Analysis
  max time kernel:   54s
  max time network:  158s
  platform:          windows11-21h2_x64
  resource:          win11-20250410-en
  resource tags:     arch:x64, arch:x86, image:win11-20250410-en, locale:en-us, os:windows11-21h2-x64, system
  submitted:         20/04/2025, 03:34
Static task
  static1
Behavioral task
  behavioral1: sample JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe, resource win10v2004-20250410-en
Behavioral task
  behavioral2: sample JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe, resource win11-20250410-en (the run whose signatures are listed below)
General
  Target:  JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe
  Size:    832KB
  MD5:     c45c7c3be165367d7676c127dbdc2050
  SHA1:    0ca4bbd08beb9ce9e8bd6807113345389aa07588
  SHA256:  7be6ccadfe39aff45029a30fe34b3c87ac49ebbad791c34e2ff8bb30e7e07721
  SHA512:  d0aa1e6158da64512f9098ed1ae8d33d1882a1c23fb2c7bbbc3a3c0e331355d24dc302ef4f5b778d17f952fdd93adfd5e77fc81c73c5b119793b398edb43bbb3
  SSDEEP:  12288:0gkDxdkL+6JNgKVcRa+fpHyWs3OBH4pUYJPfZQ:qxsKXa+hHyWseBgzm
Malware Config
Signatures
Modifies WinLogon for persistence  (2 TTPs, 27 IoCs)
  All 27 IoCs are the same string write, repeated by the two persistent processes:
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"
      gncdejpoqxm.exe  x25
      bgmsq.exe        x2
  Note that the data written is the default shell name, so the indicator here is the write to Winlogon\Shell by a process in the user's Temp directory, not the value's content; a content-only check of this value would not flag this sample.
Pykspa family
UAC bypass  (3 TTPs, 36 IoCs)
  All writes are Set value (int) under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System:
    EnableLUA                  = "0"   gncdejpoqxm.exe x25, bgmsq.exe x2
    ConsentPromptBehaviorAdmin = "0"   bgmsq.exe x2, gncdejpoqxm.exe x1
    ConsentPromptBehaviorUser  = "0"   bgmsq.exe x2, gncdejpoqxm.exe x1
    PromptOnSecureDesktop      = "0"   bgmsq.exe x2, gncdejpoqxm.exe x1
  Together these disable UAC outright (EnableLUA=0 takes effect at the next logon), elevate administrators without a prompt, auto-deny elevation for standard users, and move any remaining prompt off the secure desktop.
Detect Pykspa worm  (2 IoCs)
  resource                                      yara_rule
  behavioral2/files/0x000b00000002ac46-4.dat    family_pykspa
  behavioral2/files/0x001900000002b12f-84.dat   family_pykspa
Adds policy Run key to start application  (2 TTPs, 64 IoCs)
  Key: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    Key created                                                                          x19  (gncdejpoqxm.exe x17, bgmsq.exe x2)
    Set value (str)  zgowwdr    = "C:\\Users\\Admin\\AppData\\Local\\Temp\\<copy>.exe"   x20
    Set value (str)  yitehritwh = "<copy>.exe"                                           x25
  <copy> is one of the six dropped copies: yofwfvsjsjpbvbhr.exe, bwsocxzvjfqhgrcrhqpkg.exe, ogzsdvunyrznjrzlye.exe, fwogqhfxhzgtovcnz.exe, zsmgsllfrlujgpylzgd.exe, mgbwjdezmhrhfpznckic.exe. Most writes come from gncdejpoqxm.exe, the rest from bgmsq.exe; the same two value names are overwritten repeatedly, each time pointing at a different copy (full path in zgowwdr, bare file name in yitehritwh).
Disables RegEdit via registry modification  (6 IoCs)
  Set value (int)  ...\Policies\System\DisableRegistryTools = "1"
    \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System   bgmsq.exe x2, gncdejpoqxm.exe x1
    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                                             bgmsq.exe x2, gncdejpoqxm.exe x1
Executes dropped EXE  (64 IoCs)
  Process                    Starts  PIDs (in the order the report lists them)
  gncdejpoqxm.exe            20      4348, 4772, 4940, 3024, 1676, 5428, 3500, 6040, 2564, 4164, 3412, 5024, 2532, 5544, 2356, 2736, 1972, 4776, 2388, 1868
  ogzsdvunyrznjrzlye.exe     9       2320, 572, 3104, 1508, 6068, 5468, 5440, 4284, 5968
  mgbwjdezmhrhfpznckic.exe   9       5648, 5584, 3432, 1532, 3576, 3444, 2888, 2700, 4324
  bwsocxzvjfqhgrcrhqpkg.exe  7       2364, 5020, 5476, 1680, 5896, 4072, 5188
  zsmgsllfrlujgpylzgd.exe    7       3140, 3624, 8, 5508, 3588, 3708, 1980
  yofwfvsjsjpbvbhr.exe       5       4764, 2016, 4804, 5584, 4608
  fwogqhfxhzgtovcnz.exe      5       3152, 340, 4776, 2192, 4856
  bgmsq.exe                  2       4104, 1936
  PIDs 4776 and 5584 each appear under two different images; the report records every process start, so these are PID values reused after the earlier process exited.
Impair Defenses: Safe Mode Boot  (1 TTPs, 6 IoCs)
  Key deleted under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal, all by bgmsq.exe:
    UserManager
    SerCx2.sys
    ProfSvc
    Power
    iai2c.sys
    CBDHSvc
  Entries under SafeBoot\Minimal are the services and drivers Windows loads in Safe Mode; deleting them keeps those components (including the user profile service) from starting there, which hampers clean-up from Safe Mode.
Adds Run key to start application  (2 TTPs, 64 IoCs)
  All 64 entries are Set value (str) by gncdejpoqxm.exe or bgmsq.exe. HKU below stands for \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000; <copy> is one of the six dropped file names listed under the policy Run key signature.
    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qetipdynujnxpt    = "C:\\Users\\Admin\\AppData\\Local\\Temp\\<copy>.exe"
    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\owfopxmv          = "<copy>.exe"
    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\foyiktjtv     = "<copy>.exe ."
    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pcqekxrflzclc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\<copy>.exe ."
    HKU\Software\Microsoft\Windows\CurrentVersion\Run\owfopxmv          = "C:\\Users\\Admin\\AppData\\Local\\Temp\\<copy>.exe"
    HKU\Software\Microsoft\Windows\CurrentVersion\Run\teqcgrjvzlm       = "<copy>.exe"
    HKU\Software\Microsoft\Windows\CurrentVersion\RunOnce\foyiktjtv     = "C:\\Users\\Admin\\AppData\\Local\\Temp\\<copy>.exe ."
    HKU\Software\Microsoft\Windows\CurrentVersion\RunOnce\qcpchtmzertb  = "<copy>.exe ."
  Each value name is rewritten many times with a different <copy>. The RunOnce entries carry a trailing " ." argument, and half of the entries give only a bare file name with no directory.
Checks whether UAC is enabled 1 TTPs 54 IoCs
description ioc Process
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA gncdejpoqxm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncdejpoqxm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncdejpoqxm.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA gncdejpoqxm.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA gncdejpoqxm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncdejpoqxm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncdejpoqxm.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA gncdejpoqxm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncdejpoqxm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncdejpoqxm.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA gncdejpoqxm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncdejpoqxm.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA gncdejpoqxm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncdejpoqxm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncdejpoqxm.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA gncdejpoqxm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncdejpoqxm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncdejpoqxm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncdejpoqxm.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bgmsq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncdejpoqxm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncdejpoqxm.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA gncdejpoqxm.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA gncdejpoqxm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncdejpoqxm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncdejpoqxm.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA gncdejpoqxm.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA gncdejpoqxm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncdejpoqxm.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA gncdejpoqxm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bgmsq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncdejpoqxm.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA gncdejpoqxm.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA gncdejpoqxm.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA gncdejpoqxm.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA gncdejpoqxm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncdejpoqxm.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA gncdejpoqxm.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA gncdejpoqxm.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA gncdejpoqxm.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA gncdejpoqxm.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA gncdejpoqxm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncdejpoqxm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncdejpoqxm.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA gncdejpoqxm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncdejpoqxm.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA gncdejpoqxm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncdejpoqxm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncdejpoqxm.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA gncdejpoqxm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bgmsq.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bgmsq.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA gncdejpoqxm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncdejpoqxm.exe
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possibly turns off User Account Control's privilege elevation for standard users.
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" gncdejpoqxm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" bgmsq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" bgmsq.exe
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc
1 www.whatismyip.ca
3 whatismyip.everdot.org
3 whatismyipaddress.com
1 www.showmyipaddress.com
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process
File opened for modification F:\autorun.inf bgmsq.exe
File created F:\autorun.inf bgmsq.exe
File opened for modification C:\autorun.inf bgmsq.exe
File created C:\autorun.inf bgmsq.exe
Drops file in System32 directory 64 IoCs
description ioc Process
File opened for modification C:\Windows\SysWOW64\zsmgsllfrlujgpylzgd.exe gncdejpoqxm.exe
File opened for modification C:\Windows\SysWOW64\fwogqhfxhzgtovcnz.exe gncdejpoqxm.exe
File opened for modification C:\Windows\SysWOW64\ogzsdvunyrznjrzlye.exe gncdejpoqxm.exe
File opened for modification C:\Windows\SysWOW64\yofwfvsjsjpbvbhr.exe gncdejpoqxm.exe
File opened for modification C:\Windows\SysWOW64\fwogqhfxhzgtovcnz.exe gncdejpoqxm.exe
File opened for modification C:\Windows\SysWOW64\mgbwjdezmhrhfpznckic.exe gncdejpoqxm.exe
File opened for modification C:\Windows\SysWOW64\mgbwjdezmhrhfpznckic.exe gncdejpoqxm.exe
File opened for modification C:\Windows\SysWOW64\zsmgsllfrlujgpylzgd.exe gncdejpoqxm.exe
File opened for modification C:\Windows\SysWOW64\solixtwtifrjjvhxoyyuro.exe gncdejpoqxm.exe
File opened for modification C:\Windows\SysWOW64\mgbwjdezmhrhfpznckic.exe bgmsq.exe
File opened for modification C:\Windows\SysWOW64\fwogqhfxhzgtovcnz.exe gncdejpoqxm.exe
File opened for modification C:\Windows\SysWOW64\mgbwjdezmhrhfpznckic.exe gncdejpoqxm.exe
File opened for modification C:\Windows\SysWOW64\ogzsdvunyrznjrzlye.exe gncdejpoqxm.exe
File opened for modification C:\Windows\SysWOW64\yofwfvsjsjpbvbhr.exe gncdejpoqxm.exe
File opened for modification C:\Windows\SysWOW64\mgbwjdezmhrhfpznckic.exe gncdejpoqxm.exe
File opened for modification C:\Windows\SysWOW64\ogzsdvunyrznjrzlye.exe gncdejpoqxm.exe
File opened for modification C:\Windows\SysWOW64\ogzsdvunyrznjrzlye.exe gncdejpoqxm.exe
File created C:\Windows\SysWOW64\gilojluxsvnlrjbxukqsvytv.hcf bgmsq.exe
File opened for modification C:\Windows\SysWOW64\zsmgsllfrlujgpylzgd.exe gncdejpoqxm.exe
File opened for modification C:\Windows\SysWOW64\ogzsdvunyrznjrzlye.exe gncdejpoqxm.exe
File opened for modification C:\Windows\SysWOW64\mgbwjdezmhrhfpznckic.exe gncdejpoqxm.exe
File opened for modification C:\Windows\SysWOW64\solixtwtifrjjvhxoyyuro.exe gncdejpoqxm.exe
File opened for modification C:\Windows\SysWOW64\yofwfvsjsjpbvbhr.exe gncdejpoqxm.exe
File opened for modification C:\Windows\SysWOW64\ogzsdvunyrznjrzlye.exe gncdejpoqxm.exe
File opened for modification C:\Windows\SysWOW64\yofwfvsjsjpbvbhr.exe gncdejpoqxm.exe
File opened for modification C:\Windows\SysWOW64\ogzsdvunyrznjrzlye.exe gncdejpoqxm.exe
File opened for modification C:\Windows\SysWOW64\bwsocxzvjfqhgrcrhqpkg.exe gncdejpoqxm.exe
File opened for modification C:\Windows\SysWOW64\zsmgsllfrlujgpylzgd.exe gncdejpoqxm.exe
File opened for modification C:\Windows\SysWOW64\fwogqhfxhzgtovcnz.exe gncdejpoqxm.exe
File opened for modification C:\Windows\SysWOW64\mgbwjdezmhrhfpznckic.exe gncdejpoqxm.exe
File opened for modification C:\Windows\SysWOW64\fwogqhfxhzgtovcnz.exe bgmsq.exe
File opened for modification C:\Windows\SysWOW64\solixtwtifrjjvhxoyyuro.exe gncdejpoqxm.exe
File opened for modification C:\Windows\SysWOW64\bwsocxzvjfqhgrcrhqpkg.exe gncdejpoqxm.exe
File opened for modification C:\Windows\SysWOW64\mgbwjdezmhrhfpznckic.exe gncdejpoqxm.exe
File opened for modification C:\Windows\SysWOW64\mgbwjdezmhrhfpznckic.exe gncdejpoqxm.exe
File opened for modification C:\Windows\SysWOW64\ogzsdvunyrznjrzlye.exe gncdejpoqxm.exe
File opened for modification C:\Windows\SysWOW64\zsmgsllfrlujgpylzgd.exe gncdejpoqxm.exe
File opened for modification C:\Windows\SysWOW64\mgbwjdezmhrhfpznckic.exe gncdejpoqxm.exe
File opened for modification C:\Windows\SysWOW64\mgbwjdezmhrhfpznckic.exe gncdejpoqxm.exe
File opened for modification C:\Windows\SysWOW64\yofwfvsjsjpbvbhr.exe gncdejpoqxm.exe
File opened for modification C:\Windows\SysWOW64\yofwfvsjsjpbvbhr.exe gncdejpoqxm.exe
File opened for modification C:\Windows\SysWOW64\fwogqhfxhzgtovcnz.exe gncdejpoqxm.exe
File opened for modification C:\Windows\SysWOW64\bwsocxzvjfqhgrcrhqpkg.exe gncdejpoqxm.exe
File opened for modification C:\Windows\SysWOW64\bwsocxzvjfqhgrcrhqpkg.exe gncdejpoqxm.exe
File opened for modification C:\Windows\SysWOW64\zsmgsllfrlujgpylzgd.exe gncdejpoqxm.exe
File opened for modification C:\Windows\SysWOW64\fwogqhfxhzgtovcnz.exe gncdejpoqxm.exe
File opened for modification C:\Windows\SysWOW64\mgbwjdezmhrhfpznckic.exe gncdejpoqxm.exe
File opened for modification C:\Windows\SysWOW64\mgbwjdezmhrhfpznckic.exe gncdejpoqxm.exe
File created C:\Windows\SysWOW64\pcqekxrflzclcfipxypcqekxrflzclcfipx.pcq bgmsq.exe
File opened for modification C:\Windows\SysWOW64\ogzsdvunyrznjrzlye.exe gncdejpoqxm.exe
File opened for modification C:\Windows\SysWOW64\bwsocxzvjfqhgrcrhqpkg.exe gncdejpoqxm.exe
File opened for modification C:\Windows\SysWOW64\zsmgsllfrlujgpylzgd.exe gncdejpoqxm.exe
File opened for modification C:\Windows\SysWOW64\ogzsdvunyrznjrzlye.exe gncdejpoqxm.exe
File opened for modification C:\Windows\SysWOW64\bwsocxzvjfqhgrcrhqpkg.exe gncdejpoqxm.exe
File opened for modification C:\Windows\SysWOW64\yofwfvsjsjpbvbhr.exe gncdejpoqxm.exe
File opened for modification C:\Windows\SysWOW64\zsmgsllfrlujgpylzgd.exe gncdejpoqxm.exe
File opened for modification C:\Windows\SysWOW64\bwsocxzvjfqhgrcrhqpkg.exe bgmsq.exe
File opened for modification C:\Windows\SysWOW64\fwogqhfxhzgtovcnz.exe gncdejpoqxm.exe
File opened for modification C:\Windows\SysWOW64\solixtwtifrjjvhxoyyuro.exe gncdejpoqxm.exe
File opened for modification C:\Windows\SysWOW64\ogzsdvunyrznjrzlye.exe gncdejpoqxm.exe
File opened for modification C:\Windows\SysWOW64\solixtwtifrjjvhxoyyuro.exe gncdejpoqxm.exe
File opened for modification C:\Windows\SysWOW64\ogzsdvunyrznjrzlye.exe gncdejpoqxm.exe
File opened for modification C:\Windows\SysWOW64\solixtwtifrjjvhxoyyuro.exe gncdejpoqxm.exe
File opened for modification C:\Windows\SysWOW64\zsmgsllfrlujgpylzgd.exe gncdejpoqxm.exe
Drops file in Program Files directory 4 IoCs
description ioc Process
File opened for modification C:\Program Files (x86)\gilojluxsvnlrjbxukqsvytv.hcf bgmsq.exe
File created C:\Program Files (x86)\gilojluxsvnlrjbxukqsvytv.hcf bgmsq.exe
File opened for modification C:\Program Files (x86)\pcqekxrflzclcfipxypcqekxrflzclcfipx.pcq bgmsq.exe
File created C:\Program Files (x86)\pcqekxrflzclcfipxypcqekxrflzclcfipx.pcq bgmsq.exe
Drops file in Windows directory 64 IoCs
description ioc Process
File opened for modification C:\Windows\ogzsdvunyrznjrzlye.exe gncdejpoqxm.exe
File opened for modification C:\Windows\solixtwtifrjjvhxoyyuro.exe bgmsq.exe
File opened for modification C:\Windows\mgbwjdezmhrhfpznckic.exe gncdejpoqxm.exe
File opened for modification C:\Windows\fwogqhfxhzgtovcnz.exe gncdejpoqxm.exe
File opened for modification C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe gncdejpoqxm.exe
File opened for modification C:\Windows\zsmgsllfrlujgpylzgd.exe gncdejpoqxm.exe
File opened for modification C:\Windows\solixtwtifrjjvhxoyyuro.exe gncdejpoqxm.exe
File opened for modification C:\Windows\fwogqhfxhzgtovcnz.exe gncdejpoqxm.exe
File opened for modification C:\Windows\yofwfvsjsjpbvbhr.exe gncdejpoqxm.exe
File opened for modification C:\Windows\ogzsdvunyrznjrzlye.exe bgmsq.exe
File opened for modification C:\Windows\yofwfvsjsjpbvbhr.exe bgmsq.exe
File created C:\Windows\gilojluxsvnlrjbxukqsvytv.hcf bgmsq.exe
File opened for modification C:\Windows\zsmgsllfrlujgpylzgd.exe gncdejpoqxm.exe
File opened for modification C:\Windows\yofwfvsjsjpbvbhr.exe gncdejpoqxm.exe
File opened for modification C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe gncdejpoqxm.exe
File opened for modification C:\Windows\mgbwjdezmhrhfpznckic.exe gncdejpoqxm.exe
File opened for modification C:\Windows\mgbwjdezmhrhfpznckic.exe gncdejpoqxm.exe
File opened for modification C:\Windows\ogzsdvunyrznjrzlye.exe bgmsq.exe
File opened for modification C:\Windows\solixtwtifrjjvhxoyyuro.exe gncdejpoqxm.exe
File opened for modification C:\Windows\ogzsdvunyrznjrzlye.exe gncdejpoqxm.exe
File opened for modification C:\Windows\mgbwjdezmhrhfpznckic.exe gncdejpoqxm.exe
File opened for modification C:\Windows\mgbwjdezmhrhfpznckic.exe gncdejpoqxm.exe
File opened for modification C:\Windows\ogzsdvunyrznjrzlye.exe gncdejpoqxm.exe
File opened for modification C:\Windows\solixtwtifrjjvhxoyyuro.exe gncdejpoqxm.exe
File opened for modification C:\Windows\yofwfvsjsjpbvbhr.exe gncdejpoqxm.exe
File opened for modification C:\Windows\zsmgsllfrlujgpylzgd.exe bgmsq.exe
File opened for modification C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe bgmsq.exe
File opened for modification C:\Windows\solixtwtifrjjvhxoyyuro.exe gncdejpoqxm.exe
File opened for modification C:\Windows\solixtwtifrjjvhxoyyuro.exe gncdejpoqxm.exe
File opened for modification C:\Windows\solixtwtifrjjvhxoyyuro.exe gncdejpoqxm.exe
File opened for modification C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe gncdejpoqxm.exe
File opened for modification C:\Windows\solixtwtifrjjvhxoyyuro.exe gncdejpoqxm.exe
File opened for modification C:\Windows\mgbwjdezmhrhfpznckic.exe gncdejpoqxm.exe
File opened for modification C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe gncdejpoqxm.exe
File opened for modification C:\Windows\fwogqhfxhzgtovcnz.exe bgmsq.exe
File opened for modification C:\Windows\ogzsdvunyrznjrzlye.exe gncdejpoqxm.exe
File opened for modification C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe gncdejpoqxm.exe
File opened for modification C:\Windows\zsmgsllfrlujgpylzgd.exe gncdejpoqxm.exe
File opened for modification C:\Windows\ogzsdvunyrznjrzlye.exe gncdejpoqxm.exe
File opened for modification C:\Windows\zsmgsllfrlujgpylzgd.exe gncdejpoqxm.exe
File opened for modification C:\Windows\ogzsdvunyrznjrzlye.exe gncdejpoqxm.exe
File opened for modification C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe bgmsq.exe
File opened for modification C:\Windows\yofwfvsjsjpbvbhr.exe gncdejpoqxm.exe
File opened for modification C:\Windows\solixtwtifrjjvhxoyyuro.exe gncdejpoqxm.exe
File opened for modification C:\Windows\mgbwjdezmhrhfpznckic.exe gncdejpoqxm.exe
File opened for modification C:\Windows\zsmgsllfrlujgpylzgd.exe gncdejpoqxm.exe
File opened for modification C:\Windows\mgbwjdezmhrhfpznckic.exe gncdejpoqxm.exe
File opened for modification C:\Windows\zsmgsllfrlujgpylzgd.exe gncdejpoqxm.exe
File opened for modification C:\Windows\ogzsdvunyrznjrzlye.exe gncdejpoqxm.exe
File opened for modification C:\Windows\fwogqhfxhzgtovcnz.exe gncdejpoqxm.exe
File opened for modification C:\Windows\zsmgsllfrlujgpylzgd.exe gncdejpoqxm.exe
File opened for modification C:\Windows\yofwfvsjsjpbvbhr.exe gncdejpoqxm.exe
File opened for modification C:\Windows\solixtwtifrjjvhxoyyuro.exe gncdejpoqxm.exe
File opened for modification C:\Windows\ogzsdvunyrznjrzlye.exe gncdejpoqxm.exe
File opened for modification C:\Windows\yofwfvsjsjpbvbhr.exe gncdejpoqxm.exe
File opened for modification C:\Windows\fwogqhfxhzgtovcnz.exe gncdejpoqxm.exe
File opened for modification C:\Windows\fwogqhfxhzgtovcnz.exe gncdejpoqxm.exe
File opened for modification C:\Windows\fwogqhfxhzgtovcnz.exe gncdejpoqxm.exe
File opened for modification C:\Windows\yofwfvsjsjpbvbhr.exe gncdejpoqxm.exe
File opened for modification C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe gncdejpoqxm.exe
File opened for modification C:\Windows\ogzsdvunyrznjrzlye.exe gncdejpoqxm.exe
File opened for modification C:\Windows\yofwfvsjsjpbvbhr.exe gncdejpoqxm.exe
File opened for modification C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe gncdejpoqxm.exe
File opened for modification C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe gncdejpoqxm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ogzsdvunyrznjrzlye.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fwogqhfxhzgtovcnz.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bwsocxzvjfqhgrcrhqpkg.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mgbwjdezmhrhfpznckic.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ogzsdvunyrznjrzlye.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language yofwfvsjsjpbvbhr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bwsocxzvjfqhgrcrhqpkg.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language yofwfvsjsjpbvbhr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ogzsdvunyrznjrzlye.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zsmgsllfrlujgpylzgd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language yofwfvsjsjpbvbhr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ogzsdvunyrznjrzlye.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bwsocxzvjfqhgrcrhqpkg.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bwsocxzvjfqhgrcrhqpkg.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bwsocxzvjfqhgrcrhqpkg.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fwogqhfxhzgtovcnz.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mgbwjdezmhrhfpznckic.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fwogqhfxhzgtovcnz.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zsmgsllfrlujgpylzgd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ogzsdvunyrznjrzlye.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mgbwjdezmhrhfpznckic.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mgbwjdezmhrhfpznckic.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fwogqhfxhzgtovcnz.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fwogqhfxhzgtovcnz.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language yofwfvsjsjpbvbhr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fwogqhfxhzgtovcnz.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fwogqhfxhzgtovcnz.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mgbwjdezmhrhfpznckic.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mgbwjdezmhrhfpznckic.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ogzsdvunyrznjrzlye.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zsmgsllfrlujgpylzgd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mgbwjdezmhrhfpznckic.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language yofwfvsjsjpbvbhr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ogzsdvunyrznjrzlye.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bwsocxzvjfqhgrcrhqpkg.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zsmgsllfrlujgpylzgd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bwsocxzvjfqhgrcrhqpkg.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mgbwjdezmhrhfpznckic.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bwsocxzvjfqhgrcrhqpkg.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ogzsdvunyrznjrzlye.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language yofwfvsjsjpbvbhr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zsmgsllfrlujgpylzgd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ogzsdvunyrznjrzlye.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bwsocxzvjfqhgrcrhqpkg.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fwogqhfxhzgtovcnz.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ogzsdvunyrznjrzlye.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mgbwjdezmhrhfpznckic.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fwogqhfxhzgtovcnz.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zsmgsllfrlujgpylzgd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fwogqhfxhzgtovcnz.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zsmgsllfrlujgpylzgd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bwsocxzvjfqhgrcrhqpkg.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fwogqhfxhzgtovcnz.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mgbwjdezmhrhfpznckic.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ogzsdvunyrznjrzlye.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language yofwfvsjsjpbvbhr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bwsocxzvjfqhgrcrhqpkg.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ogzsdvunyrznjrzlye.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fwogqhfxhzgtovcnz.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language gncdejpoqxm.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mgbwjdezmhrhfpznckic.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fwogqhfxhzgtovcnz.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fwogqhfxhzgtovcnz.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
3148 JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe (14 consecutive entries)
4104 bgmsq.exe (2 consecutive entries)
3148 JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe (36 consecutive entries)
4104 bgmsq.exe (2 consecutive entries)
3148 JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe (10 consecutive entries)
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process
Token: SeDebugPrivilege 4104 bgmsq.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 3148 wrote to memory of 4348 | 3148 | JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe | 84
PID 3148 wrote to memory of 4348 | 3148 | JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe | 84
PID 3148 wrote to memory of 4348 | 3148 | JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe | 84
PID 2956 wrote to memory of 4764 | 2956 | cmd.exe | 87
PID 2956 wrote to memory of 4764 | 2956 | cmd.exe | 87
PID 2956 wrote to memory of 4764 | 2956 | cmd.exe | 87
PID 5676 wrote to memory of 3152 | 5676 | cmd.exe | 90
PID 5676 wrote to memory of 3152 | 5676 | cmd.exe | 90
PID 5676 wrote to memory of 3152 | 5676 | cmd.exe | 90
PID 3152 wrote to memory of 4772 | 3152 | fwogqhfxhzgtovcnz.exe | 91
PID 3152 wrote to memory of 4772 | 3152 | fwogqhfxhzgtovcnz.exe | 91
PID 3152 wrote to memory of 4772 | 3152 | fwogqhfxhzgtovcnz.exe | 91
PID 5772 wrote to memory of 2364 | 5772 | cmd.exe | 94
PID 5772 wrote to memory of 2364 | 5772 | cmd.exe | 94
PID 5772 wrote to memory of 2364 | 5772 | cmd.exe | 94
PID 3656 wrote to memory of 2320 | 3656 | cmd.exe | 97
PID 3656 wrote to memory of 2320 | 3656 | cmd.exe | 97
PID 3656 wrote to memory of 2320 | 3656 | cmd.exe | 97
PID 2320 wrote to memory of 4940 | 2320 | ogzsdvunyrznjrzlye.exe | 280
PID 2320 wrote to memory of 4940 | 2320 | ogzsdvunyrznjrzlye.exe | 280
PID 2320 wrote to memory of 4940 | 2320 | ogzsdvunyrznjrzlye.exe | 280
PID 3444 wrote to memory of 5648 | 3444 | cmd.exe | 287
PID 3444 wrote to memory of 5648 | 3444 | cmd.exe | 287
PID 3444 wrote to memory of 5648 | 3444 | cmd.exe | 287
PID 5416 wrote to memory of 2016 | 5416 | cmd.exe | 104
PID 5416 wrote to memory of 2016 | 5416 | cmd.exe | 104
PID 5416 wrote to memory of 2016 | 5416 | cmd.exe | 104
PID 2016 wrote to memory of 3024 | 2016 | yofwfvsjsjpbvbhr.exe | 105
PID 2016 wrote to memory of 3024 | 2016 | yofwfvsjsjpbvbhr.exe | 105
PID 2016 wrote to memory of 3024 | 2016 | yofwfvsjsjpbvbhr.exe | 105
PID 4152 wrote to memory of 340 | 4152 | cmd.exe | 108
PID 4152 wrote to memory of 340 | 4152 | cmd.exe | 108
PID 4152 wrote to memory of 340 | 4152 | cmd.exe | 108
PID 712 wrote to memory of 5584 | 712 | cmd.exe | 194
PID 712 wrote to memory of 5584 | 712 | cmd.exe | 194
PID 712 wrote to memory of 5584 | 712 | cmd.exe | 194
PID 5584 wrote to memory of 1676 | 5584 | mgbwjdezmhrhfpznckic.exe | 112
PID 5584 wrote to memory of 1676 | 5584 | mgbwjdezmhrhfpznckic.exe | 112
PID 5584 wrote to memory of 1676 | 5584 | mgbwjdezmhrhfpznckic.exe | 112
PID 4348 wrote to memory of 4104 | 4348 | gncdejpoqxm.exe | 113
PID 4348 wrote to memory of 4104 | 4348 | gncdejpoqxm.exe | 113
PID 4348 wrote to memory of 4104 | 4348 | gncdejpoqxm.exe | 113
PID 4348 wrote to memory of 1936 | 4348 | gncdejpoqxm.exe | 114
PID 4348 wrote to memory of 1936 | 4348 | gncdejpoqxm.exe | 114
PID 4348 wrote to memory of 1936 | 4348 | gncdejpoqxm.exe | 114
PID 5876 wrote to memory of 4804 | 5876 | cmd.exe | 119
PID 5876 wrote to memory of 4804 | 5876 | cmd.exe | 119
PID 5876 wrote to memory of 4804 | 5876 | cmd.exe | 119
PID 5212 wrote to memory of 4776 | 5212 | cmd.exe | 205
PID 5212 wrote to memory of 4776 | 5212 | cmd.exe | 205
PID 5212 wrote to memory of 4776 | 5212 | cmd.exe | 205
PID 2960 wrote to memory of 5020 | 2960 | cmd.exe | 125
PID 2960 wrote to memory of 5020 | 2960 | cmd.exe | 125
PID 2960 wrote to memory of 5020 | 2960 | cmd.exe | 125
PID 4280 wrote to memory of 572 | 4280 | cmd.exe | 126
PID 4280 wrote to memory of 572 | 4280 | cmd.exe | 126
PID 4280 wrote to memory of 572 | 4280 | cmd.exe | 126
PID 5020 wrote to memory of 5428 | 5020 | bwsocxzvjfqhgrcrhqpkg.exe | 312
PID 5020 wrote to memory of 5428 | 5020 | bwsocxzvjfqhgrcrhqpkg.exe | 312
PID 5020 wrote to memory of 5428 | 5020 | bwsocxzvjfqhgrcrhqpkg.exe | 312
PID 572 wrote to memory of 3500 | 572 | ogzsdvunyrznjrzlye.exe | 317
PID 572 wrote to memory of 3500 | 572 | ogzsdvunyrznjrzlye.exe | 317
PID 572 wrote to memory of 3500 | 572 | ogzsdvunyrznjrzlye.exe | 317
PID 4264 wrote to memory of 3104 | 4264 | cmd.exe | 138
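Added example (not part of the sandbox report): a parser that turns the rows above into a spawn graph. The table records three WriteProcessMemory calls for every child a parent creates, so the 64 rows describe 22 spawn events, and the last column (procid_target) is the sandbox's own process index for the child, not a PID. PIDs are recycled during the run (the process tree below lists 3444 as cmd.exe, as mgbwjdezmhrhfpznckic.exe and as gncdejpoqxm.exe), so the code keys on writer PID plus image name and on the child index rather than on the bare PID. The embedded rows are copied from the table above; the function names are the example's own.

```python
"""Rebuild a spawn graph from 'Suspicious use of WriteProcessMemory' rows.

Each row is "PID <writer> wrote to memory of <child> <writer> <image> <index>",
where <index> is the sandbox's process index for the child (not a PID).
"""
import re
from collections import defaultdict

# Rows copied from the report table above (a subset of the 64).
SAMPLE_ROWS = """
PID 3148 wrote to memory of 4348 3148 JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe 84
PID 3148 wrote to memory of 4348 3148 JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe 84
PID 3148 wrote to memory of 4348 3148 JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe 84
PID 2956 wrote to memory of 4764 2956 cmd.exe 87
PID 2956 wrote to memory of 4764 2956 cmd.exe 87
PID 2956 wrote to memory of 4764 2956 cmd.exe 87
PID 5676 wrote to memory of 3152 5676 cmd.exe 90
PID 5676 wrote to memory of 3152 5676 cmd.exe 90
PID 5676 wrote to memory of 3152 5676 cmd.exe 90
PID 3152 wrote to memory of 4772 3152 fwogqhfxhzgtovcnz.exe 91
PID 3152 wrote to memory of 4772 3152 fwogqhfxhzgtovcnz.exe 91
PID 3152 wrote to memory of 4772 3152 fwogqhfxhzgtovcnz.exe 91
PID 4348 wrote to memory of 4104 4348 gncdejpoqxm.exe 113
PID 4348 wrote to memory of 4104 4348 gncdejpoqxm.exe 113
PID 4348 wrote to memory of 4104 4348 gncdejpoqxm.exe 113
PID 4348 wrote to memory of 1936 4348 gncdejpoqxm.exe 114
PID 4348 wrote to memory of 1936 4348 gncdejpoqxm.exe 114
PID 4348 wrote to memory of 1936 4348 gncdejpoqxm.exe 114
PID 4264 wrote to memory of 3104 4264 cmd.exe 138
"""

ROW_RE = re.compile(
    r"^PID (?P<pid>\d+) wrote to memory of (?P<child>\d+) "
    r"(?P<pid_again>\d+) (?P<image>\S+) (?P<index>\d+)$"
)


def parse_rows(text):
    """Return (writer_pid, writer_image, child_pid, child_index) per row;
    the writer PID appears twice in every row and must agree."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m or m["pid"] != m["pid_again"]:
            raise ValueError(f"unparsed row: {line!r}")
        rows.append((int(m["pid"]), m["image"], int(m["child"]), int(m["index"])))
    return rows


def spawn_edges(rows):
    """Collapse the per-child write burst into one edge per child index:
    {index: (writer_pid, writer_image, child_pid)} plus the write count."""
    edges, writes = {}, defaultdict(int)
    for pid, image, child, index in rows:
        edges.setdefault(index, (pid, image, child))
        writes[index] += 1
    return edges, dict(writes)


def roots(rows):
    """Writer PIDs that were never written into themselves: the processes
    whose creation this table does not explain (the sample and the cmd.exe
    launchers, which the tree shows as top-level)."""
    edges, _ = spawn_edges(rows)
    writers = {pid for pid, _img, _child in edges.values()}
    children = {child for _pid, _img, child in edges.values()}
    return writers - children


def children_of(rows, parent_pid, parent_image):
    """Keyed on (pid, image) rather than the bare PID, because PIDs are
    reused within a run and one number can name two different processes."""
    edges, _ = spawn_edges(rows)
    return sorted(child for pid, image, child in edges.values()
                  if (pid, image) == (parent_pid, parent_image))


def descendants(rows, root_pid):
    """All child PIDs reachable from root_pid along spawn edges. Caveat: a
    recycled child PID could join two unrelated chains; confirm against the
    process tree when that matters."""
    edges, _ = spawn_edges(rows)
    by_parent = defaultdict(set)
    for pid, _image, child in edges.values():
        by_parent[pid].add(child)
    seen, todo = set(), [root_pid]
    while todo:
        for child in by_parent[todo.pop()]:
            if child not in seen:
                seen.add(child)
                todo.append(child)
    return seen


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    edges, writes = spawn_edges(rows)
    print(f"{len(rows)} rows -> {len(edges)} spawn events; roots {sorted(roots(rows))}")
    for index, (pid, image, child) in sorted(edges.items()):
        print(f"  [{index:>3}] {image} ({pid}) -> {child}  writes={writes[index]}")
```

Run against the full table the same way; the row count drops from 64 to 22 edges, and the chain from the sample (3148) to gncdejpoqxm.exe (4348) and on to the two bgmsq.exe instances (4104, 1936) falls out of descendants().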
System policy modification 1 TTPs 64 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gncdejpoqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gncdejpoqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | gncdejpoqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | bgmsq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | bgmsq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gncdejpoqxm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | gncdejpoqxm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | bgmsq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | bgmsq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | gncdejpoqxm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | gncdejpoqxm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | gncdejpoqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | bgmsq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | bgmsq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | gncdejpoqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gncdejpoqxm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | gncdejpoqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | bgmsq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | gncdejpoqxm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | gncdejpoqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gncdejpoqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gncdejpoqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gncdejpoqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | gncdejpoqxm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | bgmsq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gncdejpoqxm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | gncdejpoqxm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | gncdejpoqxm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | gncdejpoqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | bgmsq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | bgmsq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gncdejpoqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gncdejpoqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gncdejpoqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | gncdejpoqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gncdejpoqxm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | gncdejpoqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gncdejpoqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gncdejpoqxm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | gncdejpoqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | gncdejpoqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gncdejpoqxm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | gncdejpoqxm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | gncdejpoqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gncdejpoqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | gncdejpoqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | gncdejpoqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | bgmsq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | gncdejpoqxm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | gncdejpoqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gncdejpoqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | bgmsq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | gncdejpoqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | bgmsq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | gncdejpoqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | bgmsq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | gncdejpoqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gncdejpoqxm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | gncdejpoqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gncdejpoqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | gncdejpoqxm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | gncdejpoqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | bgmsq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gncdejpoqxm.exe
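Added example (not part of the sandbox report): a parser that scores the rows above instead of leaving the reader to scan 64 near-identical entries. What matters is which protections actually change: EnableLUA=0 turns UAC off at the next reboot, ConsentPromptBehaviorAdmin=0 and PromptOnSecureDesktop=0 remove the elevation prompt and its secure desktop, DisableRegistryTools=1 blocks regedit, and NoDriveTypeAutoRun=1 disables autorun only for unknown drive types, which leaves it on for removable and fixed drives (consistent with the "Drops autorun.inf file" signature in the tree below). Two of the writes, FilterAdministratorToken=0 and ValidateAdminCodeSignatures=0, restate the Windows defaults and are reported separately rather than as weakenings. The embedded rows are copied from the table above (one per distinct value); the defaults in POLICY are those of a stock Windows install, and the function names are the example's own.

```python
"""Score 'System policy modification' rows against UAC / policy settings.

Each row is '<action> <key>[ = "<value>"] <process>'. Set-value rows are
compared with the value the sample writes and the Windows default, so a
write that merely restates the default is not reported as a weakening.
"""
import re
from collections import defaultdict

# Rows copied from the report table above, one per distinct value (the
# sandbox logs most of them many times over).
SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncdejpoqxm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" gncdejpoqxm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" bgmsq.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System gncdejpoqxm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" bgmsq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" bgmsq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" bgmsq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" gncdejpoqxm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" gncdejpoqxm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" gncdejpoqxm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" gncdejpoqxm.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer gncdejpoqxm.exe
"""

ROW_RE = re.compile(
    r'^(?P<action>Set value \((?:int|str)\)|Key created) '
    r'(?P<key>\\REGISTRY\\.+?)'        # key names may contain spaces ("Windows NT")
    r'(?: = "(?P<value>[^"]*)")?'      # value present on Set-value rows only
    r' (?P<proc>\S+)$'
)

# value name -> (value this sample writes, Windows default, what the write means)
POLICY = {
    "EnableLUA":                   ("0", "1", "UAC switched off (takes effect after a reboot)"),
    "ConsentPromptBehaviorAdmin":  ("0", "5", "administrators elevate with no prompt"),
    "ConsentPromptBehaviorUser":   ("0", "3", "standard users' elevation requests denied silently"),
    "PromptOnSecureDesktop":       ("0", "1", "UAC prompts no longer isolated on the secure desktop"),
    "EnableVirtualization":        ("0", "1", "UAC file and registry virtualization disabled"),
    "EnableSecureUIAPaths":        ("0", "1", "UIAccess applications allowed from non-secure paths"),
    "FilterAdministratorToken":    ("0", "0", "built-in Administrator runs without Admin Approval Mode"),
    "ValidateAdminCodeSignatures": ("0", "0", "no signature check on binaries that elevate"),
    "DisableRegistryTools":        ("1", "absent", "regedit blocked"),
    "NoDriveTypeAutoRun":          ("1", "absent", "autorun disabled only for unknown drive types, "
                                                   "so left enabled for removable and fixed drives"),
}


def parse_rows(text):
    """Return one dict per row with keys action, key, value (None for
    'Key created') and proc."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        rows.append(m.groupdict())
    return rows


def assess(rows):
    """{process: {"weakens": [...], "restates_default": [...], "unknown": [...]}}"""
    out = defaultdict(lambda: {"weakens": [], "restates_default": [], "unknown": []})
    for r in rows:
        if r["value"] is None:                       # 'Key created' carries no value
            continue
        name = r["key"].rsplit("\\", 1)[-1]
        written, default, meaning = POLICY.get(name, (None, None, None))
        text = f"{name}={r['value']}"
        if written is None or r["value"] not in (written, default):
            out[r["proc"]]["unknown"].append(text)
        elif r["value"] == default:
            out[r["proc"]]["restates_default"].append(f"{text}: {meaning} (already the default)")
        else:
            out[r["proc"]]["weakens"].append(f"{text}: {meaning}")
    return dict(out)


def weakened_names(rows):
    """Sorted value names that at least one process set to a weakening value."""
    return sorted({s.split("=", 1)[0] for v in assess(rows).values() for s in v["weakens"]})


if __name__ == "__main__":
    for proc, findings in assess(parse_rows(SAMPLE_ROWS)).items():
        print(proc)
        for kind, items in findings.items():
            for item in items:
                print(f"  [{kind}] {item}")
```

The same table drives a host check: any of the "weakens" values found on a machine outside a sandbox means UAC or regedit has been switched off by policy, and the "restates_default" ones should not be raised on their own.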
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3148 -
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_c45c7c3be165367d7676c127dbdc2050.exe*"2⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4348 -
C:\Users\Admin\AppData\Local\Temp\bgmsq.exe"C:\Users\Admin\AppData\Local\Temp\bgmsq.exe" "-C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe"3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4104
-
-
C:\Users\Admin\AppData\Local\Temp\bgmsq.exe"C:\Users\Admin\AppData\Local\Temp\bgmsq.exe" "-C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe"3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1936
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe1⤵
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\yofwfvsjsjpbvbhr.exeyofwfvsjsjpbvbhr.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4764
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:5676 -
C:\Windows\fwogqhfxhzgtovcnz.exefwogqhfxhzgtovcnz.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3152 -
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\fwogqhfxhzgtovcnz.exe*."3⤵
- Executes dropped EXE
PID:4772
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe1⤵
- Suspicious use of WriteProcessMemory
PID:5772 -
C:\Windows\bwsocxzvjfqhgrcrhqpkg.exebwsocxzvjfqhgrcrhqpkg.exe2⤵
- Executes dropped EXE
PID:2364
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:3656 -
C:\Windows\ogzsdvunyrznjrzlye.exeogzsdvunyrznjrzlye.exe .2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\ogzsdvunyrznjrzlye.exe*."3⤵
- Executes dropped EXE
PID:4940
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe1⤵
- Suspicious use of WriteProcessMemory
PID:3444 -
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exeC:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5648
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:5416 -
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exeC:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\yofwfvsjsjpbvbhr.exe*."3⤵
- Executes dropped EXE
PID:3024
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe1⤵
- Suspicious use of WriteProcessMemory
PID:4152 -
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exeC:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:340
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:712 -
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exeC:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5584 -
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\mgbwjdezmhrhfpznckic.exe*."3⤵
- Executes dropped EXE
PID:1676
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe1⤵
- Suspicious use of WriteProcessMemory
PID:5212 -
C:\Windows\fwogqhfxhzgtovcnz.exefwogqhfxhzgtovcnz.exe2⤵
- Executes dropped EXE
PID:4776
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe1⤵
- Suspicious use of WriteProcessMemory
PID:5876 -
C:\Windows\yofwfvsjsjpbvbhr.exeyofwfvsjsjpbvbhr.exe2⤵
- Executes dropped EXE
PID:4804
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\bwsocxzvjfqhgrcrhqpkg.exebwsocxzvjfqhgrcrhqpkg.exe .2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5020 -
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\bwsocxzvjfqhgrcrhqpkg.exe*."3⤵
- Executes dropped EXE
PID:5428
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:4280 -
C:\Windows\ogzsdvunyrznjrzlye.exeogzsdvunyrznjrzlye.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:572 -
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\ogzsdvunyrznjrzlye.exe*."3⤵
- Executes dropped EXE
PID:3500
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe1⤵
- Suspicious use of WriteProcessMemory
PID:4264 -
C:\Windows\ogzsdvunyrznjrzlye.exeogzsdvunyrznjrzlye.exe2⤵
- Executes dropped EXE
PID:3104
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe1⤵PID:5364
-
C:\Windows\mgbwjdezmhrhfpznckic.exemgbwjdezmhrhfpznckic.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3432
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe .1⤵PID:6108
-
C:\Windows\mgbwjdezmhrhfpznckic.exemgbwjdezmhrhfpznckic.exe .2⤵
- Executes dropped EXE
PID:1532 -
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*."3⤵
- Executes dropped EXE
PID:2564
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe .1⤵PID:5660
-
C:\Windows\ogzsdvunyrznjrzlye.exeogzsdvunyrznjrzlye.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1508 -
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\ogzsdvunyrznjrzlye.exe*."3⤵
- Executes dropped EXE
PID:6040
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe1⤵PID:5704
-
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exeC:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe2⤵
- Executes dropped EXE
PID:6068
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe1⤵PID:1164
-
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exeC:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe2⤵
- Executes dropped EXE
PID:5468
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe .1⤵PID:5700
-
C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exeC:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5476 -
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\bwsocxzvjfqhgrcrhqpkg.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4164
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .1⤵PID:5696
-
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exeC:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .2⤵
- Executes dropped EXE
PID:3140 -
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\zsmgsllfrlujgpylzgd.exe*."3⤵
- Executes dropped EXE
PID:3412
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe1⤵PID:2448
-
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exeC:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe2⤵
- Executes dropped EXE
PID:5440
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe1⤵PID:4464
-
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exeC:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe2⤵
- Executes dropped EXE
PID:4284
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .1⤵PID:3652
-
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exeC:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:8 -
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\zsmgsllfrlujgpylzgd.exe*."3⤵
- Executes dropped EXE
PID:2532
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .1⤵PID:3340
-
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exeC:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3624 -
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\zsmgsllfrlujgpylzgd.exe*."3⤵
- Executes dropped EXE
PID:5024
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe1⤵PID:4396
-
C:\Windows\bwsocxzvjfqhgrcrhqpkg.exebwsocxzvjfqhgrcrhqpkg.exe2⤵
- Executes dropped EXE
PID:1680
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe .1⤵PID:1956
-
C:\Windows\mgbwjdezmhrhfpznckic.exemgbwjdezmhrhfpznckic.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3576 -
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*."3⤵
- Executes dropped EXE
PID:5544
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe1⤵PID:2540
-
C:\Windows\zsmgsllfrlujgpylzgd.exezsmgsllfrlujgpylzgd.exe2⤵
- Executes dropped EXE
PID:5508
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe .1⤵PID:4604
-
C:\Windows\mgbwjdezmhrhfpznckic.exemgbwjdezmhrhfpznckic.exe .2⤵
- Executes dropped EXE
PID:3444 -
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*."3⤵
- Executes dropped EXE
PID:2356
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe1⤵PID:2012
-
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exeC:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe2⤵
- Executes dropped EXE
PID:2888
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe .1⤵PID:2312
-
C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exeC:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe .2⤵
- Executes dropped EXE
PID:5896 -
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\bwsocxzvjfqhgrcrhqpkg.exe*."3⤵
- Executes dropped EXE
PID:2736
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe1⤵PID:4948
-
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exeC:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe2⤵
- Executes dropped EXE
PID:5584
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .1⤵PID:1436
-
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exeC:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5968 -
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\ogzsdvunyrznjrzlye.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1972
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe1⤵PID:5452
-
C:\Windows\bwsocxzvjfqhgrcrhqpkg.exebwsocxzvjfqhgrcrhqpkg.exe2⤵
- Executes dropped EXE
PID:4072
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe .1⤵PID:5460
-
C:\Windows\bwsocxzvjfqhgrcrhqpkg.exebwsocxzvjfqhgrcrhqpkg.exe .2⤵
- Executes dropped EXE
PID:5188 -
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\bwsocxzvjfqhgrcrhqpkg.exe*."3⤵
- Executes dropped EXE
PID:4776
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe1⤵PID:4296
-
C:\Windows\zsmgsllfrlujgpylzgd.exezsmgsllfrlujgpylzgd.exe2⤵
- Executes dropped EXE
PID:3588
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe1⤵PID:3288
-
C:\Windows\mgbwjdezmhrhfpznckic.exemgbwjdezmhrhfpznckic.exe2⤵
- Executes dropped EXE
PID:2700
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe1⤵PID:4732
-
C:\Windows\mgbwjdezmhrhfpznckic.exemgbwjdezmhrhfpznckic.exe2⤵
- Executes dropped EXE
PID:4324
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe .1⤵PID:3312
-
C:\Windows\yofwfvsjsjpbvbhr.exeyofwfvsjsjpbvbhr.exe .2⤵
- Executes dropped EXE
PID:4608 -
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\yofwfvsjsjpbvbhr.exe*."3⤵
- Executes dropped EXE
PID:2388
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe .1⤵PID:4144
-
C:\Windows\zsmgsllfrlujgpylzgd.exezsmgsllfrlujgpylzgd.exe .2⤵
- Executes dropped EXE
PID:3708 -
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\zsmgsllfrlujgpylzgd.exe*."3⤵PID:5412
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe .1⤵PID:4836
-
C:\Windows\fwogqhfxhzgtovcnz.exefwogqhfxhzgtovcnz.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2192 -
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\fwogqhfxhzgtovcnz.exe*."3⤵
- Executes dropped EXE
PID:1868
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe1⤵PID:4264
-
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exeC:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe2⤵
- Executes dropped EXE
PID:1980
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .1⤵PID:5592
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1508
-
-
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exeC:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4856 -
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\fwogqhfxhzgtovcnz.exe*."3⤵PID:2236
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe1⤵PID:2044
-
C:\Windows\yofwfvsjsjpbvbhr.exeyofwfvsjsjpbvbhr.exe2⤵PID:936
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe1⤵PID:2288
-
C:\Windows\zsmgsllfrlujgpylzgd.exezsmgsllfrlujgpylzgd.exe2⤵PID:1580
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe .1⤵PID:5556
-
C:\Windows\bwsocxzvjfqhgrcrhqpkg.exebwsocxzvjfqhgrcrhqpkg.exe .2⤵PID:3752
-
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\bwsocxzvjfqhgrcrhqpkg.exe*."3⤵PID:5736
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe .1⤵PID:1900
-
C:\Windows\bwsocxzvjfqhgrcrhqpkg.exebwsocxzvjfqhgrcrhqpkg.exe .2⤵PID:3988
-
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\bwsocxzvjfqhgrcrhqpkg.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4640
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe1⤵PID:6024
-
C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exeC:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe2⤵PID:2396
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe1⤵PID:2536
-
C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exeC:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe2⤵PID:3492
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe1⤵PID:5488
-
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exeC:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe2⤵PID:5116
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .1⤵PID:3084
-
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exeC:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3840 -
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\fwogqhfxhzgtovcnz.exe*."3⤵PID:4996
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .1⤵PID:3068
-
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exeC:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5676 -
        C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe  PID:3508  cmdline: "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\ogzsdvunyrznjrzlye.exe*."

C:\Windows\system32\cmd.exe  PID:5372  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .
    C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe  PID:6044  cmdline: C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .
        C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe  PID:3444  cmdline: "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\yofwfvsjsjpbvbhr.exe*."

C:\Windows\system32\cmd.exe  PID:3420  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe
    C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe  PID:2784  cmdline: C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe

C:\Windows\system32\cmd.exe  PID:4764  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
    C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe  PID:3716  cmdline: C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Windows\system32\cmd.exe  PID:3436  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .
    C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe  PID:1956  cmdline: C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .
        C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe  PID:2008  cmdline: "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\yofwfvsjsjpbvbhr.exe*."

C:\Windows\system32\cmd.exe  PID:3672  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .
    C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe  PID:2580  cmdline: C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .
        - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe  PID:1960  cmdline: "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\yofwfvsjsjpbvbhr.exe*."

C:\Windows\system32\cmd.exe  PID:4940  cmdline: C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe
    C:\Windows\fwogqhfxhzgtovcnz.exe  PID:5612  cmdline: fwogqhfxhzgtovcnz.exe

C:\Windows\system32\cmd.exe  PID:2024  cmdline: C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe .
    C:\Windows\System32\Conhost.exe  PID:5648  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Windows\mgbwjdezmhrhfpznckic.exe  PID:4152  cmdline: mgbwjdezmhrhfpznckic.exe .
        C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe  PID:5192  cmdline: "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*."

C:\Windows\system32\cmd.exe  PID:236  cmdline: C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe
    C:\Windows\ogzsdvunyrznjrzlye.exe  PID:1488  cmdline: ogzsdvunyrznjrzlye.exe

C:\Windows\system32\cmd.exe  PID:1104  cmdline: C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe .
    C:\Windows\ogzsdvunyrznjrzlye.exe  PID:3176  cmdline: ogzsdvunyrznjrzlye.exe .
        - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe  PID:1436  cmdline: "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\ogzsdvunyrznjrzlye.exe*."

C:\Windows\system32\cmd.exe  PID:712  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe
    C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe  PID:2768  cmdline: C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe

C:\Windows\system32\cmd.exe  PID:1380  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .
    C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe  PID:1128  cmdline: C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .
        C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe  PID:4860  cmdline: "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\mgbwjdezmhrhfpznckic.exe*."

C:\Windows\system32\cmd.exe  PID:5432  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe
    C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe  PID:5480  cmdline: C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe

C:\Windows\system32\cmd.exe  PID:5220  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .
    C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe  PID:3588  cmdline: C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .
        C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe  PID:2828  cmdline: "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\zsmgsllfrlujgpylzgd.exe*."
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification

C:\Windows\system32\cmd.exe  PID:4732  cmdline: C:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe
    C:\Windows\System32\Conhost.exe  PID:5428  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe  PID:5664  cmdline: bwsocxzvjfqhgrcrhqpkg.exe

C:\Windows\system32\cmd.exe  PID:5848  cmdline: C:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe .
    C:\Windows\zsmgsllfrlujgpylzgd.exe  PID:4704  cmdline: zsmgsllfrlujgpylzgd.exe .
        - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe  PID:3500  cmdline: "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\zsmgsllfrlujgpylzgd.exe*."

C:\Windows\system32\cmd.exe  PID:6104  cmdline: C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe
    C:\Windows\yofwfvsjsjpbvbhr.exe  PID:3736  cmdline: yofwfvsjsjpbvbhr.exe

C:\Windows\system32\cmd.exe  PID:5812  cmdline: C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe .
    C:\Windows\yofwfvsjsjpbvbhr.exe  PID:1484  cmdline: yofwfvsjsjpbvbhr.exe .
        - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe  PID:2236  cmdline: "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\yofwfvsjsjpbvbhr.exe*."

C:\Windows\system32\cmd.exe  PID:4832  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
    C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe  PID:2864  cmdline: C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Windows\system32\cmd.exe  PID:2396  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .
    C:\Windows\System32\Conhost.exe  PID:1532  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe  PID:1972  cmdline: C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .
        - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe  PID:1620  cmdline: "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\yofwfvsjsjpbvbhr.exe*."

C:\Windows\system32\cmd.exe  PID:4684  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
    C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe  PID:3112  cmdline: C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Windows\system32\cmd.exe  PID:760  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .
    C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe  PID:3624  cmdline: C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .
        C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe  PID:4728  cmdline: "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\ogzsdvunyrznjrzlye.exe*."
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification

C:\Windows\system32\cmd.exe  PID:4580  cmdline: C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe
    C:\Windows\yofwfvsjsjpbvbhr.exe  PID:2868  cmdline: yofwfvsjsjpbvbhr.exe

C:\Windows\system32\cmd.exe  PID:3340  cmdline: C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe .
    C:\Windows\ogzsdvunyrznjrzlye.exe  PID:3632  cmdline: ogzsdvunyrznjrzlye.exe .
        C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe  PID:3884  cmdline: "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\ogzsdvunyrznjrzlye.exe*."

C:\Windows\system32\cmd.exe  PID:5596  cmdline: C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe
    C:\Windows\fwogqhfxhzgtovcnz.exe  PID:2784  cmdline: fwogqhfxhzgtovcnz.exe

C:\Windows\system32\cmd.exe  PID:3636  cmdline: C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe .
    C:\Windows\ogzsdvunyrznjrzlye.exe  PID:4764  cmdline: ogzsdvunyrznjrzlye.exe .
        - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe  PID:424  cmdline: "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\ogzsdvunyrznjrzlye.exe*."

C:\Windows\system32\cmd.exe  PID:5560  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
    C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe  PID:4692  cmdline: C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Windows\system32\cmd.exe  PID:1580  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .
    C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe  PID:2288  cmdline: C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .
        C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe  PID:1720  cmdline: "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\fwogqhfxhzgtovcnz.exe*."

C:\Windows\system32\cmd.exe  PID:2824  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
    C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe  PID:5456  cmdline: C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Windows\system32\cmd.exe  PID:2096  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .
    C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe  PID:5044  cmdline: C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .
        C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe  PID:1956  cmdline: "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\mgbwjdezmhrhfpznckic.exe*."
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification

C:\Windows\system32\cmd.exe  PID:5628  cmdline: C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe
    C:\Windows\ogzsdvunyrznjrzlye.exe  PID:244  cmdline: ogzsdvunyrznjrzlye.exe

C:\Windows\system32\cmd.exe  PID:4812  cmdline: C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe .
    C:\Windows\yofwfvsjsjpbvbhr.exe  PID:3436  cmdline: yofwfvsjsjpbvbhr.exe .
        - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe  PID:5344  cmdline: "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\yofwfvsjsjpbvbhr.exe*."

C:\Windows\system32\cmd.exe  PID:1440  cmdline: C:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe
    C:\Windows\zsmgsllfrlujgpylzgd.exe  PID:4584  cmdline: zsmgsllfrlujgpylzgd.exe

C:\Windows\system32\cmd.exe  PID:4056  cmdline: C:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe .
    C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe  PID:4152  cmdline: bwsocxzvjfqhgrcrhqpkg.exe .
        - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe  PID:132  cmdline: "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\bwsocxzvjfqhgrcrhqpkg.exe*."

C:\Windows\system32\cmd.exe  PID:2540  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe
    C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe  PID:2224  cmdline: C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe

C:\Windows\system32\cmd.exe  PID:5900  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .
    C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe  PID:5260  cmdline: C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .
        C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe  PID:4164  cmdline: "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\zsmgsllfrlujgpylzgd.exe*."

C:\Windows\system32\cmd.exe  PID:944  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
    C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe  PID:4600  cmdline: C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Windows\system32\cmd.exe  PID:3732  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .
    C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe  PID:1328  cmdline: C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .
        - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe  PID:5788  cmdline: "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\mgbwjdezmhrhfpznckic.exe*."
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification

C:\Windows\system32\cmd.exe  PID:2672  cmdline: C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe
    C:\Windows\ogzsdvunyrznjrzlye.exe  PID:236  cmdline: ogzsdvunyrznjrzlye.exe

C:\Windows\system32\cmd.exe  PID:4640  cmdline: C:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe .
    C:\Windows\zsmgsllfrlujgpylzgd.exe  PID:3560  cmdline: zsmgsllfrlujgpylzgd.exe .
        C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe  PID:2516  cmdline: "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\zsmgsllfrlujgpylzgd.exe*."

C:\Windows\system32\cmd.exe  PID:572  cmdline: C:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe
    C:\Windows\zsmgsllfrlujgpylzgd.exe  PID:3288  cmdline: zsmgsllfrlujgpylzgd.exe

C:\Windows\system32\cmd.exe  PID:2460  cmdline: C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe .
    C:\Windows\ogzsdvunyrznjrzlye.exe  PID:3432  cmdline: ogzsdvunyrznjrzlye.exe .
        - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe  PID:3064  cmdline: "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\ogzsdvunyrznjrzlye.exe*."

C:\Windows\system32\cmd.exe  PID:5748  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
    C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe  PID:1996  cmdline: C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Windows\system32\cmd.exe  PID:5144  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .
    C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe  PID:5652  cmdline: C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .
        C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe  PID:2520  cmdline: "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\zsmgsllfrlujgpylzgd.exe*."

C:\Windows\system32\cmd.exe  PID:3764  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
    C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe  PID:5812  cmdline: C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Windows\system32\cmd.exe  PID:5412  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .
    C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe  PID:4284  cmdline: C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .
        C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe  PID:6060  cmdline: "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\yofwfvsjsjpbvbhr.exe*."
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification

C:\Windows\system32\cmd.exe  PID:5084  cmdline: C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe
    C:\Windows\fwogqhfxhzgtovcnz.exe  PID:2900  cmdline: fwogqhfxhzgtovcnz.exe

C:\Windows\system32\cmd.exe  PID:3280  cmdline: C:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe .
    C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe  PID:4944  cmdline: bwsocxzvjfqhgrcrhqpkg.exe .
        - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe  PID:4468  cmdline: "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\bwsocxzvjfqhgrcrhqpkg.exe*."

C:\Windows\system32\cmd.exe  PID:4952  cmdline: C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe
    C:\Windows\ogzsdvunyrznjrzlye.exe  PID:3140  cmdline: ogzsdvunyrznjrzlye.exe

C:\Windows\system32\cmd.exe  PID:408  cmdline: C:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe .
    C:\Windows\zsmgsllfrlujgpylzgd.exe  PID:5608  cmdline: zsmgsllfrlujgpylzgd.exe .
        C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe  PID:5476  cmdline: "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\zsmgsllfrlujgpylzgd.exe*."

C:\Windows\system32\cmd.exe  PID:5048  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
    C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe  PID:1740  cmdline: C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Windows\system32\cmd.exe  PID:5100  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .
    C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe  PID:2796  cmdline: C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .
        C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe  PID:1600  cmdline: "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\fwogqhfxhzgtovcnz.exe*."

C:\Windows\system32\cmd.exe  PID:4592  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
    C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe  PID:6080  cmdline: C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Windows\system32\cmd.exe  PID:6000  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .
    C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe  PID:3564  cmdline: C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .
        C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe  PID:1404  cmdline: "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\fwogqhfxhzgtovcnz.exe*."
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification

C:\Windows\system32\cmd.exe  PID:2320  cmdline: C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe
    C:\Windows\System32\Conhost.exe  PID:3576  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Windows\yofwfvsjsjpbvbhr.exe  PID:6008  cmdline: yofwfvsjsjpbvbhr.exe

C:\Windows\system32\cmd.exe  PID:4396  cmdline: C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe .
    C:\Windows\yofwfvsjsjpbvbhr.exe  PID:3304  cmdline: yofwfvsjsjpbvbhr.exe .
        C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe  PID:2216  cmdline: "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\yofwfvsjsjpbvbhr.exe*."

C:\Windows\system32\cmd.exe  PID:3428  cmdline: C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe
    C:\Windows\ogzsdvunyrznjrzlye.exe  PID:5924  cmdline: ogzsdvunyrznjrzlye.exe

C:\Windows\system32\cmd.exe  PID:5692  cmdline: C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe .
    C:\Windows\mgbwjdezmhrhfpznckic.exe  PID:4792  cmdline: mgbwjdezmhrhfpznckic.exe .
        - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe  PID:3444  cmdline: "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*."

C:\Windows\system32\cmd.exe  PID:5936  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
    C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe  PID:5156  cmdline: C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Windows\system32\cmd.exe  PID:2356  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .
    C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe  PID:5372  cmdline: C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .
        - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe  PID:5648  cmdline: "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\zsmgsllfrlujgpylzgd.exe*."

C:\Windows\system32\cmd.exe  PID:2012  cmdline: C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe
    C:\Windows\mgbwjdezmhrhfpznckic.exe  PID:5052  cmdline: mgbwjdezmhrhfpznckic.exe

C:\Windows\system32\cmd.exe  PID:5896  cmdline: C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe
    C:\Windows\fwogqhfxhzgtovcnz.exe  PID:2540  cmdline: fwogqhfxhzgtovcnz.exe

C:\Windows\system32\cmd.exe  PID:5604  cmdline: C:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe .
    C:\Windows\zsmgsllfrlujgpylzgd.exe  PID:6132  cmdline: zsmgsllfrlujgpylzgd.exe .
        C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe  PID:1128  cmdline: "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\zsmgsllfrlujgpylzgd.exe*."

C:\Windows\system32\cmd.exe  PID:4092  cmdline: C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe .
    C:\Windows\mgbwjdezmhrhfpznckic.exe  PID:1488  cmdline: mgbwjdezmhrhfpznckic.exe .
        C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe  PID:4872  cmdline: "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*."
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification

C:\Windows\system32\cmd.exe  PID:4604  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
    C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe  PID:1588  cmdline: C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Windows\system32\cmd.exe  PID:5128  cmdline: C:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe
    C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe  PID:5616  cmdline: bwsocxzvjfqhgrcrhqpkg.exe

C:\Windows\system32\cmd.exe  PID:3600  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .
    C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe  PID:5348  cmdline: C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .
        - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe  PID:3520  cmdline: "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\ogzsdvunyrznjrzlye.exe*."

C:\Windows\system32\cmd.exe  PID:2208  cmdline: C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe
    C:\Windows\ogzsdvunyrznjrzlye.exe  PID:1004  cmdline: ogzsdvunyrznjrzlye.exe

C:\Windows\system32\cmd.exe  PID:4128  cmdline: C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe .
    C:\Windows\mgbwjdezmhrhfpznckic.exe  PID:3488  cmdline: mgbwjdezmhrhfpznckic.exe .
        - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe  PID:5712  cmdline: "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*."

C:\Windows\system32\cmd.exe  PID:4556  cmdline: C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe .
    C:\Windows\fwogqhfxhzgtovcnz.exe  PID:3972  cmdline: fwogqhfxhzgtovcnz.exe .
        C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe  PID:3120  cmdline: "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\fwogqhfxhzgtovcnz.exe*."

C:\Windows\system32\cmd.exe  PID:4020  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
    C:\Windows\System32\Conhost.exe  PID:4324  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe  PID:5828  cmdline: C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Windows\system32\cmd.exe  PID:5484  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
    C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe  PID:1320  cmdline: C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Windows\system32\cmd.exe  PID:3364  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .
    C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe  PID:2236  cmdline: C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .
        - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe  PID:4740  cmdline: "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\ogzsdvunyrznjrzlye.exe*."

C:\Windows\system32\cmd.exe  PID:2960  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .
    C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe  PID:5592  cmdline: C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .
        - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe  PID:4392  cmdline: "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\ogzsdvunyrznjrzlye.exe*."

C:\Windows\system32\cmd.exe  PID:1980  cmdline: C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe
    C:\Windows\fwogqhfxhzgtovcnz.exe  PID:2684  cmdline: fwogqhfxhzgtovcnz.exe

C:\Windows\system32\cmd.exe  PID:1156  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
    C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe  PID:6036  cmdline: C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Windows\system32\cmd.exe  PID:5300  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe
    C:\Windows\System32\Conhost.exe  PID:4856  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe  PID:760  cmdline: C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe

C:\Windows\system32\cmd.exe  PID:2400  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .
    C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe  PID:3640  cmdline: C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .
        - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe  PID:3716  cmdline: "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\fwogqhfxhzgtovcnz.exe*."

C:\Windows\system32\cmd.exe  PID:5388  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .
    C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe  PID:3884  cmdline: C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .
        C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe  PID:4592  cmdline: "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\mgbwjdezmhrhfpznckic.exe*."

C:\Windows\system32\cmd.exe  PID:3492  cmdline: C:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe .
    C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe  PID:492  cmdline: bwsocxzvjfqhgrcrhqpkg.exe .
        - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe  PID:5100  cmdline: "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\bwsocxzvjfqhgrcrhqpkg.exe*."

C:\Windows\system32\cmd.exe  PID:2316  cmdline: C:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe
    C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe  PID:8  cmdline: bwsocxzvjfqhgrcrhqpkg.exe

C:\Windows\system32\cmd.exe  PID:408  cmdline: C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe .
    C:\Windows\ogzsdvunyrznjrzlye.exe  PID:1192  cmdline: ogzsdvunyrznjrzlye.exe .
        C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe  PID:2480  cmdline: "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\ogzsdvunyrznjrzlye.exe*."

C:\Windows\system32\cmd.exe  PID:5424  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
    C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe  PID:4288  cmdline: C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Windows\system32\cmd.exe  PID:3060  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe .
    C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe  PID:5024  cmdline: C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe .
        - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe  PID:5200  cmdline: "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\bwsocxzvjfqhgrcrhqpkg.exe*."

C:\Windows\system32\cmd.exe  PID:1952  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
    C:\Windows\System32\Conhost.exe  PID:1580  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe  PID:1720  cmdline: C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Windows\system32\cmd.exe  PID:4964  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .
    C:\Windows\System32\Conhost.exe  PID:5456  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe  PID:4956  cmdline: C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .
        C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe  PID:4716  cmdline: "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\ogzsdvunyrznjrzlye.exe*."
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification

C:\Windows\system32\cmd.exe  PID:3508  cmdline: C:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe
    C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe  PID:4540  cmdline: bwsocxzvjfqhgrcrhqpkg.exe

C:\Windows\system32\cmd.exe  PID:2580  cmdline: C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe .
    C:\Windows\System32\Conhost.exe  PID:1680  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Windows\mgbwjdezmhrhfpznckic.exe  PID:5160  cmdline: mgbwjdezmhrhfpznckic.exe .
        C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe  PID:3024  cmdline: "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*."

C:\Windows\system32\cmd.exe  PID:4792  cmdline: C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe
    C:\Windows\mgbwjdezmhrhfpznckic.exe  PID:5288  cmdline: mgbwjdezmhrhfpznckic.exe

C:\Windows\system32\cmd.exe  PID:2956  cmdline: C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe .
    C:\Windows\fwogqhfxhzgtovcnz.exe  PID:2024  cmdline: fwogqhfxhzgtovcnz.exe .
        - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe  PID:4780  cmdline: "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\fwogqhfxhzgtovcnz.exe*."

C:\Windows\system32\cmd.exe  PID:5416  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
    C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe  PID:4152  cmdline: C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Windows\system32\cmd.exe  PID:864  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe .
    C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe  PID:5224  cmdline: C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe .
        - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe  PID:5968  cmdline: "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\bwsocxzvjfqhgrcrhqpkg.exe*."

C:\Windows\system32\cmd.exe  PID:5264  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
    C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe  PID:2736  cmdline: C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Windows\system32\cmd.exe  PID:1128  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .
    C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe  PID:3132  cmdline: C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .
        C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe  PID:6100  cmdline: "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\mgbwjdezmhrhfpznckic.exe*."
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification

C:\Windows\system32\cmd.exe  PID:1436  cmdline: C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe
    C:\Windows\System32\Conhost.exe  PID:4164  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Windows\fwogqhfxhzgtovcnz.exe  PID:1732  cmdline: fwogqhfxhzgtovcnz.exe

C:\Windows\system32\cmd.exe  PID:2608  cmdline: C:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe .
    C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe  PID:5128  cmdline: bwsocxzvjfqhgrcrhqpkg.exe .
        - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe  PID:3520  cmdline: "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\bwsocxzvjfqhgrcrhqpkg.exe*."

C:\Windows\system32\cmd.exe  PID:4140  cmdline: C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe
    C:\Windows\fwogqhfxhzgtovcnz.exe  PID:1452  cmdline: fwogqhfxhzgtovcnz.exe

C:\Windows\system32\cmd.exe  PID:5480  cmdline: C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe .
    C:\Windows\mgbwjdezmhrhfpznckic.exe  PID:5996  cmdline: mgbwjdezmhrhfpznckic.exe .
        - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe  PID:936  cmdline: "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*."

C:\Windows\system32\cmd.exe  PID:4752  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
    C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe  PID:4020  cmdline: C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Windows\system32\cmd.exe  PID:668  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .
    C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe  PID:2348  cmdline: C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .
        - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe  PID:3748  cmdline: "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\fwogqhfxhzgtovcnz.exe*."

C:\Windows\system32\cmd.exe  PID:1524  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
    C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe  PID:5812  cmdline: C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Windows\system32\cmd.exe  PID:4884  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe .
    C:\Windows\System32\Conhost.exe  PID:3988  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe  PID:3280  cmdline: C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe .
        - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe  PID:3096  cmdline: "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\bwsocxzvjfqhgrcrhqpkg.exe*."
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in Windows directory
            - System policy modification

C:\Windows\system32\cmd.exe  PID:4732  cmdline: C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe
    C:\Windows\yofwfvsjsjpbvbhr.exe  PID:3396  cmdline: yofwfvsjsjpbvbhr.exe

C:\Windows\system32\cmd.exe  PID:3640  cmdline: C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe .
    C:\Windows\System32\Conhost.exe  PID:4692  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Windows\fwogqhfxhzgtovcnz.exe  PID:3480  cmdline: fwogqhfxhzgtovcnz.exe .
        C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe  PID:4760  cmdline: "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\fwogqhfxhzgtovcnz.exe*."

C:\Windows\system32\cmd.exe  PID:3624  cmdline: C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe
    C:\Windows\mgbwjdezmhrhfpznckic.exe  PID:3592  cmdline: mgbwjdezmhrhfpznckic.exe
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe .1⤵PID:1068
-
C:\Windows\mgbwjdezmhrhfpznckic.exemgbwjdezmhrhfpznckic.exe .2⤵PID:1064
-
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*."3⤵PID:2484
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe1⤵PID:3580
-
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exeC:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe2⤵PID:6036
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .1⤵PID:5412
-
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exeC:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .2⤵PID:424
-
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\fwogqhfxhzgtovcnz.exe*."3⤵PID:3128
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe1⤵PID:3340
-
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exeC:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe2⤵PID:1864
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .1⤵PID:6080
-
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exeC:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .2⤵PID:2776
-
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\yofwfvsjsjpbvbhr.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- System policy modification
PID:1576
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe1⤵PID:3944
-
C:\Windows\yofwfvsjsjpbvbhr.exeyofwfvsjsjpbvbhr.exe2⤵PID:1196
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe .1⤵PID:5396
-
C:\Windows\zsmgsllfrlujgpylzgd.exezsmgsllfrlujgpylzgd.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2228 -
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\zsmgsllfrlujgpylzgd.exe*."3⤵PID:4772
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe1⤵PID:1784
-
C:\Windows\fwogqhfxhzgtovcnz.exefwogqhfxhzgtovcnz.exe2⤵PID:5612
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe .1⤵PID:2580
-
C:\Windows\bwsocxzvjfqhgrcrhqpkg.exebwsocxzvjfqhgrcrhqpkg.exe .2⤵PID:2008
-
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\bwsocxzvjfqhgrcrhqpkg.exe*."3⤵PID:5708
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe1⤵PID:5288
-
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exeC:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe2⤵PID:5528
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .1⤵PID:4712
-
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exeC:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4612 -
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\mgbwjdezmhrhfpznckic.exe*."3⤵PID:1104
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe1⤵PID:5260
-
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exeC:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe2⤵PID:3296
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .1⤵PID:5968
-
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exeC:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .2⤵PID:5656
-
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\fwogqhfxhzgtovcnz.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4716
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe1⤵PID:1128
-
C:\Windows\yofwfvsjsjpbvbhr.exeyofwfvsjsjpbvbhr.exe2⤵PID:1116
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe .1⤵PID:1512
-
C:\Windows\yofwfvsjsjpbvbhr.exeyofwfvsjsjpbvbhr.exe .2⤵PID:1324
-
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\yofwfvsjsjpbvbhr.exe*."3⤵PID:3560
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe1⤵PID:5360
-
C:\Windows\bwsocxzvjfqhgrcrhqpkg.exebwsocxzvjfqhgrcrhqpkg.exe2⤵PID:1628
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe .1⤵PID:3160
-
C:\Windows\bwsocxzvjfqhgrcrhqpkg.exebwsocxzvjfqhgrcrhqpkg.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3600 -
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\bwsocxzvjfqhgrcrhqpkg.exe*."3⤵PID:6076
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe1⤵PID:5932
-
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exeC:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe2⤵PID:3288
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe .1⤵PID:4224
-
C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exeC:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5664 -
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\bwsocxzvjfqhgrcrhqpkg.exe*."3⤵PID:4464
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe1⤵PID:5484
-
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exeC:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe2⤵PID:3748
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .1⤵PID:2324
-
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exeC:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4776 -
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\zsmgsllfrlujgpylzgd.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4904
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe1⤵PID:5592
-
C:\Windows\zsmgsllfrlujgpylzgd.exezsmgsllfrlujgpylzgd.exe2⤵PID:4296
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe .1⤵PID:4292
-
C:\Windows\yofwfvsjsjpbvbhr.exeyofwfvsjsjpbvbhr.exe .2⤵PID:3108
-
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\yofwfvsjsjpbvbhr.exe*."3⤵PID:8
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe1⤵PID:5864
-
C:\Windows\ogzsdvunyrznjrzlye.exeogzsdvunyrznjrzlye.exe2⤵PID:1120
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe .1⤵PID:4972
-
C:\Windows\mgbwjdezmhrhfpznckic.exemgbwjdezmhrhfpznckic.exe .2⤵PID:5596
-
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*."3⤵PID:2400
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe1⤵PID:3884
-
C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exeC:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe2⤵PID:1060
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .1⤵PID:3624
-
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exeC:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .2⤵PID:2480
-
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\ogzsdvunyrznjrzlye.exe*."3⤵PID:3112
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe1⤵PID:5388
-
C:\Windows\mgbwjdezmhrhfpznckic.exemgbwjdezmhrhfpznckic.exe2⤵PID:3420
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe1⤵PID:1284
-
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exeC:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe2⤵PID:3100
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe1⤵PID:4836
-
C:\Windows\fwogqhfxhzgtovcnz.exefwogqhfxhzgtovcnz.exe2⤵PID:3060
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .1⤵PID:3000
-
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exeC:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5240 -
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\ogzsdvunyrznjrzlye.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2132
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe .1⤵PID:4556
-
C:\Windows\yofwfvsjsjpbvbhr.exeyofwfvsjsjpbvbhr.exe .2⤵PID:2216
-
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\yofwfvsjsjpbvbhr.exe*."3⤵PID:2616
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe .1⤵PID:5540
-
C:\Windows\zsmgsllfrlujgpylzgd.exezsmgsllfrlujgpylzgd.exe .2⤵PID:5076
-
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\zsmgsllfrlujgpylzgd.exe*."3⤵PID:5056
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe1⤵PID:1460
-
C:\Windows\ogzsdvunyrznjrzlye.exeogzsdvunyrznjrzlye.exe2⤵PID:2356
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe1⤵PID:2364
-
C:\Windows\zsmgsllfrlujgpylzgd.exezsmgsllfrlujgpylzgd.exe2⤵PID:5832
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe .1⤵PID:1084
-
C:\Windows\mgbwjdezmhrhfpznckic.exemgbwjdezmhrhfpznckic.exe .2⤵PID:2008
-
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*."3⤵PID:1036
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe .1⤵PID:4192
-
C:\Windows\bwsocxzvjfqhgrcrhqpkg.exebwsocxzvjfqhgrcrhqpkg.exe .2⤵
- System Location Discovery: System Language Discovery
PID:340 -
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\bwsocxzvjfqhgrcrhqpkg.exe*."3⤵PID:1628
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe1⤵PID:5344
-
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exeC:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe2⤵PID:1576
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe1⤵PID:1440
-
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exeC:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe2⤵PID:5464
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .1⤵PID:860
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3436
-
-
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exeC:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4056 -
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\mgbwjdezmhrhfpznckic.exe*."3⤵PID:4140
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe1⤵PID:5280
-
C:\Windows\zsmgsllfrlujgpylzgd.exezsmgsllfrlujgpylzgd.exe2⤵PID:5492
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .1⤵PID:3296
-
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exeC:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3048 -
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\yofwfvsjsjpbvbhr.exe*."3⤵PID:4324
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe .1⤵PID:5656
-
C:\Windows\mgbwjdezmhrhfpznckic.exemgbwjdezmhrhfpznckic.exe .2⤵PID:3136
-
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*."3⤵PID:5212
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe1⤵PID:6056
-
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exeC:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe2⤵PID:3160
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .1⤵PID:1552
-
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exeC:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .2⤵PID:668
-
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\zsmgsllfrlujgpylzgd.exe*."3⤵PID:4884
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe1⤵PID:944
-
C:\Windows\yofwfvsjsjpbvbhr.exeyofwfvsjsjpbvbhr.exe2⤵PID:3728
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe1⤵PID:240
-
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exeC:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe2⤵PID:3120
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe .1⤵PID:3588
-
C:\Windows\mgbwjdezmhrhfpznckic.exemgbwjdezmhrhfpznckic.exe .2⤵PID:3320
-
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*."3⤵PID:4620
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .1⤵PID:1668
-
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exeC:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .2⤵PID:6100
-
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\ogzsdvunyrznjrzlye.exe*."3⤵PID:3596
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe1⤵PID:3692
-
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exeC:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe2⤵PID:4716
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .1⤵PID:4544
-
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exeC:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4936 -
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\fwogqhfxhzgtovcnz.exe*."3⤵PID:4980
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe1⤵PID:3988
-
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exeC:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe2⤵PID:4996
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .1⤵PID:4200
-
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exeC:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .2⤵PID:5440
-
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\mgbwjdezmhrhfpznckic.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1424
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe1⤵PID:2316
-
C:\Windows\fwogqhfxhzgtovcnz.exefwogqhfxhzgtovcnz.exe2⤵PID:3592
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe .1⤵PID:4760
-
C:\Windows\fwogqhfxhzgtovcnz.exefwogqhfxhzgtovcnz.exe .2⤵PID:5640
-
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\fwogqhfxhzgtovcnz.exe*."3⤵PID:6000
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe1⤵PID:4428
-
C:\Windows\yofwfvsjsjpbvbhr.exeyofwfvsjsjpbvbhr.exe2⤵PID:5124
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe .1⤵PID:4764
-
C:\Windows\mgbwjdezmhrhfpznckic.exemgbwjdezmhrhfpznckic.exe .2⤵PID:424
-
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*."3⤵PID:3632
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe1⤵PID:5388
-
C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exeC:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe2⤵PID:408
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .1⤵PID:2792
-
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exeC:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3564 -
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\yofwfvsjsjpbvbhr.exe*."3⤵PID:3096
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe1⤵PID:2896
-
C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exeC:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe2⤵PID:3000
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe .1⤵PID:4280
-
C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exeC:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe .2⤵PID:2284
-
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\bwsocxzvjfqhgrcrhqpkg.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3172
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe1⤵PID:1892
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2356
-
-
C:\Windows\mgbwjdezmhrhfpznckic.exemgbwjdezmhrhfpznckic.exe2⤵PID:2564
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe .1⤵PID:5832
-
C:\Windows\fwogqhfxhzgtovcnz.exefwogqhfxhzgtovcnz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5628 -
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\fwogqhfxhzgtovcnz.exe*."3⤵PID:5156
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe1⤵PID:5924
-
C:\Windows\bwsocxzvjfqhgrcrhqpkg.exebwsocxzvjfqhgrcrhqpkg.exe2⤵PID:2768
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe .1⤵PID:5948
-
C:\Windows\mgbwjdezmhrhfpznckic.exemgbwjdezmhrhfpznckic.exe .2⤵PID:4596
-
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*."3⤵PID:2244
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe1⤵PID:3652
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5344
-
-
C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exeC:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe2⤵PID:5928
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .1⤵PID:128
-
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exeC:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .2⤵PID:1328
-
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\zsmgsllfrlujgpylzgd.exe*."3⤵PID:5348
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe1⤵PID:3936
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5044
-
-
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exeC:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe2⤵PID:2608
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .1⤵PID:936
-
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exeC:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2224 -
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\fwogqhfxhzgtovcnz.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3816
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe1⤵PID:3756
-
C:\Windows\zsmgsllfrlujgpylzgd.exezsmgsllfrlujgpylzgd.exe2⤵PID:6068
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe .1⤵PID:5792
-
C:\Windows\fwogqhfxhzgtovcnz.exefwogqhfxhzgtovcnz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5264 -
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\fwogqhfxhzgtovcnz.exe*."3⤵PID:1372
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe1⤵PID:1116
-
C:\Windows\bwsocxzvjfqhgrcrhqpkg.exebwsocxzvjfqhgrcrhqpkg.exe2⤵PID:3056
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe .1⤵PID:4608
-
C:\Windows\mgbwjdezmhrhfpznckic.exemgbwjdezmhrhfpznckic.exe .2⤵PID:3692
-
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*."3⤵PID:1448
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe1⤵PID:1128
-
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exeC:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe2⤵PID:488
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .1⤵PID:6120
-
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exeC:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2280 -
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\zsmgsllfrlujgpylzgd.exe*."3⤵PID:560
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe1⤵PID:3272
-
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exeC:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe2⤵PID:3820
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .1⤵PID:5784
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1484
-
-
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exeC:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4076 -
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\ogzsdvunyrznjrzlye.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3552
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe1⤵PID:5276
-
C:\Windows\yofwfvsjsjpbvbhr.exeyofwfvsjsjpbvbhr.exe2⤵PID:4856
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe .1⤵PID:5996
-
C:\Windows\mgbwjdezmhrhfpznckic.exemgbwjdezmhrhfpznckic.exe .2⤵PID:3776
-
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*."3⤵PID:2468
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe1⤵PID:5608
-
C:\Windows\fwogqhfxhzgtovcnz.exefwogqhfxhzgtovcnz.exe2⤵PID:940
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe .1⤵PID:2664
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5596
-
-
C:\Windows\yofwfvsjsjpbvbhr.exeyofwfvsjsjpbvbhr.exe .2⤵PID:2900
-
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\yofwfvsjsjpbvbhr.exe*."3⤵PID:1136
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe1⤵PID:3840
-
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exeC:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe2⤵PID:5100
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe .1⤵PID:4724
-
C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exeC:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe .2⤵PID:1620
-
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\bwsocxzvjfqhgrcrhqpkg.exe*."3⤵PID:4428
-
-
-
Process tree (level⤵ image | command line | PID; signature hits are listed under the process that triggered them):

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe | PID:3580
  2⤵ C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe | C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe | PID:5388

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe . | PID:5004
  2⤵ C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe | C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe . | PID:3632
    3⤵ C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\ogzsdvunyrznjrzlye.exe*." | PID:5560
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe | PID:3060
  2⤵ C:\Windows\fwogqhfxhzgtovcnz.exe | fwogqhfxhzgtovcnz.exe | PID:5412

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe . | PID:6060
  2⤵ C:\Windows\ogzsdvunyrznjrzlye.exe | ogzsdvunyrznjrzlye.exe . | PID:2320
    3⤵ C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\ogzsdvunyrznjrzlye.exe*." | PID:2196

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe | PID:5096
  2⤵ C:\Windows\ogzsdvunyrznjrzlye.exe | ogzsdvunyrznjrzlye.exe | PID:2540

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe . | PID:3672
  2⤵ C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe | bwsocxzvjfqhgrcrhqpkg.exe . | PID:4624
    3⤵ C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\bwsocxzvjfqhgrcrhqpkg.exe*." | PID:132

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe | PID:1892
  2⤵ C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe | C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe | PID:5628

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe . | PID:420
  2⤵ C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe | C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe . | PID:2152
    3⤵ C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\fwogqhfxhzgtovcnz.exe*." | PID:5616

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe | PID:1036
  2⤵ C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe | C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe | PID:3428

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe . | PID:5532
  2⤵ C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe | C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe . | PID:1324
    3⤵ C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\zsmgsllfrlujgpylzgd.exe*." | PID:4704
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe | PID:932
  2⤵ C:\Windows\yofwfvsjsjpbvbhr.exe | yofwfvsjsjpbvbhr.exe | PID:4824

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe . | PID:4772
  2⤵ C:\Windows\ogzsdvunyrznjrzlye.exe | ogzsdvunyrznjrzlye.exe . | PID:232
    3⤵ C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\ogzsdvunyrznjrzlye.exe*." | PID:1440

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe | PID:3048
  2⤵ C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe | bwsocxzvjfqhgrcrhqpkg.exe | PID:3024
1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe . | PID:1868
  2⤵ C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:2224
  2⤵ C:\Windows\fwogqhfxhzgtovcnz.exe | fwogqhfxhzgtovcnz.exe . | PID:3160
    - System Location Discovery: System Language Discovery
    3⤵ C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\fwogqhfxhzgtovcnz.exe*." | PID:3756

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe | PID:2264
  2⤵ C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe | C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe | PID:6068

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe . | PID:5368
  2⤵ C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:3120
  2⤵ C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe | C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe . | PID:4716
    3⤵ C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\yofwfvsjsjpbvbhr.exe*." | PID:3284

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe | PID:5792
  2⤵ C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe | C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe | PID:2324

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe | PID:3964
  2⤵ C:\Windows\ogzsdvunyrznjrzlye.exe | ogzsdvunyrznjrzlye.exe | PID:1164

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe . | PID:4776
  2⤵ C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe | C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe . | PID:2536
    - System Location Discovery: System Language Discovery
    3⤵ C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\mgbwjdezmhrhfpznckic.exe*." | PID:4392
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Checks whether UAC is enabled
      - Drops file in Windows directory
      - System policy modification

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe | PID:3736
  2⤵ C:\Windows\fwogqhfxhzgtovcnz.exe | fwogqhfxhzgtovcnz.exe | PID:6024

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe . | PID:3488
  2⤵ C:\Windows\mgbwjdezmhrhfpznckic.exe | mgbwjdezmhrhfpznckic.exe . | PID:1980
    - System Location Discovery: System Language Discovery
    3⤵ C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*." | PID:3140

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe . | PID:1584
  2⤵ C:\Windows\fwogqhfxhzgtovcnz.exe | fwogqhfxhzgtovcnz.exe . | PID:5484
    - System Location Discovery: System Language Discovery
    3⤵ C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\fwogqhfxhzgtovcnz.exe*." | PID:3556

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe | PID:5300
  2⤵ C:\Windows\ogzsdvunyrznjrzlye.exe | ogzsdvunyrznjrzlye.exe | PID:1900

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe . | PID:3560
  2⤵ C:\Windows\zsmgsllfrlujgpylzgd.exe | zsmgsllfrlujgpylzgd.exe . | PID:2900
    3⤵ C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\zsmgsllfrlujgpylzgd.exe*." | PID:1880

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe | PID:2936
  2⤵ C:\Windows\yofwfvsjsjpbvbhr.exe | yofwfvsjsjpbvbhr.exe | PID:5904
1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe | PID:2452
  2⤵ C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:1452
  2⤵ C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe | C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe | PID:2796

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe . | PID:3568
  2⤵ C:\Windows\mgbwjdezmhrhfpznckic.exe | mgbwjdezmhrhfpznckic.exe . | PID:3956
    3⤵ C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*." | PID:6044

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe | PID:1236
  2⤵ C:\Windows\yofwfvsjsjpbvbhr.exe | yofwfvsjsjpbvbhr.exe | PID:2328

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe . | PID:5356
  2⤵ C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe | C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe . | PID:4904
    3⤵ C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\mgbwjdezmhrhfpznckic.exe*." | PID:3708

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe | PID:5640
  2⤵ C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:3592
  2⤵ C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe | C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe | PID:5200

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe . | PID:2204
  2⤵ C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe | C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe . | PID:3096
    3⤵ C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\bwsocxzvjfqhgrcrhqpkg.exe*." | PID:4712

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe . | PID:5252
  2⤵ C:\Windows\ogzsdvunyrznjrzlye.exe | ogzsdvunyrznjrzlye.exe . | PID:4564
    3⤵ C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\ogzsdvunyrznjrzlye.exe*." | PID:5708

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe | PID:6128
  2⤵ C:\Windows\mgbwjdezmhrhfpznckic.exe | mgbwjdezmhrhfpznckic.exe | PID:5068

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe | PID:5404
  2⤵ C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe | C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe | PID:2028

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe . | PID:5676
  2⤵ C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe | C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe . | PID:4888
    3⤵ C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\zsmgsllfrlujgpylzgd.exe*." | PID:1328

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe | PID:5644
  2⤵ C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe | C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe | PID:4896

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe . | PID:2788
  2⤵ C:\Windows\ogzsdvunyrznjrzlye.exe | ogzsdvunyrznjrzlye.exe . | PID:3576
    3⤵ C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\ogzsdvunyrznjrzlye.exe*." | PID:5932

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe . | PID:4280
  2⤵ C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe | C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe . | PID:4816
    3⤵ C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\mgbwjdezmhrhfpznckic.exe*." | PID:5712

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe | PID:648
  2⤵ C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe | C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe | PID:5372

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe . | PID:4708
  2⤵ C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe | C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe . | PID:3940
    3⤵ C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\yofwfvsjsjpbvbhr.exe*." | PID:4236

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe | PID:2188
  2⤵ C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe | C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe | PID:4940
1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe . | PID:4824
  2⤵ C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe | C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe . | PID:232
    3⤵ C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\ogzsdvunyrznjrzlye.exe*." | PID:788

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe | PID:1104
  2⤵ C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:3048
  2⤵ C:\Windows\zsmgsllfrlujgpylzgd.exe | zsmgsllfrlujgpylzgd.exe | PID:5916

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe . | PID:4872
  2⤵ C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:2516
  2⤵ C:\Windows\ogzsdvunyrznjrzlye.exe | ogzsdvunyrznjrzlye.exe . | PID:3764
    3⤵ C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\ogzsdvunyrznjrzlye.exe*." | PID:2532

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe | PID:5280
  2⤵ C:\Windows\yofwfvsjsjpbvbhr.exe | yofwfvsjsjpbvbhr.exe | PID:6108

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe . | PID:236
  2⤵ C:\Windows\fwogqhfxhzgtovcnz.exe | fwogqhfxhzgtovcnz.exe . | PID:488
    3⤵ C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\fwogqhfxhzgtovcnz.exe*." | PID:3348

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe | PID:3520
  2⤵ C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe | C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe | PID:3312

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe . | PID:1512
  2⤵ C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe | C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe . | PID:6024
    3⤵ C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\fwogqhfxhzgtovcnz.exe*." | PID:5828

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe | PID:3292
  2⤵ C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe | C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe | PID:4224

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe . | PID:5084
  2⤵ C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:5812
  2⤵ C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe | C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe . | PID:5768
    3⤵ C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\zsmgsllfrlujgpylzgd.exe*." | PID:3872

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe | PID:1900
  2⤵ C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:3488
  2⤵ C:\Windows\zsmgsllfrlujgpylzgd.exe | zsmgsllfrlujgpylzgd.exe | PID:4580

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe . | PID:6000
  2⤵ C:\Windows\ogzsdvunyrznjrzlye.exe | ogzsdvunyrznjrzlye.exe . | PID:5148
    3⤵ C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\ogzsdvunyrznjrzlye.exe*." | PID:5548

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe | PID:3556
  2⤵ C:\Windows\yofwfvsjsjpbvbhr.exe | yofwfvsjsjpbvbhr.exe | PID:3840

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe . | PID:3988
  2⤵ C:\Windows\mgbwjdezmhrhfpznckic.exe | mgbwjdezmhrhfpznckic.exe . | PID:2796
    3⤵ C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*." | PID:1484

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe | PID:4796
  2⤵ C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:3552
  2⤵ C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe | C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe | PID:1988
1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe . | PID:4732
  2⤵ C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe | C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe . | PID:2484
    3⤵ C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\mgbwjdezmhrhfpznckic.exe*." | PID:3100

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe | PID:5488
  2⤵ C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe | C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe | PID:3480

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe . | PID:4272
  2⤵ C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe | C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe . | PID:3508
    3⤵ C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\mgbwjdezmhrhfpznckic.exe*." | PID:2896

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe | PID:5468
  2⤵ C:\Windows\ogzsdvunyrznjrzlye.exe | ogzsdvunyrznjrzlye.exe | PID:5476

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe . | PID:2104
  2⤵ C:\Windows\yofwfvsjsjpbvbhr.exe | yofwfvsjsjpbvbhr.exe . | PID:3340
    3⤵ C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\yofwfvsjsjpbvbhr.exe*." | PID:5092

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe | PID:4720
  2⤵ C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:5388
  2⤵ C:\Windows\fwogqhfxhzgtovcnz.exe | fwogqhfxhzgtovcnz.exe | PID:6016

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe . | PID:408
  2⤵ C:\Windows\mgbwjdezmhrhfpznckic.exe | mgbwjdezmhrhfpznckic.exe . | PID:5456
    3⤵ C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*." | PID:4596

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe | PID:5372
  2⤵ C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe | C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe | PID:1284

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe . | PID:4292
  2⤵ C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe | C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe . | PID:2432
    3⤵ C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\bwsocxzvjfqhgrcrhqpkg.exe*." | PID:1328

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe | PID:4056
  2⤵ C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe | C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe | PID:2008

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe . | PID:2016
  2⤵ C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe | C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe . | PID:6116
    3⤵ C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\zsmgsllfrlujgpylzgd.exe*." | PID:5344

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe | PID:4952
  2⤵ C:\Windows\mgbwjdezmhrhfpznckic.exe | mgbwjdezmhrhfpznckic.exe | PID:3316

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe . | PID:4636
  2⤵ C:\Windows\zsmgsllfrlujgpylzgd.exe | zsmgsllfrlujgpylzgd.exe . | PID:2092
    3⤵ C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\zsmgsllfrlujgpylzgd.exe*." | PID:6132

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe | PID:3936
  2⤵ C:\Windows\zsmgsllfrlujgpylzgd.exe | zsmgsllfrlujgpylzgd.exe | PID:1352

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe . | PID:5788
  2⤵ C:\Windows\zsmgsllfrlujgpylzgd.exe | zsmgsllfrlujgpylzgd.exe . | PID:3132
    3⤵ C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\zsmgsllfrlujgpylzgd.exe*." | PID:4472

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe | PID:5052
  2⤵ C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe | C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe | PID:3728
1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe . | PID:3440
  2⤵ C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe | C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe . | PID:248
    3⤵ C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\fwogqhfxhzgtovcnz.exe*." | PID:5776

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe | PID:5656
  2⤵ C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe | C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe | PID:1448

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe . | PID:1636
  2⤵ C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:3972
  2⤵ C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe | C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe . | PID:236
    3⤵ C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\yofwfvsjsjpbvbhr.exe*." | PID:5392

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe | PID:3964
  2⤵ C:\Windows\ogzsdvunyrznjrzlye.exe | ogzsdvunyrznjrzlye.exe | PID:4284

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe . | PID:944
  2⤵ C:\Windows\fwogqhfxhzgtovcnz.exe | fwogqhfxhzgtovcnz.exe . | PID:3272
    3⤵ C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\fwogqhfxhzgtovcnz.exe*." | PID:2684

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe | PID:4860
  2⤵ C:\Windows\yofwfvsjsjpbvbhr.exe | yofwfvsjsjpbvbhr.exe | PID:2680

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe . | PID:5400
  2⤵ C:\Windows\yofwfvsjsjpbvbhr.exe | yofwfvsjsjpbvbhr.exe . | PID:3376
    3⤵ C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\yofwfvsjsjpbvbhr.exe*." | PID:3424

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe | PID:5904
  2⤵ C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe | C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe | PID:2872

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe . | PID:5360
  2⤵ C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe | C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe . | PID:3916
    3⤵ C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\fwogqhfxhzgtovcnz.exe*." | PID:2900

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe | PID:1988
  2⤵ C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe | C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe | PID:5608

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe . | PID:5808
  2⤵ C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:3560
  2⤵ C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe | C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe . | PID:5100
    3⤵ C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\yofwfvsjsjpbvbhr.exe*." | PID:4108

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe | PID:3988
  2⤵ C:\Windows\ogzsdvunyrznjrzlye.exe | ogzsdvunyrznjrzlye.exe | PID:4760

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe . | PID:5824
  2⤵ C:\Windows\fwogqhfxhzgtovcnz.exe | fwogqhfxhzgtovcnz.exe . | PID:5236
    3⤵ C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\fwogqhfxhzgtovcnz.exe*." | PID:2540

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe | PID:2400
  2⤵ C:\Windows\fwogqhfxhzgtovcnz.exe | fwogqhfxhzgtovcnz.exe | PID:5024

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe . | PID:4780
  2⤵ C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:4904
  2⤵ C:\Windows\ogzsdvunyrznjrzlye.exe | ogzsdvunyrznjrzlye.exe . | PID:6124
    3⤵ C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\ogzsdvunyrznjrzlye.exe*." | PID:4348
1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe | PID:1120
  2⤵ C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:5476
  2⤵ C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe | C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe | PID:420

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe . | PID:3892
  2⤵ C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe | C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe . | PID:4504
    3⤵ C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\yofwfvsjsjpbvbhr.exe*." | PID:1412

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe | PID:5296
  2⤵ C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe | C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe | PID:4404

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe . | PID:4428
  2⤵ C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe | C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe . | PID:4600
    3⤵ C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\bwsocxzvjfqhgrcrhqpkg.exe*." | PID:5404

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe | PID:3412
  2⤵ C:\Windows\zsmgsllfrlujgpylzgd.exe | zsmgsllfrlujgpylzgd.exe | PID:2052

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe | PID:1192
  2⤵ C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe | bwsocxzvjfqhgrcrhqpkg.exe | PID:4804

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe . | PID:2432
  2⤵ C:\Windows\zsmgsllfrlujgpylzgd.exe | zsmgsllfrlujgpylzgd.exe . | PID:2896
    3⤵ C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\zsmgsllfrlujgpylzgd.exe*." | PID:1960

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe . | PID:648
  2⤵ C:\Windows\fwogqhfxhzgtovcnz.exe | fwogqhfxhzgtovcnz.exe . | PID:5160
    3⤵ C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\fwogqhfxhzgtovcnz.exe*." | PID:1612

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe | PID:5676
  2⤵ C:\Windows\yofwfvsjsjpbvbhr.exe | yofwfvsjsjpbvbhr.exe | PID:1424

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe | PID:1760
  2⤵ C:\Windows\yofwfvsjsjpbvbhr.exe | yofwfvsjsjpbvbhr.exe | PID:1324

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe | PID:4624
  2⤵ C:\Windows\yofwfvsjsjpbvbhr.exe | yofwfvsjsjpbvbhr.exe | PID:6056

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe . | PID:4952
  2⤵ C:\Windows\ogzsdvunyrznjrzlye.exe | ogzsdvunyrznjrzlye.exe . | PID:2908
    3⤵ C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\ogzsdvunyrznjrzlye.exe*." | PID:4616

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe . | PID:6132
  2⤵ C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:3280
  2⤵ C:\Windows\ogzsdvunyrznjrzlye.exe | ogzsdvunyrznjrzlye.exe . | PID:1896
    3⤵ C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\ogzsdvunyrznjrzlye.exe*." | PID:1128

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe | PID:4964
  2⤵ C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe | C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe | PID:4172

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe . | PID:1684
  2⤵ C:\Windows\zsmgsllfrlujgpylzgd.exe | zsmgsllfrlujgpylzgd.exe . | PID:4440
    3⤵ C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\zsmgsllfrlujgpylzgd.exe*." | PID:5848
1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe | PID:1104
  2⤵ C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe | C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe | PID:4608

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe . | PID:4636
  2⤵ C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe | C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe . | PID:1072
    3⤵ C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\zsmgsllfrlujgpylzgd.exe*." | PID:2348

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe | PID:2672
  2⤵ C:\Windows\fwogqhfxhzgtovcnz.exe | fwogqhfxhzgtovcnz.exe | PID:3820

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe . | PID:5264
  2⤵ C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe | C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe . | PID:6084
    3⤵ C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\fwogqhfxhzgtovcnz.exe*." | PID:3556

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe . | PID:572
  2⤵ C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe | bwsocxzvjfqhgrcrhqpkg.exe . | PID:3812
    3⤵ C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\bwsocxzvjfqhgrcrhqpkg.exe*." | PID:3352

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe | PID:6024
  2⤵ C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe | C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe | PID:4860

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe | PID:3176
  2⤵ C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe | C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe | PID:4528

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe . | PID:3272
  2⤵ C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe | C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe . | PID:5360
    3⤵ C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\ogzsdvunyrznjrzlye.exe*." | PID:5992

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe . | PID:2684
  2⤵ C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe | C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe . | PID:6100
    3⤵ C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\bwsocxzvjfqhgrcrhqpkg.exe*." | PID:444

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe | PID:4936
  2⤵ C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe | C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe | PID:2328

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe . | PID:5716
  2⤵ C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe | C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe . | PID:3916
    3⤵ C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\bwsocxzvjfqhgrcrhqpkg.exe*." | PID:1836

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe | PID:2712
  2⤵ C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:5996
  2⤵ C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe | C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe | PID:2740

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe . | PID:1288
  2⤵ C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe | C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe . | PID:4732
    3⤵ C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\ogzsdvunyrznjrzlye.exe*." | PID:1580

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe | PID:5096
-
C:\Windows\bwsocxzvjfqhgrcrhqpkg.exebwsocxzvjfqhgrcrhqpkg.exe2⤵PID:5824
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe .1⤵PID:5936
-
C:\Windows\mgbwjdezmhrhfpznckic.exemgbwjdezmhrhfpznckic.exe .2⤵PID:2400
-
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*."3⤵PID:1404
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe1⤵PID:4584
-
C:\Windows\fwogqhfxhzgtovcnz.exefwogqhfxhzgtovcnz.exe2⤵PID:3168
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe .1⤵PID:2144
-
C:\Windows\bwsocxzvjfqhgrcrhqpkg.exebwsocxzvjfqhgrcrhqpkg.exe .2⤵PID:3772
-
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\bwsocxzvjfqhgrcrhqpkg.exe*."3⤵PID:3340
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe1⤵PID:2104
-
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exeC:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe2⤵PID:3892
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .1⤵PID:2332
-
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exeC:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .2⤵PID:2808
-
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\fwogqhfxhzgtovcnz.exe*."3⤵PID:2316
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe1⤵PID:5472
-
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exeC:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe2⤵PID:4320
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .1⤵PID:2396
-
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exeC:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .2⤵PID:5644
-
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\zsmgsllfrlujgpylzgd.exe*."3⤵PID:5648
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe1⤵PID:4084
-
C:\Windows\zsmgsllfrlujgpylzgd.exezsmgsllfrlujgpylzgd.exe2⤵PID:4816
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe .1⤵PID:5624
-
C:\Windows\fwogqhfxhzgtovcnz.exefwogqhfxhzgtovcnz.exe .2⤵PID:3468
-
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\fwogqhfxhzgtovcnz.exe*."3⤵PID:2776
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe1⤵PID:6136
-
C:\Windows\mgbwjdezmhrhfpznckic.exemgbwjdezmhrhfpznckic.exe2⤵PID:5628
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe .1⤵PID:4556
-
C:\Windows\ogzsdvunyrznjrzlye.exeogzsdvunyrznjrzlye.exe .2⤵PID:2532
-
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\ogzsdvunyrznjrzlye.exe*."3⤵PID:1196
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe1⤵PID:936
-
C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exeC:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe2⤵PID:5540
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .1⤵PID:2092
-
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exeC:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .2⤵PID:1488
-
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\mgbwjdezmhrhfpznckic.exe*."3⤵PID:5916
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe1⤵PID:1552
-
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exeC:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe2⤵PID:5052
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .1⤵PID:5344
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3520
-
-
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exeC:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .2⤵PID:236
-
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\mgbwjdezmhrhfpznckic.exe*."3⤵PID:3320
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe1⤵PID:1248
-
C:\Windows\yofwfvsjsjpbvbhr.exeyofwfvsjsjpbvbhr.exe2⤵PID:5464
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe .1⤵PID:2224
-
C:\Windows\mgbwjdezmhrhfpznckic.exemgbwjdezmhrhfpznckic.exe .2⤵PID:3964
-
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*."3⤵PID:3288
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe1⤵PID:4612
-
C:\Windows\mgbwjdezmhrhfpznckic.exemgbwjdezmhrhfpznckic.exe2⤵PID:1440
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe .1⤵PID:2216
-
C:\Windows\bwsocxzvjfqhgrcrhqpkg.exebwsocxzvjfqhgrcrhqpkg.exe .2⤵PID:2472
-
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\bwsocxzvjfqhgrcrhqpkg.exe*."3⤵PID:5292
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe1⤵PID:5768
-
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exeC:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe2⤵PID:4752
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .1⤵PID:5788
-
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exeC:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .2⤵PID:2680
-
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\yofwfvsjsjpbvbhr.exe*."3⤵PID:3140
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe1⤵PID:6024
-
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exeC:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe2⤵PID:4472
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .1⤵PID:3440
-
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exeC:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .2⤵PID:4296
-
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\fwogqhfxhzgtovcnz.exe*."3⤵PID:4936
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe1⤵PID:5100
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1880
-
-
C:\Windows\yofwfvsjsjpbvbhr.exeyofwfvsjsjpbvbhr.exe2⤵PID:444
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe .1⤵PID:5884
-
C:\Windows\fwogqhfxhzgtovcnz.exefwogqhfxhzgtovcnz.exe .2⤵PID:2640
-
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\fwogqhfxhzgtovcnz.exe*."3⤵PID:3912
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe1⤵PID:3632
-
C:\Windows\fwogqhfxhzgtovcnz.exefwogqhfxhzgtovcnz.exe2⤵PID:4240
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe .1⤵PID:5276
-
C:\Windows\fwogqhfxhzgtovcnz.exefwogqhfxhzgtovcnz.exe .2⤵PID:1576
-
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\fwogqhfxhzgtovcnz.exe*."3⤵PID:4332
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe1⤵PID:6044
-
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exeC:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe2⤵PID:5960
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .1⤵PID:2540
-
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exeC:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .2⤵PID:3872
-
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\mgbwjdezmhrhfpznckic.exe*."3⤵PID:5096
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe1⤵PID:3484
-
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exeC:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe2⤵PID:1068
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .1⤵PID:2248
-
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exeC:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .2⤵PID:4728
-
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\yofwfvsjsjpbvbhr.exe*."3⤵PID:3656
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe1⤵PID:2152
-
C:\Windows\zsmgsllfrlujgpylzgd.exezsmgsllfrlujgpylzgd.exe2⤵PID:5092
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe .1⤵PID:5708
-
C:\Windows\fwogqhfxhzgtovcnz.exefwogqhfxhzgtovcnz.exe .2⤵PID:2932
-
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\fwogqhfxhzgtovcnz.exe*."3⤵PID:2332
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe1⤵PID:2808
-
C:\Windows\bwsocxzvjfqhgrcrhqpkg.exebwsocxzvjfqhgrcrhqpkg.exe2⤵PID:5584
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe .1⤵PID:3564
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4540
-
-
C:\Windows\mgbwjdezmhrhfpznckic.exemgbwjdezmhrhfpznckic.exe .2⤵PID:980
-
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*."3⤵PID:4596
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe1⤵PID:5696
-
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exeC:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe2⤵PID:1620
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .1⤵PID:2064
-
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exeC:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .2⤵PID:2284
-
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\ogzsdvunyrznjrzlye.exe*."3⤵PID:3152
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe1⤵PID:4140
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1192
-
-
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exeC:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe2⤵PID:4792
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .1⤵PID:4020
-
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exeC:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .2⤵PID:5932
-
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\fwogqhfxhzgtovcnz.exe*."3⤵PID:3060
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe1⤵PID:5676
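The tree above repeats one shape dozens of times: cmd.exe /c starts a copy of a dropped executable either by bare name (resolving to C:\Windows) or by its full path under the user's Temp folder, and the copy then hands its own path, with "*." appended, to gncdejpoqxm.exe. As an added example, not part of the sandbox report and not a tool the report names, the Python below parses process-tree lines in the form the page's text extraction produced (image path fused with the command line, then depth, "⤵" and "PID:<n>"), rebuilds parent/child links from the depth number, and extracts the two facts a detection would key on: which binaries cmd.exe launched from those locations, and which process received the "*." argument. The sample lines are copied from the tree; every function name is the example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: lines copied from the report's process tree in the form the
# page's text extraction produced (image path fused with the command line, then the
# tree depth, "⤵" and "PID:<n>").
SAMPLE_TREE = r"""
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe1⤵PID:2672
C:\Windows\fwogqhfxhzgtovcnz.exefwogqhfxhzgtovcnz.exe2⤵PID:3820
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .1⤵PID:5264
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exeC:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .2⤵PID:6084
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\fwogqhfxhzgtovcnz.exe*."3⤵PID:3556
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe .1⤵PID:572
C:\Windows\bwsocxzvjfqhgrcrhqpkg.exebwsocxzvjfqhgrcrhqpkg.exe .2⤵PID:3812
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\bwsocxzvjfqhgrcrhqpkg.exe*."3⤵PID:3352
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe1⤵PID:2712
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5996
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exeC:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe2⤵PID:2740
"""

# The image path ends at the first ".exe"; the depth is a single digit so that a
# command line ending in a digit (e.g. "-ForceV1") is not swallowed into it.
LINE = re.compile(r'^(?P<image>.+?\.exe)(?P<cmdline>.*?)(?P<depth>\d)⤵PID:(?P<pid>\d+)$')
# The '"<file>*."' argument shape that gncdejpoqxm.exe receives for every dropped copy.
STAR_DOT = re.compile(r'"(?P<target>[^"]+\.exe)\*\."\s*$')


@dataclass
class Proc:
    image: str
    cmdline: str
    depth: int
    pid: int
    parent: Optional["Proc"] = None
    children: list = field(default_factory=list)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def dirname(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower() if "\\" in path else ""


def parse_tree(text: str) -> list:
    """Parse the flattened lines and link each process to the most recent one at
    depth-1, which is how the report's indentation encodes parent/child."""
    procs, last_at_depth = [], {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        p = Proc(m["image"], m["cmdline"].strip(), int(m["depth"]), int(m["pid"]))
        for d in [d for d in last_at_depth if d >= p.depth]:
            del last_at_depth[d]  # a new node at this depth closes any deeper branch
        parent = last_at_depth.get(p.depth - 1)
        if parent is not None:
            p.parent = parent
            parent.children.append(p)
        last_at_depth[p.depth] = p
        procs.append(p)
    return procs


def cmd_launched_droppers(procs: list) -> list:
    """Children of 'cmd.exe /c' that run from C:\\Windows itself (not System32)
    or from the user's Temp folder; conhost.exe is console plumbing, not a payload."""
    hits = []
    for p in procs:
        if basename(p.image) != "cmd.exe" or " /c " not in p.cmdline.lower():
            continue
        for child in p.children:
            d = dirname(child.image)
            if basename(child.image) != "conhost.exe" and (
                d == r"c:\windows" or d.endswith(r"\appdata\local\temp")
            ):
                hits.append(child)
    return hits


def star_dot_invocations(procs: list) -> list:
    """(invoking image, target path) for every process handed a '"<file>*."' argument."""
    out = []
    for p in procs:
        m = STAR_DOT.search(p.cmdline)
        if m:
            out.append((basename(p.image), m["target"].lower()))
    return out


def summarize(text: str) -> dict:
    procs = parse_tree(text)
    launched = cmd_launched_droppers(procs)
    star = star_dot_invocations(procs)
    return {
        "processes": len(procs),
        "roots": sum(1 for p in procs if p.parent is None),
        "dropped_names": sorted({basename(p.image) for p in launched}),
        "launch_dirs": sorted({dirname(p.image) for p in launched}),
        "star_dot_invoker": sorted({i for i, _ in star}),
        "star_dot_targets": sorted({t for _, t in star}),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_TREE).items():
        print(f"{key}: {value}")
```

Run against the full tree, `dropped_names` yields the six randomly named executables and `launch_dirs` the two directories they were copied to, which is the pair of facts (random-name binary in C:\Windows root or %TEMP%, started via cmd.exe /c) worth turning into a process-creation rule; the "*." argument to gncdejpoqxm.exe is the more specific string to hunt for.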
Network

MITRE ATT&CK Enterprise v16 (the number after each entry is the report's hit count for that technique)

Persistence
  Boot or Logon Autostart Execution: 3
    Registry Run Keys / Startup Folder: 2
    Winlogon Helper DLL: 1
  Hijack Execution Flow: 1
    Executable Installer File Permissions Weakness: 1

Privilege Escalation
  Abuse Elevation Control Mechanism: 1
    Bypass User Account Control: 1
  Boot or Logon Autostart Execution: 3
    Registry Run Keys / Startup Folder: 2
    Winlogon Helper DLL: 1
  Hijack Execution Flow: 1
    Executable Installer File Permissions Weakness: 1

Defense Evasion
  Abuse Elevation Control Mechanism: 1
    Bypass User Account Control: 1
  Hijack Execution Flow: 1
    Executable Installer File Permissions Weakness: 1
  Impair Defenses: 2
    Disable or Modify Tools: 1
    Safe Mode Boot: 1
  Modify Registry: 5
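The Persistence and Defense Evasion rows name the registry locations a responder would check first on a host that ran this sample: the Winlogon Shell and Userinit values, the Run keys, and the SafeBoot key. As an added example, not from the report or from any tool it names, the Python below audits those values against their Windows defaults. The baseline strings and the "suspect location" rule (an autostart binary living in C:\Windows itself, under AppData\Local\Temp or under C:\Users\Public, the places the dropped copies above ran from) are this example's assumptions. The audit functions take plain dicts so they can be exercised offline; the winreg collector only runs on Windows.

```python
import sys

# Baselines are this example's assumptions (Windows 10/11 defaults), not values from the report.
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
WINLOGON_DEFAULTS = {
    "Shell": "explorer.exe",
    "Userinit": r"C:\Windows\system32\userinit.exe,",
}
SAFEBOOT_KEY = r"SYSTEM\CurrentControlSet\Control\SafeBoot"
SAFEBOOT_ALTSHELL_DEFAULT = "cmd.exe"
RUN_KEYS = [
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
]


def _entries(value: str) -> set:
    """Split a comma-separated Winlogon value into normalised entries."""
    return {e.strip().lower() for e in value.split(",") if e.strip()}


def audit_winlogon(values: dict) -> list:
    """Report Winlogon values that deviate from the baseline.

    `values` maps value name -> data. Appending an extra comma-separated entry is
    the usual way a payload is chained behind explorer.exe or userinit.exe, so the
    comparison is set-based rather than a plain string compare."""
    findings = []
    for name, default in WINLOGON_DEFAULTS.items():
        observed = values.get(name)
        if observed is None:
            findings.append(f"Winlogon\\{name} is missing")
            continue
        extra = _entries(observed) - _entries(default)
        missing = _entries(default) - _entries(observed)
        if extra or missing:
            findings.append(
                f"Winlogon\\{name} = {observed!r} (extra: {sorted(extra)}, missing: {sorted(missing)})"
            )
    return findings


def executable_of(command: str) -> str:
    """Executable path at the start of a Run-key command line (quoted or first token;
    an unquoted path containing spaces is truncated at the first space)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def is_suspect_location(path: str) -> bool:
    """Directories an installer does not use for autostart binaries (assumption of this example)."""
    directory = path.rsplit("\\", 1)[0].lower() if "\\" in path else ""
    return (
        directory == r"c:\windows"
        or "\\appdata\\local\\temp" in directory
        or directory.startswith(r"c:\users\public")
    )


def audit_run_entries(entries: dict) -> list:
    """`entries` maps Run value name -> command line; returns the ones pointing at suspect locations."""
    return [f"Run\\{name} -> {cmd}" for name, cmd in entries.items()
            if is_suspect_location(executable_of(cmd))]


def audit_safeboot(alternate_shell) -> list:
    """SafeBoot\\AlternateShell is what Safe Mode with Command Prompt launches instead of cmd.exe."""
    if alternate_shell is None:
        return []
    if str(alternate_shell).strip().lower() != SAFEBOOT_ALTSHELL_DEFAULT:
        return [f"SafeBoot\\AlternateShell = {alternate_shell!r}"]
    return []


def collect_live() -> list:
    """Read the live registry (Windows only) and run all three audits."""
    import winreg  # only available on Windows
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}

    def read_values(hive, subkey):
        out = {}
        try:
            with winreg.OpenKey(hive, subkey) as key:
                i = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, i)
                    except OSError:
                        break
                    out[name] = data
                    i += 1
        except OSError:
            pass  # key absent or not readable; reported as "missing" by the audits
        return out

    findings = audit_winlogon(read_values(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY))
    for hive_name, subkey in RUN_KEYS:
        findings += audit_run_entries(read_values(hives[hive_name], subkey))
    findings += audit_safeboot(read_values(winreg.HKEY_LOCAL_MACHINE, SAFEBOOT_KEY).get("AlternateShell"))
    return findings


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("live collection needs Windows; the audit_* functions can be tested anywhere")
    for line in collect_live() or ["no deviations from baseline"]:
        print(line)
```

Run it elevated so the HKLM keys are readable in both registry views; on a 64-bit host the WOW6432Node Run key is listed explicitly because a 64-bit Python does not get redirected to it.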
Downloads (files captured during the run)

1. Filesize: 272B
   MD5:    0239a0f4222162b5abf7c3d129f70d4c
   SHA1:   ae73d691609b2f1d592d64835f89ffa379d7045f
   SHA256: f5b6958571480df1eb2c0805d03d116ba0dc466dda10f72e0d07cd1e63f5ffa9
   SHA512: 262eb7561df1e0ca27ae5c0564ac700d01e0af955968b1fbdd8b95e7f842e3f7999c059843fa2109315590c50f8a0801353c2d52899d9499a1b0c318c7dfb166

2. Filesize: 272B
   MD5:    3a70d23c58a5dafad65772cb10e8a304
   SHA1:   6c048c19fad3d1460b96febf3038f955fb26699b
   SHA256: 39a9d888c225995ce687f00cf58bf2353fb68d4841b11f7bbdbda455c2be0e22
   SHA512: 3df13f508751e3cf0a8371338dc52bb1fb1525e6a9a6cc79709fe7aebb66000f1d0b9351a4d1b07c8fc5c4043a16c516196f45a785d444b59d1c14f39e73dd07

3. Filesize: 272B
   MD5:    ba3d7f8ee3c82a13a67ab55a75e591b5
   SHA1:   41513507db2af6f132e09bb8b9b6f2cc06f98e41
   SHA256: 30d60c058d395d11cef3c2e29335ba980a212f91f6ae6f8a11b4f21f61905872
   SHA512: 0d9e0222694aea8e60226210f149406b2045f019eb8b2a01ac8f26a3941f77a7df3beed533c0481116d605901db032a7e0b935341423486ecd761a4a3b5b7feb

4. Filesize: 272B
   MD5:    0abad651bdca5f3c325c74e86f969747
   SHA1:   91ace5566978db16ae1aca8437848fe3a84ced3a
   SHA256: 132703b05e0d6a083b44f0d384179e22a0cabe946d96dbd7698c7cb7de0d3762
   SHA512: d94dcd68551ac7fe8f642b18abde0c5e88f02d4fcb4d22487139612c640699ab55f6dec0281815bb99c848ccfae78109b5c7fed1580d062b552c228f3aa5f454

5. Filesize: 272B
   MD5:    84bcf59b800466b46f654cd46931e73a
   SHA1:   18df896842f60e84f2d0baeb406c4489ef6b767a
   SHA256: 0b19af35d337302f1acfac58e622773430ccdeb7b9c900dd3e9b7a8b2e333e24
   SHA512: 542fbc493bc7e4dd1aadf6300eb2badd3a7e63ce97415568b28cdd53c8d4dfaf353e8f2db3c5d62fe1c582b3ef9693d7af28d9d750b89442d0153ad14ed6a3a3

6. Filesize: 704KB
   MD5:    9b1be8accec33c5b7beb6711c76dfae2
   SHA1:   5312f362bc5881f433ade4527ebdbb57259d35bd
   SHA256: 43a4724768897e3163dbfa6f7479bb2db6b294b66d050be0aff2e8dc09ce4715
   SHA512: 2dae7b343b86c41b598d8adb1d598f9e6289c37b7c0d52616cbfed7144ac99500f5bf9adbd34b9a5d2e15c57255d09e7acbfa9ca292387685ef3a71278408055

7. Filesize: 320KB
   MD5:    1dd5dd5561723f37ccc81e15ecdbf830
   SHA1:   eeb9131c8d276ceb710d163e89fdc62b3e111971
   SHA256: c8c542ac3f6526d1501c2b9d6262bfa029a1ac0d9dd6b3c1965977abdd8bd126
   SHA512: b4881d7cd0c2ceeba067e13d23763e739389108d1269acd6c343dd308aa1fedde89da696a8482944342f44ea1094ea6b50021a15d4c6d03762ba032a9598bba5

8. Filesize: 272B
   MD5:    7b8e0bf33294d53b402c9fde89252477
   SHA1:   e5e2d5e66d3b7832277c60df533b9c34de1c4a5e
   SHA256: 1cd2d5d3526b4ed79a866275e29d67aa2bd57a37dc695350df6317f46d762958
   SHA512: 38f764525ef57e31cbbdbeca28081853313a2daf35fffb771d23da9886ba772f42b86c15fc6d763e9602de98704511b246dd6673f127d54c4ed4ba8bb3ad41f1

9. Filesize: 3KB
   MD5:    897cf0c69c02e6ea109606327103bac8
   SHA1:   09edd7dc7d8665ede0698ec2dc178e59ffce5d3d
   SHA256: 1c4ea4eb92a0c81da6e079f19eba812ff16422cf53f0fc0605212e426cae1718
   SHA512: 4d7a06c8d51842522be673457d02588311614b61be6498b047d125e4544a5963ec49825df78b3ddb7cd5b4b0a1e30fd97a7c9cc537f8fc37c34e313a0c687aba

10. Filesize: 832KB
    MD5:    c45c7c3be165367d7676c127dbdc2050
    SHA1:   0ca4bbd08beb9ce9e8bd6807113345389aa07588
    SHA256: 7be6ccadfe39aff45029a30fe34b3c87ac49ebbad791c34e2ff8bb30e7e07721
    SHA512: d0aa1e6158da64512f9098ed1ae8d33d1882a1c23fb2c7bbbc3a3c0e331355d24dc302ef4f5b778d17f952fdd93adfd5e77fc81c73c5b119793b398edb43bbb3