoze.exe
3452 | gauwlkavmhczblxqdkcw.exe
1596 | rfyzcmqobpi.exe
3680 | gmsghs.exe
4616 | gmsghs.exe
944 | gauwlkavmhczblxqdkcw.exe
3192 | vqloeevrjfbzcnauiqjez.exe
4408 | siywhcofsjatrxfu.exe
912 | iassfcqjyrkffnxoze.exe
3104 | rfyzcmqobpi.exe
960 | rfyzcmqobpi.exe
224 | vqloeevrjfbzcnauiqjez.exe
5048 | siywhcofsjatrxfu.exe
5720 | tmfgushbrlfbclwoagx.exe
4512 | iassfcqjyrkffnxoze.exe
3636 | zqhgsobthzrlkraqa.exe
4580 | gauwlkavmhczblxqdkcw.exe
2840 | tmfgushbrlfbclwoagx.exe
4720 | rfyzcmqobpi.exe
4876 | rfyzcmqobpi.exe
4624 | rfyzcmqobpi.exe
5284 | zqhgsobthzrlkraqa.exe
5336 | tmfgushbrlfbclwoagx.exe
4008 | gauwlkavmhczblxqdkcw.exe
2756 | siywhcofsjatrxfu.exe
5460 | iassfcqjyrkffnxoze.exe
5116 | rfyzcmqobpi.exe
1092 | rfyzcmqobpi.exe
4276 | rfyzcmqobpi.exe
5984 | iassfcqjyrkffnxoze.exe
2184 | zqhgsobthzrlkraqa.exe
4332 | rfyzcmqobpi.exe
1524 | vqloeevrjfbzcnauiqjez.exe
5272 | iassfcqjyrkffnxoze.exe
3548 | iassfcqjyrkffnxoze.exe
5808 | rfyzcmqobpi.exe
3088 | gauwlkavmhczblxqdkcw.exe
1776 | rfyzcmqobpi.exe
5696 | siywhcofsjatrxfu.exe
4044 | zqhgsobthzrlkraqa.exe
5848 | rfyzcmqobpi.exe
2548 | vqloeevrjfbzcnauiqjez.exe
1952 | gauwlkavmhczblxqdkcw.exe
656 | vqloeevrjfbzcnauiqjez.exe
2092 | siywhcofsjatrxfu.exe
3456 | iassfcqjyrkffnxoze.exe
6004 | siywhcofsjatrxfu.exe
3428 | rfyzcmqobpi.exe
5100 | rfyzcmqobpi.exe
4892 | rfyzcmqobpi.exe
4872 | zqhgsobthzrlkraqa.exe
2708 | vqloeevrjfbzcnauiqjez.exe
5384 | tmfgushbrlfbclwoagx.exe
1588 | siywhcofsjatrxfu.exe
Impair Defenses: Safe Mode Boot (1 TTPs, 6 IoCs)
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | gmsghs.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | gmsghs.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | gmsghs.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | gmsghs.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | gmsghs.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | gmsghs.exe
Adds Run key to start application (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ncroysdtfvldafm = "vqloeevrjfbzcnauiqjez.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kwicjaiveret = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iassfcqjyrkffnxoze.exe" | gmsghs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kwicjaiveret = "iassfcqjyrkffnxoze.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kwicjaiveret = "zqhgsobthzrlkraqa.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jwjemenblzndy = "siywhcofsjatrxfu.exe ." | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\siywhcofsjatrxfu = "gauwlkavmhczblxqdkcw.exe ." | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zqhgsobthzrlkraqa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gauwlkavmhczblxqdkcw.exe ." | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kwicjaiveret = "gauwlkavmhczblxqdkcw.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iassfcqjyrkffnxoze = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmfgushbrlfbclwoagx.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kwicjaiveret = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqhgsobthzrlkraqa.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kwicjaiveret = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqhgsobthzrlkraqa.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kwicjaiveret = "siywhcofsjatrxfu.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ncroysdtfvldafm = "iassfcqjyrkffnxoze.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jwjemenblzndy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gauwlkavmhczblxqdkcw.exe ." | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\siywhcofsjatrxfu = "zqhgsobthzrlkraqa.exe ." | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zqhgsobthzrlkraqa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gauwlkavmhczblxqdkcw.exe ." | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iassfcqjyrkffnxoze = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vqloeevrjfbzcnauiqjez.exe" | gmsghs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iassfcqjyrkffnxoze = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqhgsobthzrlkraqa.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kwicjaiveret = "vqloeevrjfbzcnauiqjez.exe" | gmsghs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kwicjaiveret = "zqhgsobthzrlkraqa.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jwjemenblzndy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vqloeevrjfbzcnauiqjez.exe ." | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\siywhcofsjatrxfu = "iassfcqjyrkffnxoze.exe ." | gmsghs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kwicjaiveret = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqhgsobthzrlkraqa.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\siywhcofsjatrxfu = "vqloeevrjfbzcnauiqjez.exe ." | gmsghs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iassfcqjyrkffnxoze = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vqloeevrjfbzcnauiqjez.exe" | gmsghs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kwicjaiveret = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iassfcqjyrkffnxoze.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zqhgsobthzrlkraqa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iassfcqjyrkffnxoze.exe ." | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ncroysdtfvldafm = "vqloeevrjfbzcnauiqjez.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jwjemenblzndy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gauwlkavmhczblxqdkcw.exe ." | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\siywhcofsjatrxfu = "zqhgsobthzrlkraqa.exe ." | gmsghs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iassfcqjyrkffnxoze = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iassfcqjyrkffnxoze.exe" | gmsghs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kwicjaiveret = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vqloeevrjfbzcnauiqjez.exe" | gmsghs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jwjemenblzndy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iassfcqjyrkffnxoze.exe ." | gmsghs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jwjemenblzndy = "tmfgushbrlfbclwoagx.exe ." |
rfyzcmqobpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zqhgsobthzrlkraqa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gauwlkavmhczblxqdkcw.exe ." rfyzcmqobpi.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kwicjaiveret = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gauwlkavmhczblxqdkcw.exe" gmsghs.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\siywhcofsjatrxfu = "iassfcqjyrkffnxoze.exe ." rfyzcmqobpi.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kwicjaiveret = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqhgsobthzrlkraqa.exe" rfyzcmqobpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jwjemenblzndy = "vqloeevrjfbzcnauiqjez.exe ." rfyzcmqobpi.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ncroysdtfvldafm = "tmfgushbrlfbclwoagx.exe" rfyzcmqobpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iassfcqjyrkffnxoze = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqhgsobthzrlkraqa.exe" gmsghs.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kwicjaiveret = "C:\\Users\\Admin\\AppData\\Local\\Temp\\siywhcofsjatrxfu.exe" rfyzcmqobpi.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ncroysdtfvldafm = "tmfgushbrlfbclwoagx.exe" gmsghs.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jwjemenblzndy = "iassfcqjyrkffnxoze.exe ." 
rfyzcmqobpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zqhgsobthzrlkraqa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gauwlkavmhczblxqdkcw.exe ." rfyzcmqobpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jwjemenblzndy = "siywhcofsjatrxfu.exe ." rfyzcmqobpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zqhgsobthzrlkraqa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gauwlkavmhczblxqdkcw.exe ." gmsghs.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\siywhcofsjatrxfu = "iassfcqjyrkffnxoze.exe ." rfyzcmqobpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iassfcqjyrkffnxoze = "C:\\Users\\Admin\\AppData\\Local\\Temp\\siywhcofsjatrxfu.exe" rfyzcmqobpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iassfcqjyrkffnxoze = "C:\\Users\\Admin\\AppData\\Local\\Temp\\siywhcofsjatrxfu.exe" rfyzcmqobpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kwicjaiveret = "tmfgushbrlfbclwoagx.exe" rfyzcmqobpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kwicjaiveret = "gauwlkavmhczblxqdkcw.exe" gmsghs.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kwicjaiveret = "iassfcqjyrkffnxoze.exe" gmsghs.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iassfcqjyrkffnxoze = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmfgushbrlfbclwoagx.exe" gmsghs.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kwicjaiveret = "C:\\Users\\Admin\\AppData\\Local\\Temp\\siywhcofsjatrxfu.exe" gmsghs.exe Set value (str) 
\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jwjemenblzndy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqhgsobthzrlkraqa.exe ." rfyzcmqobpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jwjemenblzndy = "gauwlkavmhczblxqdkcw.exe ." rfyzcmqobpi.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jwjemenblzndy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmfgushbrlfbclwoagx.exe ." gmsghs.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\siywhcofsjatrxfu = "gauwlkavmhczblxqdkcw.exe ." rfyzcmqobpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zqhgsobthzrlkraqa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\siywhcofsjatrxfu.exe ." rfyzcmqobpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zqhgsobthzrlkraqa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\siywhcofsjatrxfu.exe ." rfyzcmqobpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kwicjaiveret = "siywhcofsjatrxfu.exe" rfyzcmqobpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kwicjaiveret = "iassfcqjyrkffnxoze.exe" rfyzcmqobpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kwicjaiveret = "zqhgsobthzrlkraqa.exe" gmsghs.exe -
Checks whether UAC is enabled 1 TTPs 38 IoCs
-
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possibly turns off User Account Control's privilege elevation for standard users.
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" rfyzcmqobpi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" gmsghs.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" gmsghs.exe
-
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc
17 www.showmyipaddress.com
26 www.whatismyip.ca
27 whatismyip.everdot.org
30 www.whatismyip.ca
34 www.whatismyip.ca
14 whatismyipaddress.com
-
Drops file in System32 directory 64 IoCs
-
Drops file in Program Files directory 4 IoCs
description ioc Process
File opened for modification C:\Program Files (x86)\wwwezeabyzadlbtslywwwe.eab gmsghs.exe
File created C:\Program Files (x86)\wwwezeabyzadlbtslywwwe.eab gmsghs.exe
File opened for modification C:\Program Files (x86)\nyjciyfrzlxlefiswudozsyovhpbnbuvy.mkt gmsghs.exe
File created C:\Program Files (x86)\nyjciyfrzlxlefiswudozsyovhpbnbuvy.mkt gmsghs.exe
-
Drops file in Windows directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid    Process                                                rows
2276   JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe    60
3680   gmsghs.exe                                             4
(64 rows in the original table, collapsed by pid; the four gmsghs.exe rows appear as two pairs interleaved with the sample's own rows)
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description               pid    Process
Token: SeDebugPrivilege   3680   gmsghs.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description (writer PID wrote to memory of target PID)   Process (writer)                                        procid_target   rows
2276 wrote to memory of 5236                             JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe    88              3
1012 wrote to memory of 4640                             cmd.exe                                                 91              3
4756 wrote to memory of 4848                             cmd.exe                                                 94              3
4848 wrote to memory of 2884                             iassfcqjyrkffnxoze.exe                                  97              3
4752 wrote to memory of 4704                             cmd.exe                                                 100             3
3420 wrote to memory of 5056                             cmd.exe                                                 103             3
864 wrote to memory of 4984                              cmd.exe                                                 106             3
5056 wrote to memory of 5004                             gauwlkavmhczblxqdkcw.exe                                107             3
3068 wrote to memory of 3292                             cmd.exe                                                 108             3
3292 wrote to memory of 4156                             siywhcofsjatrxfu.exe                                    114             3
2184 wrote to memory of 1928                             cmd.exe                                                 113             3
6096 wrote to memory of 3452                             cmd.exe                                                 115             3
3452 wrote to memory of 1596                             gauwlkavmhczblxqdkcw.exe                                282             3
5236 wrote to memory of 3680                             rfyzcmqobpi.exe                                         119             3
5236 wrote to memory of 4616                             rfyzcmqobpi.exe                                         120             3
5640 wrote to memory of 944                              cmd.exe                                                 125             3
4236 wrote to memory of 3192                             cmd.exe                                                 127             3
5864 wrote to memory of 4408                             cmd.exe                                                 133             3
1728 wrote to memory of 912                              cmd.exe                                                 212             3
4408 wrote to memory of 3104                             siywhcofsjatrxfu.exe                                    141             3
912 wrote to memory of 960                               iassfcqjyrkffnxoze.exe                                  148             3
4092 wrote to memory of 224                              cmd.exe                                                 153             1
(64 rows in the original table, listed in order and collapsed by identical row; each process creation appears three times, the last edge is cut off by the 64-row limit)
-
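The WriteProcessMemory table above is the raw material for a parent/child graph of the run, but flattened and triplicated it is hard to read. The script below is an added example for this report, not sandbox output or code from the sample: it parses rows in the layout shown above ("PID <writer> wrote to memory of <target> <writer> <image> <procid_target>"), collapses the repeats, and walks the edges. It assumes procid_target is the sandbox's own identifier of the target process that is not reused within the run, which matters because Windows PIDs are: the process tree below lists 3420, 912, 2184 and 5236 for more than one process each. The sample text is a constructed excerpt of six edges taken from the table.

```python
"""Rebuild parent -> child process edges from flattened
"Suspicious use of WriteProcessMemory" rows.

Added example; assumes the row layout of the report above and that
procid_target is a run-unique id of the target process (Windows PIDs
are reused within the run, so edges are keyed by that id, not the PID).
"""
import re
from collections import Counter, defaultdict

# Constructed excerpt: six edges copied from the table above, each
# repeated three times exactly as the report lists them.
_EDGES = [
    "PID 2276 wrote to memory of 5236 2276 JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe 88",
    "PID 1012 wrote to memory of 4640 1012 cmd.exe 91",
    "PID 4756 wrote to memory of 4848 4756 cmd.exe 94",
    "PID 4848 wrote to memory of 2884 4848 iassfcqjyrkffnxoze.exe 97",
    "PID 5236 wrote to memory of 3680 5236 rfyzcmqobpi.exe 119",
    "PID 5236 wrote to memory of 4616 5236 rfyzcmqobpi.exe 120",
]
SAMPLE_ROWS = " ".join(row for row in _EDGES for _ in range(3))

# writer PID, target PID, writer PID again, writer image, procid_target
ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")


def parse_rows(text):
    """Return (writer_pid, target_pid, writer_image, target_id) in report order."""
    return [(int(w), int(t), img, int(tid)) for w, t, img, tid in ROW.findall(text)]


def edge_counts(rows):
    """How often each edge is listed. Process creation produces a short burst
    of writes into the new child, so about three rows per edge is the normal
    signature; one edge with a far higher count would suggest injection into
    an already running process rather than creation of a child."""
    return Counter((w, tid, img) for w, _, img, tid in rows)


def parent_of(rows):
    """procid_target -> (writer_pid, writer_image), keyed by the stable id."""
    return {tid: (w, img) for w, _, img, tid in rows}


def descendants(rows, root_pid):
    """All target PIDs reachable from root_pid through write edges."""
    children = defaultdict(set)
    for w, t, _, _ in rows:
        children[w].add(t)
    seen, stack = set(), [root_pid]
    while stack:
        pid = stack.pop()
        for child in children[pid]:
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return seen


def spawners(rows):
    """Writer image -> number of distinct targets. Any image here other than
    the submitted sample and cmd.exe is a dropped stage creating processes."""
    targets = defaultdict(set)
    for _, _, img, tid in rows:
        targets[img].add(tid)
    return {img: len(t) for img, t in targets.items()}


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    for (w, tid, img), n in edge_counts(rows).items():
        print(f"{img} (PID {w}) -> target #{tid}: {n} rows")
    print("spawned by the sample (PID 2276):", sorted(descendants(rows, 2276)))
    print("spawners:", spawners(rows))
```

Run against the full table the same code shows the two-hop pattern that repeats through the process tree: cmd.exe starts a dropped executable, which in turn starts rfyzcmqobpi.exe; the only direct children of the submitted sample are rfyzcmqobpi.exe (5236) and, through it, the two gmsghs.exe instances.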
System policy modification 1 TTPs 64 IoCs
description       ioc                                                                                                    Process           rows
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                      rfyzcmqobpi.exe   16
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                      gmsghs.exe        2
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"     rfyzcmqobpi.exe   1
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"     gmsghs.exe        2
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"      rfyzcmqobpi.exe   1
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"      gmsghs.exe        2
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"          rfyzcmqobpi.exe   1
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"       rfyzcmqobpi.exe   1
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"       gmsghs.exe        2
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"           rfyzcmqobpi.exe   1
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"           gmsghs.exe        1
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"    rfyzcmqobpi.exe   1
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"    gmsghs.exe        2
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"           rfyzcmqobpi.exe   1
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"           gmsghs.exe        2
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"           rfyzcmqobpi.exe   1
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"           gmsghs.exe        2
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"           rfyzcmqobpi.exe   1
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"           gmsghs.exe        2
Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                                     rfyzcmqobpi.exe   17
Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                                     gmsghs.exe        2
Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer                                   rfyzcmqobpi.exe   1
Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer                                   gmsghs.exe        2
(64 rows in the original table, collapsed by identical description, ioc and Process; rows = number of times the row appears. The repeated EnableLUA writes are the same value rewritten by each rfyzcmqobpi.exe instance in the process tree.)
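The policy rows above are individually terse; what matters to a responder is the combined effect on UAC and on the user's ability to clean up. The script below is an added example for this report, not sandbox output or code from the sample. It parses rows in the layout shown above ('Set value (int) <key>\<name> = "<data>" <image>' and 'Key created <key> <image>', either one per line or run together as the report prints them) and attaches to each value the documented Windows meaning of that registry setting, which the report itself does not state. The sample rows are a constructed excerpt of the table.

```python
"""Classify flattened "System policy modification" rows into a UAC / policy
posture summary.

Added example; the row layout is the sandbox report's, the meaning attached
to each value is the documented Windows semantics of that policy value.
"""
import re
from collections import Counter

POL = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies"

# Constructed excerpt of the rows above, one per line.
SAMPLE_ROWS = rf"""
Set value (int) {POL}\System\ConsentPromptBehaviorUser = "0" rfyzcmqobpi.exe
Set value (int) {POL}\System\DisableRegistryTools = "1" gmsghs.exe
Key created {POL}\Explorer gmsghs.exe
Set value (int) {POL}\System\EnableLUA = "0" rfyzcmqobpi.exe
Set value (int) {POL}\System\EnableLUA = "0" rfyzcmqobpi.exe
Key created {POL}\System rfyzcmqobpi.exe
Set value (int) {POL}\System\EnableSecureUIAPaths = "0" gmsghs.exe
Set value (int) {POL}\System\ConsentPromptBehaviorAdmin = "0" rfyzcmqobpi.exe
Set value (int) {POL}\System\PromptOnSecureDesktop = "0" rfyzcmqobpi.exe
Set value (int) {POL}\Explorer\NoDriveTypeAutoRun = "1" rfyzcmqobpi.exe
Set value (int) {POL}\System\FilterAdministratorToken = "0" gmsghs.exe
Set value (int) {POL}\System\EnableVirtualization = "0" gmsghs.exe
Set value (int) {POL}\System\ValidateAdminCodeSignatures = "0" gmsghs.exe
"""

SET_ROW = re.compile(r'Set value \((?:int|str)\) (\\REGISTRY\\\S+?)\\([^\\\s]+) = "([^"]*)" (\S+)')
KEY_ROW = re.compile(r'Key created (\\REGISTRY\\\S+) (\S+)')

# (subkey under Policies, value name, data) -> documented effect.
SEMANTICS = {
    ("System", "EnableLUA", "0"):
        "UAC disabled (default 1); after the next logon every admin process gets a full token",
    ("System", "ConsentPromptBehaviorAdmin", "0"):
        "admins elevate with no prompt at all (default 5)",
    ("System", "ConsentPromptBehaviorUser", "0"):
        "standard users' elevation requests are silently denied, no prompt is shown (default 3)",
    ("System", "PromptOnSecureDesktop", "0"):
        "any remaining prompt is drawn on the normal, spoofable desktop (default 1)",
    ("System", "FilterAdministratorToken", "0"):
        "built-in Administrator keeps a full token; this is already the default",
    ("System", "EnableSecureUIAPaths", "0"):
        "UIAccess applications may run from any path (default 1)",
    ("System", "ValidateAdminCodeSignatures", "0"):
        "no Authenticode check on elevating executables; this is already the default",
    ("System", "EnableVirtualization", "0"):
        "UAC file and registry virtualisation off (default 1)",
    ("System", "DisableRegistryTools", "1"):
        "regedit blocked for the user, which hampers manual cleanup (not set by default)",
    ("Explorer", "NoDriveTypeAutoRun", "1"):
        "AutoRun mask 0x01 leaves AutoRun disabled only for unknown drive types; Windows' default mask is 0x91",
}


def parse_policy_rows(text):
    """Return (op, subkey, name, data, image) tuples in report order."""
    rows = []
    for m in SET_ROW.finditer(text):
        key, name, data, image = m.groups()
        rows.append((m.start(), "set", key.rsplit("\\", 1)[1], name, data, image))
    for m in KEY_ROW.finditer(text):
        key, image = m.groups()
        rows.append((m.start(), "create", key.rsplit("\\", 1)[1], None, None, image))
    return [r[1:] for r in sorted(rows)]


def tally(rows):
    """Collapse identical rows, as the summarised table above does."""
    return Counter(rows)


def assess(rows):
    """Map each recognised weakening to the set of images that applied it."""
    out = {}
    for op, subkey, name, data, image in rows:
        if op == "set" and (subkey, name, data) in SEMANTICS:
            out.setdefault(SEMANTICS[(subkey, name, data)], set()).add(image)
    return out


def uac_disabled(rows):
    return any(r[:4] == ("set", "System", "EnableLUA", "0") for r in rows)


if __name__ == "__main__":
    rows = parse_policy_rows(SAMPLE_ROWS)
    print("UAC disabled:", uac_disabled(rows))
    for effect, images in assess(rows).items():
        print(f"- {effect}  [{', '.join(sorted(images))}]")
```

Two caveats when reading the output: EnableLUA = 0 only takes effect at the next logon, so within the 45-second sandbox run the other prompt-suppressing values are what actually stop a UAC dialog from appearing; and since the 2011 AutoRun update Windows ignores AutoRun for non-optical removable media regardless of NoDriveTypeAutoRun, so that write is a worm-era habit with little practical effect on Windows 10.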
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_bdec6237d2f7f80e1250e09df51e3d02.exe*"2⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5236 -
C:\Users\Admin\AppData\Local\Temp\gmsghs.exe"C:\Users\Admin\AppData\Local\Temp\gmsghs.exe" "-C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe"3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3680
-
-
C:\Users\Admin\AppData\Local\Temp\gmsghs.exe"C:\Users\Admin\AppData\Local\Temp\gmsghs.exe" "-C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe"3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4616
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe1⤵
- Suspicious use of WriteProcessMemory
PID:1012 -
C:\Windows\zqhgsobthzrlkraqa.exezqhgsobthzrlkraqa.exe2⤵
- Executes dropped EXE
PID:4640
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:4756 -
C:\Windows\iassfcqjyrkffnxoze.exeiassfcqjyrkffnxoze.exe .2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4848 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iassfcqjyrkffnxoze.exe*."3⤵
- Executes dropped EXE
PID:2884
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe1⤵
- Suspicious use of WriteProcessMemory
PID:4752 -
C:\Windows\vqloeevrjfbzcnauiqjez.exevqloeevrjfbzcnauiqjez.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4704
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:3420 -
C:\Windows\gauwlkavmhczblxqdkcw.exegauwlkavmhczblxqdkcw.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5056 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\gauwlkavmhczblxqdkcw.exe*."3⤵
- Executes dropped EXE
PID:5004
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe1⤵
- Suspicious use of WriteProcessMemory
PID:864 -
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exeC:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4984
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exeC:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3292 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\siywhcofsjatrxfu.exe*."3⤵
- Executes dropped EXE
PID:4156
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe1⤵
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exeC:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe2⤵
- Executes dropped EXE
PID:1928
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:6096 -
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exeC:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3452 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\gauwlkavmhczblxqdkcw.exe*."3⤵
- Executes dropped EXE
PID:1596
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe1⤵
- Suspicious use of WriteProcessMemory
PID:4236 -
C:\Windows\vqloeevrjfbzcnauiqjez.exevqloeevrjfbzcnauiqjez.exe2⤵
- Executes dropped EXE
PID:3192
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe1⤵
- Suspicious use of WriteProcessMemory
PID:5640 -
C:\Windows\gauwlkavmhczblxqdkcw.exegauwlkavmhczblxqdkcw.exe2⤵
- Executes dropped EXE
PID:944
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\iassfcqjyrkffnxoze.exeiassfcqjyrkffnxoze.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:912 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iassfcqjyrkffnxoze.exe*."3⤵
- Executes dropped EXE
PID:960
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:5864 -
C:\Windows\siywhcofsjatrxfu.exesiywhcofsjatrxfu.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4408 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\siywhcofsjatrxfu.exe*."3⤵
- Executes dropped EXE
PID:3104
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe1⤵PID:2540
-
C:\Windows\tmfgushbrlfbclwoagx.exetmfgushbrlfbclwoagx.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5720
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe1⤵
- Suspicious use of WriteProcessMemory
PID:4092 -
C:\Windows\vqloeevrjfbzcnauiqjez.exevqloeevrjfbzcnauiqjez.exe2⤵
- Executes dropped EXE
PID:224
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe .1⤵PID:4464
-
C:\Windows\siywhcofsjatrxfu.exesiywhcofsjatrxfu.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
PID:5048 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\siywhcofsjatrxfu.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4720
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe .1⤵PID:1612
-
C:\Windows\zqhgsobthzrlkraqa.exezqhgsobthzrlkraqa.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
PID:3636 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\zqhgsobthzrlkraqa.exe*."3⤵
- Executes dropped EXE
PID:4876
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe1⤵PID:4348
-
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exeC:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe2⤵
- Executes dropped EXE
PID:2840
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe1⤵PID:5164
-
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exeC:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe2⤵
- Executes dropped EXE
PID:4512
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .1⤵PID:3356
-
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exeC:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4580 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\gauwlkavmhczblxqdkcw.exe*."3⤵
- Executes dropped EXE
PID:4624
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .1⤵PID:1896
-
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exeC:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5284 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\zqhgsobthzrlkraqa.exe*."3⤵
- Executes dropped EXE
PID:5116
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe1⤵PID:5384
-
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exeC:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe2⤵
- Executes dropped EXE
PID:4008
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe1⤵PID:752
-
C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exeC:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe2⤵
- Executes dropped EXE
PID:2756
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .1⤵PID:5656
-
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exeC:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5460 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iassfcqjyrkffnxoze.exe*."3⤵
- Executes dropped EXE
PID:4276
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .1⤵PID:4592
-
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exeC:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5336 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tmfgushbrlfbclwoagx.exe*."3⤵
- Executes dropped EXE
PID:1092
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe1⤵PID:3420
-
C:\Windows\iassfcqjyrkffnxoze.exeiassfcqjyrkffnxoze.exe2⤵
- Executes dropped EXE
PID:5984
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe .1⤵PID:6108
-
C:\Windows\zqhgsobthzrlkraqa.exezqhgsobthzrlkraqa.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2184 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\zqhgsobthzrlkraqa.exe*."3⤵
- Executes dropped EXE
PID:4332
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe1⤵PID:4584
-
C:\Windows\vqloeevrjfbzcnauiqjez.exevqloeevrjfbzcnauiqjez.exe2⤵
- Executes dropped EXE
PID:1524
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe .1⤵PID:2568
-
C:\Windows\iassfcqjyrkffnxoze.exeiassfcqjyrkffnxoze.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
PID:5272 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iassfcqjyrkffnxoze.exe*."3⤵
- Executes dropped EXE
PID:5808
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe1⤵PID:5956
-
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exeC:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe2⤵
- Executes dropped EXE
PID:3548
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .1⤵PID:5620
-
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exeC:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3088 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\gauwlkavmhczblxqdkcw.exe*."3⤵
- Executes dropped EXE
PID:1776
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe1⤵PID:5408
-
C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exeC:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe2⤵
- Executes dropped EXE
PID:5696
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .1⤵PID:5820
-
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exeC:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .2⤵
- Executes dropped EXE
PID:4044 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\zqhgsobthzrlkraqa.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5848
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe1⤵PID:3300
-
C:\Windows\vqloeevrjfbzcnauiqjez.exevqloeevrjfbzcnauiqjez.exe2⤵
- Executes dropped EXE
PID:2548
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe1⤵PID:5544
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:912
-
-
C:\Windows\vqloeevrjfbzcnauiqjez.exevqloeevrjfbzcnauiqjez.exe2⤵
- Executes dropped EXE
PID:656
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe1⤵PID:5036
-
C:\Windows\gauwlkavmhczblxqdkcw.exegauwlkavmhczblxqdkcw.exe2⤵
- Executes dropped EXE
PID:1952
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe .1⤵PID:5236
-
C:\Windows\siywhcofsjatrxfu.exesiywhcofsjatrxfu.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2092 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\siywhcofsjatrxfu.exe*."3⤵
- Executes dropped EXE
PID:3428
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe .1⤵PID:3372
-
C:\Windows\iassfcqjyrkffnxoze.exeiassfcqjyrkffnxoze.exe .2⤵
- Executes dropped EXE
PID:3456 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iassfcqjyrkffnxoze.exe*."3⤵
- Executes dropped EXE
PID:4892
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe .1⤵PID:5720
-
C:\Windows\siywhcofsjatrxfu.exesiywhcofsjatrxfu.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6004 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\siywhcofsjatrxfu.exe*."3⤵
- Executes dropped EXE
PID:5100
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe1⤵PID:4548
-
C:\Windows\vqloeevrjfbzcnauiqjez.exevqloeevrjfbzcnauiqjez.exe2⤵
- Executes dropped EXE
PID:2708
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe1⤵PID:3468
-
C:\Windows\zqhgsobthzrlkraqa.exezqhgsobthzrlkraqa.exe2⤵
- Executes dropped EXE
PID:4872
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe .1⤵PID:2348
-
C:\Windows\tmfgushbrlfbclwoagx.exetmfgushbrlfbclwoagx.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5384 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tmfgushbrlfbclwoagx.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1584
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe1⤵PID:4712
-
C:\Windows\iassfcqjyrkffnxoze.exeiassfcqjyrkffnxoze.exe2⤵PID:4732
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe .1⤵PID:3052
-
C:\Windows\iassfcqjyrkffnxoze.exeiassfcqjyrkffnxoze.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2944 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iassfcqjyrkffnxoze.exe*."3⤵PID:2240
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe1⤵PID:2152
-
C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exeC:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe2⤵
- Executes dropped EXE
PID:1588
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe .1⤵PID:2540
-
C:\Windows\gauwlkavmhczblxqdkcw.exegauwlkavmhczblxqdkcw.exe .2⤵PID:4276
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\gauwlkavmhczblxqdkcw.exe*."3⤵PID:6036
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe1⤵PID:2916
-
C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exeC:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe2⤵
- System Location Discovery: System Language Discovery
PID:4744
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe1⤵PID:4848
-
C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exeC:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe2⤵PID:428
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .1⤵PID:2300
-
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exeC:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3452 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\gauwlkavmhczblxqdkcw.exe*."3⤵PID:2612
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .1⤵PID:3076
-
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exeC:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4884 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tmfgushbrlfbclwoagx.exe*."3⤵PID:1068
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .1⤵PID:5536
-
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exeC:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3088 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\zqhgsobthzrlkraqa.exe*."3⤵PID:1968
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe1⤵PID:4492
-
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exeC:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe2⤵PID:6108
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe1⤵PID:2776
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1092
-
-
C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exeC:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe2⤵PID:5084
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe1⤵PID:4756
-
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exeC:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe2⤵PID:1296
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .1⤵PID:5484
-
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exeC:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .2⤵
- Checks computer location settings
PID:3524 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\zqhgsobthzrlkraqa.exe*."3⤵PID:5400
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .1⤵PID:2772
-
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exeC:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5860 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tmfgushbrlfbclwoagx.exe*."3⤵PID:2568
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .1⤵PID:5548
-
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exeC:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .2⤵
- Checks computer location settings
PID:4980 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iassfcqjyrkffnxoze.exe*."3⤵PID:1596
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe1⤵PID:4828
-
C:\Windows\zqhgsobthzrlkraqa.exezqhgsobthzrlkraqa.exe2⤵PID:916
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe .1⤵PID:3312
-
C:\Windows\gauwlkavmhczblxqdkcw.exegauwlkavmhczblxqdkcw.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4236 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\gauwlkavmhczblxqdkcw.exe*."3⤵PID:1088
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe1⤵PID:2368
-
C:\Windows\siywhcofsjatrxfu.exesiywhcofsjatrxfu.exe2⤵PID:2548
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe .1⤵PID:5248
-
C:\Windows\iassfcqjyrkffnxoze.exeiassfcqjyrkffnxoze.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3184 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iassfcqjyrkffnxoze.exe*."3⤵PID:3632
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe1⤵PID:5924
-
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exeC:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe2⤵PID:5660
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe .1⤵PID:6092
-
C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exeC:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4036 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\siywhcofsjatrxfu.exe*."3⤵PID:4348
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe1⤵PID:4676
-
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exeC:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe2⤵PID:4512
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe .1⤵PID:3492
-
C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exeC:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3496 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\siywhcofsjatrxfu.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4608
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe1⤵PID:4836
-
C:\Windows\zqhgsobthzrlkraqa.exezqhgsobthzrlkraqa.exe2⤵PID:5952
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe .1⤵PID:4776
-
C:\Windows\gauwlkavmhczblxqdkcw.exegauwlkavmhczblxqdkcw.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4548 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\gauwlkavmhczblxqdkcw.exe*."3⤵PID:4920
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe1⤵PID:728
-
C:\Windows\iassfcqjyrkffnxoze.exeiassfcqjyrkffnxoze.exe2⤵PID:4716
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe .1⤵PID:4580
-
C:\Windows\siywhcofsjatrxfu.exesiywhcofsjatrxfu.exe .2⤵PID:5292
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\siywhcofsjatrxfu.exe*."3⤵PID:3084
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe1⤵PID:4808
-
C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exeC:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe2⤵PID:1720
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .1⤵PID:972
-
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exeC:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:908 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iassfcqjyrkffnxoze.exe*."3⤵PID:2880
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe1⤵PID:5164
-
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exeC:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe2⤵PID:4492
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe .1⤵PID:5524
-
C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exeC:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe .2⤵
- System Location Discovery: System Language Discovery
PID:6048 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\siywhcofsjatrxfu.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2980
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe1⤵PID:5956
-
C:\Windows\siywhcofsjatrxfu.exesiywhcofsjatrxfu.exe2⤵PID:3536
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe .1⤵PID:2200
-
C:\Windows\iassfcqjyrkffnxoze.exeiassfcqjyrkffnxoze.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5656 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iassfcqjyrkffnxoze.exe*."3⤵PID:4288
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe1⤵PID:4436
-
C:\Windows\vqloeevrjfbzcnauiqjez.exevqloeevrjfbzcnauiqjez.exe2⤵PID:2884
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe .1⤵PID:4592
-
C:\Windows\gauwlkavmhczblxqdkcw.exegauwlkavmhczblxqdkcw.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3848 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\gauwlkavmhczblxqdkcw.exe*."3⤵PID:1424
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe1⤵PID:5728
-
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exeC:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe2⤵PID:4652
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .1⤵PID:6124
-
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exeC:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1016 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\zqhgsobthzrlkraqa.exe*."3⤵PID:5312
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe1⤵PID:5320
-
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exeC:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe2⤵PID:4720
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .1⤵PID:3516
-
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exeC:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .2⤵
- Checks computer location settings
PID:4796 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\gauwlkavmhczblxqdkcw.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1008
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe1⤵PID:5072
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4236
-
-
C:\Windows\vqloeevrjfbzcnauiqjez.exevqloeevrjfbzcnauiqjez.exe2⤵PID:1672
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe .1⤵PID:364
-
C:\Windows\siywhcofsjatrxfu.exesiywhcofsjatrxfu.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2548 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\siywhcofsjatrxfu.exe*."3⤵PID:4204
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe1⤵PID:1180
-
C:\Windows\iassfcqjyrkffnxoze.exeiassfcqjyrkffnxoze.exe2⤵PID:2836
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe .1⤵PID:1136
-
C:\Windows\zqhgsobthzrlkraqa.exezqhgsobthzrlkraqa.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3856 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\zqhgsobthzrlkraqa.exe*."3⤵PID:1072
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe1⤵PID:4588
-
C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exeC:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe2⤵PID:2092
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .1⤵PID:1960
-
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exeC:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .2⤵
- Checks computer location settings
PID:4092 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\gauwlkavmhczblxqdkcw.exe*."3⤵PID:5544
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe1⤵PID:5368
-
C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exeC:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe2⤵PID:5356
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .1⤵PID:2172
-
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exeC:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .2⤵PID:752
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\zqhgsobthzrlkraqa.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5100
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe1⤵PID:1812
-
C:\Windows\iassfcqjyrkffnxoze.exeiassfcqjyrkffnxoze.exe2⤵PID:3404
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe .1⤵PID:5196
-
C:\Windows\tmfgushbrlfbclwoagx.exetmfgushbrlfbclwoagx.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4332 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tmfgushbrlfbclwoagx.exe*."3⤵PID:4076
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe1⤵PID:1540
-
C:\Windows\iassfcqjyrkffnxoze.exeiassfcqjyrkffnxoze.exe2⤵PID:4988
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe .1⤵PID:4844
-
C:\Windows\tmfgushbrlfbclwoagx.exetmfgushbrlfbclwoagx.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4940 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tmfgushbrlfbclwoagx.exe*."3⤵PID:1612
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe1⤵PID:5440
-
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exeC:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe2⤵PID:4504
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .1⤵PID:4808
-
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exeC:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3452 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tmfgushbrlfbclwoagx.exe*."3⤵PID:4848
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe1⤵PID:5184
-
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exeC:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe2⤵PID:4800
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .1⤵PID:1064
-
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exeC:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .2⤵
- Checks computer location settings
PID:4608 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iassfcqjyrkffnxoze.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:6048
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe1⤵PID:4528
-
C:\Windows\tmfgushbrlfbclwoagx.exetmfgushbrlfbclwoagx.exe2⤵PID:1068
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe .1⤵PID:4884
-
C:\Windows\siywhcofsjatrxfu.exesiywhcofsjatrxfu.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3628 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\siywhcofsjatrxfu.exe*."3⤵PID:2568
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe1⤵PID:5712
-
C:\Windows\gauwlkavmhczblxqdkcw.exegauwlkavmhczblxqdkcw.exe2⤵PID:4028
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe .1⤵PID:5656
-
C:\Windows\gauwlkavmhczblxqdkcw.exegauwlkavmhczblxqdkcw.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4628 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\gauwlkavmhczblxqdkcw.exe*."3⤵PID:1496
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe1⤵PID:4056
-
C:\Windows\gauwlkavmhczblxqdkcw.exegauwlkavmhczblxqdkcw.exe2⤵PID:4404
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe1⤵PID:5716
-
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exeC:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe2⤵PID:4344
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe1⤵PID:4308
-
C:\Windows\siywhcofsjatrxfu.exesiywhcofsjatrxfu.exe2⤵PID:4044
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe .1⤵PID:1084
-
C:\Windows\iassfcqjyrkffnxoze.exeiassfcqjyrkffnxoze.exe .2⤵
- Checks computer location settings
PID:5636 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iassfcqjyrkffnxoze.exe*."3⤵PID:4092
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .1⤵PID:2184
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5696
-
-
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exeC:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:864 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\gauwlkavmhczblxqdkcw.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:224
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe .1⤵PID:2056
-
C:\Windows\siywhcofsjatrxfu.exesiywhcofsjatrxfu.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3516 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\siywhcofsjatrxfu.exe*."3⤵PID:6104
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe1⤵PID:5104
-
C:\Windows\siywhcofsjatrxfu.exesiywhcofsjatrxfu.exe2⤵PID:2840
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe1⤵PID:4828
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2944
-
-
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exeC:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe2⤵PID:4348
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe .1⤵PID:3264
-
C:\Windows\vqloeevrjfbzcnauiqjez.exevqloeevrjfbzcnauiqjez.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4116 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\vqloeevrjfbzcnauiqjez.exe*."3⤵PID:5992
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe1⤵PID:944
-
C:\Windows\tmfgushbrlfbclwoagx.exetmfgushbrlfbclwoagx.exe2⤵PID:5720
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe1⤵PID:2440
-
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exeC:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe2⤵PID:4076
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe .1⤵PID:4728
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5660
-
-
C:\Windows\vqloeevrjfbzcnauiqjez.exevqloeevrjfbzcnauiqjez.exe .2⤵
- Checks computer location settings
PID:5416 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\vqloeevrjfbzcnauiqjez.exe*."3⤵PID:5900
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .1⤵PID:2548
-
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exeC:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .2⤵
- Checks computer location settings
PID:1680 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\gauwlkavmhczblxqdkcw.exe*."3⤵PID:3720
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .1⤵PID:2244
-
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exeC:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2132 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iassfcqjyrkffnxoze.exe*."3⤵PID:5444
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe1⤵PID:3392
-
C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exeC:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe2⤵PID:844
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .1⤵PID:3104
-
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exeC:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .2⤵
- Checks computer location settings
PID:5532 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tmfgushbrlfbclwoagx.exe*."3⤵PID:4532
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe1⤵PID:3916
-
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exeC:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe2⤵PID:2516
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe1⤵PID:6012
-
C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exeC:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe2⤵PID:1212
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe .1⤵PID:5356
-
C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exeC:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe .2⤵
- Checks computer location settings
PID:2992 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\siywhcofsjatrxfu.exe*."3⤵PID:4780
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .1⤵PID:2920
-
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exeC:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4700 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tmfgushbrlfbclwoagx.exe*."3⤵PID:2936
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe1⤵PID:3320
-
C:\Windows\siywhcofsjatrxfu.exesiywhcofsjatrxfu.exe2⤵PID:3548
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe .1⤵PID:5292
-
C:\Windows\iassfcqjyrkffnxoze.exeiassfcqjyrkffnxoze.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4480 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iassfcqjyrkffnxoze.exe*."3⤵PID:5000
-
-
-
[1] C:\Windows\system32\cmd.exe (PID 4716): C:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe
  [2] C:\Windows\tmfgushbrlfbclwoagx.exe (PID 2564): tmfgushbrlfbclwoagx.exe

[1] C:\Windows\system32\cmd.exe (PID 5028): C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe .
  [2] C:\Windows\System32\Conhost.exe (PID 5084): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Windows\vqloeevrjfbzcnauiqjez.exe (PID 1832): vqloeevrjfbzcnauiqjez.exe .
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 5844): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\vqloeevrjfbzcnauiqjez.exe*."
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification

[1] C:\Windows\system32\cmd.exe (PID 4984): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
  [2] C:\Windows\System32\Conhost.exe (PID 5100): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe (PID 1732): C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

[1] C:\Windows\system32\cmd.exe (PID 4812): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe (PID 5272): C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 4044): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\gauwlkavmhczblxqdkcw.exe*."

[1] C:\Windows\system32\cmd.exe (PID 4448): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe
  [2] C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe (PID 3420): C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe

[1] C:\Windows\system32\cmd.exe (PID 2316): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe (PID 6056): C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 2772): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iassfcqjyrkffnxoze.exe*."

[1] C:\Windows\system32\cmd.exe (PID 4648): C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe
  [2] C:\Windows\iassfcqjyrkffnxoze.exe (PID 4524): iassfcqjyrkffnxoze.exe

[1] C:\Windows\system32\cmd.exe (PID 6048): C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe .
  [2] C:\Windows\gauwlkavmhczblxqdkcw.exe (PID 2836): gauwlkavmhczblxqdkcw.exe .
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 2368): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\gauwlkavmhczblxqdkcw.exe*."

[1] C:\Windows\system32\cmd.exe (PID 912): C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe
  [2] C:\Windows\gauwlkavmhczblxqdkcw.exe (PID 3236): gauwlkavmhczblxqdkcw.exe

[1] C:\Windows\system32\cmd.exe (PID 6092): C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe .
  [2] C:\Windows\gauwlkavmhczblxqdkcw.exe (PID 3984): gauwlkavmhczblxqdkcw.exe .
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 6136): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\gauwlkavmhczblxqdkcw.exe*."

[1] C:\Windows\system32\cmd.exe (PID 4092): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
  [2] C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe (PID 5256): C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

[1] C:\Windows\system32\cmd.exe (PID 4128): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .
  [2] C:\Windows\System32\Conhost.exe (PID 3524): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe (PID 4024): C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 4824): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\gauwlkavmhczblxqdkcw.exe*."

[1] C:\Windows\system32\cmd.exe (PID 4956): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe
  [2] C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe (PID 1540): C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe

[1] C:\Windows\system32\cmd.exe (PID 4704): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe (PID 2860): C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 4776): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\gauwlkavmhczblxqdkcw.exe*."
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification

[1] C:\Windows\system32\cmd.exe (PID 1680): C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe
  [2] C:\Windows\gauwlkavmhczblxqdkcw.exe (PID 4900): gauwlkavmhczblxqdkcw.exe

[1] C:\Windows\system32\cmd.exe (PID 3192): C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe .
  [2] C:\Windows\vqloeevrjfbzcnauiqjez.exe (PID 2180): vqloeevrjfbzcnauiqjez.exe .
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 1256): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\vqloeevrjfbzcnauiqjez.exe*."

[1] C:\Windows\system32\cmd.exe (PID 448): C:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe
  [2] C:\Windows\tmfgushbrlfbclwoagx.exe (PID 2300): tmfgushbrlfbclwoagx.exe

[1] C:\Windows\system32\cmd.exe (PID 4952): C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe .
  [2] C:\Windows\siywhcofsjatrxfu.exe (PID 3520): siywhcofsjatrxfu.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 3372): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\siywhcofsjatrxfu.exe*."

[1] C:\Windows\system32\cmd.exe (PID 5164): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
  [2] C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe (PID 2936): C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

[1] C:\Windows\system32\cmd.exe (PID 3712): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .
  [2] C:\Windows\System32\Conhost.exe (PID 4700): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe (PID 2992): C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 5432): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\gauwlkavmhczblxqdkcw.exe*."

[1] C:\Windows\system32\cmd.exe (PID 3312): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
  [2] C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe (PID 5356): C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

[1] C:\Windows\system32\cmd.exe (PID 1180): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe (PID 5864): C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 6024): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iassfcqjyrkffnxoze.exe*."
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification

[1] C:\Windows\system32\cmd.exe (PID 5184): C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe
  [2] C:\Windows\vqloeevrjfbzcnauiqjez.exe (PID 4132): vqloeevrjfbzcnauiqjez.exe

[1] C:\Windows\system32\cmd.exe (PID 5628): C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe .
  [2] C:\Windows\vqloeevrjfbzcnauiqjez.exe (PID 5088): vqloeevrjfbzcnauiqjez.exe .
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 5956): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\vqloeevrjfbzcnauiqjez.exe*."

[1] C:\Windows\system32\cmd.exe (PID 4008): C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe
  [2] C:\Windows\iassfcqjyrkffnxoze.exe (PID 5020): iassfcqjyrkffnxoze.exe

[1] C:\Windows\system32\cmd.exe (PID 5192): C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe .
  [2] C:\Windows\siywhcofsjatrxfu.exe (PID 6108): siywhcofsjatrxfu.exe .
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 5856): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\siywhcofsjatrxfu.exe*."

[1] C:\Windows\system32\cmd.exe (PID 4924): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
  [2] C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe (PID 1640): C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

[1] C:\Windows\system32\cmd.exe (PID 4448): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe (PID 2236): C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 4456): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tmfgushbrlfbclwoagx.exe*."

[1] C:\Windows\system32\cmd.exe (PID 5860): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
  [2] C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe (PID 3804): C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

[1] C:\Windows\system32\cmd.exe (PID 3748): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .
  [2] C:\Windows\System32\Conhost.exe (PID 4524): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe (PID 2508): C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 3576): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tmfgushbrlfbclwoagx.exe*."
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification

[1] C:\Windows\system32\cmd.exe (PID 5884): C:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe
  [2] C:\Windows\tmfgushbrlfbclwoagx.exe (PID 460): tmfgushbrlfbclwoagx.exe

[1] C:\Windows\system32\cmd.exe (PID 5256): C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe .
  [2] C:\Windows\siywhcofsjatrxfu.exe (PID 5296): siywhcofsjatrxfu.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 5792): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\siywhcofsjatrxfu.exe*."

[1] C:\Windows\system32\cmd.exe (PID 1736): C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe
  [2] C:\Windows\vqloeevrjfbzcnauiqjez.exe (PID 1648): vqloeevrjfbzcnauiqjez.exe

[1] C:\Windows\system32\cmd.exe (PID 5280): C:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe .
  [2] C:\Windows\tmfgushbrlfbclwoagx.exe (PID 1084): tmfgushbrlfbclwoagx.exe .
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 3808): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tmfgushbrlfbclwoagx.exe*."

[1] C:\Windows\system32\cmd.exe (PID 5820): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
  [2] C:\Windows\System32\Conhost.exe (PID 2516): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe (PID 5520): C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

[1] C:\Windows\system32\cmd.exe (PID 5844): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe (PID 5444): C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 1852): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iassfcqjyrkffnxoze.exe*."

[1] C:\Windows\system32\cmd.exe (PID 5244): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
  [2] C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe (PID 4900): C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

[1] C:\Windows\system32\cmd.exe (PID 5812): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe (PID 6012): C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe .
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 3968): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\vqloeevrjfbzcnauiqjez.exe*."
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification

[1] C:\Windows\system32\cmd.exe (PID 4492): C:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe
  [2] C:\Windows\tmfgushbrlfbclwoagx.exe (PID 4052): tmfgushbrlfbclwoagx.exe

[1] C:\Windows\system32\cmd.exe (PID 448): C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe .
  [2] C:\Windows\siywhcofsjatrxfu.exe (PID 4864): siywhcofsjatrxfu.exe .
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 2272): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\siywhcofsjatrxfu.exe*."

[1] C:\Windows\system32\cmd.exe (PID 3068): C:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe
  [2] C:\Windows\tmfgushbrlfbclwoagx.exe (PID 5964): tmfgushbrlfbclwoagx.exe

[1] C:\Windows\system32\cmd.exe (PID 5584): C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe .
  [2] C:\Windows\siywhcofsjatrxfu.exe (PID 2740): siywhcofsjatrxfu.exe .
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 3480): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\siywhcofsjatrxfu.exe*."

[1] C:\Windows\system32\cmd.exe (PID 4872): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
  [2] C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe (PID 2292): C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

[1] C:\Windows\system32\cmd.exe (PID 3512): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .
  [2] C:\Windows\System32\Conhost.exe (PID 2708): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe (PID 1560): C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 4528): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\gauwlkavmhczblxqdkcw.exe*."
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification

[1] C:\Windows\system32\cmd.exe (PID 4980): C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe
  [2] C:\Windows\System32\Conhost.exe (PID 1068): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Windows\iassfcqjyrkffnxoze.exe (PID 4756): iassfcqjyrkffnxoze.exe

[1] C:\Windows\system32\cmd.exe (PID 5512): C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe
  [2] C:\Windows\zqhgsobthzrlkraqa.exe (PID 4884): zqhgsobthzrlkraqa.exe

[1] C:\Windows\system32\cmd.exe (PID 4132): C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe .
  [2] C:\Windows\siywhcofsjatrxfu.exe (PID 4068): siywhcofsjatrxfu.exe .
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 5048): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\siywhcofsjatrxfu.exe*."

[1] C:\Windows\system32\cmd.exe (PID 4428): C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe .
  [2] C:\Windows\zqhgsobthzrlkraqa.exe (PID 460): zqhgsobthzrlkraqa.exe .
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 5080): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\zqhgsobthzrlkraqa.exe*."

[1] C:\Windows\system32\cmd.exe (PID 5956): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
  [2] C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe (PID 2840): C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

[1] C:\Windows\system32\cmd.exe (PID 2768): C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe
  [2] C:\Windows\gauwlkavmhczblxqdkcw.exe (PID 4856): gauwlkavmhczblxqdkcw.exe

[1] C:\Windows\system32\cmd.exe (PID 6036): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe (PID 5612): C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 5236): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\zqhgsobthzrlkraqa.exe*."

[1] C:\Windows\system32\cmd.exe (PID 4008): C:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe
  [2] C:\Windows\tmfgushbrlfbclwoagx.exe (PID 1540): tmfgushbrlfbclwoagx.exe

[1] C:\Windows\system32\cmd.exe (PID 3848): C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe .
  [2] C:\Windows\zqhgsobthzrlkraqa.exe (PID 1812): zqhgsobthzrlkraqa.exe .
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 3356): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\zqhgsobthzrlkraqa.exe*."

[1] C:\Windows\system32\cmd.exe (PID 4924): C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe .
  [2] C:\Windows\vqloeevrjfbzcnauiqjez.exe (PID 3024): vqloeevrjfbzcnauiqjez.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 916): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\vqloeevrjfbzcnauiqjez.exe*."

[1] C:\Windows\system32\cmd.exe (PID 5408): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
  [2] C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe (PID 1672): C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

[1] C:\Windows\system32\cmd.exe (PID 2032): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
  [2] C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe (PID 4956): C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

[1] C:\Windows\system32\cmd.exe (PID 5704): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe (PID 1012): C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 2480): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tmfgushbrlfbclwoagx.exe*."

[1] C:\Windows\system32\cmd.exe (PID 5024): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe (PID 4680): C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe .
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 1256): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\siywhcofsjatrxfu.exe*."

[1] C:\Windows\system32\cmd.exe (PID 2056): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
  [2] C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe (PID 5520): C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

[1] C:\Windows\system32\cmd.exe (PID 8): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
  [2] C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe (PID 5476): C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

[1] C:\Windows\system32\cmd.exe (PID 3516): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe (PID 5992): C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 2092): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tmfgushbrlfbclwoagx.exe*."

[1] C:\Windows\system32\cmd.exe (PID 2664): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe (PID 4732): C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 2348): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tmfgushbrlfbclwoagx.exe*."

[1] C:\Windows\system32\cmd.exe (PID 4752): C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe
  [2] C:\Windows\siywhcofsjatrxfu.exe (PID 1892): siywhcofsjatrxfu.exe

[1] C:\Windows\system32\cmd.exe (PID 1584): C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe .
  [2] C:\Windows\zqhgsobthzrlkraqa.exe (PID 2776): zqhgsobthzrlkraqa.exe .
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 856): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\zqhgsobthzrlkraqa.exe*."

[1] C:\Windows\system32\cmd.exe (PID 1948): C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe
  [2] C:\Windows\iassfcqjyrkffnxoze.exe (PID 4788): iassfcqjyrkffnxoze.exe

[1] C:\Windows\system32\cmd.exe (PID 3548): C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe .
  [2] C:\Windows\vqloeevrjfbzcnauiqjez.exe (PID 5356): vqloeevrjfbzcnauiqjez.exe .
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 2072): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\vqloeevrjfbzcnauiqjez.exe*."

[1] C:\Windows\system32\cmd.exe (PID 1904): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
  [2] C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe (PID 2564): C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

[1] C:\Windows\system32\cmd.exe (PID 4772): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe (PID 2740): C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 4624): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tmfgushbrlfbclwoagx.exe*."

[1] C:\Windows\system32\cmd.exe (PID 3180): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe
  [2] C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe (PID 1008): C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe

[1] C:\Windows\system32\cmd.exe (PID 4848): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .
  [2] C:\Windows\System32\Conhost.exe (PID 4884): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe (PID 3452): C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 2868): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\gauwlkavmhczblxqdkcw.exe*."
        - Modifies WinLogon for persistence
        - UAC bypass
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification

[1] C:\Windows\system32\cmd.exe (PID 2164): C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe
  [2] C:\Windows\siywhcofsjatrxfu.exe (PID 5048): siywhcofsjatrxfu.exe

[1] C:\Windows\system32\cmd.exe (PID 6140): C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe .
  [2] C:\Windows\iassfcqjyrkffnxoze.exe (PID 1064): iassfcqjyrkffnxoze.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 4140): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iassfcqjyrkffnxoze.exe*."

[1] C:\Windows\system32\cmd.exe (PID 5460): C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe
  [2] C:\Windows\gauwlkavmhczblxqdkcw.exe (PID 460): gauwlkavmhczblxqdkcw.exe

[1] C:\Windows\system32\cmd.exe (PID 6124): C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe .
  [2] C:\Windows\siywhcofsjatrxfu.exe (PID 5552): siywhcofsjatrxfu.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 4648): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\siywhcofsjatrxfu.exe*."

[1] C:\Windows\system32\cmd.exe (PID 1672): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe
  [2] C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe (PID 1440): C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe

[1] C:\Windows\system32\cmd.exe (PID 5952): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe (PID 5656): C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 2304): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tmfgushbrlfbclwoagx.exe*."

[1] C:\Windows\system32\cmd.exe (PID 3824): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe
  [2] C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe (PID 5408): C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe

[1] C:\Windows\system32\cmd.exe (PID 4004): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe (PID 5312): C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 4916): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iassfcqjyrkffnxoze.exe*."

[1] C:\Windows\system32\cmd.exe (PID 1612): C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe
  [2] C:\Windows\iassfcqjyrkffnxoze.exe (PID 2092): iassfcqjyrkffnxoze.exe

[1] C:\Windows\system32\cmd.exe (PID 3640): C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe .
  [2] C:\Windows\iassfcqjyrkffnxoze.exe (PID 4344): iassfcqjyrkffnxoze.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 4184): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iassfcqjyrkffnxoze.exe*."

[1] C:\Windows\system32\cmd.exe (PID 656): C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe
  [2] C:\Windows\iassfcqjyrkffnxoze.exe (PID 4192): iassfcqjyrkffnxoze.exe

[1] C:\Windows\system32\cmd.exe (PID 4348): C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe .
  [2] C:\Windows\zqhgsobthzrlkraqa.exe (PID 2752): zqhgsobthzrlkraqa.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 4092): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\zqhgsobthzrlkraqa.exe*."

[1] C:\Windows\system32\cmd.exe (PID 2240): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe
  [2] C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe (PID 2172): C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe

[1] C:\Windows\system32\cmd.exe (PID 3196): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe (PID 2088): C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 4332): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tmfgushbrlfbclwoagx.exe*."

[1] C:\Windows\system32\cmd.exe (PID 4396): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
  [2] C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe (PID 3008): C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

[1] C:\Windows\system32\cmd.exe (PID 4120): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe (PID 1684): C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 5088): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iassfcqjyrkffnxoze.exe*."

[1] C:\Windows\system32\cmd.exe (PID 3508): C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe
  [2] C:\Windows\zqhgsobthzrlkraqa.exe (PID 712): zqhgsobthzrlkraqa.exe

[1] C:\Windows\system32\cmd.exe (PID 1500): C:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe .
  [2] C:\Windows\System32\Conhost.exe (PID 3632): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Windows\tmfgushbrlfbclwoagx.exe (PID 4756): tmfgushbrlfbclwoagx.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 4944): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tmfgushbrlfbclwoagx.exe*."

[1] C:\Windows\system32\cmd.exe (PID 3296): C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe
  [2] C:\Windows\gauwlkavmhczblxqdkcw.exe (PID 1596): gauwlkavmhczblxqdkcw.exe

[1] C:\Windows\system32\cmd.exe (PID 3180): C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe .
  [2] C:\Windows\iassfcqjyrkffnxoze.exe (PID 5020): iassfcqjyrkffnxoze.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 5856): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iassfcqjyrkffnxoze.exe*."

[1] C:\Windows\system32\cmd.exe (PID 1732): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
  [2] C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe (PID 5000): C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

[1] C:\Windows\system32\cmd.exe (PID 5492): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe (PID 3752): C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 3652): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\gauwlkavmhczblxqdkcw.exe*."

[1] C:\Windows\system32\cmd.exe (PID 5048): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
  [2] C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe (PID 5580): C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

[1] C:\Windows\system32\cmd.exe (PID 1436): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe (PID 1968): C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 3184): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\gauwlkavmhczblxqdkcw.exe*."

[1] C:\Windows\system32\cmd.exe (PID 4608): C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe
  [2] C:\Windows\vqloeevrjfbzcnauiqjez.exe (PID 5528): vqloeevrjfbzcnauiqjez.exe

[1] C:\Windows\system32\cmd.exe (PID 5640): C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe .
  [2] C:\Windows\iassfcqjyrkffnxoze.exe (PID 5196): iassfcqjyrkffnxoze.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 1332): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iassfcqjyrkffnxoze.exe*."

[1] C:\Windows\system32\cmd.exe (PID 5724): C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe
  [2] C:\Windows\vqloeevrjfbzcnauiqjez.exe (PID 4592): vqloeevrjfbzcnauiqjez.exe

[1] C:\Windows\system32\cmd.exe (PID 5884): C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe .
  [2] C:\Windows\gauwlkavmhczblxqdkcw.exe (PID 6000): gauwlkavmhczblxqdkcw.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 4900): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\gauwlkavmhczblxqdkcw.exe*."

[1] C:\Windows\system32\cmd.exe (PID 4720): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
  [2] C:\Windows\System32\Conhost.exe (PID 2568): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe (PID 3804): C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

[1] C:\Windows\system32\cmd.exe (PID 1236): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe (PID 5672): C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 3528): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\gauwlkavmhczblxqdkcw.exe*."

[1] C:\Windows\system32\cmd.exe (PID 372): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
  [2] C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe (PID 6012): C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

[1] C:\Windows\system32\cmd.exe (PID 2300): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe (PID 684): C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 5272): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\zqhgsobthzrlkraqa.exe*."

C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe1⤵PID:4712
-
C:\Windows\zqhgsobthzrlkraqa.exezqhgsobthzrlkraqa.exe2⤵PID:5024
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe .1⤵PID:3388
-
C:\Windows\gauwlkavmhczblxqdkcw.exegauwlkavmhczblxqdkcw.exe .2⤵PID:100
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\gauwlkavmhczblxqdkcw.exe*."3⤵PID:1964
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe1⤵PID:3404
-
C:\Windows\gauwlkavmhczblxqdkcw.exegauwlkavmhczblxqdkcw.exe2⤵PID:6024
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe .1⤵PID:5296
-
C:\Windows\vqloeevrjfbzcnauiqjez.exevqloeevrjfbzcnauiqjez.exe .2⤵PID:2980
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\vqloeevrjfbzcnauiqjez.exe*."3⤵PID:3448
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe1⤵PID:816
-
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exeC:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe2⤵PID:3192
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe .1⤵PID:6004
-
C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exeC:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe .2⤵PID:4460
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\siywhcofsjatrxfu.exe*."3⤵PID:856
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe1⤵PID:4064
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4716
-
-
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exeC:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe2⤵PID:1212
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .1⤵PID:6028
-
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exeC:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .2⤵PID:2920
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\zqhgsobthzrlkraqa.exe*."3⤵PID:2548
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe1⤵PID:3408
-
C:\Windows\iassfcqjyrkffnxoze.exeiassfcqjyrkffnxoze.exe2⤵PID:1908
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe1⤵PID:4624
-
C:\Windows\vqloeevrjfbzcnauiqjez.exevqloeevrjfbzcnauiqjez.exe2⤵PID:1496
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe .1⤵PID:1264
-
C:\Windows\zqhgsobthzrlkraqa.exezqhgsobthzrlkraqa.exe .2⤵PID:3452
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\zqhgsobthzrlkraqa.exe*."3⤵PID:3000
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe .1⤵PID:2576
-
C:\Windows\siywhcofsjatrxfu.exesiywhcofsjatrxfu.exe .2⤵PID:2428
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\siywhcofsjatrxfu.exe*."3⤵PID:3984
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe1⤵PID:4776
-
C:\Windows\gauwlkavmhczblxqdkcw.exegauwlkavmhczblxqdkcw.exe2⤵PID:4556
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe1⤵PID:5788
-
C:\Windows\vqloeevrjfbzcnauiqjez.exevqloeevrjfbzcnauiqjez.exe2⤵PID:4832
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe1⤵PID:3180
-
C:\Windows\tmfgushbrlfbclwoagx.exetmfgushbrlfbclwoagx.exe2⤵PID:4704
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe .1⤵PID:1368
-
C:\Windows\gauwlkavmhczblxqdkcw.exegauwlkavmhczblxqdkcw.exe .2⤵PID:5352
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\gauwlkavmhczblxqdkcw.exe*."3⤵PID:4652
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe .1⤵PID:752
-
C:\Windows\iassfcqjyrkffnxoze.exeiassfcqjyrkffnxoze.exe .2⤵PID:4032
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iassfcqjyrkffnxoze.exe*."3⤵PID:2184
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe .1⤵PID:5036
-
C:\Windows\tmfgushbrlfbclwoagx.exetmfgushbrlfbclwoagx.exe .2⤵PID:5812
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tmfgushbrlfbclwoagx.exe*."3⤵PID:2208
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe1⤵PID:1084
-
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exeC:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe2⤵PID:6108
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe1⤵PID:1540
-
C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exeC:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe2⤵PID:2508
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe1⤵PID:3088
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1672
-
-
C:\Windows\iassfcqjyrkffnxoze.exeiassfcqjyrkffnxoze.exe2⤵PID:1004
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .1⤵PID:4820
-
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exeC:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .2⤵PID:1256
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tmfgushbrlfbclwoagx.exe*."3⤵PID:4360
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .1⤵PID:5528
-
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exeC:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .2⤵PID:4808
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tmfgushbrlfbclwoagx.exe*."3⤵PID:364
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe .1⤵PID:4592
-
C:\Windows\siywhcofsjatrxfu.exesiywhcofsjatrxfu.exe .2⤵PID:5256
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\siywhcofsjatrxfu.exe*."3⤵PID:224
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe1⤵PID:112
-
C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exeC:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe2⤵PID:5180
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .1⤵PID:5268
-
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exeC:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .2⤵PID:3196
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\zqhgsobthzrlkraqa.exe*."3⤵PID:3256
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe1⤵PID:5872
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5656
-
-
C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exeC:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe2⤵PID:4440
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe1⤵PID:5028
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5952
-
-
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exeC:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe2⤵PID:3936
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .1⤵PID:1928
-
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exeC:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .2⤵PID:4728
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\zqhgsobthzrlkraqa.exe*."3⤵PID:3712
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .1⤵PID:4492
-
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exeC:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .2⤵PID:2220
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\zqhgsobthzrlkraqa.exe*."3⤵PID:4064
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe1⤵PID:4500
-
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exeC:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe2⤵PID:1852
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .1⤵PID:396
-
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exeC:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .2⤵PID:1952
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tmfgushbrlfbclwoagx.exe*."3⤵PID:3008
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe1⤵PID:3448
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:6048
-
-
C:\Windows\gauwlkavmhczblxqdkcw.exegauwlkavmhczblxqdkcw.exe2⤵PID:4612
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe .1⤵PID:1212
-
C:\Windows\gauwlkavmhczblxqdkcw.exegauwlkavmhczblxqdkcw.exe .2⤵PID:4984
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\gauwlkavmhczblxqdkcw.exe*."3⤵PID:4872
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe1⤵PID:4772
-
C:\Windows\zqhgsobthzrlkraqa.exezqhgsobthzrlkraqa.exe2⤵PID:3052
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe .1⤵PID:3876
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1496
-
-
C:\Windows\tmfgushbrlfbclwoagx.exetmfgushbrlfbclwoagx.exe .2⤵PID:4556
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tmfgushbrlfbclwoagx.exe*."3⤵PID:5696
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe1⤵PID:2612
-
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exeC:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe2⤵PID:460
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .1⤵PID:3000
-
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exeC:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .2⤵PID:2932
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iassfcqjyrkffnxoze.exe*."3⤵PID:5068
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe1⤵PID:5052
-
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exeC:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe2⤵PID:5260
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe .1⤵PID:3560
-
C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exeC:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe .2⤵PID:3184
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\vqloeevrjfbzcnauiqjez.exe*."3⤵PID:5728
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe1⤵PID:1028
-
C:\Windows\gauwlkavmhczblxqdkcw.exegauwlkavmhczblxqdkcw.exe2⤵PID:3508
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe .1⤵PID:5672
-
C:\Windows\vqloeevrjfbzcnauiqjez.exevqloeevrjfbzcnauiqjez.exe .2⤵PID:1892
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\vqloeevrjfbzcnauiqjez.exe*."3⤵PID:5520
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe1⤵PID:2188
-
C:\Windows\zqhgsobthzrlkraqa.exezqhgsobthzrlkraqa.exe2⤵PID:1084
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe .1⤵PID:432
-
C:\Windows\tmfgushbrlfbclwoagx.exetmfgushbrlfbclwoagx.exe .2⤵PID:1360
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tmfgushbrlfbclwoagx.exe*."3⤵PID:3976
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe1⤵PID:5880
-
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exeC:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe2⤵PID:4808
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .1⤵PID:5660
-
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exeC:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .2⤵PID:1436
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iassfcqjyrkffnxoze.exe*."3⤵PID:1812
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe1⤵PID:4036
-
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exeC:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe2⤵PID:1440
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .1⤵PID:3192
-
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exeC:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .2⤵PID:5408
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\zqhgsobthzrlkraqa.exe*."3⤵PID:816
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe1⤵PID:112
-
C:\Windows\gauwlkavmhczblxqdkcw.exegauwlkavmhczblxqdkcw.exe2⤵PID:6008
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe .1⤵PID:5704
-
C:\Windows\zqhgsobthzrlkraqa.exezqhgsobthzrlkraqa.exe .2⤵PID:2244
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\zqhgsobthzrlkraqa.exe*."3⤵PID:4444
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe1⤵PID:396
-
C:\Windows\zqhgsobthzrlkraqa.exezqhgsobthzrlkraqa.exe2⤵PID:1480
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe .1⤵PID:2428
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4288
-
-
C:\Windows\iassfcqjyrkffnxoze.exeiassfcqjyrkffnxoze.exe .2⤵PID:4208
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iassfcqjyrkffnxoze.exe*."3⤵PID:2088
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe1⤵PID:1756
-
C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exeC:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe2⤵PID:4904
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .1⤵PID:4476
-
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exeC:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .2⤵PID:4120
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\zqhgsobthzrlkraqa.exe*."3⤵PID:5156
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe1⤵PID:2456
-
C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exeC:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe2⤵PID:4952
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .1⤵PID:5304
-
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exeC:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .2⤵PID:5632
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iassfcqjyrkffnxoze.exe*."3⤵PID:2232
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe1⤵PID:6104
-
C:\Windows\vqloeevrjfbzcnauiqjez.exevqloeevrjfbzcnauiqjez.exe2⤵PID:2160
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe .1⤵PID:1212
-
C:\Windows\zqhgsobthzrlkraqa.exezqhgsobthzrlkraqa.exe .2⤵PID:3168
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\zqhgsobthzrlkraqa.exe*."3⤵PID:988
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe1⤵PID:3408
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1732
-
-
C:\Windows\iassfcqjyrkffnxoze.exeiassfcqjyrkffnxoze.exe2⤵PID:3536
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe .1⤵PID:4768
-
C:\Windows\vqloeevrjfbzcnauiqjez.exevqloeevrjfbzcnauiqjez.exe .2⤵PID:4516
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\vqloeevrjfbzcnauiqjez.exe*."3⤵PID:5712
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe1⤵PID:2068
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2740
-
-
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exeC:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe2⤵PID:3000
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .1⤵PID:2932
-
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exeC:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .2⤵PID:5788
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\zqhgsobthzrlkraqa.exe*."3⤵PID:5308
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe1⤵PID:5992
-
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exeC:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe2⤵PID:4856
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .1⤵PID:1828
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4628
-
-
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exeC:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .2⤵PID:1260
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iassfcqjyrkffnxoze.exe*."3⤵PID:2548
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe1⤵PID:2272
-
C:\Windows\zqhgsobthzrlkraqa.exezqhgsobthzrlkraqa.exe2⤵PID:6140
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe .1⤵PID:4192
-
C:\Windows\tmfgushbrlfbclwoagx.exetmfgushbrlfbclwoagx.exe .2⤵PID:1084
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tmfgushbrlfbclwoagx.exe*."3⤵PID:3600
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe1⤵PID:4256
-
C:\Windows\vqloeevrjfbzcnauiqjez.exevqloeevrjfbzcnauiqjez.exe2⤵PID:5956
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe .1⤵PID:2828
-
C:\Windows\zqhgsobthzrlkraqa.exezqhgsobthzrlkraqa.exe .2⤵PID:5388
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\zqhgsobthzrlkraqa.exe*."3⤵PID:5532
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe1⤵PID:4744
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1016
-
-
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exeC:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe2⤵PID:656
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .1⤵PID:2072
-
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exeC:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .2⤵PID:4912
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tmfgushbrlfbclwoagx.exe*."3⤵PID:4184
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe1⤵PID:3636
-
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exeC:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe2⤵PID:2320
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe .1⤵PID:5824
-
C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exeC:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe .2⤵PID:5884
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\vqloeevrjfbzcnauiqjez.exe*."3⤵PID:5264
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe1⤵PID:4724
-
C:\Windows\siywhcofsjatrxfu.exesiywhcofsjatrxfu.exe2⤵PID:5580
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe .1⤵PID:4588
-
C:\Windows\siywhcofsjatrxfu.exesiywhcofsjatrxfu.exe .2⤵PID:2328
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\siywhcofsjatrxfu.exe*."3⤵PID:5400
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe1⤵PID:396
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3452
-
-
C:\Windows\iassfcqjyrkffnxoze.exeiassfcqjyrkffnxoze.exe2⤵PID:1088
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe .1⤵PID:1876
-
C:\Windows\gauwlkavmhczblxqdkcw.exegauwlkavmhczblxqdkcw.exe .2⤵PID:2564
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\gauwlkavmhczblxqdkcw.exe*."3⤵PID:6120
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe1⤵PID:5428
-
C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exeC:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe2⤵PID:3496
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .1⤵PID:5112
-
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exeC:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .2⤵PID:3320
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iassfcqjyrkffnxoze.exe*."3⤵PID:1612
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe1⤵PID:1580
-
C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exeC:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe2⤵PID:5304
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe1⤵PID:3300
-
C:\Windows\vqloeevrjfbzcnauiqjez.exevqloeevrjfbzcnauiqjez.exe2⤵PID:3632
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe1⤵PID:4864
-
C:\Windows\tmfgushbrlfbclwoagx.exetmfgushbrlfbclwoagx.exe2⤵PID:2300
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe .1⤵PID:8
-
C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exeC:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe .2⤵PID:6104
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\siywhcofsjatrxfu.exe*."3⤵PID:4180
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe .1⤵PID:4584
-
C:\Windows\zqhgsobthzrlkraqa.exezqhgsobthzrlkraqa.exe .2⤵PID:4480
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\zqhgsobthzrlkraqa.exe*."3⤵PID:3984
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe .1⤵PID:1568
-
C:\Windows\siywhcofsjatrxfu.exesiywhcofsjatrxfu.exe .2⤵PID:4884
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\siywhcofsjatrxfu.exe*."3⤵PID:1620
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe1⤵PID:3408
-
C:\Windows\iassfcqjyrkffnxoze.exeiassfcqjyrkffnxoze.exe2⤵PID:1640
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe1⤵PID:3876
-
C:\Windows\tmfgushbrlfbclwoagx.exetmfgushbrlfbclwoagx.exe2⤵PID:1328
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe .1⤵PID:3668
-
C:\Windows\vqloeevrjfbzcnauiqjez.exevqloeevrjfbzcnauiqjez.exe .2⤵PID:2944
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\vqloeevrjfbzcnauiqjez.exe*."3⤵PID:5612
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe1⤵PID:696
-
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exeC:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe2⤵PID:5460
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe .1⤵PID:6096
-
C:\Windows\vqloeevrjfbzcnauiqjez.exevqloeevrjfbzcnauiqjez.exe .2⤵PID:4004
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\vqloeevrjfbzcnauiqjez.exe*."3⤵PID:2708
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .1⤵PID:5236
-
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exeC:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .2⤵PID:5096
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tmfgushbrlfbclwoagx.exe*."3⤵PID:1284
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe1⤵PID:1352
-
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exeC:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe2⤵PID:2144
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .1⤵PID:4032
-
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exeC:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .2⤵PID:1296
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iassfcqjyrkffnxoze.exe*."3⤵PID:4828
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe1⤵PID:4432
-
C:\Windows\tmfgushbrlfbclwoagx.exetmfgushbrlfbclwoagx.exe2⤵PID:728
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe1⤵PID:1028
-
C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exeC:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe2⤵PID:3744
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .1⤵PID:5880
-
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exeC:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .2⤵PID:2508
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\gauwlkavmhczblxqdkcw.exe*."3⤵PID:5000
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe .1⤵PID:2632
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4608
-
-
Process tree (continued). Indentation shows parent/child nesting; each line gives the image path that actually ran, the PID, and the command line. Where cmd.exe was handed a bare file name (no directory), the image column shows where that name resolved.

  C:\Windows\gauwlkavmhczblxqdkcw.exe  (PID 3192)  cmdline: gauwlkavmhczblxqdkcw.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  (PID 5704)  cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\gauwlkavmhczblxqdkcw.exe*."

C:\Windows\system32\cmd.exe  (PID 5484)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
  C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe  (PID 5048)  cmdline: C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Windows\system32\cmd.exe  (PID 1440)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe .
  C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe  (PID 2836)  cmdline: C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  (PID 224)  cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\vqloeevrjfbzcnauiqjez.exe*."

C:\Windows\system32\cmd.exe  (PID 4820)  cmdline: C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe
  C:\Windows\System32\Conhost.exe  (PID 4348)  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Windows\iassfcqjyrkffnxoze.exe  (PID 3588)  cmdline: iassfcqjyrkffnxoze.exe

C:\Windows\system32\cmd.exe  (PID 1372)  cmdline: C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe .
  C:\Windows\gauwlkavmhczblxqdkcw.exe  (PID 4396)  cmdline: gauwlkavmhczblxqdkcw.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  (PID 3448)  cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\gauwlkavmhczblxqdkcw.exe*."

C:\Windows\system32\cmd.exe  (PID 3368)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
  C:\Windows\System32\Conhost.exe  (PID 2568)  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe  (PID 2440)  cmdline: C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Windows\system32\cmd.exe  (PID 3404)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe .
  C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe  (PID 5640)  cmdline: C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  (PID 1600)  cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\vqloeevrjfbzcnauiqjez.exe*."

C:\Windows\system32\cmd.exe  (PID 4460)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe
  C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe  (PID 3492)  cmdline: C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe

C:\Windows\system32\cmd.exe  (PID 6120)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .
  C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe  (PID 856)  cmdline: C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  (PID 4952)  cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\zqhgsobthzrlkraqa.exe*."

C:\Windows\system32\cmd.exe  (PID 3528)  cmdline: C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe
  C:\Windows\zqhgsobthzrlkraqa.exe  (PID 3392)  cmdline: zqhgsobthzrlkraqa.exe

C:\Windows\system32\cmd.exe  (PID 1580)  cmdline: C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe .
  C:\Windows\zqhgsobthzrlkraqa.exe  (PID 644)  cmdline: zqhgsobthzrlkraqa.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  (PID 1008)  cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\zqhgsobthzrlkraqa.exe*."

C:\Windows\system32\cmd.exe  (PID 2024)  cmdline: C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe
  C:\Windows\gauwlkavmhczblxqdkcw.exe  (PID 3052)  cmdline: gauwlkavmhczblxqdkcw.exe

C:\Windows\system32\cmd.exe  (PID 3104)  cmdline: C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe .
  C:\Windows\zqhgsobthzrlkraqa.exe  (PID 4796)  cmdline: zqhgsobthzrlkraqa.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  (PID 4752)  cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\zqhgsobthzrlkraqa.exe*."

C:\Windows\system32\cmd.exe  (PID 5932)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
  C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe  (PID 4428)  cmdline: C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Windows\system32\cmd.exe  (PID 1596)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe .
  C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe  (PID 4728)  cmdline: C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  (PID 3848)  cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\siywhcofsjatrxfu.exe*."

C:\Windows\system32\cmd.exe  (PID 1928)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
  C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe  (PID 3688)  cmdline: C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Windows\system32\cmd.exe  (PID 4464)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .
  C:\Windows\System32\Conhost.exe  (PID 5444)  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe  (PID 444)  cmdline: C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  (PID 4748)  cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tmfgushbrlfbclwoagx.exe*."

C:\Windows\system32\cmd.exe  (PID 3968)  cmdline: C:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe
  C:\Windows\tmfgushbrlfbclwoagx.exe  (PID 928)  cmdline: tmfgushbrlfbclwoagx.exe

C:\Windows\system32\cmd.exe  (PID 3088)  cmdline: C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe .
  C:\Windows\zqhgsobthzrlkraqa.exe  (PID 3560)  cmdline: zqhgsobthzrlkraqa.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  (PID 5812)  cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\zqhgsobthzrlkraqa.exe*."

C:\Windows\system32\cmd.exe  (PID 2272)  cmdline: C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe
  C:\Windows\zqhgsobthzrlkraqa.exe  (PID 1772)  cmdline: zqhgsobthzrlkraqa.exe

C:\Windows\system32\cmd.exe  (PID 2092)  cmdline: C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe .
  C:\Windows\siywhcofsjatrxfu.exe  (PID 4472)  cmdline: siywhcofsjatrxfu.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  (PID 2612)  cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\siywhcofsjatrxfu.exe*."

C:\Windows\system32\cmd.exe  (PID 452)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
  C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe  (PID 3668)  cmdline: C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Windows\system32\cmd.exe  (PID 2660)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe .
  C:\Windows\System32\Conhost.exe  (PID 4344)  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe  (PID 4640)  cmdline: C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  (PID 4008)  cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\siywhcofsjatrxfu.exe*."

C:\Windows\system32\cmd.exe  (PID 5312)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
  C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe  (PID 4956)  cmdline: C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Windows\system32\cmd.exe  (PID 5080)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe .
  C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe  (PID 512)  cmdline: C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  (PID 4732)  cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\vqloeevrjfbzcnauiqjez.exe*."

C:\Windows\system32\cmd.exe  (PID 2440)  cmdline: C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe
  C:\Windows\siywhcofsjatrxfu.exe  (PID 2772)  cmdline: siywhcofsjatrxfu.exe

C:\Windows\system32\cmd.exe  (PID 5740)  cmdline: C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe .
  C:\Windows\zqhgsobthzrlkraqa.exe  (PID 5400)  cmdline: zqhgsobthzrlkraqa.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  (PID 2328)  cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\zqhgsobthzrlkraqa.exe*."

C:\Windows\system32\cmd.exe  (PID 1264)  cmdline: C:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe
  C:\Windows\tmfgushbrlfbclwoagx.exe  (PID 5256)  cmdline: tmfgushbrlfbclwoagx.exe

C:\Windows\system32\cmd.exe  (PID 1064)  cmdline: C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe .
  C:\Windows\iassfcqjyrkffnxoze.exe  (PID 5656)  cmdline: iassfcqjyrkffnxoze.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  (PID 4568)  cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iassfcqjyrkffnxoze.exe*."

C:\Windows\system32\cmd.exe  (PID 4788)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
  C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe  (PID 1360)  cmdline: C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Windows\system32\cmd.exe  (PID 1440)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .
  C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe  (PID 1536)  cmdline: C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  (PID 5640)  cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\zqhgsobthzrlkraqa.exe*."

C:\Windows\system32\cmd.exe  (PID 3492)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
  C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe  (PID 1876)  cmdline: C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Windows\system32\cmd.exe  (PID 2284)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .
  C:\Windows\System32\Conhost.exe  (PID 2840)  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe  (PID 5720)  cmdline: C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  (PID 1136)  cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\zqhgsobthzrlkraqa.exe*."

C:\Windows\system32\cmd.exe  (PID 2172)  cmdline: C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe
  C:\Windows\siywhcofsjatrxfu.exe  (PID 5416)  cmdline: siywhcofsjatrxfu.exe

C:\Windows\system32\cmd.exe  (PID 4916)  cmdline: C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe .
  C:\Windows\zqhgsobthzrlkraqa.exe  (PID 5180)  cmdline: zqhgsobthzrlkraqa.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  (PID 2456)  cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\zqhgsobthzrlkraqa.exe*."

C:\Windows\system32\cmd.exe  (PID 5632)  cmdline: C:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe
  C:\Windows\System32\Conhost.exe  (PID 1008)  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Windows\tmfgushbrlfbclwoagx.exe  (PID 1852)  cmdline: tmfgushbrlfbclwoagx.exe

C:\Windows\system32\cmd.exe  (PID 6104)  cmdline: C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe .
  C:\Windows\System32\Conhost.exe  (PID 3548)  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Windows\siywhcofsjatrxfu.exe  (PID 4268)  cmdline: siywhcofsjatrxfu.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  (PID 2116)  cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\siywhcofsjatrxfu.exe*."

C:\Windows\system32\cmd.exe  (PID 4816)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe
  C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe  (PID 988)  cmdline: C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe

C:\Windows\system32\cmd.exe  (PID 3940)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe .
  C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe  (PID 3184)  cmdline: C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  (PID 5544)  cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\siywhcofsjatrxfu.exe*."

C:\Windows\system32\cmd.exe  (PID 3984)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
  C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe  (PID 1568)  cmdline: C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Windows\system32\cmd.exe  (PID 4800)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .
  C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe  (PID 852)  cmdline: C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  (PID 3824)  cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iassfcqjyrkffnxoze.exe*."

C:\Windows\system32\cmd.exe  (PID 4092)  cmdline: C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe
  C:\Windows\System32\Conhost.exe  (PID 6056)  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Windows\iassfcqjyrkffnxoze.exe  (PID 364)  cmdline: iassfcqjyrkffnxoze.exe

C:\Windows\system32\cmd.exe  (PID 4848)  cmdline: C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe .
  C:\Windows\gauwlkavmhczblxqdkcw.exe  (PID 3748)  cmdline: gauwlkavmhczblxqdkcw.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  (PID 656)  cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\gauwlkavmhczblxqdkcw.exe*."

C:\Windows\system32\cmd.exe  (PID 4004)  cmdline: C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe
  C:\Windows\zqhgsobthzrlkraqa.exe  (PID 3936)  cmdline: zqhgsobthzrlkraqa.exe

C:\Windows\system32\cmd.exe  (PID 2828)  cmdline: C:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe .
  C:\Windows\tmfgushbrlfbclwoagx.exe  (PID 2768)  cmdline: tmfgushbrlfbclwoagx.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  (PID 2924)  cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tmfgushbrlfbclwoagx.exe*."

C:\Windows\system32\cmd.exe  (PID 1288)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
  C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe  (PID 1168)  cmdline: C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Windows\system32\cmd.exe  (PID 3328)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .
  C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe  (PID 864)  cmdline: C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  (PID 2184)  cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iassfcqjyrkffnxoze.exe*."

C:\Windows\system32\cmd.exe  (PID 5960)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe
  C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe  (PID 5308)  cmdline: C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe

C:\Windows\system32\cmd.exe  (PID 4828)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .
  C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe  (PID 4256)  cmdline: C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  (PID 1524)  cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tmfgushbrlfbclwoagx.exe*."

C:\Windows\system32\cmd.exe  (PID 1664)  cmdline: C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe
  C:\Windows\siywhcofsjatrxfu.exe  (PID 1656)  cmdline: siywhcofsjatrxfu.exe

C:\Windows\system32\cmd.exe  (PID 4868)  cmdline: C:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe .
  C:\Windows\tmfgushbrlfbclwoagx.exe  (PID 5040)  cmdline: tmfgushbrlfbclwoagx.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  (PID 4820)  cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tmfgushbrlfbclwoagx.exe*."

C:\Windows\system32\cmd.exe  (PID 3676)  cmdline: C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe
  C:\Windows\siywhcofsjatrxfu.exe  (PID 5256)  cmdline: siywhcofsjatrxfu.exe

C:\Windows\system32\cmd.exe  (PID 4076)  cmdline: C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe .
  C:\Windows\zqhgsobthzrlkraqa.exe  (PID 2664)  cmdline: zqhgsobthzrlkraqa.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  (PID 3504)  cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\zqhgsobthzrlkraqa.exe*."

C:\Windows\system32\cmd.exe  (PID 1332)  cmdline: C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe
  C:\Windows\vqloeevrjfbzcnauiqjez.exe  (PID 396)  cmdline: vqloeevrjfbzcnauiqjez.exe

C:\Windows\system32\cmd.exe  (PID 3368)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
  C:\Windows\System32\Conhost.exe  (PID 4788)  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe  (PID 3196)  cmdline: C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Windows\system32\cmd.exe  (PID 944)  cmdline: C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe
  C:\Windows\iassfcqjyrkffnxoze.exe  (PID 5864)  cmdline: iassfcqjyrkffnxoze.exe

C:\Windows\system32\cmd.exe  (PID 1660)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .
  C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe  (PID 5272)  cmdline: C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  (PID 5316)  cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iassfcqjyrkffnxoze.exe*."

C:\Windows\system32\cmd.exe  (PID 3380)  cmdline: C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe .
  C:\Windows\vqloeevrjfbzcnauiqjez.exe  (PID 4452)  cmdline: vqloeevrjfbzcnauiqjez.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  (PID 4780)  cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\vqloeevrjfbzcnauiqjez.exe*."

C:\Windows\system32\cmd.exe  (PID 5808)  cmdline: C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe .
  C:\Windows\siywhcofsjatrxfu.exe  (PID 5604)  cmdline: siywhcofsjatrxfu.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  (PID 4772)  cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\siywhcofsjatrxfu.exe*."

C:\Windows\system32\cmd.exe  (PID 5296)  cmdline: C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe
  C:\Windows\zqhgsobthzrlkraqa.exe  (PID 6104)  cmdline: zqhgsobthzrlkraqa.exe

C:\Windows\system32\cmd.exe  (PID 3300)  cmdline: C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe .
  C:\Windows\iassfcqjyrkffnxoze.exe  (PID 2064)  cmdline: iassfcqjyrkffnxoze.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  (PID 4624)  cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iassfcqjyrkffnxoze.exe*."

C:\Windows\system32\cmd.exe  (PID 5416)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe
  C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe  (PID 1928)  cmdline: C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe

C:\Windows\system32\cmd.exe  (PID 4500)  cmdline: C:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe
  C:\Windows\tmfgushbrlfbclwoagx.exe  (PID 5992)  cmdline: tmfgushbrlfbclwoagx.exe

C:\Windows\system32\cmd.exe  (PID 4492)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
  C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe  (PID 4712)  cmdline: C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Windows\system32\cmd.exe  (PID 1584)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe .
  C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe  (PID 1540)  cmdline: C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  (PID 1976)  cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\vqloeevrjfbzcnauiqjez.exe*."

C:\Windows\system32\cmd.exe  (PID 2240)  cmdline: C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe .
  C:\Windows\gauwlkavmhczblxqdkcw.exe  (PID 3512)  cmdline: gauwlkavmhczblxqdkcw.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  (PID 3744)  cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\gauwlkavmhczblxqdkcw.exe*."

C:\Windows\system32\cmd.exe  (PID 4964)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe .
  C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe  (PID 4768)  cmdline: C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  (PID 5620)  cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\siywhcofsjatrxfu.exe*."

C:\Windows\system32\cmd.exe  (PID 2116)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
  C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe  (PID 1892)  cmdline: C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Windows\system32\cmd.exe  (PID 2496)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .
  C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe  (PID 3748)  cmdline: C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  (PID 5412)  cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iassfcqjyrkffnxoze.exe*."

C:\Windows\system32\cmd.exe  (PID 4612)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
  C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe  (PID 1288)  cmdline: C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Windows\system32\cmd.exe  (PID 5260)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .
  C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe  (PID 5488)  cmdline: C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .

C:\Windows\system32\cmd.exe  (PID 1256)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe
  C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe  (PID 4008)  cmdline: C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe

C:\Windows\system32\cmd.exe  (PID 5384)  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .
  C:\Windows\System32\Conhost.exe  (PID 5476)  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe  (PID 5352)  cmdline: C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .

C:\Windows\system32\cmd.exe  (PID 3936)  cmdline: C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe

C:\Windows\system32\cmd.exe  (PID 5036)  cmdline: C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe .
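The tree above is rendered one fused line per process (image path, command line, nesting depth and PID run together with no separator), which makes it awkward to extract indicators from. The following triage helper is an added example, not code from the sandbox or from the sample's author: it splits those fused lines back into fields, rebuilds parent/child links from the depth digit, and then answers the questions an analyst asks first about this tree: which dropped executables ran and from which directories, where a bare file name handed to cmd.exe /c actually resolved, and which file paths rfyzcmqobpi.exe was handed (the report shows each path lowercased with "*." appended; what the helper does with that argument is not stated on the page and is not assumed here). SAMPLE is nine lines copied verbatim from the tree above; the line format and the "first .exe ends the image path" split rule are this script's own assumptions about the report's rendering.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: nine lines copied verbatim from the report's process tree.
SAMPLE = r"""
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe1⤵PID:4820
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4348
C:\Windows\iassfcqjyrkffnxoze.exeiassfcqjyrkffnxoze.exe2⤵PID:3588
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe .1⤵PID:1372
C:\Windows\gauwlkavmhczblxqdkcw.exegauwlkavmhczblxqdkcw.exe .2⤵PID:4396
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\gauwlkavmhczblxqdkcw.exe*."3⤵PID:3448
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe .1⤵PID:3404
C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exeC:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe .2⤵PID:5640
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\vqloeevrjfbzcnauiqjez.exe*."3⤵PID:1600
"""

# Assumed line layout: <image path ending in .exe><command line><depth digit>⤵PID:<pid>.
# The image path is taken to end at the first ".exe"; the command line may start with
# a quote, a bare name, or the \??\ NT prefix seen on conhost lines.
LINE_RE = re.compile(r"^(?P<image>.+?\.exe)(?P<cmdline>.*?)(?P<depth>\d)⤵PID:(?P<pid>\d+)$", re.I)
SYSTEM_IMAGES = {"cmd.exe", "conhost.exe"}   # hosts, not payloads; excluded from IOC lists


@dataclass
class Proc:
    pid: int
    depth: int
    image: str
    cmdline: str
    parent: Optional["Proc"] = field(default=None, repr=False, compare=False)
    children: List["Proc"] = field(default_factory=list, repr=False, compare=False)


def basename(path): return path.rsplit("\\", 1)[-1].lower()
def dirname(path): return path.rsplit("\\", 1)[0].lower()


def parse_tree(text):
    """Split each fused line into fields and link parents from the depth column."""
    procs, stack = [], []            # stack[i] = most recent process at depth i+1
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable process line: {line!r}")
        p = Proc(int(m["pid"]), int(m["depth"]), m["image"], m["cmdline"].strip())
        del stack[p.depth - 1:]      # returning to a shallower depth closes deeper subtrees
        if stack:
            p.parent = stack[-1]
            stack[-1].children.append(p)
        stack.append(p)
        procs.append(p)
    return procs


def dropped_executables(procs):
    """Each non-system image name -> set of directories it was seen running from."""
    dirs = defaultdict(set)
    for p in procs:
        if basename(p.image) not in SYSTEM_IMAGES:
            dirs[basename(p.image)].add(dirname(p.image))
    return dict(dirs)


def relative_launches(procs):
    """(cmd pid, bare name, directory the child resolved to) for 'cmd /c <bare name>'.
    A bare name resolves against cmd.exe's working directory, so the child's image
    directory tells you where the copy lived (C:\\Windows throughout this report)."""
    hits = []
    for p in procs:
        m = re.search(r"/c\s+(\S+)", p.cmdline, re.I)
        if basename(p.image) != "cmd.exe" or not m or "\\" in m.group(1):
            continue
        for c in p.children:
            if basename(c.image) == m.group(1).lower():
                hits.append((p.pid, m.group(1), dirname(c.image)))
    return hits


def helper_targets(procs, helper="rfyzcmqobpi.exe"):
    """Paths passed to the helper, with the report's trailing '*.' stripped."""
    targets = []
    for p in procs:
        if basename(p.image) == helper:
            m = re.search(r'"([^"]+)\*\."\s*$', p.cmdline)
            targets.append(m.group(1) if m else p.cmdline)
    return targets


def execution_chains(procs):
    """'cmd.exe(pid) > child(pid) > ...' for every leaf process other than conhost."""
    chains = []
    for p in procs:
        if p.children or basename(p.image) == "conhost.exe":
            continue
        hops, cur = [], p
        while cur is not None:
            hops.append(f"{basename(cur.image)}({cur.pid})")
            cur = cur.parent
        chains.append(" > ".join(reversed(hops)))
    return chains
```

Run `parse_tree(SAMPLE)` and feed the result to the four reporting functions; to cover the whole tree, paste the remaining lines into SAMPLE in report order, since the depth digit only links a process to the nearest shallower line above it. The split rule relies on the image path containing exactly one ".exe" before the command line starts, which holds for every line in this report but should be re-checked on a report where an image lives under a directory whose name contains ".exe".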
Network
MITRE ATT&CK Enterprise v16 (counts are the number of signatures mapped to each technique)
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
  Impair Defenses (2)
    Disable or Modify Tools (1)
    Safe Mode Boot (1)
  Modify Registry (5)
Downloads
Filesize: 280B
  MD5:    ad201f27b46401479d6fde407e19b99c
  SHA1:   6bc1194b17c2e55ee0685b77f11bb98a5613f0bd
  SHA256: 2afb7575872009213e00176ac8336f2bc7bf477fae721db844ea1a2be4705607
  SHA512: 56781b62ae74b48fce2df966baab3584258800cb688cec6c9a050ce0f05ddb6d27d24378cce9a15f930495bbeed604d31eeb22e306473f3b6e6b7c285e592501

Filesize: 280B
  MD5:    6f040ced56c17c267cad61e6ac39fe43
  SHA1:   33d39d3e68fa059f7933d2cdea2c254f84686bec
  SHA256: d0c3a78042fa468aac0bb0818db9396c04a086f76b60bed1b735f8f81161b633
  SHA512: 70043e5f4839538d3802053517260ea83953a2080f824a916c33c74cb6a82d13dd66f45e32dd19b6b358015f6172416022e9e5240e107d8c974f735ff4be29a8

Filesize: 280B
  MD5:    2cf33247a6b2808969c868c4463898f2
  SHA1:   0a4824caa2522289048418a5695d6113d86c1afd
  SHA256: 61bf246f465ce91c493c2bac8f6c188a87829e104fe723533a52b914fcab4a6e
  SHA512: 1d337f4f3392397bd8952593c45ebf3cc409a4401ef4e8136d205273d3d841e22ee6e16c0229721745d5c992af70ff5802a506f2aa773f72e1ea053911853581

Filesize: 280B
  MD5:    52ec5fff929f0fbacacce4c2096a89bb
  SHA1:   920941e8bac673c90ae57b18db1e034905a5dde1
  SHA256: 4ea900d803614273eb18b74f87c5ea92e826edd76785048f8d52a2ea072df02a
  SHA512: 06ab0ba2633b9aba800de043077f89498fdf92ef039a90f11c97dff4cfd71327496c2ff04408fc94a990e62d451ab828c18264c1c19eb547624de73aac072b6b

Filesize: 280B
  MD5:    6fffdfaa059d06b5420dc6e64f58384a
  SHA1:   9bd94147b645d559e5dbfaea0db0696fd0c2320b
  SHA256: 4eb7940c87dc0b4e5f584de17d6c6c35ae165bb9b942fcffafa2ce8059df7110
  SHA512: ec1e4746d4e74aa5f2b2fc23cd64bab4659669dea0bb0c17061179b709273aeac030dcfd353f412b388f3932a18d44b7dfe1a6d551ba3dc9e2e53f20940fc20a

Filesize: 716KB
  MD5:    a98d60dea3ed5563c16c113e2aeea939
  SHA1:   7a9e89bde295d813b5a5864ccdb9cc3217bd907b
  SHA256: 2a3c0fb9746db654845545e663b3d6fdffa213a453d3696e9ac66aaf9ee843c5
  SHA512: 7d5ac8bbf72ca0ddf3f03e272ba720d1f18e167e326097b8c6f7f23e628a0d5fc9c842610a4d97ddd474493cc73d3810722fcacc87d95ca21feb6ccacb7fc638

Filesize: 320KB
  MD5:    5be990ef06295142609c061e763f94c5
  SHA1:   8e92649e057aedcae61933ddd382fdda697ea98a
  SHA256: 43c235b417faab687bd120df0b67f120b2f22e8947846e02178185bf5abd5be5
  SHA512: 6bd2141db8b654e0dddf2cb83638675febaeebc7f34164a345ab0fa245a98af7b718c485526518fdb36a0bb88e9b4ecaa97a9801f4b3a97422e5f34788785b95

Filesize: 4KB
  MD5:    0c85e84de601cb71aa23ab7796318ef7
  SHA1:   cecf915a9321dc4d3be6a85312ea85ff62bf2fad
  SHA256: a6288dc0b2a7d6982a8cd3b2fe24711d2fe6b12573c0dedee30c47583bbbd8ea
  SHA512: d16a109357e4c3b5cfead73fdb96ba09830c191c591341c966b76481a4864b73d9d60bb04290b7df1759714d4af71c3fe5859f789b23450ec7345cba83d19bb4

Filesize: 280B
  MD5:    3a5c31bb6937870cf7038af00b6a0c8e
  SHA1:   0e2fd7823208dd7ac62364d051c62ebf089b48a6
  SHA256: 250fa470da5ef2dced8667f5c9e5c4f945f0e9b0e5f80f3b1be08198b7491d3d
  SHA512: 87716bcecd53a01a7c73438a4c7537bff412cf0f8f509b7d2b6dbb9fe3fad2677af4625d32cfca67cb43229652e8af7afe649cae728fa010a0287ea7db83f7f8

Filesize: 280B
  MD5:    0db6c08d3b976455b3b1d64aa27cd8f4
  SHA1:   61642662e6335bd8c81f46d28fe51b07b3a14146
  SHA256: a3cf444551b4900d890bae92c528e9a5b4b5b25477cdfbebdec730c882908808
  SHA512: 30953a0720397909ccd43962a839bf081671572df13532941a39cd65c5e682b1e04f6aba27b505ec3114f4c12a6eefc542d015c0faf518fde3cc2143bd5cc9e9

Filesize: 492KB
  MD5:    bdec6237d2f7f80e1250e09df51e3d02
  SHA1:   73bbd2918a981f181299342a44b8afc0e0923f7d
  SHA256: a7ba2a0628020aa108b91798907146015ab98527a7b59ac8836865c6d9e1e12b
  SHA512: e0c1276cabc70b4fe6c936854e10eafba6c5860824d82007c2513d408d1167611b24ae6d5fe992ce12500d6d08ace5b966535ad236bb142af5f677f0ade1af8b
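The hash list above is what a responder would carry to other hosts to find the same files, and each dropped file is listed under four algorithms, so a sweep should not force a choice of one. The following is an added example, not part of the report or of any sandbox tooling: it walks a directory tree, computes MD5, SHA-1 and SHA-256 of every file in a single read, and reports any file whose digest under any algorithm appears in the IOC set. REPORT_IOCS holds SHA-256 values copied from the 716KB, 320KB, 4KB and 492KB entries above (plus the 492KB entry's MD5 and SHA-1 to show cross-algorithm matching); the directory layout, file names and file contents in demo_sweep are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

# Indicator set copied from the report's Downloads list (the four non-280B entries).
REPORT_IOCS = {
    "sha256": {
        "2a3c0fb9746db654845545e663b3d6fdffa213a453d3696e9ac66aaf9ee843c5",  # 716KB entry
        "43c235b417faab687bd120df0b67f120b2f22e8947846e02178185bf5abd5be5",  # 320KB entry
        "a6288dc0b2a7d6982a8cd3b2fe24711d2fe6b12573c0dedee30c47583bbbd8ea",  # 4KB entry
        "a7ba2a0628020aa108b91798907146015ab98527a7b59ac8836865c6d9e1e12b",  # 492KB entry
    },
    "md5": {"bdec6237d2f7f80e1250e09df51e3d02"},     # 492KB entry
    "sha1": {"73bbd2918a981f181299342a44b8afc0e0923f7d"},  # 492KB entry
}


def digests(path, chunk=1 << 20):
    """MD5, SHA-1 and SHA-256 of one file, computed in a single pass over its bytes."""
    hashes = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hashes.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashes.items()}


def sweep(root, iocs=REPORT_IOCS):
    """Return [(path, algorithm, hexdigest)] for every file under root matching an IOC."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                found = digests(path)
            except OSError:
                continue                 # locked or unreadable file: skip, keep sweeping
            for algo, value in found.items():
                if value in iocs.get(algo, ()):
                    hits.append((path, algo, value))
    return hits


def demo_sweep():
    """Constructed scratch tree: a 'clean' sweep against the report IOCs should find
    nothing, and a sweep seeded with one constructed file's own SHA-256 finds that file."""
    payload = b"constructed-sample-bytes"
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "sub"))
        benign = os.path.join(tmp, "benign.txt")
        suspect = os.path.join(tmp, "sub", "suspect.bin")
        with open(benign, "wb") as f:
            f.write(b"hello")
        with open(suspect, "wb") as f:
            f.write(payload)
        expected = hashlib.sha256(payload).hexdigest()
        return {
            "clean": sweep(tmp),
            "hits": [(os.path.basename(p), a, h) for p, a, h in sweep(tmp, {"sha256": {expected}})],
            "expected": expected,
            "benign": digests(benign),
        }


if __name__ == "__main__":
    for path, algo, value in sweep(os.getcwd()):
        print(f"IOC match ({algo}): {path} {value}")
```

Point `sweep()` at a mounted image or a suspect host's drive root; a hit on any one algorithm is enough to pull the file for comparison. Reading each file once and feeding all three digests from the same buffer matters on large trees, where the disk read, not the hashing, dominates.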