Analysis
max time kernel: 50s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20250314-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/04/2025, 05:13
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_c7e5d9b24e40b9b5909256350f70b10b.exe
  Resource: win10v2004-20250314-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_c7e5d9b24e40b9b5909256350f70b10b.exe
  Resource: win11-20250410-en
General
Target: JaffaCakes118_c7e5d9b24e40b9b5909256350f70b10b.exe
Size: 480KB
MD5: c7e5d9b24e40b9b5909256350f70b10b
SHA1: fb9d569e524b0cbe1f4a4a600ada58f687a7aee4
SHA256: 2e7aa86c211bcba2701f0d5acd491714bcbaf5f5cd6e930bc9795fdfb2a7f859
SHA512: 2cb935a8f5f1bc4fafbcd7de1bd3dabe65e31a2f3f860dcfbc65aad89242841e59fc6fffec922f20f4c983723329503060b00e4e7152873730c7de41b93a17ea
SSDEEP: 6144:v8XXRUw9Oz5+iUU03pej1YpTYzOb0kLXhlJFTaLTGu0yvHcr+JB8aUl:UnRy+ZyYpaCDJFuPyAHcqrU

Malware Config

Signatures
Modifies WinLogon for persistence (2 TTPs, 23 IoCs)
Pykspa family
UAC bypass (3 TTPs, 32 IoCs)
Detect Pykspa worm (2 IoCs)
resource                                      yara_rule
behavioral1/files/0x0008000000024268-4.dat    family_pykspa
behavioral1/files/0x000700000002427f-82.dat   family_pykspa
Adds policy Run key to start application (2 TTPs, 64 IoCs)
Disables RegEdit via registry modification (6 IoCs)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: vcmnxryrfmw.exe)
Set value (int) \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: hmyyip.exe)
Set value (int) \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: hmyyip.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: hmyyip.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: hmyyip.exe)
Set value (int) \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: vcmnxryrfmw.exe)
Checks computer location settings (2 TTPs, 64 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Executes dropped EXE (64 IoCs)
Impair Defenses: Safe Mode Boot (1 TTP, 6 IoCs)
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys (process: hmyyip.exe)
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc (process: hmyyip.exe)
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager (process: hmyyip.exe)
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys (process: hmyyip.exe)
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc (process: hmyyip.exe)
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power (process: hmyyip.exe)
Adds Run key to start application (2 TTPs, 64 IoCs)
Checks whether UAC is enabled 1 TTPs 46 IoCs
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possibly turns off User Account Control's privilege elevation for standard users.
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" vcmnxryrfmw.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" hmyyip.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" hmyyip.exe -
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc
20 www.whatismyip.ca
27 whatismyip.everdot.org
30 www.whatismyip.ca
31 whatismyip.everdot.org
35 www.whatismyip.ca
13 whatismyipaddress.com
16 www.showmyipaddress.com -
Drops file in System32 directory 64 IoCs
Drops file in Program Files directory 4 IoCs
description ioc Process
File opened for modification C:\Program Files (x86)\xwcwabceyaeazpoxtbxwcw.bce hmyyip.exe
File created C:\Program Files (x86)\xwcwabceyaeazpoxtbxwcw.bce hmyyip.exe
File opened for modification C:\Program Files (x86)\oypujvhuzmbistdxexeofkzlxkpcryijt.unu hmyyip.exe
File created C:\Program Files (x86)\oypujvhuzmbistdxexeofkzlxkpcryijt.unu hmyyip.exe -
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
2488 JaffaCakes118_c7e5d9b24e40b9b5909256350f70b10b.exe
3424 hmyyip.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3424 hmyyip.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description | pid Process | procid_target
PID 2488 wrote to memory of 4184 | 2488 JaffaCakes118_c7e5d9b24e40b9b5909256350f70b10b.exe | 89
PID 2920 wrote to memory of 2472 | 2920 cmd.exe | 92
PID 1752 wrote to memory of 4660 | 1752 cmd.exe | 95
PID 4660 wrote to memory of 4712 | 4660 wqrgfbxujgfwqbvzqtkef.exe | 98
PID 4728 wrote to memory of 4756 | 4728 cmd.exe | 101
PID 5020 wrote to memory of 5884 | 5020 cmd.exe | 104
PID 424 wrote to memory of 4820 | 424 cmd.exe | 107
PID 5884 wrote to memory of 4964 | 5884 wqrgfbxujgfwqbvzqtkef.exe | 108
PID 5880 wrote to memory of 4960 | 5880 cmd.exe | 109
PID 4960 wrote to memory of 5060 | 4960 wqrgfbxujgfwqbvzqtkef.exe | 110
PID 3392 wrote to memory of 3360 | 3392 cmd.exe | 117
PID 984 wrote to memory of 3120 | 984 cmd.exe | 118
PID 3120 wrote to memory of 5436 | 3120 tieoizqiskeqflaz.exe | 182
PID 4184 wrote to memory of 3424 | 4184 vcmnxryrfmw.exe | 120
PID 4184 wrote to memory of 1416 | 4184 vcmnxryrfmw.exe | 122
PID 460 wrote to memory of 1876 | 460 cmd.exe | 128
PID 1668 wrote to memory of 848 | 1668 cmd.exe | 197
PID 5720 wrote to memory of 3536 | 5720 cmd.exe | 134
PID 1244 wrote to memory of 2092 | 1244 cmd.exe | 135
PID 2092 wrote to memory of 4092 | 2092 jaykgzsmysoctbsthh.exe | 296
PID 3536 wrote to memory of 1032 | 3536 tieoizqiskeqflaz.exe | 302
PID 3700 wrote to memory of 2160 | 3700 cmd.exe | 150
-
System policy modification 1 TTPs 64 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | vcmnxryrfmw.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | vcmnxryrfmw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vcmnxryrfmw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | vcmnxryrfmw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | vcmnxryrfmw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | vcmnxryrfmw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | vcmnxryrfmw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | vcmnxryrfmw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | vcmnxryrfmw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | vcmnxryrfmw.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | hmyyip.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | hmyyip.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | hmyyip.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | hmyyip.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | hmyyip.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | hmyyip.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | hmyyip.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | hmyyip.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | hmyyip.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | hmyyip.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | hmyyip.exe
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7e5d9b24e40b9b5909256350f70b10b.exe (PID 2488)
  command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7e5d9b24e40b9b5909256350f70b10b.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 4184)
      command line: "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_c7e5d9b24e40b9b5909256350f70b10b.exe*"
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Checks computer location settings
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Hijack Execution Flow: Executable Installer File Permissions Weakness
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - System policy modification
        C:\Users\Admin\AppData\Local\Temp\hmyyip.exe (PID 3424)
          command line: "C:\Users\Admin\AppData\Local\Temp\hmyyip.exe" "-c:\users\admin\appdata\local\temp\jaffacakes118_c7e5d9b24e40b9b5909256350f70b10b.exe"
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Disables RegEdit via registry modification
          - Executes dropped EXE
          - Impair Defenses: Safe Mode Boot
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Hijack Execution Flow: Executable Installer File Permissions Weakness
          - Drops file in System32 directory
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - System policy modification
        C:\Users\Admin\AppData\Local\Temp\hmyyip.exe (PID 1416)
          command line: "C:\Users\Admin\AppData\Local\Temp\hmyyip.exe" "-c:\users\admin\appdata\local\temp\jaffacakes118_c7e5d9b24e40b9b5909256350f70b10b.exe"
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Disables RegEdit via registry modification
          - Executes dropped EXE
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Hijack Execution Flow: Executable Installer File Permissions Weakness
          - Drops file in System32 directory
          - Drops file in Windows directory
          - System policy modification

C:\Windows\system32\cmd.exe (PID 2920)
  command line: C:\Windows\system32\cmd.exe /c jaykgzsmysoctbsthh.exe
  - Suspicious use of WriteProcessMemory
    C:\Windows\jaykgzsmysoctbsthh.exe (PID 2472)
      command line: jaykgzsmysoctbsthh.exe
      - Executes dropped EXE

C:\Windows\system32\cmd.exe (PID 1752)
  command line: C:\Windows\system32\cmd.exe /c wqrgfbxujgfwqbvzqtkef.exe .
  - Suspicious use of WriteProcessMemory
    C:\Windows\wqrgfbxujgfwqbvzqtkef.exe (PID 4660)
      command line: wqrgfbxujgfwqbvzqtkef.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 4712)
          command line: "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\wqrgfbxujgfwqbvzqtkef.exe*."
          - Executes dropped EXE

C:\Windows\system32\cmd.exe (PID 4728)
  command line: C:\Windows\system32\cmd.exe /c aqnytldwhaviyfvvi.exe
  - Suspicious use of WriteProcessMemory
    C:\Windows\aqnytldwhaviyfvvi.exe (PID 4756)
      command line: aqnytldwhaviyfvvi.exe
      - Executes dropped EXE

C:\Windows\system32\cmd.exe (PID 5020)
  command line: C:\Windows\system32\cmd.exe /c wqrgfbxujgfwqbvzqtkef.exe .
  - Suspicious use of WriteProcessMemory
    C:\Windows\wqrgfbxujgfwqbvzqtkef.exe (PID 5884)
      command line: wqrgfbxujgfwqbvzqtkef.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 4964)
          command line: "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\wqrgfbxujgfwqbvzqtkef.exe*."
          - Executes dropped EXE

C:\Windows\system32\cmd.exe (PID 424)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exe
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exe (PID 4820)
      command line: C:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

C:\Windows\system32\cmd.exe (PID 5880)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe .
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe (PID 4960)
      command line: C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 5060)
          command line: "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\wqrgfbxujgfwqbvzqtkef.exe*."
          - Executes dropped EXE

C:\Windows\system32\cmd.exe (PID 3392)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exe
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exe (PID 3360)
      command line: C:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

C:\Windows\system32\cmd.exe (PID 984)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exe .
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exe (PID 3120)
      command line: C:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 5436)
          command line: "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\tieoizqiskeqflaz.exe*."
          - Executes dropped EXE

C:\Windows\system32\cmd.exe (PID 1668)
  command line: C:\Windows\system32\cmd.exe /c wqrgfbxujgfwqbvzqtkef.exe
  - Suspicious use of WriteProcessMemory
    C:\Windows\wqrgfbxujgfwqbvzqtkef.exe (PID 848)
      command line: wqrgfbxujgfwqbvzqtkef.exe
      - Executes dropped EXE

C:\Windows\system32\cmd.exe (PID 460)
  command line: C:\Windows\system32\cmd.exe /c jaykgzsmysoctbsthh.exe
  - Suspicious use of WriteProcessMemory
    C:\Windows\jaykgzsmysoctbsthh.exe (PID 1876)
      command line: jaykgzsmysoctbsthh.exe
      - Executes dropped EXE

C:\Windows\system32\cmd.exe (PID 5720)
  command line: C:\Windows\system32\cmd.exe /c tieoizqiskeqflaz.exe .
  - Suspicious use of WriteProcessMemory
    C:\Windows\tieoizqiskeqflaz.exe (PID 3536)
      command line: tieoizqiskeqflaz.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 1032)
          command line: "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\tieoizqiskeqflaz.exe*."
          - Executes dropped EXE

C:\Windows\system32\cmd.exe (PID 1244)
  command line: C:\Windows\system32\cmd.exe /c jaykgzsmysoctbsthh.exe .
  - Suspicious use of WriteProcessMemory
    C:\Windows\jaykgzsmysoctbsthh.exe (PID 2092)
      command line: jaykgzsmysoctbsthh.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 4092)
          command line: "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\jaykgzsmysoctbsthh.exe*."
          - Executes dropped EXE

C:\Windows\system32\cmd.exe (PID 3700)
  command line: C:\Windows\system32\cmd.exe /c jaykgzsmysoctbsthh.exe
  - Suspicious use of WriteProcessMemory
    C:\Windows\jaykgzsmysoctbsthh.exe (PID 2160)
      command line: jaykgzsmysoctbsthh.exe
      - Executes dropped EXE

C:\Windows\system32\cmd.exe (PID 2364)
  command line: C:\Windows\system32\cmd.exe /c jaykgzsmysoctbsthh.exe
    C:\Windows\jaykgzsmysoctbsthh.exe (PID 4076)
      command line: jaykgzsmysoctbsthh.exe
      - Executes dropped EXE

C:\Windows\system32\cmd.exe (PID 3612)
  command line: C:\Windows\system32\cmd.exe /c jaykgzsmysoctbsthh.exe .
    C:\Windows\jaykgzsmysoctbsthh.exe (PID 4216)
      command line: jaykgzsmysoctbsthh.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 4920)
          command line: "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\jaykgzsmysoctbsthh.exe*."
          - Executes dropped EXE

C:\Windows\system32\cmd.exe (PID 3084)
  command line: C:\Windows\system32\cmd.exe /c haaomhcymigwpzsvlndw.exe .
    C:\Windows\haaomhcymigwpzsvlndw.exe (PID 2720)
      command line: haaomhcymigwpzsvlndw.exe .
      - Checks computer location settings
      - Executes dropped EXE
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 4852)
          command line: "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\haaomhcymigwpzsvlndw.exe*."
          - Executes dropped EXE

C:\Windows\system32\cmd.exe (PID 6020)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe
    C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe (PID 5984)
      command line: C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe
      - Executes dropped EXE

C:\Windows\system32\cmd.exe (PID 1108)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe
    C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe (PID 5584)
      command line: C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe
      - Executes dropped EXE

C:\Windows\system32\cmd.exe (PID 2328)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exe .
    C:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exe (PID 5200)
      command line: C:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exe .
      - Executes dropped EXE
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 4828)
          command line: "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\jaykgzsmysoctbsthh.exe*."
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Executes dropped EXE
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in System32 directory
          - Drops file in Windows directory
          - System policy modification

C:\Windows\system32\cmd.exe (PID 4540)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exe .
    C:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exe (PID 5652)
      command line: C:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 3704)
          command line: "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\tieoizqiskeqflaz.exe*."
          - Executes dropped EXE

C:\Windows\system32\cmd.exe (PID 5564)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe
    C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe (PID 4992)
      command line: C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe
      - Executes dropped EXE

C:\Windows\system32\cmd.exe (PID 3676)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exe
    C:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exe (PID 2252)
      command line: C:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exe
      - Executes dropped EXE

C:\Windows\system32\cmd.exe (PID 3932)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe .
    C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe (PID 5812)
      command line: C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe .
      - Executes dropped EXE
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 3196)
          command line: "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\umlyvpjermjyqzrtijy.exe*."
          - Executes dropped EXE

C:\Windows\system32\cmd.exe (PID 1904)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe .
    C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe (PID 5076)
      command line: C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe .
      - Checks computer location settings
      - Executes dropped EXE
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 2600)
          command line: "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\umlyvpjermjyqzrtijy.exe*."
          - Executes dropped EXE

C:\Windows\system32\cmd.exe (PID 4396)
  command line: C:\Windows\system32\cmd.exe /c haaomhcymigwpzsvlndw.exe
    C:\Windows\haaomhcymigwpzsvlndw.exe (PID 5436)
      command line: haaomhcymigwpzsvlndw.exe
      - Executes dropped EXE

C:\Windows\system32\cmd.exe (PID 1808)
  command line: C:\Windows\system32\cmd.exe /c haaomhcymigwpzsvlndw.exe .
    C:\Windows\haaomhcymigwpzsvlndw.exe (PID 1716)
      command line: haaomhcymigwpzsvlndw.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 3180)
          command line: "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\haaomhcymigwpzsvlndw.exe*."
          - Executes dropped EXE

C:\Windows\system32\cmd.exe (PID 6100)
  command line: C:\Windows\system32\cmd.exe /c aqnytldwhaviyfvvi.exe
    C:\Windows\aqnytldwhaviyfvvi.exe (PID 4936)
      command line: aqnytldwhaviyfvvi.exe
      - Executes dropped EXE

C:\Windows\system32\cmd.exe (PID 3832)
  command line: C:\Windows\system32\cmd.exe /c aqnytldwhaviyfvvi.exe .
    C:\Windows\aqnytldwhaviyfvvi.exe (PID 2676)
      command line: aqnytldwhaviyfvvi.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 4136)
          command line: "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\aqnytldwhaviyfvvi.exe*."
          - Executes dropped EXE

C:\Windows\system32\cmd.exe (PID 6016)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exe
    C:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exe (PID 848)
      command line: C:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exe
      - Executes dropped EXE

C:\Windows\system32\cmd.exe (PID 5340)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe .
    C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe (PID 460)
      command line: C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 5840)
          command line: "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\umlyvpjermjyqzrtijy.exe*."
          - Executes dropped EXE

C:\Windows\system32\cmd.exe (PID 2680)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe
    C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe (PID 5288)
      command line: C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe
      - Executes dropped EXE

C:\Windows\system32\cmd.exe (PID 5708)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exe .
    C:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exe (PID 1844)
      command line: C:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 3584)
          command line: "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\tieoizqiskeqflaz.exe*."
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Executes dropped EXE
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in System32 directory
          - Drops file in Windows directory
          - System policy modification

C:\Windows\system32\cmd.exe (PID 5492)
  command line: C:\Windows\system32\cmd.exe /c umlyvpjermjyqzrtijy.exe
    C:\Windows\umlyvpjermjyqzrtijy.exe (PID 3532)
      command line: umlyvpjermjyqzrtijy.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

C:\Windows\system32\cmd.exe (PID 2792)
  command line: C:\Windows\system32\cmd.exe /c tieoizqiskeqflaz.exe
    C:\Windows\tieoizqiskeqflaz.exe (PID 4076)
      command line: tieoizqiskeqflaz.exe
      - Executes dropped EXE

C:\Windows\system32\cmd.exe (PID 724)
  command line: C:\Windows\system32\cmd.exe /c aqnytldwhaviyfvvi.exe
    C:\Windows\aqnytldwhaviyfvvi.exe (PID 2876)
      command line: aqnytldwhaviyfvvi.exe
      - Executes dropped EXE

C:\Windows\system32\cmd.exe (PID 1528)
  command line: C:\Windows\system32\cmd.exe /c wqrgfbxujgfwqbvzqtkef.exe .
    C:\Windows\wqrgfbxujgfwqbvzqtkef.exe (PID 3044)
      command line: wqrgfbxujgfwqbvzqtkef.exe .
      - Executes dropped EXE
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 4900)
          command line: "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\wqrgfbxujgfwqbvzqtkef.exe*."
          - Executes dropped EXE

C:\Windows\system32\cmd.exe (PID 5276)
  command line: C:\Windows\system32\cmd.exe /c aqnytldwhaviyfvvi.exe .
    C:\Windows\aqnytldwhaviyfvvi.exe (PID 4428)
      command line: aqnytldwhaviyfvvi.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 3516)
          command line: "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\aqnytldwhaviyfvvi.exe*."
          - Executes dropped EXE

C:\Windows\system32\cmd.exe (PID 3344)
  command line: C:\Windows\system32\cmd.exe /c umlyvpjermjyqzrtijy.exe .
    C:\Windows\umlyvpjermjyqzrtijy.exe (PID 2196)
      command line: umlyvpjermjyqzrtijy.exe .
      - Checks computer location settings
      - Executes dropped EXE
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 5812)
          command line: "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\umlyvpjermjyqzrtijy.exe*."

C:\Windows\system32\cmd.exe (PID 4552)
  command line: C:\Windows\system32\cmd.exe /c wqrgfbxujgfwqbvzqtkef.exe
    C:\Windows\wqrgfbxujgfwqbvzqtkef.exe (PID 364)
      command line: wqrgfbxujgfwqbvzqtkef.exe
      - Executes dropped EXE

C:\Windows\system32\cmd.exe (PID 4808)
  command line: C:\Windows\system32\cmd.exe /c tieoizqiskeqflaz.exe .
    C:\Windows\tieoizqiskeqflaz.exe (PID 5596)
      command line: tieoizqiskeqflaz.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 3180)
          command line: "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\tieoizqiskeqflaz.exe*."
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in System32 directory
          - Drops file in Windows directory
          - System policy modification

C:\Windows\system32\cmd.exe (PID 2124)
  command line: C:\Windows\system32\cmd.exe /c wqrgfbxujgfwqbvzqtkef.exe
    C:\Windows\wqrgfbxujgfwqbvzqtkef.exe (PID 2252)
      command line: wqrgfbxujgfwqbvzqtkef.exe
      - Executes dropped EXE

C:\Windows\system32\cmd.exe (PID 2312)
  command line: C:\Windows\system32\cmd.exe /c umlyvpjermjyqzrtijy.exe
    C:\Windows\umlyvpjermjyqzrtijy.exe (PID 3064)
      command line: umlyvpjermjyqzrtijy.exe
      - Executes dropped EXE

C:\Windows\system32\cmd.exe (PID 4216)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe
    C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe (PID 5028)
      command line: C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe
      - Executes dropped EXE

C:\Windows\system32\cmd.exe (PID 3856)
  command line: C:\Windows\system32\cmd.exe /c umlyvpjermjyqzrtijy.exe .
    C:\Windows\System32\Conhost.exe (PID 4920)
      command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Windows\umlyvpjermjyqzrtijy.exe (PID 4928)
      command line: umlyvpjermjyqzrtijy.exe .
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 2756)
          command line: "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\umlyvpjermjyqzrtijy.exe*."
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqnytldwhaviyfvvi.exe .1⤵PID:4852
-
C:\Windows\aqnytldwhaviyfvvi.exeaqnytldwhaviyfvvi.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4704 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\aqnytldwhaviyfvvi.exe*."3⤵PID:4556
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe .1⤵PID:4532
-
C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exeC:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe .2⤵
- Checks computer location settings
PID:3744 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\aqnytldwhaviyfvvi.exe*."3⤵PID:5932
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe1⤵PID:1936
-
C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exeC:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe2⤵PID:5704
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exe1⤵PID:5888
-
C:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exeC:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exe2⤵PID:3240
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe .1⤵PID:2132
-
C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exeC:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1132 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\umlyvpjermjyqzrtijy.exe*."3⤵PID:5484
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe .1⤵PID:4712
-
C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exeC:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5248 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\umlyvpjermjyqzrtijy.exe*."3⤵PID:3756
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exe1⤵PID:2604
-
C:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exeC:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exe2⤵PID:4064
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe .1⤵PID:5892
-
C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exeC:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe .2⤵
- Checks computer location settings
PID:3456 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\haaomhcymigwpzsvlndw.exe*."3⤵PID:1208
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe1⤵PID:1392
-
C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exeC:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe2⤵PID:2508
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe1⤵PID:4984
-
C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exeC:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe2⤵PID:3832
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe .1⤵PID:5076
-
C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exeC:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe .2⤵
- System Location Discovery: System Language Discovery
PID:264 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\haaomhcymigwpzsvlndw.exe*."3⤵PID:376
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exe .1⤵PID:4080
-
C:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exeC:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4224 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\jaykgzsmysoctbsthh.exe*."3⤵PID:4276
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c umlyvpjermjyqzrtijy.exe1⤵PID:3960
-
C:\Windows\umlyvpjermjyqzrtijy.exeumlyvpjermjyqzrtijy.exe2⤵PID:904
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wqrgfbxujgfwqbvzqtkef.exe .1⤵PID:4004
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4092
-
-
C:\Windows\wqrgfbxujgfwqbvzqtkef.exewqrgfbxujgfwqbvzqtkef.exe .2⤵
- Checks computer location settings
PID:5944 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\wqrgfbxujgfwqbvzqtkef.exe*."3⤵PID:1160
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqnytldwhaviyfvvi.exe1⤵PID:5900
-
C:\Windows\aqnytldwhaviyfvvi.exeaqnytldwhaviyfvvi.exe2⤵PID:4400
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqnytldwhaviyfvvi.exe .1⤵PID:1032
-
C:\Windows\aqnytldwhaviyfvvi.exeaqnytldwhaviyfvvi.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2100 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\aqnytldwhaviyfvvi.exe*."3⤵PID:2836
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe1⤵PID:2876
-
C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exeC:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe2⤵PID:6112
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exe .1⤵PID:1244
-
C:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exeC:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exe .2⤵PID:4728
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\tieoizqiskeqflaz.exe*."3⤵PID:1944
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe1⤵PID:2152
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4428
-
-
C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exeC:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe2⤵PID:4448
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe .1⤵PID:5724
-
C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exeC:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe .2⤵
- Checks computer location settings
PID:2952 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\wqrgfbxujgfwqbvzqtkef.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2872
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqnytldwhaviyfvvi.exe1⤵PID:2268
-
C:\Windows\aqnytldwhaviyfvvi.exeaqnytldwhaviyfvvi.exe2⤵PID:5028
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c haaomhcymigwpzsvlndw.exe .1⤵PID:5812
-
C:\Windows\haaomhcymigwpzsvlndw.exehaaomhcymigwpzsvlndw.exe .2⤵
- Checks computer location settings
PID:2828 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\haaomhcymigwpzsvlndw.exe*."3⤵PID:984
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tieoizqiskeqflaz.exe1⤵PID:2720
-
C:\Windows\tieoizqiskeqflaz.exetieoizqiskeqflaz.exe2⤵PID:4880
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tieoizqiskeqflaz.exe .1⤵PID:1516
-
C:\Windows\tieoizqiskeqflaz.exetieoizqiskeqflaz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5788 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\tieoizqiskeqflaz.exe*."3⤵PID:3060
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe1⤵PID:2636
-
C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exeC:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe2⤵PID:4724
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe .1⤵PID:3676
-
C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exeC:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe .2⤵
- Checks computer location settings
PID:800 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\haaomhcymigwpzsvlndw.exe*."3⤵PID:4556
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe1⤵PID:2880
-
C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exeC:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe2⤵PID:4232
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exe .1⤵PID:5312
-
C:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exeC:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exe .2⤵PID:1672
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\jaykgzsmysoctbsthh.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3756
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tieoizqiskeqflaz.exe1⤵PID:4780
-
C:\Windows\tieoizqiskeqflaz.exetieoizqiskeqflaz.exe2⤵PID:4644
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c umlyvpjermjyqzrtijy.exe .1⤵PID:5396
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4852
-
-
C:\Windows\umlyvpjermjyqzrtijy.exeumlyvpjermjyqzrtijy.exe .2⤵PID:5292
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\umlyvpjermjyqzrtijy.exe*."3⤵PID:3456
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wqrgfbxujgfwqbvzqtkef.exe1⤵PID:2028
-
C:\Windows\wqrgfbxujgfwqbvzqtkef.exewqrgfbxujgfwqbvzqtkef.exe2⤵PID:2304
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wqrgfbxujgfwqbvzqtkef.exe .1⤵PID:1208
-
C:\Windows\wqrgfbxujgfwqbvzqtkef.exewqrgfbxujgfwqbvzqtkef.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1456 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\wqrgfbxujgfwqbvzqtkef.exe*."3⤵PID:4652
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe1⤵PID:4860
-
C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exeC:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe2⤵PID:1296
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe .1⤵PID:1292
-
C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exeC:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2468 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\haaomhcymigwpzsvlndw.exe*."3⤵PID:1740
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exe1⤵PID:460
-
C:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exeC:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exe2⤵PID:3728
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe .1⤵PID:4828
-
C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exeC:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe .2⤵PID:5972
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\haaomhcymigwpzsvlndw.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- System policy modification
PID:4508
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jaykgzsmysoctbsthh.exe1⤵PID:5076
-
C:\Windows\jaykgzsmysoctbsthh.exejaykgzsmysoctbsthh.exe2⤵PID:3740
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c umlyvpjermjyqzrtijy.exe .1⤵PID:5420
-
C:\Windows\umlyvpjermjyqzrtijy.exeumlyvpjermjyqzrtijy.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5624 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\umlyvpjermjyqzrtijy.exe*."3⤵PID:3532
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tieoizqiskeqflaz.exe1⤵PID:1160
-
C:\Windows\tieoizqiskeqflaz.exetieoizqiskeqflaz.exe2⤵PID:912
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tieoizqiskeqflaz.exe .1⤵PID:4596
-
C:\Windows\tieoizqiskeqflaz.exetieoizqiskeqflaz.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5920 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\tieoizqiskeqflaz.exe*."3⤵PID:5764
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exe1⤵PID:660
-
C:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exeC:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exe2⤵PID:5128
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe .1⤵PID:5428
-
C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exeC:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4948 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\aqnytldwhaviyfvvi.exe*."3⤵PID:2792
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe1⤵PID:3272
-
C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exeC:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe2⤵PID:1808
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe .1⤵PID:4764
-
C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exeC:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2952 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\haaomhcymigwpzsvlndw.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3692
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqnytldwhaviyfvvi.exe1⤵PID:3332
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5028
-
-
C:\Windows\aqnytldwhaviyfvvi.exeaqnytldwhaviyfvvi.exe2⤵PID:4540
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c haaomhcymigwpzsvlndw.exe .1⤵PID:2448
-
C:\Windows\haaomhcymigwpzsvlndw.exehaaomhcymigwpzsvlndw.exe .2⤵
- Checks computer location settings
PID:5196 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\haaomhcymigwpzsvlndw.exe*."3⤵PID:4788
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jaykgzsmysoctbsthh.exe1⤵PID:2852
-
C:\Windows\jaykgzsmysoctbsthh.exejaykgzsmysoctbsthh.exe2⤵PID:4724
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c umlyvpjermjyqzrtijy.exe .1⤵PID:5020
-
C:\Windows\umlyvpjermjyqzrtijy.exeumlyvpjermjyqzrtijy.exe .2⤵PID:2636
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\umlyvpjermjyqzrtijy.exe*."3⤵PID:2044
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe1⤵PID:3872
-
C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exeC:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe2⤵PID:3240
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe .1⤵PID:4876
-
C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exeC:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe .2⤵
- Checks computer location settings
PID:3764 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\haaomhcymigwpzsvlndw.exe*."3⤵PID:4536
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exe1⤵PID:2080
-
C:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exeC:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exe2⤵PID:1928
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exe .1⤵PID:3064
-
C:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exeC:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exe .2⤵
- Checks computer location settings
PID:4964 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\tieoizqiskeqflaz.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5408
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c umlyvpjermjyqzrtijy.exe1⤵PID:3992
-
C:\Windows\umlyvpjermjyqzrtijy.exeumlyvpjermjyqzrtijy.exe2⤵PID:2708
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jaykgzsmysoctbsthh.exe .1⤵PID:4040
-
C:\Windows\jaykgzsmysoctbsthh.exejaykgzsmysoctbsthh.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1876 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\jaykgzsmysoctbsthh.exe*."3⤵PID:2424
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wqrgfbxujgfwqbvzqtkef.exe1⤵PID:756
-
C:\Windows\wqrgfbxujgfwqbvzqtkef.exewqrgfbxujgfwqbvzqtkef.exe2⤵PID:2328
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqnytldwhaviyfvvi.exe .1⤵PID:3856
-
C:\Windows\aqnytldwhaviyfvvi.exeaqnytldwhaviyfvvi.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:220 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\aqnytldwhaviyfvvi.exe*."3⤵PID:4712
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exe1⤵PID:4824
-
C:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exeC:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exe2⤵PID:2132
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe .1⤵PID:4860
-
C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exeC:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5632 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\aqnytldwhaviyfvvi.exe*."3⤵PID:1740
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe1⤵PID:5464
-
C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exeC:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe2⤵PID:6048
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exe .1⤵PID:2996
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3728
-
-
C:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exeC:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2600 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\jaykgzsmysoctbsthh.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3740
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jaykgzsmysoctbsthh.exe1⤵PID:460
-
C:\Windows\jaykgzsmysoctbsthh.exejaykgzsmysoctbsthh.exe2⤵PID:5336
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wqrgfbxujgfwqbvzqtkef.exe1⤵PID:3036
-
C:\Windows\wqrgfbxujgfwqbvzqtkef.exewqrgfbxujgfwqbvzqtkef.exe2⤵PID:4512
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jaykgzsmysoctbsthh.exe .1⤵PID:3160
-
C:\Windows\jaykgzsmysoctbsthh.exejaykgzsmysoctbsthh.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2780 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\jaykgzsmysoctbsthh.exe*."3⤵PID:5032
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqnytldwhaviyfvvi.exe .1⤵PID:5076
-
C:\Windows\aqnytldwhaviyfvvi.exeaqnytldwhaviyfvvi.exe .2⤵
- Checks computer location settings
PID:1684 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\aqnytldwhaviyfvvi.exe*."3⤵PID:4132
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jaykgzsmysoctbsthh.exe1⤵PID:1736
-
C:\Windows\jaykgzsmysoctbsthh.exejaykgzsmysoctbsthh.exe2⤵PID:4448
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wqrgfbxujgfwqbvzqtkef.exe1⤵PID:3124
-
C:\Windows\wqrgfbxujgfwqbvzqtkef.exewqrgfbxujgfwqbvzqtkef.exe2⤵PID:4324
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqnytldwhaviyfvvi.exe .1⤵PID:5856
-
C:\Windows\aqnytldwhaviyfvvi.exeaqnytldwhaviyfvvi.exe .2⤵
- System Location Discovery: System Language Discovery
PID:6036 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\aqnytldwhaviyfvvi.exe*."3⤵PID:3344
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jaykgzsmysoctbsthh.exe .1⤵PID:5636
-
C:\Windows\jaykgzsmysoctbsthh.exejaykgzsmysoctbsthh.exe .2⤵PID:5300
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\jaykgzsmysoctbsthh.exe*."3⤵PID:5020
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exe1⤵PID:3452
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1944
-
-
C:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exeC:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exe2⤵PID:992
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jaykgzsmysoctbsthh.exe1⤵PID:2776
-
C:\Windows\jaykgzsmysoctbsthh.exejaykgzsmysoctbsthh.exe2⤵PID:3196
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exe1⤵PID:5968
-
C:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exeC:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exe2⤵PID:5200
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe .1⤵PID:5700
-
C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exeC:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe .2⤵
- System Location Discovery: System Language Discovery
PID:452 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\umlyvpjermjyqzrtijy.exe*."3⤵PID:3992
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exe .1⤵PID:5152
-
C:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exeC:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4724 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\jaykgzsmysoctbsthh.exe*."3⤵PID:2712
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wqrgfbxujgfwqbvzqtkef.exe .1⤵PID:2552
-
C:\Windows\wqrgfbxujgfwqbvzqtkef.exewqrgfbxujgfwqbvzqtkef.exe .2⤵PID:2516
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\wqrgfbxujgfwqbvzqtkef.exe*."3⤵PID:5148
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe1⤵PID:4880
-
C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exeC:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe2⤵PID:424
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c haaomhcymigwpzsvlndw.exe1⤵PID:4416
-
C:\Windows\haaomhcymigwpzsvlndw.exehaaomhcymigwpzsvlndw.exe2⤵PID:6016
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe1⤵PID:4748
-
C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exeC:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe2⤵PID:4532
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe .1⤵PID:5788
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3060
-
-
C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exeC:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe .2⤵
- Checks computer location settings
PID:4520 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\wqrgfbxujgfwqbvzqtkef.exe*."3⤵PID:5768
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe .1⤵PID:3872
-
C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exeC:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4516 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\wqrgfbxujgfwqbvzqtkef.exe*."3⤵PID:5520
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqnytldwhaviyfvvi.exe .1⤵PID:2636
-
C:\Windows\aqnytldwhaviyfvvi.exeaqnytldwhaviyfvvi.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4136 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\aqnytldwhaviyfvvi.exe*."3⤵PID:5836
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe1⤵PID:6032
-
C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exeC:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe2⤵PID:4644
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe .1⤵PID:3088
-
C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exeC:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe .2⤵PID:4088
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\wqrgfbxujgfwqbvzqtkef.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- System policy modification
PID:5892
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe1⤵PID:5652
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3832
-
-
C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exeC:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe2⤵PID:4892
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe .1⤵PID:1296
-
C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exeC:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2116 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\umlyvpjermjyqzrtijy.exe*."3⤵PID:388
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqnytldwhaviyfvvi.exe1⤵PID:4860
-
C:\Windows\aqnytldwhaviyfvvi.exeaqnytldwhaviyfvvi.exe2⤵PID:4224
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tieoizqiskeqflaz.exe .1⤵PID:5464
-
C:\Windows\tieoizqiskeqflaz.exetieoizqiskeqflaz.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5336 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\tieoizqiskeqflaz.exe*."3⤵PID:5532
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqnytldwhaviyfvvi.exe1⤵PID:5840
-
C:\Windows\aqnytldwhaviyfvvi.exeaqnytldwhaviyfvvi.exe2⤵PID:380
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c haaomhcymigwpzsvlndw.exe .1⤵PID:2600
-
C:\Windows\haaomhcymigwpzsvlndw.exehaaomhcymigwpzsvlndw.exe .2⤵
- Checks computer location settings
PID:5616 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\haaomhcymigwpzsvlndw.exe*."3⤵PID:4400
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe1⤵PID:2676
-
C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exeC:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe2⤵PID:3532
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exe .1⤵PID:4620
-
C:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exeC:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5764 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\jaykgzsmysoctbsthh.exe*."3⤵PID:6096
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe1⤵PID:4816
-
C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exeC:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe2⤵PID:2716
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe .1⤵PID:4576
-
C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exeC:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe .2⤵PID:4944
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\wqrgfbxujgfwqbvzqtkef.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4960
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tieoizqiskeqflaz.exe1⤵PID:4476
-
C:\Windows\tieoizqiskeqflaz.exetieoizqiskeqflaz.exe2⤵PID:1072
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqnytldwhaviyfvvi.exe .1⤵PID:4972
-
C:\Windows\aqnytldwhaviyfvvi.exeaqnytldwhaviyfvvi.exe .2⤵PID:5300
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\aqnytldwhaviyfvvi.exe*."3⤵PID:5712
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c umlyvpjermjyqzrtijy.exe1⤵PID:1516
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5932
-
-
C:\Windows\umlyvpjermjyqzrtijy.exeumlyvpjermjyqzrtijy.exe2⤵PID:5720
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wqrgfbxujgfwqbvzqtkef.exe .1⤵PID:5492
-
C:\Windows\wqrgfbxujgfwqbvzqtkef.exewqrgfbxujgfwqbvzqtkef.exe .2⤵
- Checks computer location settings
PID:4840 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\wqrgfbxujgfwqbvzqtkef.exe*."3⤵PID:1468
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exe1⤵PID:2624
-
C:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exeC:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exe2⤵PID:1192
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exe .1⤵PID:3676
-
C:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exeC:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exe .2⤵PID:6124
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\jaykgzsmysoctbsthh.exe*."3⤵PID:3176
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe1⤵PID:5924
-
C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exeC:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe2⤵PID:1428
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe .1⤵PID:1712
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:800
-
-
C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exeC:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe .2⤵PID:5980
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\aqnytldwhaviyfvvi.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- System policy modification
PID:4924
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jaykgzsmysoctbsthh.exe1⤵PID:3272
-
C:\Windows\jaykgzsmysoctbsthh.exejaykgzsmysoctbsthh.exe2⤵PID:648
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jaykgzsmysoctbsthh.exe .1⤵PID:3084
-
C:\Windows\jaykgzsmysoctbsthh.exejaykgzsmysoctbsthh.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4712 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\jaykgzsmysoctbsthh.exe*."3⤵PID:804
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqnytldwhaviyfvvi.exe1⤵PID:1996
-
C:\Windows\aqnytldwhaviyfvvi.exeaqnytldwhaviyfvvi.exe2⤵PID:900
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tieoizqiskeqflaz.exe .1⤵PID:2148
-
C:\Windows\tieoizqiskeqflaz.exetieoizqiskeqflaz.exe .2⤵PID:1332
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\tieoizqiskeqflaz.exe*."3⤵PID:5484
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe1⤵PID:4628
-
C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exeC:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe2⤵PID:1740
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe .1⤵PID:2028
-
C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exeC:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4832 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\haaomhcymigwpzsvlndw.exe*."3⤵PID:2348
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exe1⤵PID:1296
-
C:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exeC:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exe2⤵PID:5312
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe .1⤵PID:428
-
C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exeC:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:956 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\aqnytldwhaviyfvvi.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:376
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c umlyvpjermjyqzrtijy.exe1⤵PID:408
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3756
-
-
C:\Windows\umlyvpjermjyqzrtijy.exeumlyvpjermjyqzrtijy.exe2⤵PID:4952
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jaykgzsmysoctbsthh.exe .1⤵PID:2288
-
C:\Windows\jaykgzsmysoctbsthh.exejaykgzsmysoctbsthh.exe .2⤵PID:724
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\jaykgzsmysoctbsthh.exe*."3⤵PID:2920
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jaykgzsmysoctbsthh.exe1⤵PID:2600
-
C:\Windows\jaykgzsmysoctbsthh.exejaykgzsmysoctbsthh.exe2⤵PID:5764
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jaykgzsmysoctbsthh.exe .1⤵PID:5420
-
C:\Windows\jaykgzsmysoctbsthh.exejaykgzsmysoctbsthh.exe .2⤵
- Checks computer location settings
PID:5816 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\jaykgzsmysoctbsthh.exe*."3⤵PID:5600
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exe1⤵PID:1080
-
C:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exeC:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exe2⤵PID:1236
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe .1⤵PID:4256
-
C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exeC:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4192 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\aqnytldwhaviyfvvi.exe*."3⤵PID:3252
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe1⤵PID:5320
-
C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exeC:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe2⤵PID:5268
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe .1⤵PID:5064
-
C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exeC:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe .2⤵PID:5712
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\aqnytldwhaviyfvvi.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3344
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wqrgfbxujgfwqbvzqtkef.exe1⤵PID:5968
-
C:\Windows\wqrgfbxujgfwqbvzqtkef.exewqrgfbxujgfwqbvzqtkef.exe2⤵PID:3172
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c umlyvpjermjyqzrtijy.exe .1⤵PID:4688
-
C:\Windows\umlyvpjermjyqzrtijy.exeumlyvpjermjyqzrtijy.exe .2⤵PID:364
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\umlyvpjermjyqzrtijy.exe*."3⤵PID:5152
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c haaomhcymigwpzsvlndw.exe1⤵PID:5008
-
C:\Windows\haaomhcymigwpzsvlndw.exehaaomhcymigwpzsvlndw.exe2⤵PID:2188
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tieoizqiskeqflaz.exe .1⤵PID:3484
-
C:\Windows\tieoizqiskeqflaz.exetieoizqiskeqflaz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1428 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\tieoizqiskeqflaz.exe*."3⤵PID:3584
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe1⤵PID:5148
-
C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exeC:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe2⤵PID:2552
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe .1⤵PID:992
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2044
-
-
C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exeC:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1928 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\haaomhcymigwpzsvlndw.exe*."3⤵PID:2088
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe1⤵PID:4912
-
C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exeC:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe2⤵PID:4604
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe .1⤵PID:4852
-
C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exeC:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4508 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\wqrgfbxujgfwqbvzqtkef.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4208
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵PID:2636
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqnytldwhaviyfvvi.exe1⤵PID:1832
-
C:\Windows\aqnytldwhaviyfvvi.exeaqnytldwhaviyfvvi.exe2⤵PID:1332
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqnytldwhaviyfvvi.exe .1⤵PID:632
-
C:\Windows\aqnytldwhaviyfvvi.exeaqnytldwhaviyfvvi.exe .2⤵
- Checks computer location settings
PID:2468 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\aqnytldwhaviyfvvi.exe*."3⤵PID:768
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wqrgfbxujgfwqbvzqtkef.exe1⤵PID:4628
-
C:\Windows\wqrgfbxujgfwqbvzqtkef.exewqrgfbxujgfwqbvzqtkef.exe2⤵PID:4652
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqnytldwhaviyfvvi.exe .1⤵PID:5048
-
C:\Windows\aqnytldwhaviyfvvi.exeaqnytldwhaviyfvvi.exe .2⤵
- System Location Discovery: System Language Discovery
PID:6048 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\aqnytldwhaviyfvvi.exe*."3⤵PID:1716
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe1⤵PID:5044
-
C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exeC:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe2⤵PID:2032
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exe .1⤵PID:5880
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5336
-
-
C:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exeC:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:460 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\tieoizqiskeqflaz.exe*."3⤵PID:4696
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exe1⤵PID:904
-
C:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exeC:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exe2⤵PID:4400
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wqrgfbxujgfwqbvzqtkef.exe1⤵PID:1500
-
C:\Windows\wqrgfbxujgfwqbvzqtkef.exewqrgfbxujgfwqbvzqtkef.exe2⤵PID:2760
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe .1⤵PID:1684
-
C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exeC:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5032 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\wqrgfbxujgfwqbvzqtkef.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5360
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jaykgzsmysoctbsthh.exe1⤵PID:2780
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5972
-
-
C:\Windows\jaykgzsmysoctbsthh.exejaykgzsmysoctbsthh.exe2⤵PID:1612
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jaykgzsmysoctbsthh.exe .1⤵PID:3052
-
C:\Windows\jaykgzsmysoctbsthh.exejaykgzsmysoctbsthh.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5452 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\jaykgzsmysoctbsthh.exe*."3⤵PID:5320
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wqrgfbxujgfwqbvzqtkef.exe .1⤵PID:5456
-
C:\Windows\wqrgfbxujgfwqbvzqtkef.exewqrgfbxujgfwqbvzqtkef.exe .2⤵
- Checks computer location settings
PID:4192 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\wqrgfbxujgfwqbvzqtkef.exe*."3⤵PID:3004
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqnytldwhaviyfvvi.exe1⤵PID:5420
-
C:\Windows\aqnytldwhaviyfvvi.exeaqnytldwhaviyfvvi.exe2⤵PID:6064
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wqrgfbxujgfwqbvzqtkef.exe1⤵PID:4312
-
C:\Windows\wqrgfbxujgfwqbvzqtkef.exewqrgfbxujgfwqbvzqtkef.exe2⤵PID:3172
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tieoizqiskeqflaz.exe .1⤵PID:2092
-
C:\Windows\tieoizqiskeqflaz.exetieoizqiskeqflaz.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:6000 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\tieoizqiskeqflaz.exe*."3⤵PID:4884
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c haaomhcymigwpzsvlndw.exe .1⤵PID:5268
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:376
-
-
C:\Windows\haaomhcymigwpzsvlndw.exehaaomhcymigwpzsvlndw.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3124 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\haaomhcymigwpzsvlndw.exe*."3⤵PID:2424
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe1⤵PID:2928
-
C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exeC:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe2⤵PID:2712
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe1⤵PID:3444
-
C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exeC:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe2⤵PID:4352
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe .1⤵PID:5384
-
C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exeC:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe .2⤵
- Checks computer location settings
PID:3276 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\aqnytldwhaviyfvvi.exe*."3⤵PID:3856
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe .1⤵PID:3048
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4532
-
-
C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exeC:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe .2⤵PID:1876
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\wqrgfbxujgfwqbvzqtkef.exe*."3⤵PID:3740
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c haaomhcymigwpzsvlndw.exe1⤵PID:5536
-
C:\Windows\haaomhcymigwpzsvlndw.exehaaomhcymigwpzsvlndw.exe2⤵PID:4116
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe1⤵PID:4772
-
C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exeC:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe2⤵PID:5504
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tieoizqiskeqflaz.exe .1⤵PID:3064
-
C:\Windows\tieoizqiskeqflaz.exetieoizqiskeqflaz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4712 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\tieoizqiskeqflaz.exe*."3⤵PID:5228
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe1⤵PID:2708
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2828
-
-
C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exeC:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe2⤵PID:2076
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe .1⤵PID:3012
-
C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exeC:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5256 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\umlyvpjermjyqzrtijy.exe*."3⤵PID:1716
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe .1⤵PID:2248
-
C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exeC:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1552 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\wqrgfbxujgfwqbvzqtkef.exe*."3⤵PID:4832
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqnytldwhaviyfvvi.exe1⤵PID:4972
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3344
-
-
C:\Windows\aqnytldwhaviyfvvi.exeaqnytldwhaviyfvvi.exe2⤵PID:2080
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqnytldwhaviyfvvi.exe .1⤵PID:4088
-
C:\Windows\aqnytldwhaviyfvvi.exeaqnytldwhaviyfvvi.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4128 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\aqnytldwhaviyfvvi.exe*."3⤵PID:5872
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe1⤵PID:1196
-
C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exeC:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe2⤵PID:1456
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe .1⤵PID:3872
-
C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exeC:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe .2⤵
- Checks computer location settings
PID:856 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\wqrgfbxujgfwqbvzqtkef.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- System policy modification
PID:5096
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe1⤵PID:1284
-
C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exeC:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe2⤵PID:2676
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exe .1⤵PID:5632
-
C:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exeC:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4400 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\tieoizqiskeqflaz.exe*."3⤵PID:2920
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c haaomhcymigwpzsvlndw.exe1⤵PID:5764
-
C:\Windows\haaomhcymigwpzsvlndw.exehaaomhcymigwpzsvlndw.exe2⤵PID:1624
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c umlyvpjermjyqzrtijy.exe .1⤵PID:5616
-
C:\Windows\umlyvpjermjyqzrtijy.exeumlyvpjermjyqzrtijy.exe .2⤵PID:4768
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\umlyvpjermjyqzrtijy.exe*."3⤵PID:5300
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c umlyvpjermjyqzrtijy.exe1⤵PID:436
-
C:\Windows\umlyvpjermjyqzrtijy.exeumlyvpjermjyqzrtijy.exe2⤵PID:464
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tieoizqiskeqflaz.exe .1⤵PID:5408
-
C:\Windows\tieoizqiskeqflaz.exetieoizqiskeqflaz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2876 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\tieoizqiskeqflaz.exe*."3⤵PID:4796
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe1⤵PID:5076
-
C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exeC:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe2⤵PID:2712
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe .1⤵PID:5008
-
C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exeC:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe .2⤵PID:4352
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\aqnytldwhaviyfvvi.exe*."3⤵PID:4592
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exe1⤵PID:4788
-
C:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exeC:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exe2⤵PID:4864
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe .1⤵PID:3484
-
C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exeC:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5028 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\umlyvpjermjyqzrtijy.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:208
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tieoizqiskeqflaz.exe1⤵PID:1332
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3176
-
-
C:\Windows\tieoizqiskeqflaz.exetieoizqiskeqflaz.exe2⤵PID:2624
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c umlyvpjermjyqzrtijy.exe .1⤵PID:4188
-
C:\Windows\umlyvpjermjyqzrtijy.exeumlyvpjermjyqzrtijy.exe .2⤵PID:2464
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\umlyvpjermjyqzrtijy.exe*."3⤵PID:6036
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wqrgfbxujgfwqbvzqtkef.exe1⤵PID:6080
-
C:\Windows\wqrgfbxujgfwqbvzqtkef.exewqrgfbxujgfwqbvzqtkef.exe2⤵PID:4728
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c umlyvpjermjyqzrtijy.exe .1⤵PID:632
-
C:\Windows\umlyvpjermjyqzrtijy.exeumlyvpjermjyqzrtijy.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1516 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\umlyvpjermjyqzrtijy.exe*."3⤵PID:900
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe1⤵PID:1808
-
C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exeC:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe2⤵PID:5856
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe .1⤵PID:4716
-
C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exeC:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe .2⤵
- Checks computer location settings
PID:5044 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\aqnytldwhaviyfvvi.exe*."3⤵PID:4712
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exe1⤵PID:5100
-
C:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exeC:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exe2⤵PID:1892
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe .1⤵PID:3668
-
C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exeC:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2504 -
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\umlyvpjermjyqzrtijy.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1672
-
-
-
[1] C:\Windows\system32\cmd.exe (PID 2856): C:\Windows\system32\cmd.exe /c aqnytldwhaviyfvvi.exe
    [2] C:\Windows\aqnytldwhaviyfvvi.exe (PID 3180): aqnytldwhaviyfvvi.exe

[1] C:\Windows\system32\cmd.exe (PID 5812): C:\Windows\system32\cmd.exe /c aqnytldwhaviyfvvi.exe .
    [2] C:\Windows\aqnytldwhaviyfvvi.exe (PID 4828): aqnytldwhaviyfvvi.exe .
        - Checks computer location settings
        [3] C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 2912): "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\aqnytldwhaviyfvvi.exe*."

[1] C:\Windows\system32\cmd.exe (PID 4880): C:\Windows\system32\cmd.exe /c haaomhcymigwpzsvlndw.exe
    [2] C:\Windows\haaomhcymigwpzsvlndw.exe (PID 2364): haaomhcymigwpzsvlndw.exe

[1] C:\Windows\system32\cmd.exe (PID 4980): C:\Windows\system32\cmd.exe /c umlyvpjermjyqzrtijy.exe .
    [2] C:\Windows\umlyvpjermjyqzrtijy.exe (PID 5440): umlyvpjermjyqzrtijy.exe .
        [3] C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 620): "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\umlyvpjermjyqzrtijy.exe*."

[1] C:\Windows\system32\cmd.exe (PID 3684): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exe
    [2] C:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exe (PID 2108): C:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exe

[1] C:\Windows\system32\cmd.exe (PID 4996): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe .
    [2] C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe (PID 508): C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe .
        - Checks computer location settings
        [3] C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 2156): "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\wqrgfbxujgfwqbvzqtkef.exe*."

[1] C:\Windows\system32\cmd.exe (PID 4760): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe
    [2] C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe (PID 5884): C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe

[1] C:\Windows\system32\cmd.exe (PID 4132): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exe .
    [2] C:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exe (PID 432): C:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exe .
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 3540): "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\tieoizqiskeqflaz.exe*."
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification
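The two vcmnxryrfmw.exe instances flagged so far (PIDs 1672 and 3540) carry the persistence and policy signatures: Modifies WinLogon for persistence, Adds Run key and Adds policy Run key to start application, Checks whether UAC is enabled, UAC bypass, System policy modification. This part of the report names the signatures but not the values written, so the Python below is an added example, not code from the report or the sample: it collects the standard registry locations those signature names refer to (live through winreg on Windows, reading both the native and the WOW6432Node view of each HKLM key because a 32-bit writer's changes land in the latter; from a snapshot dict elsewhere) and flags departures from the defaults. SAMPLE_SNAPSHOT is constructed for the test; its value names are invented, and the Userinit check is added alongside Shell because it lives in the same Winlogon key.

```python
import sys
from typing import Dict, List, Tuple

Snapshot = Dict[Tuple[str, str], Dict[str, object]]   # (hive, subkey) -> {value name: data}

# Standard Windows locations behind the signature names in the report.
WINLOGON = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"            # Shell, Userinit
RUN = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"                          # Run key
RUNONCE = r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
POL_RUN = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"    # policy Run key
POL_SYS = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"          # EnableLUA, system policy

def views(subkey: str) -> List[str]:
    """Native and WOW6432Node views of an HKLM\\SOFTWARE key."""
    return [subkey, subkey.replace("SOFTWARE\\", "SOFTWARE\\WOW6432Node\\", 1)]

def keys_to_read() -> List[Tuple[str, str]]:
    keys = [("HKLM", v) for k in (WINLOGON, RUN, RUNONCE, POL_RUN, POL_SYS) for v in views(k)]
    return keys + [("HKCU", k) for k in (RUN, RUNONCE, POL_RUN, POL_SYS)]

def read_live_registry() -> Snapshot:
    """Windows only: collect every value of every key in keys_to_read()."""
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    snap: Snapshot = {}
    for hive, sub in keys_to_read():
        try:
            with winreg.OpenKey(hives[hive], sub, 0, winreg.KEY_READ) as key:
                count = winreg.QueryInfoKey(key)[1]
                snap[(hive, sub)] = {winreg.EnumValue(key, i)[0]: winreg.EnumValue(key, i)[1]
                                     for i in range(count)}
        except OSError:
            pass   # key absent in this hive or view
    return snap

def suspicious_autostart(data: object) -> bool:
    """Autostart target inside a user Temp directory or dropped directly under C:\\Windows
    (not in a subdirectory such as system32). Only the first token is examined, so a
    quoted path containing spaces would need shlex-style splitting first."""
    exe = str(data).strip().strip('"').lower().split(" ")[0]
    if "\\appdata\\local\\temp\\" in exe:
        return True
    prefix = "c:\\windows\\"
    return exe.startswith(prefix) and "\\" not in exe[len(prefix):]

def triage(snap: Snapshot) -> List[str]:
    findings: List[str] = []
    for (hive, sub), values in snap.items():
        where = f"{hive}\\{sub}"
        if sub.endswith("\\Winlogon"):
            if str(values.get("Shell", "explorer.exe")).lower() != "explorer.exe":
                findings.append(f"{where}\\Shell = {values['Shell']!r} (default explorer.exe)")
            userinit = str(values.get("Userinit", "")).lower().rstrip(",")
            if userinit and not userinit.endswith("\\system32\\userinit.exe"):
                findings.append(f"{where}\\Userinit = {values['Userinit']!r}")
        elif sub.endswith("\\Policies\\Explorer\\Run"):
            for name, data in values.items():            # rarely populated legitimately
                findings.append(f"{where}\\{name} = {data!r} (policy Run key)")
        elif sub.endswith("\\Run") or sub.endswith("\\RunOnce"):
            for name, data in values.items():
                if suspicious_autostart(data):
                    findings.append(f"{where}\\{name} = {data!r} (autostart from a drop location)")
        elif sub.endswith("\\Policies\\System"):
            if values.get("EnableLUA") == 0:
                findings.append(f"{where}\\EnableLUA = 0 (UAC disabled)")
            if values.get("ConsentPromptBehaviorAdmin") == 0:
                findings.append(f"{where}\\ConsentPromptBehaviorAdmin = 0 (elevate without prompting)")
            for name in ("DisableTaskMgr", "DisableRegistryTools"):
                if values.get(name) == 1:
                    findings.append(f"{where}\\{name} = 1 (system policy restriction)")
    return sorted(findings)

# Constructed snapshot (value names invented); the Winlogon Shell is left at its default
# to show that an end-state check cannot see a write that restored the default string.
SAMPLE_SNAPSHOT: Snapshot = {
    ("HKLM", WINLOGON): {"Shell": "Explorer.exe", "Userinit": r"C:\Windows\system32\userinit.exe,"},
    ("HKLM", views(WINLOGON)[1]): {"Shell": "Explorer.exe"},
    ("HKLM", RUN): {"SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
                    "vcmnxryrfmw": r"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"},
    ("HKCU", RUN): {"tieoizqiskeqflaz": r"C:\Windows\tieoizqiskeqflaz.exe ."},
    ("HKLM", POL_RUN): {"1": r"C:\Windows\umlyvpjermjyqzrtijy.exe"},
    ("HKLM", POL_SYS): {"EnableLUA": 0, "ConsentPromptBehaviorAdmin": 0},
    ("HKCU", POL_SYS): {"DisableTaskMgr": 1},
}

if __name__ == "__main__":
    snapshot = read_live_registry() if sys.platform == "win32" else SAMPLE_SNAPSHOT
    for line in triage(snapshot):
        print(line)
```

An end-state check like this only sees what is left in the registry: a value rewritten to a string equal to its default is invisible, which is why the sandbox reports the write itself rather than the resulting value. On a live host, pair the snapshot with registry value-set telemetry on the same keys (Sysmon Event ID 13) and with the file-write events for the PIDs flagged above.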
[1] C:\Windows\system32\cmd.exe (PID 1684): C:\Windows\system32\cmd.exe /c haaomhcymigwpzsvlndw.exe
    [2] C:\Windows\haaomhcymigwpzsvlndw.exe (PID 4312): haaomhcymigwpzsvlndw.exe

[1] C:\Windows\system32\cmd.exe (PID 5940): C:\Windows\system32\cmd.exe /c aqnytldwhaviyfvvi.exe .
    [2] C:\Windows\aqnytldwhaviyfvvi.exe (PID 5544): aqnytldwhaviyfvvi.exe .
        [3] C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 4324): "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\aqnytldwhaviyfvvi.exe*."

[1] C:\Windows\system32\cmd.exe (PID 2876): C:\Windows\system32\cmd.exe /c jaykgzsmysoctbsthh.exe
    [2] C:\Windows\System32\Conhost.exe (PID 5292): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    [2] C:\Windows\jaykgzsmysoctbsthh.exe (PID 5708): jaykgzsmysoctbsthh.exe

[1] C:\Windows\system32\cmd.exe (PID 4688): C:\Windows\system32\cmd.exe /c wqrgfbxujgfwqbvzqtkef.exe .
    [2] C:\Windows\wqrgfbxujgfwqbvzqtkef.exe (PID 4960): wqrgfbxujgfwqbvzqtkef.exe .
        - Checks computer location settings
        [3] C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 5060): "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\wqrgfbxujgfwqbvzqtkef.exe*."

[1] C:\Windows\system32\cmd.exe (PID 4804): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe
    [2] C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe (PID 4380): C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe

[1] C:\Windows\system32\cmd.exe (PID 2536): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe .
    [2] C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe (PID 5900): C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe .
        [3] C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 4928): "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\wqrgfbxujgfwqbvzqtkef.exe*."

[1] C:\Windows\system32\cmd.exe (PID 4724): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe
    [2] C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe (PID 2236): C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe

[1] C:\Windows\system32\cmd.exe (PID 5968): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exe .
    [2] C:\Windows\System32\Conhost.exe (PID 4964): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    [2] C:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exe (PID 5752): C:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exe .
        [3] C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 848): "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\jaykgzsmysoctbsthh.exe*."

[1] C:\Windows\system32\cmd.exe (PID 5504): C:\Windows\system32\cmd.exe /c tieoizqiskeqflaz.exe
    [2] C:\Windows\tieoizqiskeqflaz.exe (PID 1972): tieoizqiskeqflaz.exe

[1] C:\Windows\system32\cmd.exe (PID 3856): C:\Windows\system32\cmd.exe /c haaomhcymigwpzsvlndw.exe .
    [2] C:\Windows\haaomhcymigwpzsvlndw.exe (PID 1144): haaomhcymigwpzsvlndw.exe .
        [3] C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 3544): "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\haaomhcymigwpzsvlndw.exe*."

[1] C:\Windows\system32\cmd.exe (PID 2088): C:\Windows\system32\cmd.exe /c tieoizqiskeqflaz.exe
    [2] C:\Windows\tieoizqiskeqflaz.exe (PID 4732): tieoizqiskeqflaz.exe

[1] C:\Windows\system32\cmd.exe (PID 3932): C:\Windows\system32\cmd.exe /c umlyvpjermjyqzrtijy.exe .
    [2] C:\Windows\System32\Conhost.exe (PID 6016): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    [2] C:\Windows\umlyvpjermjyqzrtijy.exe (PID 708): umlyvpjermjyqzrtijy.exe .
        [3] C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 1404): "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\umlyvpjermjyqzrtijy.exe*."

[1] C:\Windows\system32\cmd.exe (PID 5848): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe
    [2] C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe (PID 452): C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe

[1] C:\Windows\system32\cmd.exe (PID 5044): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe .
    [2] C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe (PID 1892): C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe .
        [3] C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 5100): "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\umlyvpjermjyqzrtijy.exe*."

[1] C:\Windows\system32\cmd.exe (PID 208): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe
    [2] C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe (PID 2472): C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe

[1] C:\Windows\system32\cmd.exe (PID 220): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe .
    [2] C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe (PID 3808): C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe .
        [3] C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 4640): "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\umlyvpjermjyqzrtijy.exe*."

[1] C:\Windows\system32\cmd.exe (PID 4304): C:\Windows\system32\cmd.exe /c aqnytldwhaviyfvvi.exe
    [2] C:\Windows\System32\Conhost.exe (PID 956): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    [2] C:\Windows\aqnytldwhaviyfvvi.exe (PID 1936): aqnytldwhaviyfvvi.exe

[1] C:\Windows\system32\cmd.exe (PID 2028): C:\Windows\system32\cmd.exe /c aqnytldwhaviyfvvi.exe .
    [2] C:\Windows\System32\Conhost.exe (PID 856): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    [2] C:\Windows\aqnytldwhaviyfvvi.exe (PID 4892): aqnytldwhaviyfvvi.exe .
        [3] C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 1208): "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\aqnytldwhaviyfvvi.exe*."

[1] C:\Windows\system32\cmd.exe (PID 2248): C:\Windows\system32\cmd.exe /c umlyvpjermjyqzrtijy.exe
    [2] C:\Windows\umlyvpjermjyqzrtijy.exe (PID 6012): umlyvpjermjyqzrtijy.exe

[1] C:\Windows\system32\cmd.exe (PID 1380): C:\Windows\system32\cmd.exe /c jaykgzsmysoctbsthh.exe .
    [2] C:\Windows\jaykgzsmysoctbsthh.exe (PID 4952): jaykgzsmysoctbsthh.exe .
        [3] C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 5588): "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\jaykgzsmysoctbsthh.exe*."

[1] C:\Windows\system32\cmd.exe (PID 1284): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exe
    [2] C:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exe (PID 3960): C:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exe

[1] C:\Windows\system32\cmd.exe (PID 3964): C:\Windows\system32\cmd.exe /c tieoizqiskeqflaz.exe
    [2] C:\Windows\tieoizqiskeqflaz.exe (PID 4392): tieoizqiskeqflaz.exe

[1] C:\Windows\system32\cmd.exe (PID 4516): C:\Windows\system32\cmd.exe /c tieoizqiskeqflaz.exe
    [2] C:\Windows\System32\Conhost.exe (PID 2328): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    [2] C:\Windows\tieoizqiskeqflaz.exe (PID 4184): tieoizqiskeqflaz.exe

[1] C:\Windows\system32\cmd.exe (PID 5564): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe .
    [2] C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe (PID 3084): C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe .
        [3] C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 5980): "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\wqrgfbxujgfwqbvzqtkef.exe*."

[1] C:\Windows\system32\cmd.exe (PID 3744): C:\Windows\system32\cmd.exe /c tieoizqiskeqflaz.exe .
    [2] C:\Windows\tieoizqiskeqflaz.exe (PID 4396): tieoizqiskeqflaz.exe .
        [3] C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 5116): "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\tieoizqiskeqflaz.exe*."

[1] C:\Windows\system32\cmd.exe (PID 5876): C:\Windows\system32\cmd.exe /c tieoizqiskeqflaz.exe .
    [2] C:\Windows\System32\Conhost.exe (PID 5892): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    [2] C:\Windows\tieoizqiskeqflaz.exe (PID 2164): tieoizqiskeqflaz.exe .
        [3] C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 4696): "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\tieoizqiskeqflaz.exe*."

[1] C:\Windows\system32\cmd.exe (PID 5344): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe
    [2] C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe (PID 4724): C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe

[1] C:\Windows\system32\cmd.exe (PID 1684): C:\Windows\system32\cmd.exe /c umlyvpjermjyqzrtijy.exe
    [2] C:\Windows\umlyvpjermjyqzrtijy.exe (PID 1392): umlyvpjermjyqzrtijy.exe

[1] C:\Windows\system32\cmd.exe (PID 2220): C:\Windows\system32\cmd.exe /c umlyvpjermjyqzrtijy.exe
    [2] C:\Windows\umlyvpjermjyqzrtijy.exe (PID 1972): umlyvpjermjyqzrtijy.exe

[1] C:\Windows\system32\cmd.exe (PID 4324): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe .
    [2] C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe (PID 1876): C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe .
        [3] C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 1948): "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\umlyvpjermjyqzrtijy.exe*."

[1] C:\Windows\system32\cmd.exe (PID 5708): C:\Windows\system32\cmd.exe /c jaykgzsmysoctbsthh.exe .
    [2] C:\Windows\jaykgzsmysoctbsthh.exe (PID 3252): jaykgzsmysoctbsthh.exe .
        [3] C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 1892): "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\jaykgzsmysoctbsthh.exe*."

[1] C:\Windows\system32\cmd.exe (PID 5292): C:\Windows\system32\cmd.exe /c jaykgzsmysoctbsthh.exe .
    [2] C:\Windows\jaykgzsmysoctbsthh.exe (PID 2880): jaykgzsmysoctbsthh.exe .
        [3] C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 3916): "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\jaykgzsmysoctbsthh.exe*."

[1] C:\Windows\system32\cmd.exe (PID 4596): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe
    [2] C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe (PID 5296): C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe

[1] C:\Windows\system32\cmd.exe (PID 5636): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe
    [2] C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe (PID 5384): C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe

[1] C:\Windows\system32\cmd.exe (PID 2776): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe .
    [2] C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe (PID 4916): C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe .
        [3] C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 6044): "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\umlyvpjermjyqzrtijy.exe*."

[1] C:\Windows\system32\cmd.exe (PID 5096): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe .
    [2] C:\Windows\System32\Conhost.exe (PID 4788): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    [2] C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe (PID 5312): C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe .
        [3] C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 1148): "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\umlyvpjermjyqzrtijy.exe*."

[1] C:\Windows\system32\cmd.exe (PID 2896): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe
    [2] C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe (PID 1296): C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe

[1] C:\Windows\system32\cmd.exe (PID 3488): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe
    [2] C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe (PID 3060): C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe

[1] C:\Windows\system32\cmd.exe (PID 4188): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe .
    [2] C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe (PID 212): C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe .
        [3] C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 660): "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\aqnytldwhaviyfvvi.exe*."

[1] C:\Windows\system32\cmd.exe (PID 1740): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe .
    [2] C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe (PID 1196): C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe .
        [3] C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 4128): "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\aqnytldwhaviyfvvi.exe*."

[1] C:\Windows\system32\cmd.exe (PID 3088): C:\Windows\system32\cmd.exe /c tieoizqiskeqflaz.exe
    [2] C:\Windows\tieoizqiskeqflaz.exe (PID 936): tieoizqiskeqflaz.exe

[1] C:\Windows\system32\cmd.exe (PID 2144): C:\Windows\system32\cmd.exe /c umlyvpjermjyqzrtijy.exe .
    [2] C:\Windows\umlyvpjermjyqzrtijy.exe (PID 4920): umlyvpjermjyqzrtijy.exe .
        [3] C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 5776): "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\umlyvpjermjyqzrtijy.exe*."

[1] C:\Windows\system32\cmd.exe (PID 5228): C:\Windows\system32\cmd.exe /c aqnytldwhaviyfvvi.exe
    [2] C:\Windows\System32\Conhost.exe (PID 804): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    [2] C:\Windows\aqnytldwhaviyfvvi.exe (PID 3796): aqnytldwhaviyfvvi.exe

[1] C:\Windows\system32\cmd.exe (PID 2828): C:\Windows\system32\cmd.exe /c aqnytldwhaviyfvvi.exe .
    [2] C:\Windows\aqnytldwhaviyfvvi.exe (PID 4508): aqnytldwhaviyfvvi.exe .
        [3] C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 428): "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\aqnytldwhaviyfvvi.exe*."

[1] C:\Windows\system32\cmd.exe (PID 4224): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe
    [2] C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe (PID 2160): C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe

[1] C:\Windows\system32\cmd.exe (PID 1132): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe .
    [2] C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe (PID 2324): C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe .
        [3] C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 1284): "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\aqnytldwhaviyfvvi.exe*."

[1] C:\Windows\system32\cmd.exe (PID 2988): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exe
    [2] C:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exe (PID 3964): C:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exe

[1] C:\Windows\system32\cmd.exe (PID 4212): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exe .
    [2] C:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exe (PID 388): C:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exe .
        [3] C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 4908): "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\tieoizqiskeqflaz.exe*."

[1] C:\Windows\system32\cmd.exe (PID 4708): C:\Windows\system32\cmd.exe /c umlyvpjermjyqzrtijy.exe
    [2] C:\Windows\umlyvpjermjyqzrtijy.exe (PID 2252): umlyvpjermjyqzrtijy.exe

[1] C:\Windows\system32\cmd.exe (PID 4724): C:\Windows\system32\cmd.exe /c haaomhcymigwpzsvlndw.exe .
    [2] C:\Windows\haaomhcymigwpzsvlndw.exe (PID 4860): haaomhcymigwpzsvlndw.exe .
        [3] C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 5368): "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\haaomhcymigwpzsvlndw.exe*."

[1] C:\Windows\system32\cmd.exe (PID 2892): C:\Windows\system32\cmd.exe /c umlyvpjermjyqzrtijy.exe
    [2] C:\Windows\umlyvpjermjyqzrtijy.exe (PID 3276): umlyvpjermjyqzrtijy.exe

[1] C:\Windows\system32\cmd.exe (PID 5296): C:\Windows\system32\cmd.exe /c umlyvpjermjyqzrtijy.exe .
    [2] C:\Windows\umlyvpjermjyqzrtijy.exe (PID 436): umlyvpjermjyqzrtijy.exe .
        [3] C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 1532): "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\umlyvpjermjyqzrtijy.exe*."

[1] C:\Windows\system32\cmd.exe (PID 3852): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe
    [2] C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe (PID 4688): C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe

[1] C:\Windows\system32\cmd.exe (PID 5916): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe .
    [2] C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe (PID 2088): C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe .
        [3] C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 452): "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\aqnytldwhaviyfvvi.exe*."

[1] C:\Windows\system32\cmd.exe (PID 224): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe
    [2] C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe (PID 4044): C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe

[1] C:\Windows\system32\cmd.exe (PID 3620): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe .
    [2] C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe (PID 1552): C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe .
        [3] C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 2472): "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\haaomhcymigwpzsvlndw.exe*."

[1] C:\Windows\system32\cmd.exe (PID 364): C:\Windows\system32\cmd.exe /c umlyvpjermjyqzrtijy.exe
    [2] C:\Windows\umlyvpjermjyqzrtijy.exe (PID 5092): umlyvpjermjyqzrtijy.exe

[1] C:\Windows\system32\cmd.exe (PID 2536): C:\Windows\system32\cmd.exe /c tieoizqiskeqflaz.exe .
    [2] C:\Windows\tieoizqiskeqflaz.exe (PID 2712): tieoizqiskeqflaz.exe .
        [3] C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 1936): "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\tieoizqiskeqflaz.exe*."

[1] C:\Windows\system32\cmd.exe (PID 3488): C:\Windows\system32\cmd.exe /c umlyvpjermjyqzrtijy.exe
    [2] C:\Windows\umlyvpjermjyqzrtijy.exe (PID 1976): umlyvpjermjyqzrtijy.exe

[1] C:\Windows\system32\cmd.exe (PID 116): C:\Windows\system32\cmd.exe /c jaykgzsmysoctbsthh.exe .
    [2] C:\Windows\jaykgzsmysoctbsthh.exe (PID 5484): jaykgzsmysoctbsthh.exe .
        [3] C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 5332): "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\jaykgzsmysoctbsthh.exe*."

[1] C:\Windows\system32\cmd.exe (PID 3540): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe
    [2] C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe (PID 5548): C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe

[1] C:\Windows\system32\cmd.exe (PID 3832): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe .
    [2] C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe (PID 6048): C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe .
        [3] C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 4208): "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\haaomhcymigwpzsvlndw.exe*."

[1] C:\Windows\system32\cmd.exe (PID 4040): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe
    [2] C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe (PID 708): C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe

[1] C:\Windows\system32\cmd.exe (PID 2624): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe .
    [2] C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe (PID 2144): C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe .
        [3] C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 1528): "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\wqrgfbxujgfwqbvzqtkef.exe*."

[1] C:\Windows\system32\cmd.exe (PID 5812): C:\Windows\system32\cmd.exe /c umlyvpjermjyqzrtijy.exe
    [2] C:\Windows\umlyvpjermjyqzrtijy.exe (PID 2552): umlyvpjermjyqzrtijy.exe

[1] C:\Windows\system32\cmd.exe (PID 1664): C:\Windows\system32\cmd.exe /c tieoizqiskeqflaz.exe .
    [2] C:\Windows\System32\Conhost.exe (PID 5256): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    [2] C:\Windows\tieoizqiskeqflaz.exe (PID 2324): tieoizqiskeqflaz.exe .
        [3] C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 4192): "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\tieoizqiskeqflaz.exe*."

[1] C:\Windows\system32\cmd.exe (PID 692): C:\Windows\system32\cmd.exe /c tieoizqiskeqflaz.exe
    [2] C:\Windows\tieoizqiskeqflaz.exe (PID 4676): tieoizqiskeqflaz.exe

[1] C:\Windows\system32\cmd.exe (PID 3584): C:\Windows\system32\cmd.exe /c haaomhcymigwpzsvlndw.exe .
    [2] C:\Windows\haaomhcymigwpzsvlndw.exe (PID 5588): haaomhcymigwpzsvlndw.exe .
        [3] C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 2520): "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\haaomhcymigwpzsvlndw.exe*."

[1] C:\Windows\system32\cmd.exe (PID 5560): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exe
    [2] C:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exe (PID 5452): C:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exe

[1] C:\Windows\system32\cmd.exe (PID 852): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe .
    [2] C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe (PID 5876): C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe .
        [3] C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 5076): "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\umlyvpjermjyqzrtijy.exe*."

[1] C:\Windows\system32\cmd.exe (PID 3600): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe
    [2] C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe (PID 3704): C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe

[1] C:\Windows\system32\cmd.exe (PID 2716): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exe .
    [2] C:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exe (PID 4696): C:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exe .
        [3] C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 4704): "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\tieoizqiskeqflaz.exe*."

[1] C:\Windows\system32\cmd.exe (PID 4904): C:\Windows\system32\cmd.exe /c jaykgzsmysoctbsthh.exe
    [2] C:\Windows\jaykgzsmysoctbsthh.exe (PID 5584): jaykgzsmysoctbsthh.exe

[1] C:\Windows\system32\cmd.exe (PID 4092): C:\Windows\system32\cmd.exe /c jaykgzsmysoctbsthh.exe .
    [2] C:\Windows\jaykgzsmysoctbsthh.exe (PID 5968): jaykgzsmysoctbsthh.exe .
        [3] C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 4672): "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\jaykgzsmysoctbsthh.exe*."

[1] C:\Windows\system32\cmd.exe (PID 5020): C:\Windows\system32\cmd.exe /c jaykgzsmysoctbsthh.exe
    [2] C:\Windows\System32\Conhost.exe (PID 4724): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    [2] C:\Windows\jaykgzsmysoctbsthh.exe (PID 1708): jaykgzsmysoctbsthh.exe

[1] C:\Windows\system32\cmd.exe (PID 5464): C:\Windows\system32\cmd.exe /c umlyvpjermjyqzrtijy.exe .
    [2] C:\Windows\umlyvpjermjyqzrtijy.exe (PID 2148): umlyvpjermjyqzrtijy.exe .
        [3] C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 5916): "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\umlyvpjermjyqzrtijy.exe*."

[1] C:\Windows\system32\cmd.exe (PID 1532): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe
    [2] C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe (PID 824): C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe

[1] C:\Windows\system32\cmd.exe (PID 5152): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe .
    [2] C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe (PID 1944): C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe .
        [3] C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 4716): "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\aqnytldwhaviyfvvi.exe*."

[1] C:\Windows\system32\cmd.exe (PID 1892): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe
    [2] C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe (PID 5100): C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe

[1] C:\Windows\system32\cmd.exe (PID 1516): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe .
    [2] C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe (PID 2152): C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe .
        [3] C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 5064): "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\wqrgfbxujgfwqbvzqtkef.exe*."

[1] C:\Windows\system32\cmd.exe (PID 5424): C:\Windows\system32\cmd.exe /c jaykgzsmysoctbsthh.exe
    [2] C:\Windows\jaykgzsmysoctbsthh.exe (PID 4428): jaykgzsmysoctbsthh.exe

[1] C:\Windows\system32\cmd.exe (PID 5708): C:\Windows\system32\cmd.exe /c jaykgzsmysoctbsthh.exe .
    [2] C:\Windows\jaykgzsmysoctbsthh.exe (PID 5008): jaykgzsmysoctbsthh.exe .
        [3] C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 928): "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\jaykgzsmysoctbsthh.exe*."

[1] C:\Windows\system32\cmd.exe (PID 2412): C:\Windows\system32\cmd.exe /c jaykgzsmysoctbsthh.exe
    [2] C:\Windows\jaykgzsmysoctbsthh.exe (PID 1324): jaykgzsmysoctbsthh.exe

[1] C:\Windows\system32\cmd.exe (PID 2852): C:\Windows\system32\cmd.exe /c jaykgzsmysoctbsthh.exe .
    [2] C:\Windows\jaykgzsmysoctbsthh.exe (PID 5360): jaykgzsmysoctbsthh.exe .
        [3] C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 1196): "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\jaykgzsmysoctbsthh.exe*."

[1] C:\Windows\system32\cmd.exe (PID 4788): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe
    [2] C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe (PID 1188): C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe

[1] C:\Windows\system32\cmd.exe (PID 5788): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exe .
    [2] C:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exe (PID 904): C:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exe .
        [3] C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 6012): "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\tieoizqiskeqflaz.exe*."

[1] C:\Windows\system32\cmd.exe (PID 3200): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe
    [2] C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe (PID 1624): C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe

[1] C:\Windows\system32\cmd.exe (PID 708): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exe .
    [2] C:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exe (PID 2292): C:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exe .
        [3] C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 2160): "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\tieoizqiskeqflaz.exe*."

[1] C:\Windows\system32\cmd.exe (PID 4224): C:\Windows\system32\cmd.exe /c aqnytldwhaviyfvvi.exe
    [2] C:\Windows\aqnytldwhaviyfvvi.exe (PID 4244): aqnytldwhaviyfvvi.exe

[1] C:\Windows\system32\cmd.exe (PID 724): C:\Windows\system32\cmd.exe /c umlyvpjermjyqzrtijy.exe .
    [2] C:\Windows\umlyvpjermjyqzrtijy.exe (PID 4976): umlyvpjermjyqzrtijy.exe .
        [3] C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 4636): "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\umlyvpjermjyqzrtijy.exe*."

[1] C:\Windows\system32\cmd.exe (PID 1628): C:\Windows\system32\cmd.exe /c haaomhcymigwpzsvlndw.exe
    [2] C:\Windows\haaomhcymigwpzsvlndw.exe (PID 5048): haaomhcymigwpzsvlndw.exe

[1] C:\Windows\system32\cmd.exe (PID 1456): C:\Windows\system32\cmd.exe /c tieoizqiskeqflaz.exe
    [2] C:\Windows\tieoizqiskeqflaz.exe (PID 5884): tieoizqiskeqflaz.exe

[1] C:\Windows\system32\cmd.exe (PID 4676): C:\Windows\system32\cmd.exe /c haaomhcymigwpzsvlndw.exe
    [2] C:\Windows\haaomhcymigwpzsvlndw.exe (PID 5988): haaomhcymigwpzsvlndw.exe

[1] C:\Windows\system32\cmd.exe (PID 5452): C:\Windows\system32\cmd.exe /c tieoizqiskeqflaz.exe .
    [2] C:\Windows\tieoizqiskeqflaz.exe (PID 5368): tieoizqiskeqflaz.exe .
        [3] C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 4320): "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\tieoizqiskeqflaz.exe*."

[1] C:\Windows\system32\cmd.exe (PID 408): C:\Windows\system32\cmd.exe /c umlyvpjermjyqzrtijy.exe .
    [2] C:\Windows\umlyvpjermjyqzrtijy.exe (PID 4144): umlyvpjermjyqzrtijy.exe .
        [3] C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 4100): "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\umlyvpjermjyqzrtijy.exe*."

[1] C:\Windows\system32\cmd.exe (PID 3908): C:\Windows\system32\cmd.exe /c aqnytldwhaviyfvvi.exe .
    [2] C:\Windows\aqnytldwhaviyfvvi.exe (PID 6124): aqnytldwhaviyfvvi.exe .
        [3] C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 5492): "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\aqnytldwhaviyfvvi.exe*."

[1] C:\Windows\system32\cmd.exe (PID 5876): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe
    [2] C:\Windows\System32\Conhost.exe (PID 5632): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    [2] C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe (PID 5132): C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe

[1] C:\Windows\system32\cmd.exe (PID 4796): C:\Windows\system32\cmd.exe /c umlyvpjermjyqzrtijy.exe
    [2] C:\Windows\umlyvpjermjyqzrtijy.exe (PID 2424): umlyvpjermjyqzrtijy.exe

[1] C:\Windows\system32\cmd.exe (PID 3724): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe .
    [2] C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe (PID 5152): C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe .
        [3] C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 6112): "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\aqnytldwhaviyfvvi.exe*."

[1] C:\Windows\system32\cmd.exe (PID 5612): C:\Windows\system32\cmd.exe /c tieoizqiskeqflaz.exe
    [2] C:\Windows\tieoizqiskeqflaz.exe (PID 1712): tieoizqiskeqflaz.exe

[1] C:\Windows\system32\cmd.exe (PID 648): C:\Windows\system32\cmd.exe /c haaomhcymigwpzsvlndw.exe .
    [2] C:\Windows\haaomhcymigwpzsvlndw.exe (PID 4832): haaomhcymigwpzsvlndw.exe .
        [3] C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 3124): "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\haaomhcymigwpzsvlndw.exe*."

[1] C:\Windows\system32\cmd.exe (PID 2240): C:\Windows\system32\cmd.exe /c tieoizqiskeqflaz.exe .
    [2] C:\Windows\System32\Conhost.exe (PID 5032): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    [2] C:\Windows\tieoizqiskeqflaz.exe (PID 1888): tieoizqiskeqflaz.exe .
        [3] C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 3452): "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\tieoizqiskeqflaz.exe*."

[1] C:\Windows\system32\cmd.exe (PID 3332): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exe
    [2] C:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exe (PID 5920): C:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exe

[1] C:\Windows\system32\cmd.exe (PID 1268): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exe
    [2] C:\Windows\System32\Conhost.exe (PID 1192): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    [2] C:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exe (PID 928): C:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exe

[1] C:\Windows\system32\cmd.exe (PID 1836): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exe .
    [2] C:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exe (PID 3484): C:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exe .
        [3] C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe (PID 5788): "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\tieoizqiskeqflaz.exe*."

[1] C:\Windows\system32\cmd.exe (PID 2100): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe
-
C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exeC:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe2⤵PID:4992
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe .1⤵PID:3324
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4644
-
-
C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exeC:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe .2⤵PID:5592
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\wqrgfbxujgfwqbvzqtkef.exe*."3⤵PID:4632
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe .1⤵PID:384
-
C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exeC:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe .2⤵PID:5060
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\umlyvpjermjyqzrtijy.exe*."3⤵PID:5148
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exe1⤵PID:392
-
C:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exeC:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exe2⤵PID:4304
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exe1⤵PID:1892
-
C:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exeC:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exe2⤵PID:2032
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exe .1⤵PID:1556
-
C:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exeC:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exe .2⤵PID:212
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\tieoizqiskeqflaz.exe*."3⤵PID:4936
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe .1⤵PID:1292
-
C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exeC:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe .2⤵PID:5340
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\haaomhcymigwpzsvlndw.exe*."3⤵PID:4040
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c umlyvpjermjyqzrtijy.exe1⤵PID:2776
-
C:\Windows\umlyvpjermjyqzrtijy.exeumlyvpjermjyqzrtijy.exe2⤵PID:2116
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqnytldwhaviyfvvi.exe .1⤵PID:6096
-
C:\Windows\aqnytldwhaviyfvvi.exeaqnytldwhaviyfvvi.exe .2⤵PID:5064
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\aqnytldwhaviyfvvi.exe*."3⤵PID:2112
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tieoizqiskeqflaz.exe1⤵PID:4652
-
C:\Windows\tieoizqiskeqflaz.exetieoizqiskeqflaz.exe2⤵PID:848
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqnytldwhaviyfvvi.exe .1⤵PID:3348
-
C:\Windows\aqnytldwhaviyfvvi.exeaqnytldwhaviyfvvi.exe .2⤵PID:2836
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\aqnytldwhaviyfvvi.exe*."3⤵PID:4396
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exe1⤵PID:3228
-
C:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exeC:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exe2⤵PID:4996
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe .1⤵PID:4760
-
C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exeC:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe .2⤵PID:1628
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\haaomhcymigwpzsvlndw.exe*."3⤵PID:852
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exe1⤵PID:1032
-
C:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exeC:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exe2⤵PID:2028
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe .1⤵PID:3036
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:768
-
-
C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exeC:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe .2⤵PID:2484
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\haaomhcymigwpzsvlndw.exe*."3⤵PID:3600
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tieoizqiskeqflaz.exe1⤵PID:1996
-
C:\Windows\tieoizqiskeqflaz.exetieoizqiskeqflaz.exe2⤵PID:2348
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqnytldwhaviyfvvi.exe .1⤵PID:5828
-
C:\Windows\aqnytldwhaviyfvvi.exeaqnytldwhaviyfvvi.exe .2⤵PID:5408
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\aqnytldwhaviyfvvi.exe*."3⤵PID:3252
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wqrgfbxujgfwqbvzqtkef.exe1⤵PID:3908
-
C:\Windows\wqrgfbxujgfwqbvzqtkef.exewqrgfbxujgfwqbvzqtkef.exe2⤵PID:5600
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wqrgfbxujgfwqbvzqtkef.exe .1⤵PID:4380
-
C:\Windows\wqrgfbxujgfwqbvzqtkef.exewqrgfbxujgfwqbvzqtkef.exe .2⤵PID:5420
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\wqrgfbxujgfwqbvzqtkef.exe*."3⤵PID:4420
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exe1⤵PID:5312
-
C:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exeC:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exe2⤵PID:4604
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exe .1⤵PID:5536
-
C:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exeC:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exe .2⤵PID:2252
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\tieoizqiskeqflaz.exe*."3⤵PID:364
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe1⤵PID:2876
-
C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exeC:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe2⤵PID:2812
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exe .1⤵PID:984
-
C:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exeC:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exe .2⤵PID:1428
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\jaykgzsmysoctbsthh.exe*."3⤵PID:4632
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tieoizqiskeqflaz.exe1⤵PID:5700
-
C:\Windows\tieoizqiskeqflaz.exetieoizqiskeqflaz.exe2⤵PID:4920
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqnytldwhaviyfvvi.exe .1⤵PID:5780
-
C:\Windows\aqnytldwhaviyfvvi.exeaqnytldwhaviyfvvi.exe .2⤵PID:1716
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\aqnytldwhaviyfvvi.exe*."3⤵PID:4208
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jaykgzsmysoctbsthh.exe1⤵PID:5388
-
C:\Windows\jaykgzsmysoctbsthh.exejaykgzsmysoctbsthh.exe2⤵PID:6012
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wqrgfbxujgfwqbvzqtkef.exe .1⤵PID:3324
-
C:\Windows\wqrgfbxujgfwqbvzqtkef.exewqrgfbxujgfwqbvzqtkef.exe .2⤵PID:5916
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\wqrgfbxujgfwqbvzqtkef.exe*."3⤵PID:5844
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe1⤵PID:464
-
C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exeC:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe2⤵PID:4188
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exe .1⤵PID:1892
-
C:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exeC:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exe .2⤵PID:1736
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\tieoizqiskeqflaz.exe*."3⤵PID:1412
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe1⤵PID:4712
-
C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exeC:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe2⤵PID:3856
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exe .1⤵PID:4836
-
C:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exeC:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exe .2⤵PID:3012
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\jaykgzsmysoctbsthh.exe*."3⤵PID:2312
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jaykgzsmysoctbsthh.exe1⤵PID:2132
-
C:\Windows\jaykgzsmysoctbsthh.exejaykgzsmysoctbsthh.exe2⤵PID:1284
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wqrgfbxujgfwqbvzqtkef.exe .1⤵PID:4504
-
C:\Windows\wqrgfbxujgfwqbvzqtkef.exewqrgfbxujgfwqbvzqtkef.exe .2⤵PID:3360
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\wqrgfbxujgfwqbvzqtkef.exe*."3⤵PID:1632
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wqrgfbxujgfwqbvzqtkef.exe1⤵PID:4224
-
C:\Windows\wqrgfbxujgfwqbvzqtkef.exewqrgfbxujgfwqbvzqtkef.exe2⤵PID:4672
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqnytldwhaviyfvvi.exe .1⤵PID:708
-
C:\Windows\aqnytldwhaviyfvvi.exeaqnytldwhaviyfvvi.exe .2⤵PID:4968
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\aqnytldwhaviyfvvi.exe*."3⤵PID:380
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe1⤵PID:3728
-
C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exeC:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe2⤵PID:5812
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe .1⤵PID:5640
-
C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exeC:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe .2⤵PID:2516
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\haaomhcymigwpzsvlndw.exe*."3⤵PID:4372
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe1⤵PID:4512
-
C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exeC:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe2⤵PID:1904
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe .1⤵PID:4708
-
C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exeC:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe .2⤵PID:2844
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\wqrgfbxujgfwqbvzqtkef.exe*."3⤵PID:5200
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tieoizqiskeqflaz.exe1⤵PID:5976
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1876
-
-
C:\Windows\tieoizqiskeqflaz.exetieoizqiskeqflaz.exe2⤵PID:2392
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c haaomhcymigwpzsvlndw.exe .1⤵PID:4864
-
C:\Windows\haaomhcymigwpzsvlndw.exehaaomhcymigwpzsvlndw.exe .2⤵PID:2328
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\haaomhcymigwpzsvlndw.exe*."3⤵PID:3252
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jaykgzsmysoctbsthh.exe1⤵PID:5376
-
C:\Windows\jaykgzsmysoctbsthh.exejaykgzsmysoctbsthh.exe2⤵PID:5912
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c umlyvpjermjyqzrtijy.exe .1⤵PID:1068
-
C:\Windows\umlyvpjermjyqzrtijy.exeumlyvpjermjyqzrtijy.exe .2⤵PID:1136
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\umlyvpjermjyqzrtijy.exe*."3⤵PID:5312
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe1⤵PID:4780
-
C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exeC:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe2⤵PID:4144
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exe .1⤵PID:4740
-
C:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exeC:\Users\Admin\AppData\Local\Temp\jaykgzsmysoctbsthh.exe .2⤵PID:928
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\jaykgzsmysoctbsthh.exe*."3⤵PID:3180
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe1⤵PID:1076
-
C:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exeC:\Users\Admin\AppData\Local\Temp\haaomhcymigwpzsvlndw.exe2⤵PID:3924
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe .1⤵PID:2252
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4516
-
-
C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exeC:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe .2⤵PID:364
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\wqrgfbxujgfwqbvzqtkef.exe*."3⤵PID:4964
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tieoizqiskeqflaz.exe1⤵PID:5564
-
C:\Windows\tieoizqiskeqflaz.exetieoizqiskeqflaz.exe2⤵PID:1972
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jaykgzsmysoctbsthh.exe .1⤵PID:4304
-
C:\Windows\jaykgzsmysoctbsthh.exejaykgzsmysoctbsthh.exe .2⤵PID:5104
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\jaykgzsmysoctbsthh.exe*."3⤵PID:3008
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jaykgzsmysoctbsthh.exe1⤵PID:4220
-
C:\Windows\jaykgzsmysoctbsthh.exejaykgzsmysoctbsthh.exe2⤵PID:1716
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tieoizqiskeqflaz.exe .1⤵PID:2928
-
C:\Windows\tieoizqiskeqflaz.exetieoizqiskeqflaz.exe .2⤵PID:3604
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\tieoizqiskeqflaz.exe*."3⤵PID:5208
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe1⤵PID:5780
-
C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exeC:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe2⤵PID:5364
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe .1⤵PID:4188
-
C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exeC:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe .2⤵PID:5916
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\umlyvpjermjyqzrtijy.exe*."3⤵PID:452
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe1⤵PID:3324
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2076
-
-
C:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exeC:\Users\Admin\AppData\Local\Temp\umlyvpjermjyqzrtijy.exe2⤵PID:2464
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe .1⤵PID:5608
-
C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exeC:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe .2⤵PID:4264
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\aqnytldwhaviyfvvi.exe*."3⤵PID:2152
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqnytldwhaviyfvvi.exe1⤵PID:4176
-
C:\Windows\aqnytldwhaviyfvvi.exeaqnytldwhaviyfvvi.exe2⤵PID:2112
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wqrgfbxujgfwqbvzqtkef.exe1⤵PID:2772
-
C:\Windows\wqrgfbxujgfwqbvzqtkef.exewqrgfbxujgfwqbvzqtkef.exe2⤵PID:1300
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jaykgzsmysoctbsthh.exe .1⤵PID:5872
-
C:\Windows\jaykgzsmysoctbsthh.exejaykgzsmysoctbsthh.exe .2⤵PID:2248
-
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\jaykgzsmysoctbsthh.exe*."3⤵PID:3784
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tieoizqiskeqflaz.exe1⤵PID:4576
-
C:\Windows\tieoizqiskeqflaz.exetieoizqiskeqflaz.exe2⤵PID:1968
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tieoizqiskeqflaz.exe .1⤵PID:2240
-
C:\Windows\tieoizqiskeqflaz.exetieoizqiskeqflaz.exe .2⤵PID:4944
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c haaomhcymigwpzsvlndw.exe1⤵PID:5724
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c haaomhcymigwpzsvlndw.exe .1⤵PID:4656
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wqrgfbxujgfwqbvzqtkef.exe .1⤵PID:2424
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jaykgzsmysoctbsthh.exe1⤵PID:5980
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:380
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tieoizqiskeqflaz.exe1⤵PID:448
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c umlyvpjermjyqzrtijy.exe .1⤵PID:116
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe .1⤵PID:4976
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqnytldwhaviyfvvi.exe1⤵PID:4512
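The sandbox exports each entry of the tree above as one string in which the image path, the command line, the nesting depth and the PID are run together. The Python below is an added example, not tooling from the sandbox vendor or code from the sample: it parses a handful of entries copied from this tree (embedded as a constructed sample), rebuilds parent/child relations from the depth markers, lists the executables that run from outside the system directories, and pairs each `cmd.exe /c` launcher with the binary it started and with the third-stage process that receives that binary's path suffixed with `*.`. The `SYSTEM_DIRS` set, the dictionary keys and the split of image path from command line at the first `.exe` are the example's own choices; the report does not say what the `*.` argument means to the third stage, so the code only records it.

```python
# Added example (not sandbox-vendor tooling): rebuild and summarise a process
# tree exported as "<image path><command line><depth>⤵PID:<pid>".
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: entries copied from the tree in this report. Depth 1 is
# a top-level process, 2 its child, 3 a grandchild; "-" lines are separators.
SAMPLE = r"""
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tieoizqiskeqflaz.exe .1⤵PID:5452
C:\Windows\tieoizqiskeqflaz.exetieoizqiskeqflaz.exe .2⤵PID:5368
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\tieoizqiskeqflaz.exe*."3⤵PID:4320
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe1⤵PID:5876
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5632
C:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exeC:\Users\Admin\AppData\Local\Temp\wqrgfbxujgfwqbvzqtkef.exe2⤵PID:5132
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqnytldwhaviyfvvi.exe .1⤵PID:3908
C:\Windows\aqnytldwhaviyfvvi.exeaqnytldwhaviyfvvi.exe .2⤵PID:6124
C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe"C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\aqnytldwhaviyfvvi.exe*."3⤵PID:5492
"""

# Lazy ".+?\.exe" ends the image path at its first ".exe" (true for every
# entry above, Conhost.exe included); the digit before the arrow is the depth.
LINE_RE = re.compile(
    r"^(?P<image>.+?\.exe)(?P<cmdline>.*?)(?P<depth>\d)⤵PID:(?P<pid>\d+)$",
    re.IGNORECASE,
)
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}  # rest = dropped

@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str
    children: List["Proc"] = field(default_factory=list)

    @property
    def name(self) -> str:  # lower-cased image basename
        return self.image.rsplit("\\", 1)[-1].lower()

    @property
    def directory(self) -> str:  # lower-cased image directory
        return self.image.rsplit("\\", 1)[0].lower()

def parse_tree(text: str) -> Tuple[List[Proc], List[Proc]]:
    """Return (top-level processes, all processes); depth markers rebuild nesting."""
    roots: List[Proc] = []
    procs: List[Proc] = []
    stack: List[Proc] = []  # stack[i] is the latest process seen at depth i+1
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line == "-":
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable tree entry: {line!r}")
        proc = Proc(int(m["pid"]), m["image"], m["cmdline"])
        del stack[int(m["depth"]) - 1:]  # unwind to this entry's parent depth
        (stack[-1].children if stack else roots).append(proc)
        stack.append(proc)
        procs.append(proc)
    return roots, procs

def launched_target(cmdline: str) -> Optional[str]:
    """Basename of the executable a 'cmd.exe /c <target> [.]' line launches."""
    m = re.search(r"\s/c\s+(\S+)", cmdline, re.IGNORECASE)
    return m.group(1).rsplit("\\", 1)[-1].lower() if m else None

def launch_chains(roots: List[Proc]) -> List[dict]:
    """Pair each top-level cmd.exe /c launcher with the child it started and
    with the grandchild that receives that child's path suffixed with '*.'."""
    chains: List[dict] = []
    for cmd in roots:
        if cmd.name != "cmd.exe":
            continue
        target = launched_target(cmd.cmdline)
        for child in cmd.children:
            if child.name != target:  # skips e.g. the conhost.exe console host
                continue
            third = next((g for g in child.children
                          if g.cmdline.rstrip('"').endswith("*.")), None)
            # last quoted argument of the third stage, e.g. "c:\windows\x.exe*."
            arg = re.findall(r'"([^"]*)"', third.cmdline)[-1] if third else None
            chains.append({"launcher_pid": cmd.pid, "binary": child.name,
                           "directory": child.directory,
                           "third_stage": third.name if third else None,
                           "third_stage_arg": arg})
    return chains

def summarize(text: str) -> dict:
    roots, procs = parse_tree(text)
    return {
        "process_count": len(procs),
        "root_count": len(roots),
        "dropped": sorted({(p.directory, p.name) for p in procs
                           if p.directory not in SYSTEM_DIRS}),
        "chains": launch_chains(roots),
    }
```

Running `summarize(SAMPLE)` on the embedded entries yields three launch chains; two of them end in the third stage with a `c:\windows\...exe*.` argument, while the launcher of `wqrgfbxujgfwqbvzqtkef.exe` from `%TEMP%` has only the console host as a sibling and no third stage. Splitting at the first `.exe` is what makes this export parseable without a separator; it would break on an image path that contains `.exe` in a directory name, so treat it as a property of this report rather than a general rule.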
Network
MITRE ATT&CK Enterprise v16 (count of matching signatures in parentheses)

Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)

Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
  Impair Defenses (2)
    Disable or Modify Tools (1)
    Safe Mode Boot (1)
  Modify Registry (5)
Downloads

- Filesize 120B
  MD5    6c59c253071c00f3cf039cc32f7b714b
  SHA1   9a9b11d54a67e560678842a274655d1205dd1c27
  SHA256 c14775c097be583b6c6c8ea53ae024c1e4468e4b87a9584603dcab0c89076023
  SHA512 f55d9c789d2c7abb11934b94c87db63aca687cbdf51bd4f8e753a4ba8cfd4069fbfd7a936ba122331c53d00d4e384378a1b771e438a2911db01fcedf543bee38

- Filesize 120B
  MD5    ad26c91b0c12f06158b53d065dbb371f
  SHA1   4c91656e839f4456efd0971abba9fb190209e4d1
  SHA256 9d9c246f888146f92fbab88be4b0017e42e135360d642f25c60462fe1add998d
  SHA512 368e95dd9905acf566912ccd120d9fcaeaea3b902d9f8730754a20ae2043b2517e5f6776b8add11b419b21036ba5ff17325d05bd3abe3570e9ca4bd67b414da2

- Filesize 120B
  MD5    6c8e33de6c120c7fbc02824ffce458e4
  SHA1   eae802f217333fb8fdec2ba712dc06b1e024c91f
  SHA256 b0fe705c520b41251a16c677fe700fb3b5b34a4be33965ac0037c395284d550f
  SHA512 8371762e885b246b4278c74075b3247fedbd803a2db03f31f35e461b3ab932b22a332a203585b25f8d7ecdfe0ab469badd03c02c0cef9a050a97b2fabe578fb0

- Filesize 120B
  MD5    98de08751087e9d0a4965c3ed7e955ce
  SHA1   fbab36d5a1f24acdf35c7f5dc168f0ce4e8c2726
  SHA256 41ff0fc6c76494d8596977538af6b49931bab4a6ceeb6dde7f590b665aa5a2ee
  SHA512 8db259c91c816d3789b7851d620c1f6bc0ec8424269d0c9ab7765dede0b30c049c79add0ab361bfd2dcc0fc1e4169f2ace9b101c67f955f388318c435dc9c237

- Filesize 120B
  MD5    5fd690adfcb271f08acc758878a0beba
  SHA1   0be43201985fb0f25c4205800694bff6ef5a515a
  SHA256 d28a728ae2d449fc0cbb3a0675c175c53ba4d33d91c95570b2f3a371612e5814
  SHA512 2cbef223ca7fa04ba63ab03901a40473e2441c73c443422fc733139ab111f145ea522f6f9482501ac97cd550595adfe817821aa6f084b64dba656e6058d6de44

- Filesize 120B
  MD5    041c888b48b5c809d7cff216e819eee1
  SHA1   d56e72c91a9e691dbe319b6781af8cd0411b5d00
  SHA256 77432700c095497f69acf30e1eff8527f163f55966b279f40aad40ca40a77643
  SHA512 8e97af72c91b75eae1727fea45c0e8016af9250bf1a3df7f104061ee39fa50d6daea34324e229a9e426a240c38fc54f7290a9ada080c0128301f8665b3ddadb0

- Filesize 668KB
  MD5    00d3e24dcf409ac926fab68da7f97e67
  SHA1   131eb56e1b5dc09f17be395c6294d690a58ed45b
  SHA256 b8154726e58a62b52e2860717b0f0f2bbdecaa2f9e32ed521cb2bd31442ed4be
  SHA512 f60ea70e785b5e82ba81b9968e716fd2fa5b9fe9bffee2aa3736648fa41450ddf9748e8df0f149412de5199fb7cd5767202baf9c18a41336094001692537d7ec

- Filesize 308KB
  MD5    85cb856b920e7b0b7b75115336fc2af2
  SHA1   1d1a207efec2f5187583b652c35aef74ee4c473f
  SHA256 6fff20aabe8265b6e811c9dbcb987f9c15cf07d1d8b80ced7b287d96900f5c62
  SHA512 120ff9c77c19216e5691b6ba812f09f7db7b46685a391027fff56e5b73200f4211b6bac2c2d28cdfe461d1fbf10f1a3204adeedbd0a34a034a862c6278d901e8

- Filesize 3KB
  MD5    adc93a8f3b7ba5cbc9d31ca4c1548752
  SHA1   17eed569c29985c23eeb38ecd311364caabae9a9
  SHA256 76b3257f7b2040cc0b2ff45c3dd401513f41e122ac64bf054e39737f7fdb3386
  SHA512 ab985d2e22d3fdf7fbf7fe23992eb2fc181ca327bad0f77b0cca079cef488bbfe89f4a87413bc5894e15658e5a9186b5d1f4251bd8cbfee2702b3f5e6cacc40b

- Filesize 120B
  MD5    3013495010498d20972a875e33769ca4
  SHA1   045a7f520b90249cdfe3aa17ac65eb9ebfe9b720
  SHA256 0f431deaa72269ed461bb4d6a16ac30ca83981a7a326acf3386e437b43bff3e4
  SHA512 101319fcb5217191b729d0142b173648ef129ef4c6b783f747d6676eece5c5ff862cbacc5a98d9e781fd76235be94c6e9b5869b1f126a7a5eed3268637820824

- Filesize 480KB
  MD5    c7e5d9b24e40b9b5909256350f70b10b
  SHA1   fb9d569e524b0cbe1f4a4a600ada58f687a7aee4
  SHA256 2e7aa86c211bcba2701f0d5acd491714bcbaf5f5cd6e930bc9795fdfb2a7f859
  SHA512 2cb935a8f5f1bc4fafbcd7de1bd3dabe65e31a2f3f860dcfbc65aad89242841e59fc6fffec922f20f4c983723329503060b00e4e7152873730c7de41b93a17ea