Analysis

max time kernel: 61s
max time network: 150s
platform: windows11-21h2_x64
resource: win11-20250410-en
resource tags: arch:x64, arch:x86, image:win11-20250410-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 21/04/2025, 06:04

Static task: static1

Behavioral task: behavioral1
  Sample: JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe
  Resource: win10v2004-20250314-en

Behavioral task: behavioral2
  Sample: JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe
  Resource: win11-20250410-en

General

Target: JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe
Size: 636KB
MD5: c80bb333a03aefa2ebc92b2d4851eaed
SHA1: e8f4a6c6537522d8c9e187f4cc2ae47252c39e6f
SHA256: 26aa0051cdca76b6fea6ef46de623fc60b21b3adcb3100e3366ab638fe9c3a38
SHA512: 5a2d9a4c626761a0b9ce6eca4d21453a35ea91d29a17a7ebef69d0cccf7dd86accc8ed395437578e329e6aea98dd6cb05c02a7b53ffb8014400f11a6041da4f9
SSDEEP: 12288:2pUJ3r6YkVwJgNnSykgb9cqWnw4q6ZmFhqsbS5jjcS5jA:2pUNr6YkVRFkgbeqeo68FhqW

Malware Config

Signatures
Modifies WinLogon for persistence (2 TTPs, 31 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | mqwblm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | mqwblm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gwijnolzqgs.exe
Pykspa family
UAC bypass (3 TTPs, 40 IoCs)

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | mqwblm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | mqwblm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | mqwblm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | mqwblm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | mqwblm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | mqwblm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | mqwblm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | mqwblm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gwijnolzqgs.exe
Detect Pykspa worm (2 IoCs)

resource | yara_rule
behavioral2/files/0x001b00000002acc0-4.dat | family_pykspa
behavioral2/files/0x001900000002b213-86.dat | family_pykspa
Adds policy Run key to start application (2 TTPs, 64 IoCs)

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | mqwblm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ygqznsclzh = "zqjbymfxulusmvhqvrd.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ygqznsclzh = "ymcrlwmbvjpkbhqw.exe" | gwijnolzqgs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ygqznsclzh = "oewnjwofbrzwpxiqup.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ygqznsclzh = "zqjbymfxulusmvhqvrd.exe" | mqwblm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ygqznsclzh = "meyrpeyrphrqlvisyvia.exe" | mqwblm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zelrcel = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bupjiytnmfqqmxlwdbpid.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zelrcel = "C:\\Users\\Admin\\AppData\\Local\\Temp\\meyrpeyrphrqlvisyvia.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zelrcel = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fulbwizpkzgcublsv.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zelrcel = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bupjiytnmfqqmxlwdbpid.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zelrcel = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fulbwizpkzgcublsv.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zelrcel = "C:\\Users\\Admin\\AppData\\Local\\Temp\\meyrpeyrphrqlvisyvia.exe" | gwijnolzqgs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | gwijnolzqgs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | gwijnolzqgs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ygqznsclzh = "zqjbymfxulusmvhqvrd.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ygqznsclzh = "zqjbymfxulusmvhqvrd.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ygqznsclzh = "bupjiytnmfqqmxlwdbpid.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ygqznsclzh = "ymcrlwmbvjpkbhqw.exe" | gwijnolzqgs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ygqznsclzh = "meyrpeyrphrqlvisyvia.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zelrcel = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oewnjwofbrzwpxiqup.exe" | mqwblm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ygqznsclzh = "bupjiytnmfqqmxlwdbpid.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zelrcel = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oewnjwofbrzwpxiqup.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ygqznsclzh = "fulbwizpkzgcublsv.exe" | gwijnolzqgs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | mqwblm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zelrcel = "C:\\Users\\Admin\\AppData\\Local\\Temp\\meyrpeyrphrqlvisyvia.exe" | mqwblm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ygqznsclzh = "fulbwizpkzgcublsv.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ygqznsclzh = "oewnjwofbrzwpxiqup.exe" | mqwblm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ygqznsclzh = "zqjbymfxulusmvhqvrd.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zelrcel = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fulbwizpkzgcublsv.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zelrcel = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ymcrlwmbvjpkbhqw.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ygqznsclzh = "fulbwizpkzgcublsv.exe" | gwijnolzqgs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ygqznsclzh = "bupjiytnmfqqmxlwdbpid.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zelrcel = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oewnjwofbrzwpxiqup.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zelrcel = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bupjiytnmfqqmxlwdbpid.exe" | gwijnolzqgs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ygqznsclzh = "meyrpeyrphrqlvisyvia.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zelrcel = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bupjiytnmfqqmxlwdbpid.exe" | mqwblm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | gwijnolzqgs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zelrcel = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oewnjwofbrzwpxiqup.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zelrcel = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqjbymfxulusmvhqvrd.exe" | gwijnolzqgs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | gwijnolzqgs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ygqznsclzh = "bupjiytnmfqqmxlwdbpid.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zelrcel = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fulbwizpkzgcublsv.exe" | gwijnolzqgs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | gwijnolzqgs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zelrcel = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oewnjwofbrzwpxiqup.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ygqznsclzh = "bupjiytnmfqqmxlwdbpid.exe" | mqwblm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ygqznsclzh = "bupjiytnmfqqmxlwdbpid.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zelrcel = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oewnjwofbrzwpxiqup.exe" | mqwblm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ygqznsclzh = "bupjiytnmfqqmxlwdbpid.exe" | gwijnolzqgs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | gwijnolzqgs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ygqznsclzh = "ymcrlwmbvjpkbhqw.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ygqznsclzh = "bupjiytnmfqqmxlwdbpid.exe" | gwijnolzqgs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | gwijnolzqgs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zelrcel = "C:\\Users\\Admin\\AppData\\Local\\Temp\\meyrpeyrphrqlvisyvia.exe" | gwijnolzqgs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | gwijnolzqgs.exe
Disables RegEdit via registry modification (6 IoCs)

description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | gwijnolzqgs.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | mqwblm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | mqwblm.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | mqwblm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | mqwblm.exe
Executes dropped EXE (64 IoCs)

pid | Process
2500 | gwijnolzqgs.exe
5728 | bupjiytnmfqqmxlwdbpid.exe
4960 | meyrpeyrphrqlvisyvia.exe
4972 | gwijnolzqgs.exe
844 | oewnjwofbrzwpxiqup.exe
5448 | zqjbymfxulusmvhqvrd.exe
4336 | gwijnolzqgs.exe
4444 | fulbwizpkzgcublsv.exe
5856 | zqjbymfxulusmvhqvrd.exe
432 | gwijnolzqgs.exe
5812 | oewnjwofbrzwpxiqup.exe
3876 | zqjbymfxulusmvhqvrd.exe
792 | gwijnolzqgs.exe
4176 | mqwblm.exe
1956 | mqwblm.exe
3352 | zqjbymfxulusmvhqvrd.exe
5924 | oewnjwofbrzwpxiqup.exe
2120 | gwijnolzqgs.exe
5960 | meyrpeyrphrqlvisyvia.exe
904 | zqjbymfxulusmvhqvrd.exe
2284 | ymcrlwmbvjpkbhqw.exe
1164 | meyrpeyrphrqlvisyvia.exe
5832 | gwijnolzqgs.exe
3004 | gwijnolzqgs.exe
1120 | fulbwizpkzgcublsv.exe
1840 | meyrpeyrphrqlvisyvia.exe
5824 | oewnjwofbrzwpxiqup.exe
4716 | fulbwizpkzgcublsv.exe
5612 | gwijnolzqgs.exe
2296 | ymcrlwmbvjpkbhqw.exe
4636 | oewnjwofbrzwpxiqup.exe
1364 | gwijnolzqgs.exe
4000 | ymcrlwmbvjpkbhqw.exe
4820 | ymcrlwmbvjpkbhqw.exe
4624 | gwijnolzqgs.exe
6140 | oewnjwofbrzwpxiqup.exe
3520 | gwijnolzqgs.exe
5292 | oewnjwofbrzwpxiqup.exe
2368 | gwijnolzqgs.exe
5728 | bupjiytnmfqqmxlwdbpid.exe
4276 | zqjbymfxulusmvhqvrd.exe
5040 | gwijnolzqgs.exe
5160 | zqjbymfxulusmvhqvrd.exe
5748 | zqjbymfxulusmvhqvrd.exe
5140 | oewnjwofbrzwpxiqup.exe
4900 | gwijnolzqgs.exe
2448 | fulbwizpkzgcublsv.exe
3588 | gwijnolzqgs.exe
4796 | zqjbymfxulusmvhqvrd.exe
1532 | zqjbymfxulusmvhqvrd.exe
5032 | gwijnolzqgs.exe
3360 | zqjbymfxulusmvhqvrd.exe
3476 | ymcrlwmbvjpkbhqw.exe
2320 | gwijnolzqgs.exe
5640 | fulbwizpkzgcublsv.exe
5956 | meyrpeyrphrqlvisyvia.exe
2904 | bupjiytnmfqqmxlwdbpid.exe
908 | oewnjwofbrzwpxiqup.exe
1256 | gwijnolzqgs.exe
4556 | fulbwizpkzgcublsv.exe
480 | ymcrlwmbvjpkbhqw.exe
5572 | oewnjwofbrzwpxiqup.exe
5652 | gwijnolzqgs.exe
1860 | oewnjwofbrzwpxiqup.exe
Impair Defenses: Safe Mode Boot (1 TTPs, 6 IoCs)

description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | mqwblm.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | mqwblm.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | mqwblm.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | mqwblm.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | mqwblm.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | mqwblm.exe
Adds Run key to start application (2 TTPs, 64 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oucjvygn = "oewnjwofbrzwpxiqup.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\Run\oucjvygn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ymcrlwmbvjpkbhqw.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oucjvygn = "meyrpeyrphrqlvisyvia.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qamxnugrhrtk = "bupjiytnmfqqmxlwdbpid.exe ." | mqwblm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fmvdqudly = "meyrpeyrphrqlvisyvia.exe ." | gwijnolzqgs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qamxnugrhrtk = "oewnjwofbrzwpxiqup.exe ." | gwijnolzqgs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\fmvdqudly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\meyrpeyrphrqlvisyvia.exe ." | gwijnolzqgs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\Run\tcnxmsdnclm = "zqjbymfxulusmvhqvrd.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\fmvdqudly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqjbymfxulusmvhqvrd.exe ." | gwijnolzqgs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qamxnugrhrtk = "meyrpeyrphrqlvisyvia.exe ." | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qcqdvesfxjngvz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\meyrpeyrphrqlvisyvia.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qcqdvesfxjngvz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ymcrlwmbvjpkbhqw.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qcqdvesfxjngvz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fulbwizpkzgcublsv.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qcqdvesfxjngvz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oewnjwofbrzwpxiqup.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fmvdqudly = "fulbwizpkzgcublsv.exe ." | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fmvdqudly = "oewnjwofbrzwpxiqup.exe ." | mqwblm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\panzqylxozcui = "C:\\Users\\Admin\\AppData\\Local\\Temp\\meyrpeyrphrqlvisyvia.exe ." | mqwblm.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\fmvdqudly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ymcrlwmbvjpkbhqw.exe ." | mqwblm.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qamxnugrhrtk = "fulbwizpkzgcublsv.exe ." | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fmvdqudly = "bupjiytnmfqqmxlwdbpid.exe ." | gwijnolzqgs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qamxnugrhrtk = "fulbwizpkzgcublsv.exe ." | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qcqdvesfxjngvz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oewnjwofbrzwpxiqup.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\Run\oucjvygn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oewnjwofbrzwpxiqup.exe" | mqwblm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\panzqylxozcui = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bupjiytnmfqqmxlwdbpid.exe ." | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\panzqylxozcui = "C:\\Users\\Admin\\AppData\\Local\\Temp\\meyrpeyrphrqlvisyvia.exe ." | gwijnolzqgs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qamxnugrhrtk = "ymcrlwmbvjpkbhqw.exe ." | gwijnolzqgs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\Run\tcnxmsdnclm = "ymcrlwmbvjpkbhqw.exe" | mqwblm.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qamxnugrhrtk = "oewnjwofbrzwpxiqup.exe ." | mqwblm.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qamxnugrhrtk = "meyrpeyrphrqlvisyvia.exe ." | gwijnolzqgs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\Run\tcnxmsdnclm = "oewnjwofbrzwpxiqup.exe" | mqwblm.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qamxnugrhrtk = "meyrpeyrphrqlvisyvia.exe ." | gwijnolzqgs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\Run\tcnxmsdnclm = "fulbwizpkzgcublsv.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\fmvdqudly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oewnjwofbrzwpxiqup.exe ." | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oucjvygn = "oewnjwofbrzwpxiqup.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fmvdqudly = "ymcrlwmbvjpkbhqw.exe ." | gwijnolzqgs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\fmvdqudly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqjbymfxulusmvhqvrd.exe ." | gwijnolzqgs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\fmvdqudly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqjbymfxulusmvhqvrd.exe ." | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\panzqylxozcui = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqjbymfxulusmvhqvrd.exe ." | mqwblm.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qamxnugrhrtk = "ymcrlwmbvjpkbhqw.exe ." | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fmvdqudly = "meyrpeyrphrqlvisyvia.exe ." | gwijnolzqgs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qamxnugrhrtk = "fulbwizpkzgcublsv.exe ." | gwijnolzqgs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\Run\oucjvygn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqjbymfxulusmvhqvrd.exe" | mqwblm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\panzqylxozcui = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fulbwizpkzgcublsv.exe ." | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oucjvygn = "fulbwizpkzgcublsv.exe" | mqwblm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\panzqylxozcui = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bupjiytnmfqqmxlwdbpid.exe ." | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oucjvygn = "zqjbymfxulusmvhqvrd.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fmvdqudly = "fulbwizpkzgcublsv.exe ." | mqwblm.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\Run\tcnxmsdnclm = "zqjbymfxulusmvhqvrd.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\panzqylxozcui = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oewnjwofbrzwpxiqup.exe ." | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qcqdvesfxjngvz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ymcrlwmbvjpkbhqw.exe" | mqwblm.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\Run\tcnxmsdnclm = "meyrpeyrphrqlvisyvia.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\panzqylxozcui = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqjbymfxulusmvhqvrd.exe ." | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qcqdvesfxjngvz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bupjiytnmfqqmxlwdbpid.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qcqdvesfxjngvz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bupjiytnmfqqmxlwdbpid.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\Run\tcnxmsdnclm = "fulbwizpkzgcublsv.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\Run\oucjvygn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqjbymfxulusmvhqvrd.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\panzqylxozcui = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqjbymfxulusmvhqvrd.exe ." | gwijnolzqgs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\Run\oucjvygn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fulbwizpkzgcublsv.exe" | mqwblm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oucjvygn = "zqjbymfxulusmvhqvrd.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\fmvdqudly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oewnjwofbrzwpxiqup.exe ." | gwijnolzqgs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\Run\oucjvygn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bupjiytnmfqqmxlwdbpid.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\Run\tcnxmsdnclm = "ymcrlwmbvjpkbhqw.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\Run\oucjvygn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqjbymfxulusmvhqvrd.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\Run\oucjvygn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oewnjwofbrzwpxiqup.exe" | gwijnolzqgs.exe
Checks whether UAC is enabled 1 TTPs 62 IoCs
The rows show more than a check: besides querying EnableLUA, both mqwblm.exe and gwijnolzqgs.exe repeatedly set it to 0, which disables User Account Control entirely once the system is rebooted.
Distinct rows (the sandbox logs every write and query, so identical rows repeat in the raw list):
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | mqwblm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gwijnolzqgs.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | gwijnolzqgs.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | mqwblm.exe
-
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possibly turns off User Account Control's privilege elevation for standard users: EnableInstallerDetection = 0 disables the heuristic that recognises application installers and prompts for elevation, so binaries that look like installers no longer trigger a UAC prompt.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | mqwblm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | mqwblm.exe
-
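The Run and RunOnce values listed earlier, the EnableLUA rows and the EnableInstallerDetection rows above are all plain registry rows in one format, so they can be triaged mechanically. The following Python is an added example, not code from the sandbox report or from the sample: it parses rows in the exact shape the report prints, collapses repeated events, separates UAC policy tampering from autostart persistence, and extracts the binaries the autostart entries point at. The sample rows are copied from this report; the UAC_POLICY table also covers ConsentPromptBehaviorAdmin and PromptOnSecureDesktop, which this report does not show but which the same check should watch (an assumed extension, marked in the code).

```python
r"""Triage of registry IoC rows from a sandbox report (added example, not report code).

Row shapes handled, exactly as the report prints them:
  Set value (int) \REGISTRY\MACHINE\...\Policies\System\EnableLUA = "0" mqwblm.exe
  Set value (str) \REGISTRY\USER\<SID>\...\CurrentVersion\Run\tcnxmsdnclm = "x.exe" gwijnolzqgs.exe
  Key value queried \REGISTRY\MACHINE\...\Policies\System\EnableLUA gwijnolzqgs.exe
"""
import re

SET_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\.+?) = "(.*)" (\S+)$')
QUERY_RE = re.compile(r'^Key value queried (\\REGISTRY\\.+) (\S+)$')
AUTOSTART_RE = re.compile(r'\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$')
WINLOGON_RE = re.compile(r'\\Winlogon\\(Shell|Userinit)$')

# UAC policy values worth flagging. EnableLUA and EnableInstallerDetection are the two
# this report shows; the other two are assumed extensions of the same check.
UAC_POLICY = {
    "EnableLUA": "UAC disabled entirely (effective after the next reboot)",
    "EnableInstallerDetection": "installer-detection elevation prompt disabled",
    "ConsentPromptBehaviorAdmin": "admin consent prompt behaviour changed",
    "PromptOnSecureDesktop": "secure-desktop prompting changed",
}

# Rows copied from this report (one EnableLUA row deliberately repeated).
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\Run\tcnxmsdnclm = "fulbwizpkzgcublsv.exe" gwijnolzqgs.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\fmvdqudly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oewnjwofbrzwpxiqup.exe ." gwijnolzqgs.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oucjvygn = "oewnjwofbrzwpxiqup.exe" gwijnolzqgs.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\panzqylxozcui = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqjbymfxulusmvhqvrd.exe ." mqwblm.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" mqwblm.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gwijnolzqgs.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gwijnolzqgs.exe',
    r'Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA gwijnolzqgs.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" mqwblm.exe',
]


def hive(path):
    """Map the kernel-style registry prefix to the hive name analysts use."""
    if path.startswith("\\REGISTRY\\MACHINE\\"):
        return "HKLM"
    if path.startswith("\\REGISTRY\\USER\\"):
        return "HKU"
    return "?"


def parse_row(row):
    """Return a dict for a registry row, or None for any other row type."""
    m = SET_RE.match(row.strip())
    if m:
        kind, path, value, proc = m.groups()
        return {"op": "set", "type": kind, "path": path, "value": value, "process": proc}
    m = QUERY_RE.match(row.strip())
    if m:
        path, proc = m.groups()
        return {"op": "query", "type": None, "path": path, "value": None, "process": proc}
    return None


def binary_name(value):
    r"""Reduce an autostart value such as 'C:\\Users\\...\\x.exe .' to 'x.exe'.

    The sandbox doubles backslashes, and the trailing ' .' is the argument the
    sample passes to its copies; both are removed before the basename is taken.
    """
    value = re.sub(r"\s+\.$", "", value.strip())
    return re.split(r"\\+", value)[-1]


def triage(rows):
    """Classify distinct registry rows into UAC tampering, queries and persistence."""
    report = {"uac": [], "queried": set(), "persistence": [], "unparsed": 0}
    seen = set()
    for row in rows:
        rec = parse_row(row)
        if rec is None:
            report["unparsed"] += 1
            continue
        key = (rec["op"], rec["path"], rec["value"], rec["process"])
        if key in seen:  # the sandbox logs every write; keep one row per indicator
            continue
        seen.add(key)
        name = rec["path"].rsplit("\\", 1)[-1]
        if "\\Policies\\System\\" in rec["path"] and name in UAC_POLICY:
            if rec["op"] == "query":
                report["queried"].add((name, rec["process"]))
            else:
                report["uac"].append((name, rec["value"], rec["process"], UAC_POLICY[name]))
            continue
        if rec["op"] != "set":
            continue
        m = AUTOSTART_RE.search(rec["path"])
        w = WINLOGON_RE.search(rec["path"])
        if m or w:
            report["persistence"].append({
                "hive": hive(rec["path"]),
                "wow64": "\\WOW6432Node\\" in rec["path"],  # 32-bit view on a 64-bit host
                "location": m.group(1) if m else "Winlogon",
                "name": m.group(2) if m else w.group(1),
                "binary": binary_name(rec["value"]),
                "process": rec["process"],
            })
    return report


def autostart_binaries(report):
    """Distinct file names the autostart entries launch, for hunting on other hosts."""
    return sorted({e["binary"] for e in report["persistence"]})


if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    for name, value, proc, why in result["uac"]:
        print(f"UAC tamper: {proc} set {name}={value} ({why})")
    for e in result["persistence"]:
        print(f"autostart: {e['hive']}{' (WOW64)' if e['wow64'] else ''} {e['location']}\\{e['name']} -> {e['binary']} by {e['process']}")
    print("binaries to hunt for:", autostart_binaries(result))
```

Feed it the raw "description ioc Process" rows of any report in this format. Note that the same value names (fmvdqudly, panzqylxozcui, oucjvygn) are rewritten to point at different copies over the run, so the list of distinct binaries is the useful output, not any single value.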
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
1 | www.whatismyip.ca
1 | whatismyip.everdot.org
1 | www.showmyipaddress.com
1 | whatismyipaddress.com
-
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes. Windows 7 and later do not honour autorun.inf on removable drives by default (only on optical media), so the file no longer executes on insertion, but writing it to the root of both C: and F: is still a reliable marker of a worm-style spreader.
description | ioc | Process
File created | F:\autorun.inf | mqwblm.exe
File opened for modification | C:\autorun.inf | mqwblm.exe
File created | C:\autorun.inf | mqwblm.exe
File opened for modification | F:\autorun.inf | mqwblm.exe
-
Drops file in System32 directory 64 IoCs
Distinct rows (repeated writes collapsed); every entry is "File opened for modification":
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\oewnjwofbrzwpxiqup.exe | mqwblm.exe
File opened for modification | C:\Windows\SysWOW64\meyrpeyrphrqlvisyvia.exe | mqwblm.exe
File opened for modification | C:\Windows\SysWOW64\zqjbymfxulusmvhqvrd.exe | mqwblm.exe
File opened for modification | C:\Windows\SysWOW64\smidduqllfrspbqckjysoj.exe | mqwblm.exe
File opened for modification | C:\Windows\SysWOW64\ymcrlwmbvjpkbhqw.exe | mqwblm.exe
File opened for modification | C:\Windows\SysWOW64\fulbwizpkzgcublsv.exe | mqwblm.exe
File opened for modification | C:\Windows\SysWOW64\suybjimpxztchbysipmosvdcgj.tnw | mqwblm.exe
File opened for modification | C:\Windows\SysWOW64\oewnjwofbrzwpxiqup.exe | gwijnolzqgs.exe
File opened for modification | C:\Windows\SysWOW64\meyrpeyrphrqlvisyvia.exe | gwijnolzqgs.exe
File opened for modification | C:\Windows\SysWOW64\ymcrlwmbvjpkbhqw.exe | gwijnolzqgs.exe
File opened for modification | C:\Windows\SysWOW64\fulbwizpkzgcublsv.exe | gwijnolzqgs.exe
File opened for modification | C:\Windows\SysWOW64\smidduqllfrspbqckjysoj.exe | gwijnolzqgs.exe
File opened for modification | C:\Windows\SysWOW64\zqjbymfxulusmvhqvrd.exe | gwijnolzqgs.exe
File opened for modification | C:\Windows\SysWOW64\bupjiytnmfqqmxlwdbpid.exe | gwijnolzqgs.exe
-
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\suybjimpxztchbysipmosvdcgj.tnw | mqwblm.exe
File created | C:\Program Files (x86)\suybjimpxztchbysipmosvdcgj.tnw | mqwblm.exe
File opened for modification | C:\Program Files (x86)\tgvjcmbpivaukpxcdvdqftmwlzsfkeuzhmnfn.pdw | mqwblm.exe
File created | C:\Program Files (x86)\tgvjcmbpivaukpxcdvdqftmwlzsfkeuzhmnfn.pdw | mqwblm.exe
-
Drops file in Windows directory 64 IoCs
Distinct rows (repeated writes collapsed):
description | ioc | Process
File opened for modification | C:\Windows\oewnjwofbrzwpxiqup.exe | gwijnolzqgs.exe
File opened for modification | C:\Windows\smidduqllfrspbqckjysoj.exe | gwijnolzqgs.exe
File opened for modification | C:\Windows\fulbwizpkzgcublsv.exe | gwijnolzqgs.exe
File opened for modification | C:\Windows\zqjbymfxulusmvhqvrd.exe | gwijnolzqgs.exe
File opened for modification | C:\Windows\meyrpeyrphrqlvisyvia.exe | gwijnolzqgs.exe
File opened for modification | C:\Windows\bupjiytnmfqqmxlwdbpid.exe | gwijnolzqgs.exe
File opened for modification | C:\Windows\ymcrlwmbvjpkbhqw.exe | gwijnolzqgs.exe
File created | C:\Windows\suybjimpxztchbysipmosvdcgj.tnw | mqwblm.exe
File opened for modification | C:\Windows\tgvjcmbpivaukpxcdvdqftmwlzsfkeuzhmnfn.pdw | mqwblm.exe
File opened for modification | C:\Windows\oewnjwofbrzwpxiqup.exe | mqwblm.exe
-
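The three file tables above (System32, Program Files, Windows) and the autorun.inf table share one row format, so the same parser can answer the two questions an analyst asks of them: which dropped names are replicated into several system directories, and on which drive roots an autorun.inf landed. The Python below is an added example, not code from the report or from the sample; its sample rows are copied from the tables in this report, plus one deliberate duplicate to show the collapsing of repeated events.

```python
r"""Triage of file-system IoC rows from a sandbox report (added example, not report code).

Row shapes handled, exactly as the report prints them:
  File created F:\autorun.inf mqwblm.exe
  File opened for modification C:\Windows\SysWOW64\oewnjwofbrzwpxiqup.exe gwijnolzqgs.exe
"""
import re
from collections import defaultdict

FILE_RE = re.compile(r"^File (created|opened for modification) (.+?) (\S+)$")
AUTORUN_RE = re.compile(r"^([A-Za-z]:)\\autorun\.inf$", re.IGNORECASE)

# Rows copied from this report; the second SysWOW64 row is repeated on purpose.
SAMPLE_ROWS = [
    r"File opened for modification C:\Windows\SysWOW64\oewnjwofbrzwpxiqup.exe mqwblm.exe",
    r"File opened for modification C:\Windows\SysWOW64\zqjbymfxulusmvhqvrd.exe gwijnolzqgs.exe",
    r"File opened for modification C:\Windows\SysWOW64\zqjbymfxulusmvhqvrd.exe gwijnolzqgs.exe",
    r"File opened for modification C:\Windows\oewnjwofbrzwpxiqup.exe gwijnolzqgs.exe",
    r"File opened for modification C:\Windows\zqjbymfxulusmvhqvrd.exe gwijnolzqgs.exe",
    r"File opened for modification C:\Windows\SysWOW64\suybjimpxztchbysipmosvdcgj.tnw mqwblm.exe",
    r"File created C:\Program Files (x86)\suybjimpxztchbysipmosvdcgj.tnw mqwblm.exe",
    r"File created C:\Windows\suybjimpxztchbysipmosvdcgj.tnw mqwblm.exe",
    r"File created F:\autorun.inf mqwblm.exe",
    r"File opened for modification C:\autorun.inf mqwblm.exe",
    r"File created C:\autorun.inf mqwblm.exe",
    r"File opened for modification F:\autorun.inf mqwblm.exe",
]


def parse_file_row(row):
    """Split one row into operation, full path, directory, file name and writing process."""
    m = FILE_RE.match(row.strip())
    if not m:
        return None
    op, path, proc = m.groups()
    directory, _, name = path.rpartition("\\")
    return {"op": op, "path": path, "dir": directory, "name": name, "process": proc}


def analyse(rows):
    """Collapse repeated events and summarise where each dropped file ended up."""
    locations = defaultdict(set)  # file name -> directories it was written to
    writers = defaultdict(set)    # file name -> processes that wrote it
    autorun = defaultdict(set)    # drive root -> processes that dropped autorun.inf there
    distinct = set()
    for row in rows:
        rec = parse_file_row(row)
        if rec is None:
            continue
        key = (rec["op"], rec["path"], rec["process"])
        if key in distinct:  # the sandbox logs every open; one row per indicator is enough
            continue
        distinct.add(key)
        m = AUTORUN_RE.match(rec["path"])
        if m:
            autorun[m.group(1).upper()].add(rec["process"])
            continue
        locations[rec["name"]].add(rec["dir"])
        writers[rec["name"]].add(rec["process"])
    return {
        "events": len(distinct),
        # the same name copied into two or more directories is the replication pattern
        "replicated": {n: sorted(d) for n, d in locations.items() if len(d) > 1},
        "writers": {n: sorted(p) for n, p in writers.items()},
        # non-.exe names written alongside the copies; the report does not show their content
        "non_exe": sorted(n for n in locations if not n.lower().endswith(".exe")),
        "autorun_drives": {d: sorted(p) for d, p in sorted(autorun.items())},
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_ROWS)
    print(f"{result['events']} distinct file events")
    for name, dirs in result["replicated"].items():
        print(f"replicated: {name} -> {dirs} (written by {result['writers'][name]})")
    for drive, procs in result["autorun_drives"].items():
        print(f"autorun.inf on {drive} by {procs}")
```

Run against the full tables, the "replicated" map lists every one of the seven randomly named executables in both C:\Windows and C:\Windows\SysWOW64, which is what makes a single file-name indicator from this report useful on other hosts.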
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
Distinct rows (repeated opens collapsed); every process in the chain reads the same key:
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bupjiytnmfqqmxlwdbpid.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ymcrlwmbvjpkbhqw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fulbwizpkzgcublsv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | oewnjwofbrzwpxiqup.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mqwblm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zqjbymfxulusmvhqvrd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | meyrpeyrphrqlvisyvia.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | gwijnolzqgs.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Distinct rows (the raw list repeats these two entries once per enumeration call):
pid | Process
3536 | JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe
4176 | mqwblm.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description                pid    Process
Token: SeDebugPrivilege    4176   mqwblm.exe
Suspicious use of WriteProcessMemory 64 IoCs
description                         pid    Process                                                 procid_target
PID 3536 wrote to memory of 2500    3536   JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe    78
PID 3536 wrote to memory of 2500    3536   JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe    78
PID 3536 wrote to memory of 2500    3536   JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe    78
PID 3092 wrote to memory of 5728    3092   cmd.exe                                                81
PID 3092 wrote to memory of 5728    3092   cmd.exe                                                81
PID 3092 wrote to memory of 5728    3092   cmd.exe                                                81
PID 4880 wrote to memory of 4960    4880   cmd.exe                                                84
PID 4880 wrote to memory of 4960    4880   cmd.exe                                                84
PID 4880 wrote to memory of 4960    4880   cmd.exe                                                84
PID 4960 wrote to memory of 4972    4960   meyrpeyrphrqlvisyvia.exe                               85
PID 4960 wrote to memory of 4972    4960   meyrpeyrphrqlvisyvia.exe                               85
PID 4960 wrote to memory of 4972    4960   meyrpeyrphrqlvisyvia.exe                               85
PID 5076 wrote to memory of 844     5076   cmd.exe                                                88
PID 5076 wrote to memory of 844     5076   cmd.exe                                                88
PID 5076 wrote to memory of 844     5076   cmd.exe                                                88
PID 4496 wrote to memory of 5448    4496   cmd.exe                                                91
PID 4496 wrote to memory of 5448    4496   cmd.exe                                                91
PID 4496 wrote to memory of 5448    4496   cmd.exe                                                91
PID 5448 wrote to memory of 4336    5448   zqjbymfxulusmvhqvrd.exe                                94
PID 5448 wrote to memory of 4336    5448   zqjbymfxulusmvhqvrd.exe                                94
PID 5448 wrote to memory of 4336    5448   zqjbymfxulusmvhqvrd.exe                                94
PID 3040 wrote to memory of 4444    3040   cmd.exe                                                95
PID 3040 wrote to memory of 4444    3040   cmd.exe                                                95
PID 3040 wrote to memory of 4444    3040   cmd.exe                                                95
PID 5884 wrote to memory of 5856    5884   cmd.exe                                                98
PID 5884 wrote to memory of 5856    5884   cmd.exe                                                98
PID 5884 wrote to memory of 5856    5884   cmd.exe                                                98
PID 5856 wrote to memory of 432     5856   zqjbymfxulusmvhqvrd.exe                                99
PID 5856 wrote to memory of 432     5856   zqjbymfxulusmvhqvrd.exe                                99
PID 5856 wrote to memory of 432     5856   zqjbymfxulusmvhqvrd.exe                                99
PID 5660 wrote to memory of 5812    5660   cmd.exe                                                102
PID 5660 wrote to memory of 5812    5660   cmd.exe                                                102
PID 5660 wrote to memory of 5812    5660   cmd.exe                                                102
PID 1744 wrote to memory of 3876    1744   cmd.exe                                                105
PID 1744 wrote to memory of 3876    1744   cmd.exe                                                105
PID 1744 wrote to memory of 3876    1744   cmd.exe                                                105
PID 3876 wrote to memory of 792     3876   zqjbymfxulusmvhqvrd.exe                                106
PID 3876 wrote to memory of 792     3876   zqjbymfxulusmvhqvrd.exe                                106
PID 3876 wrote to memory of 792     3876   zqjbymfxulusmvhqvrd.exe                                106
PID 2500 wrote to memory of 4176    2500   gwijnolzqgs.exe                                        107
PID 2500 wrote to memory of 4176    2500   gwijnolzqgs.exe                                        107
PID 2500 wrote to memory of 4176    2500   gwijnolzqgs.exe                                        107
PID 2500 wrote to memory of 1956    2500   gwijnolzqgs.exe                                        108
PID 2500 wrote to memory of 1956    2500   gwijnolzqgs.exe                                        108
PID 2500 wrote to memory of 1956    2500   gwijnolzqgs.exe                                        108
PID 3296 wrote to memory of 3352    3296   cmd.exe                                                111
PID 3296 wrote to memory of 3352    3296   cmd.exe                                                111
PID 3296 wrote to memory of 3352    3296   cmd.exe                                                111
PID 5068 wrote to memory of 5924    5068   cmd.exe                                                114
PID 5068 wrote to memory of 5924    5068   cmd.exe                                                114
PID 5068 wrote to memory of 5924    5068   cmd.exe                                                114
PID 5924 wrote to memory of 2120    5924   oewnjwofbrzwpxiqup.exe                                 117
PID 5924 wrote to memory of 2120    5924   oewnjwofbrzwpxiqup.exe                                 117
PID 5924 wrote to memory of 2120    5924   oewnjwofbrzwpxiqup.exe                                 117
PID 4928 wrote to memory of 5960    4928   cmd.exe                                                119
PID 4928 wrote to memory of 5960    4928   cmd.exe                                                119
PID 4928 wrote to memory of 5960    4928   cmd.exe                                                119
PID 2788 wrote to memory of 904     2788   cmd.exe                                                121
PID 2788 wrote to memory of 904     2788   cmd.exe                                                121
PID 2788 wrote to memory of 904     2788   cmd.exe                                                121
PID 980 wrote to memory of 2284     980    cmd.exe                                                126
PID 980 wrote to memory of 2284     980    cmd.exe                                                126
PID 980 wrote to memory of 2284     980    cmd.exe                                                126
PID 1476 wrote to memory of 1164    1476   cmd.exe                                                127
System policy modification 1 TTPs 64 IoCs
description        ioc                                                                                                   Process
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"          gwijnolzqgs.exe
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                    mqwblm.exe
Key created        \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer                                  gwijnolzqgs.exe
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"         gwijnolzqgs.exe
Key created        \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                                    gwijnolzqgs.exe
Key created        \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                                    gwijnolzqgs.exe
Key created        \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                                    gwijnolzqgs.exe
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                    gwijnolzqgs.exe
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"          mqwblm.exe
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"          mqwblm.exe
Key created        \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                                    gwijnolzqgs.exe
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                    gwijnolzqgs.exe
Key created        \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                                    gwijnolzqgs.exe
Key created        \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                                    gwijnolzqgs.exe
Key created        \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                                    gwijnolzqgs.exe
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                    gwijnolzqgs.exe
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"          gwijnolzqgs.exe
Key created        \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                                    mqwblm.exe
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"      mqwblm.exe
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"         mqwblm.exe
Key created        \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                                    gwijnolzqgs.exe
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                    gwijnolzqgs.exe
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                    gwijnolzqgs.exe
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"          mqwblm.exe
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"          mqwblm.exe
Key created        \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                                    gwijnolzqgs.exe
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                    gwijnolzqgs.exe
Key created        \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                                    gwijnolzqgs.exe
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                    gwijnolzqgs.exe
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"    gwijnolzqgs.exe
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                    gwijnolzqgs.exe
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"    mqwblm.exe
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"         mqwblm.exe
Key created        \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer                                  mqwblm.exe
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                    gwijnolzqgs.exe
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                    gwijnolzqgs.exe
Key created        \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                                    gwijnolzqgs.exe
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                    gwijnolzqgs.exe
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                    gwijnolzqgs.exe
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                    gwijnolzqgs.exe
Key created        \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                                    gwijnolzqgs.exe
Key created        \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                                    gwijnolzqgs.exe
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                    gwijnolzqgs.exe
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                    gwijnolzqgs.exe
Key created        \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                                    gwijnolzqgs.exe
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"         mqwblm.exe
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"   mqwblm.exe
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                    gwijnolzqgs.exe
Key created        \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                                    gwijnolzqgs.exe
Key created        \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                                    gwijnolzqgs.exe
Key created        \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                                    gwijnolzqgs.exe
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"          mqwblm.exe
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"    mqwblm.exe
Key created        \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                                    gwijnolzqgs.exe
Key created        \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                                    gwijnolzqgs.exe
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                    gwijnolzqgs.exe
Key created        \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                                    gwijnolzqgs.exe
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                    gwijnolzqgs.exe
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"     mqwblm.exe
Key created        \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer                                  mqwblm.exe
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                    gwijnolzqgs.exe
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                    gwijnolzqgs.exe
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                    gwijnolzqgs.exe
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                    gwijnolzqgs.exe
Processes
(tree depth in brackets; each child process is indented under its parent)

[1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe (PID 3536)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe (PID 2500)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_c80bb333a03aefa2ebc92b2d4851eaed.exe*"
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Hijack Execution Flow: Executable Installer File Permissions Weakness
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        - System policy modification
        [3] C:\Users\Admin\AppData\Local\Temp\mqwblm.exe (PID 4176)
            cmdline: "C:\Users\Admin\AppData\Local\Temp\mqwblm.exe" "-C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe"
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Disables RegEdit via registry modification
            - Executes dropped EXE
            - Impair Defenses: Safe Mode Boot
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Hijack Execution Flow: Executable Installer File Permissions Weakness
            - Drops autorun.inf file
            - Drops file in System32 directory
            - Drops file in Program Files directory
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - System policy modification
        [3] C:\Users\Admin\AppData\Local\Temp\mqwblm.exe (PID 1956)
            cmdline: "C:\Users\Admin\AppData\Local\Temp\mqwblm.exe" "-C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe"
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Disables RegEdit via registry modification
            - Executes dropped EXE
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Hijack Execution Flow: Executable Installer File Permissions Weakness
            - Drops file in System32 directory
            - System policy modification
[1] C:\Windows\system32\cmd.exe (PID 3092)
    cmdline: C:\Windows\system32\cmd.exe /c bupjiytnmfqqmxlwdbpid.exe
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\bupjiytnmfqqmxlwdbpid.exe (PID 5728)
        cmdline: bupjiytnmfqqmxlwdbpid.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

[1] C:\Windows\system32\cmd.exe (PID 4880)
    cmdline: C:\Windows\system32\cmd.exe /c meyrpeyrphrqlvisyvia.exe .
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\meyrpeyrphrqlvisyvia.exe (PID 4960)
        cmdline: meyrpeyrphrqlvisyvia.exe .
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe (PID 4972)
            cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\meyrpeyrphrqlvisyvia.exe*."
            - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 5076)
    cmdline: C:\Windows\system32\cmd.exe /c oewnjwofbrzwpxiqup.exe
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\oewnjwofbrzwpxiqup.exe (PID 844)
        cmdline: oewnjwofbrzwpxiqup.exe
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 4496)
    cmdline: C:\Windows\system32\cmd.exe /c zqjbymfxulusmvhqvrd.exe .
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\zqjbymfxulusmvhqvrd.exe (PID 5448)
        cmdline: zqjbymfxulusmvhqvrd.exe .
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe (PID 4336)
            cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\zqjbymfxulusmvhqvrd.exe*."
            - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 3040)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exe
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exe (PID 4444)
        cmdline: C:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

[1] C:\Windows\system32\cmd.exe (PID 5884)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe .
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe (PID 5856)
        cmdline: C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe .
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe (PID 432)
            cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\zqjbymfxulusmvhqvrd.exe*."
            - Executes dropped EXE
[1] C:\Windows\system32\cmd.exe (PID 5660)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe (PID 5812)
        cmdline: C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 1744)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe .
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe (PID 3876)
        cmdline: C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe .
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe (PID 792)
            cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\zqjbymfxulusmvhqvrd.exe*."
            - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 3296)
    cmdline: C:\Windows\system32\cmd.exe /c zqjbymfxulusmvhqvrd.exe
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\zqjbymfxulusmvhqvrd.exe (PID 3352)
        cmdline: zqjbymfxulusmvhqvrd.exe
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 5068)
    cmdline: C:\Windows\system32\cmd.exe /c oewnjwofbrzwpxiqup.exe .
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\oewnjwofbrzwpxiqup.exe (PID 5924)
        cmdline: oewnjwofbrzwpxiqup.exe .
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe (PID 2120)
            cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\oewnjwofbrzwpxiqup.exe*."
            - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 4928)
    cmdline: C:\Windows\system32\cmd.exe /c meyrpeyrphrqlvisyvia.exe
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\meyrpeyrphrqlvisyvia.exe (PID 5960)
        cmdline: meyrpeyrphrqlvisyvia.exe
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 2788)
    cmdline: C:\Windows\system32\cmd.exe /c zqjbymfxulusmvhqvrd.exe
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\zqjbymfxulusmvhqvrd.exe (PID 904)
        cmdline: zqjbymfxulusmvhqvrd.exe
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 1476)
    cmdline: C:\Windows\system32\cmd.exe /c meyrpeyrphrqlvisyvia.exe .
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\meyrpeyrphrqlvisyvia.exe (PID 1164)
        cmdline: meyrpeyrphrqlvisyvia.exe .
        - Executes dropped EXE
        [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe (PID 5832)
            cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\meyrpeyrphrqlvisyvia.exe*."
            - Executes dropped EXE
[1] C:\Windows\system32\cmd.exe (PID 980)
    cmdline: C:\Windows\system32\cmd.exe /c ymcrlwmbvjpkbhqw.exe .
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\ymcrlwmbvjpkbhqw.exe (PID 2284)
        cmdline: ymcrlwmbvjpkbhqw.exe .
        - Executes dropped EXE
        [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe (PID 3004)
            cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\ymcrlwmbvjpkbhqw.exe*."
            - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 6080)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exe
    [2] C:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exe (PID 1120)
        cmdline: C:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exe
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 3064)
    cmdline: C:\Windows\system32\cmd.exe /c meyrpeyrphrqlvisyvia.exe
    [2] C:\Windows\meyrpeyrphrqlvisyvia.exe (PID 1840)
        cmdline: meyrpeyrphrqlvisyvia.exe
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 5768)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe .
    [2] C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe (PID 5824)
        cmdline: C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe .
        - Executes dropped EXE
        [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe (PID 5612)
            cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\oewnjwofbrzwpxiqup.exe*."
            - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 3448)
    cmdline: C:\Windows\system32\cmd.exe /c fulbwizpkzgcublsv.exe .
    [2] C:\Windows\fulbwizpkzgcublsv.exe (PID 4716)
        cmdline: fulbwizpkzgcublsv.exe .
        - Executes dropped EXE
        [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe (PID 1364)
            cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\fulbwizpkzgcublsv.exe*."
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Executes dropped EXE
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification

[1] C:\Windows\system32\cmd.exe (PID 4740)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe
    [2] C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe (PID 2296)
        cmdline: C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 1020)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe .
    [2] C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe (PID 4636)
        cmdline: C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe .
        - Executes dropped EXE
        [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe (PID 4624)
            cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\oewnjwofbrzwpxiqup.exe*."
            - Executes dropped EXE
[1] C:\Windows\system32\cmd.exe (PID 1140)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe
    [2] C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe (PID 4000)
        cmdline: C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 6008)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe .
    [2] C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe (PID 4820)
        cmdline: C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe .
        - Executes dropped EXE
        [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe (PID 3520)
            cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\ymcrlwmbvjpkbhqw.exe*."
            - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 4632)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe
    [2] C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe (PID 6140)
        cmdline: C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 2164)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe .
    [2] C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe (PID 5292)
        cmdline: C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe .
        - Executes dropped EXE
        [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe (PID 2368)
            cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\oewnjwofbrzwpxiqup.exe*."
            - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 4868)
    cmdline: C:\Windows\system32\cmd.exe /c bupjiytnmfqqmxlwdbpid.exe
    [2] C:\Windows\bupjiytnmfqqmxlwdbpid.exe (PID 5728)
        cmdline: bupjiytnmfqqmxlwdbpid.exe
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 4996)
    cmdline: C:\Windows\system32\cmd.exe /c zqjbymfxulusmvhqvrd.exe .
    [2] C:\Windows\zqjbymfxulusmvhqvrd.exe (PID 4276)
        cmdline: zqjbymfxulusmvhqvrd.exe .
        - Executes dropped EXE
        [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe (PID 5040)
            cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\zqjbymfxulusmvhqvrd.exe*."
            - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 4912)
    cmdline: C:\Windows\system32\cmd.exe /c zqjbymfxulusmvhqvrd.exe
    [2] C:\Windows\zqjbymfxulusmvhqvrd.exe (PID 5160)
        cmdline: zqjbymfxulusmvhqvrd.exe
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 5048)
    cmdline: C:\Windows\system32\cmd.exe /c zqjbymfxulusmvhqvrd.exe .
    [2] C:\Windows\zqjbymfxulusmvhqvrd.exe (PID 5748)
        cmdline: zqjbymfxulusmvhqvrd.exe .
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe (PID 4900)
            cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\zqjbymfxulusmvhqvrd.exe*."
            - Executes dropped EXE
[1] C:\Windows\system32\cmd.exe (PID 388)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe
    [2] C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe (PID 5140)
        cmdline: C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 5112)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exe .
    [2] C:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exe (PID 2448)
        cmdline: C:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exe .
        - Executes dropped EXE
        [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe (PID 3588)
            cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\fulbwizpkzgcublsv.exe*."
            - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 432)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe
    [2] C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe (PID 4796)
        cmdline: C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 5296)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe .
    [2] C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe (PID 1532)
        cmdline: C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe .
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe (PID 5032)
            cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\zqjbymfxulusmvhqvrd.exe*."
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Executes dropped EXE
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification

[1] C:\Windows\system32\cmd.exe (PID 3464)
    cmdline: C:\Windows\system32\cmd.exe /c zqjbymfxulusmvhqvrd.exe
    [2] C:\Windows\zqjbymfxulusmvhqvrd.exe (PID 3360)
        cmdline: zqjbymfxulusmvhqvrd.exe
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 4684)
    cmdline: C:\Windows\system32\cmd.exe /c ymcrlwmbvjpkbhqw.exe .
    [2] C:\Windows\ymcrlwmbvjpkbhqw.exe (PID 3476)
        cmdline: ymcrlwmbvjpkbhqw.exe .
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe (PID 2320)
            cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\ymcrlwmbvjpkbhqw.exe*."
            - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 4452)
    cmdline: C:\Windows\system32\cmd.exe /c fulbwizpkzgcublsv.exe
    [2] C:\Windows\fulbwizpkzgcublsv.exe (PID 5640)
        cmdline: fulbwizpkzgcublsv.exe
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 2536)
    cmdline: C:\Windows\system32\cmd.exe /c meyrpeyrphrqlvisyvia.exe
    [2] C:\Windows\meyrpeyrphrqlvisyvia.exe (PID 5956)
        cmdline: meyrpeyrphrqlvisyvia.exe
        - Executes dropped EXE
[1] C:\Windows\system32\cmd.exe (PID 4788)
    cmdline: C:\Windows\system32\cmd.exe /c bupjiytnmfqqmxlwdbpid.exe .
    [2] C:\Windows\bupjiytnmfqqmxlwdbpid.exe (PID 2904)
        cmdline: bupjiytnmfqqmxlwdbpid.exe .
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe (PID 1256)
            cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\bupjiytnmfqqmxlwdbpid.exe*."
            - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 1816)
    cmdline: C:\Windows\system32\cmd.exe /c oewnjwofbrzwpxiqup.exe .
    [2] C:\Windows\oewnjwofbrzwpxiqup.exe (PID 908)
        cmdline: oewnjwofbrzwpxiqup.exe .
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe (PID 5652)
            cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\oewnjwofbrzwpxiqup.exe*."
            - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 5260)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exe
    [2] C:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exe (PID 4556)
        cmdline: C:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exe
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 5620)
    cmdline: C:\Windows\system32\cmd.exe /c ymcrlwmbvjpkbhqw.exe
    [2] C:\Windows\ymcrlwmbvjpkbhqw.exe (PID 480)
        cmdline: ymcrlwmbvjpkbhqw.exe
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 2596)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe .
    [2] C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe (PID 5572)
        cmdline: C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe .
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe (PID 5580)
            cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\oewnjwofbrzwpxiqup.exe*."

[1] C:\Windows\system32\cmd.exe (PID 5916)
    cmdline: C:\Windows\system32\cmd.exe /c oewnjwofbrzwpxiqup.exe
    [2] C:\Windows\oewnjwofbrzwpxiqup.exe (PID 1860)
        cmdline: oewnjwofbrzwpxiqup.exe
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 4056)
    cmdline: C:\Windows\system32\cmd.exe /c oewnjwofbrzwpxiqup.exe .
    [2] C:\Windows\oewnjwofbrzwpxiqup.exe (PID 2696)
        cmdline: oewnjwofbrzwpxiqup.exe .
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe (PID 1400)
            cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\oewnjwofbrzwpxiqup.exe*."

[1] C:\Windows\system32\cmd.exe (PID 6080)
    cmdline: C:\Windows\system32\cmd.exe /c fulbwizpkzgcublsv.exe .
    [2] C:\Windows\fulbwizpkzgcublsv.exe (PID 2388)
        cmdline: fulbwizpkzgcublsv.exe .
        [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe (PID 1548)
            cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\fulbwizpkzgcublsv.exe*."
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification
[1] C:\Windows\system32\cmd.exe (PID 956)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe
    [2] C:\Windows\System32\Conhost.exe (PID 1840)
        cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    [2] C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe (PID 3444)
        cmdline: C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe

[1] C:\Windows\system32\cmd.exe (PID 1072)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exe
    [2] C:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exe (PID 3900)
        cmdline: C:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exe

[1] C:\Windows\system32\cmd.exe (PID 6016)
    cmdline: C:\Windows\system32\cmd.exe /c oewnjwofbrzwpxiqup.exe
    [2] C:\Windows\oewnjwofbrzwpxiqup.exe (PID 656)
        cmdline: oewnjwofbrzwpxiqup.exe

[1] C:\Windows\system32\cmd.exe (PID 5400)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe .
    [2] C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe (PID 4212)
        cmdline: C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe .
        [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe (PID 436)
            cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\meyrpeyrphrqlvisyvia.exe*."

[1] C:\Windows\system32\cmd.exe (PID 3496)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe .
    [2] C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe (PID 1192)
        cmdline: C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe .
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe (PID 2312)
            cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\zqjbymfxulusmvhqvrd.exe*."

[1] C:\Windows\system32\cmd.exe (PID 2500)
    cmdline: C:\Windows\system32\cmd.exe /c fulbwizpkzgcublsv.exe .
    [2] C:\Windows\fulbwizpkzgcublsv.exe (PID 4408)
        cmdline: fulbwizpkzgcublsv.exe .
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe (PID 456)
            cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\fulbwizpkzgcublsv.exe*."

[1] C:\Windows\system32\cmd.exe (PID 2300)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe
    [2] C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe (PID 1432)
        cmdline: C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe

[1] C:\Windows\system32\cmd.exe (PID 3660)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe .
    [2] C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe (PID 2956)
        cmdline: C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe .
        [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe (PID 4728)
            cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\zqjbymfxulusmvhqvrd.exe*."

[1] C:\Windows\system32\cmd.exe (PID 4732)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exe
    [2] C:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exe (PID 4656)
        cmdline: C:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exe

[1] C:\Windows\system32\cmd.exe (PID 4948)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exe .
    [2] C:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exe (PID 2424)
        cmdline: C:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exe .
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe (PID 396)
            cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\fulbwizpkzgcublsv.exe*."

[1] C:\Windows\system32\cmd.exe (PID 2728)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe
    [2] C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe (PID 1980)
        cmdline: C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe

[1] C:\Windows\system32\cmd.exe (PID 3520)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe .
    [2] C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe (PID 3308)
        cmdline: C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe .
        [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe (PID 5008)
            cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\ymcrlwmbvjpkbhqw.exe*."

[1] C:\Windows\system32\cmd.exe (PID 5720)
    cmdline: C:\Windows\system32\cmd.exe /c ymcrlwmbvjpkbhqw.exe
-
C:\Windows\ymcrlwmbvjpkbhqw.exeymcrlwmbvjpkbhqw.exe2⤵PID:4920
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ymcrlwmbvjpkbhqw.exe .1⤵PID:4872
-
C:\Windows\ymcrlwmbvjpkbhqw.exeymcrlwmbvjpkbhqw.exe .2⤵PID:5096
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\ymcrlwmbvjpkbhqw.exe*."3⤵PID:4896
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c meyrpeyrphrqlvisyvia.exe1⤵PID:5272
-
C:\Windows\meyrpeyrphrqlvisyvia.exemeyrpeyrphrqlvisyvia.exe2⤵PID:6120
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oewnjwofbrzwpxiqup.exe .1⤵PID:8
-
C:\Windows\oewnjwofbrzwpxiqup.exeoewnjwofbrzwpxiqup.exe .2⤵PID:5600
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\oewnjwofbrzwpxiqup.exe*."3⤵PID:5100
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exe1⤵PID:560
-
C:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exeC:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exe2⤵PID:1128
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe .1⤵PID:5104
-
C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exeC:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe .2⤵PID:2448
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\oewnjwofbrzwpxiqup.exe*."3⤵PID:4348
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe1⤵PID:1392
-
C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exeC:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe2⤵PID:5812
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe .1⤵PID:432
-
C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exeC:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3528 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\bupjiytnmfqqmxlwdbpid.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4492
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c meyrpeyrphrqlvisyvia.exe1⤵PID:2420
-
C:\Windows\meyrpeyrphrqlvisyvia.exemeyrpeyrphrqlvisyvia.exe2⤵PID:3760
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oewnjwofbrzwpxiqup.exe .1⤵PID:4060
-
C:\Windows\oewnjwofbrzwpxiqup.exeoewnjwofbrzwpxiqup.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3720 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\oewnjwofbrzwpxiqup.exe*."3⤵PID:2320
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oewnjwofbrzwpxiqup.exe1⤵PID:3324
-
C:\Windows\oewnjwofbrzwpxiqup.exeoewnjwofbrzwpxiqup.exe2⤵PID:3068
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zqjbymfxulusmvhqvrd.exe .1⤵PID:3276
-
C:\Windows\zqjbymfxulusmvhqvrd.exezqjbymfxulusmvhqvrd.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4116 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\zqjbymfxulusmvhqvrd.exe*."3⤵PID:4416
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exe1⤵PID:3628
-
C:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exeC:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exe2⤵PID:4924
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe .1⤵PID:4556
-
C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exeC:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe .2⤵PID:2220
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\meyrpeyrphrqlvisyvia.exe*."3⤵PID:232
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe1⤵PID:5656
-
C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exeC:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe2⤵PID:5988
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe .1⤵PID:1172
-
C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exeC:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2024 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\oewnjwofbrzwpxiqup.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4172
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zqjbymfxulusmvhqvrd.exe1⤵PID:2632
-
C:\Windows\zqjbymfxulusmvhqvrd.exezqjbymfxulusmvhqvrd.exe2⤵PID:1900
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oewnjwofbrzwpxiqup.exe .1⤵PID:5264
-
C:\Windows\oewnjwofbrzwpxiqup.exeoewnjwofbrzwpxiqup.exe .2⤵PID:3468
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\oewnjwofbrzwpxiqup.exe*."3⤵PID:4764
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zqjbymfxulusmvhqvrd.exe1⤵PID:2268
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1400
-
-
C:\Windows\zqjbymfxulusmvhqvrd.exezqjbymfxulusmvhqvrd.exe2⤵PID:3084
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ymcrlwmbvjpkbhqw.exe .1⤵PID:5688
-
C:\Windows\ymcrlwmbvjpkbhqw.exeymcrlwmbvjpkbhqw.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1576 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\ymcrlwmbvjpkbhqw.exe*."3⤵PID:5700
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe1⤵PID:1656
-
C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exeC:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe2⤵PID:656
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe .1⤵PID:2272
-
C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exeC:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe .2⤵PID:3064
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\zqjbymfxulusmvhqvrd.exe*."3⤵PID:2020
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe1⤵PID:5888
-
C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exeC:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe2⤵PID:2772
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe .1⤵PID:4736
-
C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exeC:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5276 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\oewnjwofbrzwpxiqup.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2308
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fulbwizpkzgcublsv.exe1⤵PID:916
-
C:\Windows\fulbwizpkzgcublsv.exefulbwizpkzgcublsv.exe2⤵PID:6060
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fulbwizpkzgcublsv.exe .1⤵PID:5340
-
C:\Windows\fulbwizpkzgcublsv.exefulbwizpkzgcublsv.exe .2⤵PID:3492
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\fulbwizpkzgcublsv.exe*."3⤵PID:5828
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zqjbymfxulusmvhqvrd.exe1⤵PID:5136
-
C:\Windows\zqjbymfxulusmvhqvrd.exezqjbymfxulusmvhqvrd.exe2⤵PID:2108
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oewnjwofbrzwpxiqup.exe .1⤵PID:1980
-
C:\Windows\oewnjwofbrzwpxiqup.exeoewnjwofbrzwpxiqup.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3524 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\oewnjwofbrzwpxiqup.exe*."3⤵PID:1908
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exe1⤵PID:5304
-
C:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exeC:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exe2⤵PID:2860
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe .1⤵PID:5252
-
C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exeC:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe .2⤵PID:4288
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\ymcrlwmbvjpkbhqw.exe*."3⤵PID:4948
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe1⤵PID:1384
-
C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exeC:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe2⤵PID:4916
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe .1⤵PID:4888
-
C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exeC:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe .2⤵PID:5040
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\zqjbymfxulusmvhqvrd.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4876
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zqjbymfxulusmvhqvrd.exe1⤵PID:2780
-
C:\Windows\zqjbymfxulusmvhqvrd.exezqjbymfxulusmvhqvrd.exe2⤵PID:4444
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fulbwizpkzgcublsv.exe .1⤵PID:4248
-
C:\Windows\fulbwizpkzgcublsv.exefulbwizpkzgcublsv.exe .2⤵
- System Location Discovery: System Language Discovery
PID:388 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\fulbwizpkzgcublsv.exe*."3⤵PID:5052
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oewnjwofbrzwpxiqup.exe1⤵PID:3040
-
C:\Windows\oewnjwofbrzwpxiqup.exeoewnjwofbrzwpxiqup.exe2⤵PID:2428
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oewnjwofbrzwpxiqup.exe .1⤵PID:4344
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2448
-
-
C:\Windows\oewnjwofbrzwpxiqup.exeoewnjwofbrzwpxiqup.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5048 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\oewnjwofbrzwpxiqup.exe*."3⤵PID:132
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe1⤵PID:1100
-
C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exeC:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe2⤵PID:1736
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe .1⤵PID:4224
-
C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exeC:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3856 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\meyrpeyrphrqlvisyvia.exe*."3⤵PID:5296
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe1⤵PID:4228
-
C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exeC:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe2⤵PID:4048
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exe .1⤵PID:3812
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3360
-
-
C:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exeC:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exe .2⤵PID:4168
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\fulbwizpkzgcublsv.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5132
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oewnjwofbrzwpxiqup.exe1⤵PID:5640
-
C:\Windows\oewnjwofbrzwpxiqup.exeoewnjwofbrzwpxiqup.exe2⤵PID:4684
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oewnjwofbrzwpxiqup.exe .1⤵PID:4060
-
C:\Windows\oewnjwofbrzwpxiqup.exeoewnjwofbrzwpxiqup.exe .2⤵PID:2440
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\oewnjwofbrzwpxiqup.exe*."3⤵PID:4236
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fulbwizpkzgcublsv.exe1⤵PID:6056
-
C:\Windows\fulbwizpkzgcublsv.exefulbwizpkzgcublsv.exe2⤵PID:3352
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c meyrpeyrphrqlvisyvia.exe .1⤵PID:2752
-
C:\Windows\meyrpeyrphrqlvisyvia.exemeyrpeyrphrqlvisyvia.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5260 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\meyrpeyrphrqlvisyvia.exe*."3⤵PID:1808
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe1⤵PID:4928
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4556
-
-
C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exeC:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe2⤵PID:2788
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe .1⤵PID:6064
-
C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exeC:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe .2⤵PID:5652
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\zqjbymfxulusmvhqvrd.exe*."3⤵PID:1172
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe1⤵PID:1596
-
C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exeC:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe2⤵PID:2080
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe .1⤵PID:5572
-
C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exeC:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4720 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\zqjbymfxulusmvhqvrd.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2696
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bupjiytnmfqqmxlwdbpid.exe1⤵PID:1872
-
C:\Windows\bupjiytnmfqqmxlwdbpid.exebupjiytnmfqqmxlwdbpid.exe2⤵PID:1936
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bupjiytnmfqqmxlwdbpid.exe .1⤵PID:2156
-
C:\Windows\bupjiytnmfqqmxlwdbpid.exebupjiytnmfqqmxlwdbpid.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1576 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\bupjiytnmfqqmxlwdbpid.exe*."3⤵PID:4056
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oewnjwofbrzwpxiqup.exe1⤵PID:2388
-
C:\Windows\oewnjwofbrzwpxiqup.exeoewnjwofbrzwpxiqup.exe2⤵PID:5284
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zqjbymfxulusmvhqvrd.exe .1⤵PID:5616
-
C:\Windows\zqjbymfxulusmvhqvrd.exezqjbymfxulusmvhqvrd.exe .2⤵PID:4272
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\zqjbymfxulusmvhqvrd.exe*."3⤵PID:5888
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe1⤵PID:1040
-
C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exeC:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe2⤵PID:5268
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe .1⤵PID:4172
-
C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exeC:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4740 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\bupjiytnmfqqmxlwdbpid.exe*."3⤵PID:5512
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ymcrlwmbvjpkbhqw.exe1⤵PID:5276
-
C:\Windows\ymcrlwmbvjpkbhqw.exeymcrlwmbvjpkbhqw.exe2⤵PID:2312
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ymcrlwmbvjpkbhqw.exe .1⤵PID:2276
-
C:\Windows\ymcrlwmbvjpkbhqw.exeymcrlwmbvjpkbhqw.exe .2⤵PID:2912
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\ymcrlwmbvjpkbhqw.exe*."3⤵PID:4052
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe1⤵PID:720
-
C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exeC:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe2⤵PID:5788
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fulbwizpkzgcublsv.exe1⤵PID:5124
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2108
-
-
C:\Windows\fulbwizpkzgcublsv.exefulbwizpkzgcublsv.exe2⤵PID:2728
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe .1⤵PID:5256
-
C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exeC:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1972 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\bupjiytnmfqqmxlwdbpid.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5732
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oewnjwofbrzwpxiqup.exe1⤵PID:2860
-
C:\Windows\oewnjwofbrzwpxiqup.exeoewnjwofbrzwpxiqup.exe2⤵PID:3028
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bupjiytnmfqqmxlwdbpid.exe .1⤵PID:4864
-
C:\Windows\bupjiytnmfqqmxlwdbpid.exebupjiytnmfqqmxlwdbpid.exe .2⤵PID:108
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\bupjiytnmfqqmxlwdbpid.exe*."3⤵PID:4976
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zqjbymfxulusmvhqvrd.exe .1⤵PID:4600
-
C:\Windows\zqjbymfxulusmvhqvrd.exezqjbymfxulusmvhqvrd.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5416 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\zqjbymfxulusmvhqvrd.exe*."3⤵PID:5272
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe1⤵PID:4420
-
C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exeC:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe2⤵PID:3952
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe .1⤵PID:2952
-
C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exeC:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1672 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\ymcrlwmbvjpkbhqw.exe*."3⤵PID:4456
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c meyrpeyrphrqlvisyvia.exe1⤵PID:5040
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5008
-
-
C:\Windows\meyrpeyrphrqlvisyvia.exemeyrpeyrphrqlvisyvia.exe2⤵PID:388
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bupjiytnmfqqmxlwdbpid.exe .1⤵PID:5232
-
C:\Windows\bupjiytnmfqqmxlwdbpid.exebupjiytnmfqqmxlwdbpid.exe .2⤵PID:1736
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\bupjiytnmfqqmxlwdbpid.exe*."3⤵PID:5844
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe1⤵PID:5748
-
C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exeC:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe2⤵PID:6108
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe1⤵PID:4336
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2428
-
-
C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exeC:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe2⤵PID:2360
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe .1⤵PID:3020
-
C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exeC:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe .2⤵PID:2288
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\zqjbymfxulusmvhqvrd.exe*."3⤵PID:3776
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oewnjwofbrzwpxiqup.exe1⤵PID:1392
-
C:\Windows\oewnjwofbrzwpxiqup.exeoewnjwofbrzwpxiqup.exe2⤵PID:3748
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe .1⤵PID:4348
-
C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exeC:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5940 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\bupjiytnmfqqmxlwdbpid.exe*."3⤵PID:3812
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bupjiytnmfqqmxlwdbpid.exe .1⤵PID:2720
-
C:\Windows\bupjiytnmfqqmxlwdbpid.exebupjiytnmfqqmxlwdbpid.exe .2⤵PID:3360
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\bupjiytnmfqqmxlwdbpid.exe*."3⤵PID:5636
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe1⤵PID:2256
-
C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exeC:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe2⤵PID:1540
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe .1⤵PID:3016
-
C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exeC:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe .2⤵PID:4416
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\zqjbymfxulusmvhqvrd.exe*."3⤵PID:4788
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ymcrlwmbvjpkbhqw.exe1⤵PID:2904
-
C:\Windows\ymcrlwmbvjpkbhqw.exeymcrlwmbvjpkbhqw.exe2⤵PID:4924
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c meyrpeyrphrqlvisyvia.exe .1⤵PID:3352
-
C:\Windows\meyrpeyrphrqlvisyvia.exemeyrpeyrphrqlvisyvia.exe .2⤵PID:4776
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\meyrpeyrphrqlvisyvia.exe*."3⤵PID:5960
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe1⤵PID:2788
-
C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exeC:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe2⤵PID:5624
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe .1⤵PID:2700
-
C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exeC:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe .2⤵PID:5280
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\ymcrlwmbvjpkbhqw.exe*."3⤵PID:1012
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe1⤵PID:5916
-
C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exeC:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe2⤵PID:1668
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe .1⤵PID:1356
-
C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exeC:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5924 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\bupjiytnmfqqmxlwdbpid.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4152
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fulbwizpkzgcublsv.exe1⤵PID:2908
-
C:\Windows\fulbwizpkzgcublsv.exefulbwizpkzgcublsv.exe2⤵PID:792
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ymcrlwmbvjpkbhqw.exe .1⤵PID:1936
-
C:\Windows\ymcrlwmbvjpkbhqw.exeymcrlwmbvjpkbhqw.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1592 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\ymcrlwmbvjpkbhqw.exe*."3⤵PID:2156
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fulbwizpkzgcublsv.exe1⤵PID:2556
-
Process tree (continued). Each line gives the tree depth in brackets, the image path, the command line and the PID; sandbox signatures are listed under the process that triggered them.

  [2] C:\Windows\fulbwizpkzgcublsv.exe  cmdline: fulbwizpkzgcublsv.exe  PID 4596

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c meyrpeyrphrqlvisyvia.exe .  PID 1432
  [2] C:\Windows\meyrpeyrphrqlvisyvia.exe  cmdline: meyrpeyrphrqlvisyvia.exe .  PID 2388
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\meyrpeyrphrqlvisyvia.exe*."  PID 2240

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe  PID 4272
  [2] C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe  PID 744

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe .  PID 6016
  [2] C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe .  PID 4644
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\meyrpeyrphrqlvisyvia.exe*."  PID 2560

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exe  PID 952
  [2] C:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exe  PID 1660

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe .  PID 1640
  [2] C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe .  PID 4660
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\zqjbymfxulusmvhqvrd.exe*."  PID 2912
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification
[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c meyrpeyrphrqlvisyvia.exe  PID 5696
  [2] C:\Windows\meyrpeyrphrqlvisyvia.exe  cmdline: meyrpeyrphrqlvisyvia.exe  PID 2008

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c meyrpeyrphrqlvisyvia.exe .  PID 2844
  [2] C:\Windows\System32\Conhost.exe  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  PID 2728
  [2] C:\Windows\meyrpeyrphrqlvisyvia.exe  cmdline: meyrpeyrphrqlvisyvia.exe .  PID 3108
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\meyrpeyrphrqlvisyvia.exe*."  PID 5728

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c fulbwizpkzgcublsv.exe  PID 3028
  [2] C:\Windows\fulbwizpkzgcublsv.exe  cmdline: fulbwizpkzgcublsv.exe  PID 2828

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c oewnjwofbrzwpxiqup.exe .  PID 4828
  [2] C:\Windows\oewnjwofbrzwpxiqup.exe  cmdline: oewnjwofbrzwpxiqup.exe .  PID 4728
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\oewnjwofbrzwpxiqup.exe*."  PID 4204

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exe  PID 4852
  [2] C:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exe  PID 5904

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe .  PID 2816
  [2] C:\Windows\System32\Conhost.exe  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  PID 5096
  [2] C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe .  PID 3308
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\bupjiytnmfqqmxlwdbpid.exe*."  PID 5052

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe  PID 568
  [2] C:\Windows\System32\Conhost.exe  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  PID 5272
  [2] C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe  PID 4604

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe .  PID 8
  [2] C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe .  PID 4276
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\zqjbymfxulusmvhqvrd.exe*."  PID 1864
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification
[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c bupjiytnmfqqmxlwdbpid.exe  PID 1412
  [2] C:\Windows\bupjiytnmfqqmxlwdbpid.exe  cmdline: bupjiytnmfqqmxlwdbpid.exe  PID 5232

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c zqjbymfxulusmvhqvrd.exe .  PID 4640
  [2] C:\Windows\zqjbymfxulusmvhqvrd.exe  cmdline: zqjbymfxulusmvhqvrd.exe .  PID 4232
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\zqjbymfxulusmvhqvrd.exe*."  PID 880

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c meyrpeyrphrqlvisyvia.exe  PID 3528
  [2] C:\Windows\meyrpeyrphrqlvisyvia.exe  cmdline: meyrpeyrphrqlvisyvia.exe  PID 4296

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c ymcrlwmbvjpkbhqw.exe .  PID 5908
  [2] C:\Windows\ymcrlwmbvjpkbhqw.exe  cmdline: ymcrlwmbvjpkbhqw.exe .  PID 1876
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\ymcrlwmbvjpkbhqw.exe*."  PID 3880

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe  PID 6020
  [2] C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe  PID 3372

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe .  PID 4868
  [2] C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe .  PID 4060
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\meyrpeyrphrqlvisyvia.exe*."  PID 3628

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe  PID 5640
  [2] C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe  PID 4464

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe .  PID 5704
  [2] C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe .  PID 5624
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\bupjiytnmfqqmxlwdbpid.exe*."  PID 4776
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification
[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c zqjbymfxulusmvhqvrd.exe  PID 2868
  [2] C:\Windows\zqjbymfxulusmvhqvrd.exe  cmdline: zqjbymfxulusmvhqvrd.exe  PID 1316

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c oewnjwofbrzwpxiqup.exe .  PID 2396
  [2] C:\Windows\oewnjwofbrzwpxiqup.exe  cmdline: oewnjwofbrzwpxiqup.exe .  PID 1808
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\oewnjwofbrzwpxiqup.exe*."  PID 3240

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c fulbwizpkzgcublsv.exe  PID 1836
  [2] C:\Windows\fulbwizpkzgcublsv.exe  cmdline: fulbwizpkzgcublsv.exe  PID 4440

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c meyrpeyrphrqlvisyvia.exe .  PID 2504
  [2] C:\Windows\meyrpeyrphrqlvisyvia.exe  cmdline: meyrpeyrphrqlvisyvia.exe .  PID 1356
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\meyrpeyrphrqlvisyvia.exe*."  PID 5860

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe  PID 5772
  [2] C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe  PID 3300

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe .  PID 2596
  [2] C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe .  PID 4300
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\bupjiytnmfqqmxlwdbpid.exe*."  PID 872

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe  PID 4748
  [2] C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe  PID 656

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe .  PID 1840
  [2] C:\Windows\System32\Conhost.exe  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  PID 1576
  [2] C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe .  PID 1604
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\meyrpeyrphrqlvisyvia.exe*."  PID 6136
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c zqjbymfxulusmvhqvrd.exe  PID 2020
  [2] C:\Windows\zqjbymfxulusmvhqvrd.exe  cmdline: zqjbymfxulusmvhqvrd.exe  PID 5476

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c fulbwizpkzgcublsv.exe .  PID 4644
  [2] C:\Windows\fulbwizpkzgcublsv.exe  cmdline: fulbwizpkzgcublsv.exe .  PID 4504
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\fulbwizpkzgcublsv.exe*."  PID 1192

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c bupjiytnmfqqmxlwdbpid.exe  PID 2656
  [2] C:\Windows\bupjiytnmfqqmxlwdbpid.exe  cmdline: bupjiytnmfqqmxlwdbpid.exe  PID 5972

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c meyrpeyrphrqlvisyvia.exe .  PID 4676
  [2] C:\Windows\System32\Conhost.exe  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  PID 3492
  [2] C:\Windows\meyrpeyrphrqlvisyvia.exe  cmdline: meyrpeyrphrqlvisyvia.exe .  PID 2732
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\meyrpeyrphrqlvisyvia.exe*."  PID 2328

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe  PID 1640
  [2] C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe  PID 1140

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe .  PID 3504
  [2] C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe .  PID 1096
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\meyrpeyrphrqlvisyvia.exe*."  PID 4820

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exe  PID 2548
  [2] C:\Windows\System32\Conhost.exe  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  PID 5728
  [2] C:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exe  PID 2696

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe .  PID 1920
  [2] C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe .  PID 5136
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\meyrpeyrphrqlvisyvia.exe*."  PID 4948
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - System policy modification
[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c zqjbymfxulusmvhqvrd.exe  PID 4988
  [2] C:\Windows\zqjbymfxulusmvhqvrd.exe  cmdline: zqjbymfxulusmvhqvrd.exe  PID 4900

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c meyrpeyrphrqlvisyvia.exe .  PID 4604
  [2] C:\Windows\meyrpeyrphrqlvisyvia.exe  cmdline: meyrpeyrphrqlvisyvia.exe .  PID 1128
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\meyrpeyrphrqlvisyvia.exe*."  PID 4456

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c ymcrlwmbvjpkbhqw.exe  PID 5056
  [2] C:\Windows\ymcrlwmbvjpkbhqw.exe  cmdline: ymcrlwmbvjpkbhqw.exe  PID 1036

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c ymcrlwmbvjpkbhqw.exe .  PID 5672
  [2] C:\Windows\ymcrlwmbvjpkbhqw.exe  cmdline: ymcrlwmbvjpkbhqw.exe .  PID 1360
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\ymcrlwmbvjpkbhqw.exe*."  PID 3836

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe  PID 5140
  [2] C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe  PID 5812

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe .  PID 1616
  [2] C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe .  PID 4912
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\meyrpeyrphrqlvisyvia.exe*."  PID 5108

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c meyrpeyrphrqlvisyvia.exe  PID 2824
  [2] C:\Windows\meyrpeyrphrqlvisyvia.exe  cmdline: meyrpeyrphrqlvisyvia.exe  PID 4640

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe  PID 4048
  [2] C:\Windows\System32\Conhost.exe  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  PID 5048
  [2] C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe  PID 432

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c fulbwizpkzgcublsv.exe .  PID 3528
  [2] C:\Windows\fulbwizpkzgcublsv.exe  cmdline: fulbwizpkzgcublsv.exe .  PID 6020
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\fulbwizpkzgcublsv.exe*."  PID 760
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification
[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe .  PID 3360
  [2] C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe .  PID 3592
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\ymcrlwmbvjpkbhqw.exe*."  PID 3856

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c fulbwizpkzgcublsv.exe  PID 2356
  [2] C:\Windows\fulbwizpkzgcublsv.exe  cmdline: fulbwizpkzgcublsv.exe  PID 5656

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c oewnjwofbrzwpxiqup.exe  PID 1716
  [2] C:\Windows\System32\Conhost.exe  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  PID 4876
  [2] C:\Windows\oewnjwofbrzwpxiqup.exe  cmdline: oewnjwofbrzwpxiqup.exe  PID 5704

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c ymcrlwmbvjpkbhqw.exe .  PID 4788
  [2] C:\Windows\ymcrlwmbvjpkbhqw.exe  cmdline: ymcrlwmbvjpkbhqw.exe .  PID 3116
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\ymcrlwmbvjpkbhqw.exe*."  PID 3468

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c fulbwizpkzgcublsv.exe .  PID 4236
  [2] C:\Windows\fulbwizpkzgcublsv.exe  cmdline: fulbwizpkzgcublsv.exe .  PID 4492
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\fulbwizpkzgcublsv.exe*."  PID 2948

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe  PID 3408
  [2] C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe  PID 5308

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exe .  PID 5068
  [2] C:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exe .  PID 5572
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\fulbwizpkzgcublsv.exe*."  PID 4708
[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c fulbwizpkzgcublsv.exe  PID 1172
  [2] C:\Windows\fulbwizpkzgcublsv.exe  cmdline: fulbwizpkzgcublsv.exe  PID 3668

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c oewnjwofbrzwpxiqup.exe  PID 2700
  [2] C:\Windows\oewnjwofbrzwpxiqup.exe  cmdline: oewnjwofbrzwpxiqup.exe  PID 3052

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c meyrpeyrphrqlvisyvia.exe .  PID 1244
  [2] C:\Windows\meyrpeyrphrqlvisyvia.exe  cmdline: meyrpeyrphrqlvisyvia.exe .  PID 4424
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\meyrpeyrphrqlvisyvia.exe*."  PID 3064

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c ymcrlwmbvjpkbhqw.exe .  PID 6052
  [2] C:\Windows\ymcrlwmbvjpkbhqw.exe  cmdline: ymcrlwmbvjpkbhqw.exe .  PID 1604
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\ymcrlwmbvjpkbhqw.exe*."  PID 784

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe  PID 5336
  [2] C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe  PID 1636

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe  PID 1940
  [2] C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe  PID 4408

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe .  PID 5740
  [2] C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe .  PID 1660
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\zqjbymfxulusmvhqvrd.exe*."  PID 2500

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe .  PID 1872
  [2] C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe .  PID 4272
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\bupjiytnmfqqmxlwdbpid.exe*."  PID 1168
[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c meyrpeyrphrqlvisyvia.exe  PID 3164
  [2] C:\Windows\meyrpeyrphrqlvisyvia.exe  cmdline: meyrpeyrphrqlvisyvia.exe  PID 4504

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c fulbwizpkzgcublsv.exe .  PID 744
  [2] C:\Windows\System32\Conhost.exe  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  PID 5888
  [2] C:\Windows\fulbwizpkzgcublsv.exe  cmdline: fulbwizpkzgcublsv.exe .  PID 5332
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\fulbwizpkzgcublsv.exe*."  PID 4820

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe  PID 4644
  [2] C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe  PID 6008

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe  PID 5612
  [2] C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe  PID 720

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe .  PID 3740
  [2] C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe .  PID 5124
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\ymcrlwmbvjpkbhqw.exe*."  PID 1384

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe .  PID 2940
  [2] C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe .  PID 1456
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\bupjiytnmfqqmxlwdbpid.exe*."  PID 5284

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe  PID 5904
  [2] C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe  PID 5028

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe .  PID 2828
  [2] C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe .  PID 5256
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\zqjbymfxulusmvhqvrd.exe*."  PID 560
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification
[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c oewnjwofbrzwpxiqup.exe  PID 4204
  [2] C:\Windows\oewnjwofbrzwpxiqup.exe  cmdline: oewnjwofbrzwpxiqup.exe  PID 5976

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c ymcrlwmbvjpkbhqw.exe .  PID 1832
  [2] C:\Windows\ymcrlwmbvjpkbhqw.exe  cmdline: ymcrlwmbvjpkbhqw.exe .  PID 5344
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\ymcrlwmbvjpkbhqw.exe*."  PID 8

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c meyrpeyrphrqlvisyvia.exe  PID 3696
  [2] C:\Windows\meyrpeyrphrqlvisyvia.exe  cmdline: meyrpeyrphrqlvisyvia.exe  PID 3040

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c fulbwizpkzgcublsv.exe .  PID 1624
  [2] C:\Windows\fulbwizpkzgcublsv.exe  cmdline: fulbwizpkzgcublsv.exe .  PID 4336
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\fulbwizpkzgcublsv.exe*."  PID 548

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe  PID 5856
  [2] C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe  PID 6024

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exe .  PID 4248
  [2] C:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exe .  PID 4620
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\fulbwizpkzgcublsv.exe*."  PID 1340

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe  PID 3924
  [2] C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe  PID 4580

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe .  PID 432
  [2] C:\Windows\System32\Conhost.exe  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  PID 4296
  [2] C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe .  PID 684
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\oewnjwofbrzwpxiqup.exe*."  PID 1876
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification
[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c ymcrlwmbvjpkbhqw.exe  PID 5708
  [2] C:\Windows\ymcrlwmbvjpkbhqw.exe  cmdline: ymcrlwmbvjpkbhqw.exe  PID 4404

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c zqjbymfxulusmvhqvrd.exe .  PID 3324
  [2] C:\Windows\zqjbymfxulusmvhqvrd.exe  cmdline: zqjbymfxulusmvhqvrd.exe .  PID 5624
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\zqjbymfxulusmvhqvrd.exe*."  PID 3564

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c zqjbymfxulusmvhqvrd.exe  PID 4664
  [2] C:\Windows\zqjbymfxulusmvhqvrd.exe  cmdline: zqjbymfxulusmvhqvrd.exe  PID 4868

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c ymcrlwmbvjpkbhqw.exe .  PID 2348
  [2] C:\Windows\ymcrlwmbvjpkbhqw.exe  cmdline: ymcrlwmbvjpkbhqw.exe .  PID 3316
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\ymcrlwmbvjpkbhqw.exe*."  PID 2632

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe  PID 2392
  [2] C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe  PID 5280

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe .  PID 5608
  [2] C:\Windows\System32\Conhost.exe  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  PID 3300
  [2] C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe .  PID 2192
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\zqjbymfxulusmvhqvrd.exe*."  PID 2176

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe  PID 1496
  [2] C:\Windows\System32\Conhost.exe  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  PID 4464
  [2] C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe  PID 1668

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe .  PID 5116
  [2] C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe .  PID 980
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\zqjbymfxulusmvhqvrd.exe*."  PID 5068
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - System policy modification
[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c ymcrlwmbvjpkbhqw.exe  PID 1088
  [2] C:\Windows\ymcrlwmbvjpkbhqw.exe  cmdline: ymcrlwmbvjpkbhqw.exe  PID 5964

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c bupjiytnmfqqmxlwdbpid.exe .  PID 2272
  [2] C:\Windows\bupjiytnmfqqmxlwdbpid.exe  cmdline: bupjiytnmfqqmxlwdbpid.exe .  PID 2228
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\bupjiytnmfqqmxlwdbpid.exe*."  PID 5644

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c fulbwizpkzgcublsv.exe  PID 5860
  [2] C:\Windows\fulbwizpkzgcublsv.exe  cmdline: fulbwizpkzgcublsv.exe  PID 1604

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c ymcrlwmbvjpkbhqw.exe .  PID 4856
  [2] C:\Windows\ymcrlwmbvjpkbhqw.exe  cmdline: ymcrlwmbvjpkbhqw.exe .  PID 3648
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\ymcrlwmbvjpkbhqw.exe*."  PID 2020

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe  PID 5772
  [2] C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe  PID 456

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe .  PID 4052
  [2] C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe .  PID 2152
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\ymcrlwmbvjpkbhqw.exe*."  PID 2368

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe  PID 3504
  [2] C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe  PID 5612

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe .  PID 4136
  [2] C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe .  PID 5396
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\meyrpeyrphrqlvisyvia.exe*."  PID 5436
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification
[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c oewnjwofbrzwpxiqup.exe  PID 4012
  [2] C:\Windows\oewnjwofbrzwpxiqup.exe  cmdline: oewnjwofbrzwpxiqup.exe  PID 4920

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c ymcrlwmbvjpkbhqw.exe .  PID 4732
  [2] C:\Windows\ymcrlwmbvjpkbhqw.exe  cmdline: ymcrlwmbvjpkbhqw.exe .  PID 1112
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\ymcrlwmbvjpkbhqw.exe*."  PID 2276

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c fulbwizpkzgcublsv.exe  PID 2084
  [2] C:\Windows\fulbwizpkzgcublsv.exe  cmdline: fulbwizpkzgcublsv.exe  PID 5136

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c meyrpeyrphrqlvisyvia.exe .  PID 3952
  [2] C:\Windows\System32\Conhost.exe  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  PID 5904
  [2] C:\Windows\meyrpeyrphrqlvisyvia.exe  cmdline: meyrpeyrphrqlvisyvia.exe .  PID 5712
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\meyrpeyrphrqlvisyvia.exe*."  PID 4900

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe  PID 4328
  [2] C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe  cmdline: C:\Users\Adm
in\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe  PID 4932

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe .  PID 4980
  [2] C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe .  PID 4992
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\bupjiytnmfqqmxlwdbpid.exe*."  PID 4276

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe  PID 4880
  [2] C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe  PID 4864

[1] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe .  PID 1036
  [2] C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe .  PID 5792
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\oewnjwofbrzwpxiqup.exe*."  PID 5036
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
C:\Windows\system32\cmd.exe  PID 4796  cmdline: C:\Windows\system32\cmd.exe /c oewnjwofbrzwpxiqup.exe
  C:\Windows\oewnjwofbrzwpxiqup.exe  PID 4760  cmdline: oewnjwofbrzwpxiqup.exe

C:\Windows\system32\cmd.exe  PID 2004  cmdline: C:\Windows\system32\cmd.exe /c fulbwizpkzgcublsv.exe .
  C:\Windows\System32\Conhost.exe  PID 1736  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Windows\fulbwizpkzgcublsv.exe  PID 3624  cmdline: fulbwizpkzgcublsv.exe .
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  PID 4224  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\fulbwizpkzgcublsv.exe*."

C:\Windows\system32\cmd.exe  PID 4248  cmdline: C:\Windows\system32\cmd.exe /c zqjbymfxulusmvhqvrd.exe
  C:\Windows\zqjbymfxulusmvhqvrd.exe  PID 3588  cmdline: zqjbymfxulusmvhqvrd.exe

C:\Windows\system32\cmd.exe  PID 1588  cmdline: C:\Windows\system32\cmd.exe /c bupjiytnmfqqmxlwdbpid.exe .
  C:\Windows\bupjiytnmfqqmxlwdbpid.exe  PID 560  cmdline: bupjiytnmfqqmxlwdbpid.exe .
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  PID 5216  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\bupjiytnmfqqmxlwdbpid.exe*."

C:\Windows\system32\cmd.exe  PID 4948  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe
  C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe  PID 5244  cmdline: C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe

C:\Windows\system32\cmd.exe  PID 3876  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exe .
  C:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exe  PID 4404  cmdline: C:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exe .
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  PID 1268  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\fulbwizpkzgcublsv.exe*."

C:\Windows\system32\cmd.exe  PID 5988  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe
  C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe  PID 644  cmdline: C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe

C:\Windows\system32\cmd.exe  PID 3528  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe .
  C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe  PID 4552  cmdline: C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe .
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  PID 4612  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\oewnjwofbrzwpxiqup.exe*."
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe  PID 1860  cmdline: C:\Windows\system32\cmd.exe /c zqjbymfxulusmvhqvrd.exe
  C:\Windows\System32\Conhost.exe  PID 1808  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Windows\zqjbymfxulusmvhqvrd.exe  PID 2356  cmdline: zqjbymfxulusmvhqvrd.exe

C:\Windows\system32\cmd.exe  PID 1008  cmdline: C:\Windows\system32\cmd.exe /c zqjbymfxulusmvhqvrd.exe .
  C:\Windows\zqjbymfxulusmvhqvrd.exe  PID 3144  cmdline: zqjbymfxulusmvhqvrd.exe .
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  PID 5960  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\zqjbymfxulusmvhqvrd.exe*."

C:\Windows\system32\cmd.exe  PID 5608  cmdline: C:\Windows\system32\cmd.exe /c oewnjwofbrzwpxiqup.exe
  C:\Windows\oewnjwofbrzwpxiqup.exe  PID 3092  cmdline: oewnjwofbrzwpxiqup.exe

C:\Windows\system32\cmd.exe  PID 840  cmdline: C:\Windows\system32\cmd.exe /c fulbwizpkzgcublsv.exe .
  C:\Windows\fulbwizpkzgcublsv.exe  PID 2344  cmdline: fulbwizpkzgcublsv.exe .
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  PID 1936  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\fulbwizpkzgcublsv.exe*."

C:\Windows\system32\cmd.exe  PID 480  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe
  C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe  PID 3328  cmdline: C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe

C:\Windows\system32\cmd.exe  PID 2220  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe .
  C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe  PID 5924  cmdline: C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe .
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  PID 3656  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\bupjiytnmfqqmxlwdbpid.exe*."

C:\Windows\system32\cmd.exe  PID 5692  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exe
  C:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exe  PID 4300  cmdline: C:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exe

C:\Windows\system32\cmd.exe  PID 3064  cmdline: C:\Windows\system32\cmd.exe /c zqjbymfxulusmvhqvrd.exe
  C:\Windows\System32\Conhost.exe  PID 5476  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Windows\zqjbymfxulusmvhqvrd.exe  PID 1596  cmdline: zqjbymfxulusmvhqvrd.exe

C:\Windows\system32\cmd.exe  PID 2228  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exe .
  C:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exe  PID 5088  cmdline: C:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exe .
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  PID 1836  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\fulbwizpkzgcublsv.exe*."
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe  PID 2460  cmdline: C:\Windows\system32\cmd.exe /c meyrpeyrphrqlvisyvia.exe .
  C:\Windows\meyrpeyrphrqlvisyvia.exe  PID 5972  cmdline: meyrpeyrphrqlvisyvia.exe .
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  PID 2152  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\meyrpeyrphrqlvisyvia.exe*."

C:\Windows\system32\cmd.exe  PID 2284  cmdline: C:\Windows\system32\cmd.exe /c ymcrlwmbvjpkbhqw.exe
  C:\Windows\ymcrlwmbvjpkbhqw.exe  PID 4052  cmdline: ymcrlwmbvjpkbhqw.exe

C:\Windows\system32\cmd.exe  PID 720  cmdline: C:\Windows\system32\cmd.exe /c bupjiytnmfqqmxlwdbpid.exe
  C:\Windows\bupjiytnmfqqmxlwdbpid.exe  PID 3124  cmdline: bupjiytnmfqqmxlwdbpid.exe

C:\Windows\system32\cmd.exe  PID 564  cmdline: C:\Windows\system32\cmd.exe /c oewnjwofbrzwpxiqup.exe .
  C:\Windows\oewnjwofbrzwpxiqup.exe  PID 1576  cmdline: oewnjwofbrzwpxiqup.exe .
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  PID 1472  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\oewnjwofbrzwpxiqup.exe*."

C:\Windows\system32\cmd.exe  PID 2008  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe
  C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe  PID 5540  cmdline: C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe

C:\Windows\system32\cmd.exe  PID 2656  cmdline: C:\Windows\system32\cmd.exe /c ymcrlwmbvjpkbhqw.exe
  C:\Windows\ymcrlwmbvjpkbhqw.exe  PID 4676  cmdline: ymcrlwmbvjpkbhqw.exe

C:\Windows\system32\cmd.exe  PID 4820  cmdline: C:\Windows\system32\cmd.exe /c meyrpeyrphrqlvisyvia.exe .
  C:\Windows\meyrpeyrphrqlvisyvia.exe  PID 2776  cmdline: meyrpeyrphrqlvisyvia.exe .
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  PID 4040  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\meyrpeyrphrqlvisyvia.exe*."

C:\Windows\system32\cmd.exe  PID 4136  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exe .
  C:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exe  PID 5440  cmdline: C:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exe .
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  PID 108  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\fulbwizpkzgcublsv.exe*."

C:\Windows\system32\cmd.exe  PID 2300  cmdline: C:\Windows\system32\cmd.exe /c zqjbymfxulusmvhqvrd.exe .
  C:\Windows\zqjbymfxulusmvhqvrd.exe  PID 5136  cmdline: zqjbymfxulusmvhqvrd.exe .
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  PID 4648  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\zqjbymfxulusmvhqvrd.exe*."

C:\Windows\system32\cmd.exe  PID 6112  cmdline: C:\Windows\system32\cmd.exe /c bupjiytnmfqqmxlwdbpid.exe
  C:\Windows\bupjiytnmfqqmxlwdbpid.exe  PID 4952  cmdline: bupjiytnmfqqmxlwdbpid.exe

C:\Windows\system32\cmd.exe  PID 4652  cmdline: C:\Windows\system32\cmd.exe /c ymcrlwmbvjpkbhqw.exe .
  C:\Windows\ymcrlwmbvjpkbhqw.exe  PID 2196  cmdline: ymcrlwmbvjpkbhqw.exe .
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  PID 992  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\ymcrlwmbvjpkbhqw.exe*."

C:\Windows\system32\cmd.exe  PID 5052  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe
  C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe  PID 3952  cmdline: C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe

C:\Windows\system32\cmd.exe  PID 5724  cmdline: C:\Windows\system32\cmd.exe /c bupjiytnmfqqmxlwdbpid.exe
  C:\Windows\bupjiytnmfqqmxlwdbpid.exe  PID 3660  cmdline: bupjiytnmfqqmxlwdbpid.exe

C:\Windows\system32\cmd.exe  PID 5976  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe
  C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe  PID 3324  cmdline: C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe

C:\Windows\system32\cmd.exe  PID 1968  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe .
  C:\Windows\System32\Conhost.exe  PID 2912  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe  PID 5140  cmdline: C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe .
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  PID 4228  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\bupjiytnmfqqmxlwdbpid.exe*."

C:\Windows\system32\cmd.exe  PID 5016  cmdline: C:\Windows\system32\cmd.exe /c meyrpeyrphrqlvisyvia.exe .
  C:\Windows\meyrpeyrphrqlvisyvia.exe  PID 3288  cmdline: meyrpeyrphrqlvisyvia.exe .
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  PID 2004  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\meyrpeyrphrqlvisyvia.exe*."

C:\Windows\system32\cmd.exe  PID 3696  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe .
  C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe  PID 944  cmdline: C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe .
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  PID 5004  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\bupjiytnmfqqmxlwdbpid.exe*."

C:\Windows\system32\cmd.exe  PID 5168  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe
  C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe  PID 5988  cmdline: C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe

C:\Windows\system32\cmd.exe  PID 4984  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe .
  C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe  PID 3608  cmdline: C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe .
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  PID 4404  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\zqjbymfxulusmvhqvrd.exe*."

C:\Windows\system32\cmd.exe  PID 1744  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe
  C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe  PID 2824  cmdline: C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe

C:\Windows\system32\cmd.exe  PID 1436  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe .
  C:\Windows\System32\Conhost.exe  PID 3880  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe  PID 3884  cmdline: C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe .
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  PID 6024  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\meyrpeyrphrqlvisyvia.exe*."

C:\Windows\system32\cmd.exe  PID 4948  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe
  C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe  PID 5884  cmdline: C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe

C:\Windows\system32\cmd.exe  PID 1588  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe .
  C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe  PID 1716  cmdline: C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe .
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  PID 4876  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\oewnjwofbrzwpxiqup.exe*."
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - System policy modification

C:\Windows\system32\cmd.exe  PID 2392  cmdline: C:\Windows\system32\cmd.exe /c meyrpeyrphrqlvisyvia.exe
  C:\Windows\meyrpeyrphrqlvisyvia.exe  PID 2024  cmdline: meyrpeyrphrqlvisyvia.exe

C:\Windows\system32\cmd.exe  PID 1808  cmdline: C:\Windows\system32\cmd.exe /c bupjiytnmfqqmxlwdbpid.exe .
  C:\Windows\bupjiytnmfqqmxlwdbpid.exe  PID 3468  cmdline: bupjiytnmfqqmxlwdbpid.exe .
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  PID 5932  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\bupjiytnmfqqmxlwdbpid.exe*."

C:\Windows\system32\cmd.exe  PID 1760  cmdline: C:\Windows\system32\cmd.exe /c bupjiytnmfqqmxlwdbpid.exe
  C:\Windows\bupjiytnmfqqmxlwdbpid.exe  PID 2096  cmdline: bupjiytnmfqqmxlwdbpid.exe

C:\Windows\system32\cmd.exe  PID 5060  cmdline: C:\Windows\system32\cmd.exe /c zqjbymfxulusmvhqvrd.exe .
  C:\Windows\zqjbymfxulusmvhqvrd.exe  PID 3016  cmdline: zqjbymfxulusmvhqvrd.exe .
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  PID 1900  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\zqjbymfxulusmvhqvrd.exe*."

C:\Windows\system32\cmd.exe  PID 4824  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe
  C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe  PID 5652  cmdline: C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe

C:\Windows\system32\cmd.exe  PID 5732  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe .
  C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe  PID 5924  cmdline: C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe .
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  PID 5580  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\bupjiytnmfqqmxlwdbpid.exe*."

C:\Windows\system32\cmd.exe  PID 840  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe
  C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe  PID 3900  cmdline: C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe

C:\Windows\system32\cmd.exe  PID 6124  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe .
  C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe  PID 2080  cmdline: C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe .
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  PID 5760  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\zqjbymfxulusmvhqvrd.exe*."
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe  PID 4780  cmdline: C:\Windows\system32\cmd.exe /c oewnjwofbrzwpxiqup.exe
  C:\Windows\oewnjwofbrzwpxiqup.exe  PID 2312  cmdline: oewnjwofbrzwpxiqup.exe

C:\Windows\system32\cmd.exe  PID 4660  cmdline: C:\Windows\system32\cmd.exe /c meyrpeyrphrqlvisyvia.exe .
  C:\Windows\meyrpeyrphrqlvisyvia.exe  PID 5972  cmdline: meyrpeyrphrqlvisyvia.exe .
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  PID 3832  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\meyrpeyrphrqlvisyvia.exe*."

C:\Windows\system32\cmd.exe  PID 3340  cmdline: C:\Windows\system32\cmd.exe /c zqjbymfxulusmvhqvrd.exe
  C:\Windows\System32\Conhost.exe  PID 1604  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Windows\zqjbymfxulusmvhqvrd.exe  PID 5612  cmdline: zqjbymfxulusmvhqvrd.exe

C:\Windows\system32\cmd.exe  PID 3268  cmdline: C:\Windows\system32\cmd.exe /c bupjiytnmfqqmxlwdbpid.exe .
  C:\Windows\bupjiytnmfqqmxlwdbpid.exe  PID 5144  cmdline: bupjiytnmfqqmxlwdbpid.exe .
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  PID 2560  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\bupjiytnmfqqmxlwdbpid.exe*."

C:\Windows\system32\cmd.exe  PID 5540  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe
  C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe  PID 3504  cmdline: C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe

C:\Windows\system32\cmd.exe  PID 1044  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe .
  C:\Windows\System32\Conhost.exe  PID 656  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe  PID 5400  cmdline: C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe .
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  PID 3496  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\oewnjwofbrzwpxiqup.exe*."

C:\Windows\system32\cmd.exe  PID 5948  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe
  C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe  PID 5468  cmdline: C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe

C:\Windows\system32\cmd.exe  PID 2776  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe .
  C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe  PID 408  cmdline: C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe .
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  PID 4432  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\meyrpeyrphrqlvisyvia.exe*."
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe  PID 1140  cmdline: C:\Windows\system32\cmd.exe /c ymcrlwmbvjpkbhqw.exe
  C:\Windows\ymcrlwmbvjpkbhqw.exe  PID 2408  cmdline: ymcrlwmbvjpkbhqw.exe

C:\Windows\system32\cmd.exe  PID 5340  cmdline: C:\Windows\system32\cmd.exe /c ymcrlwmbvjpkbhqw.exe .
  C:\Windows\ymcrlwmbvjpkbhqw.exe  PID 4904  cmdline: ymcrlwmbvjpkbhqw.exe .
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  PID 708  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\ymcrlwmbvjpkbhqw.exe*."

C:\Windows\system32\cmd.exe  PID 4496  cmdline: C:\Windows\system32\cmd.exe /c bupjiytnmfqqmxlwdbpid.exe
  C:\Windows\bupjiytnmfqqmxlwdbpid.exe  PID 4896  cmdline: bupjiytnmfqqmxlwdbpid.exe

C:\Windows\system32\cmd.exe  PID 4992  cmdline: C:\Windows\system32\cmd.exe /c meyrpeyrphrqlvisyvia.exe .
  C:\Windows\meyrpeyrphrqlvisyvia.exe  PID 4940  cmdline: meyrpeyrphrqlvisyvia.exe .
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  PID 4444  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\meyrpeyrphrqlvisyvia.exe*."

C:\Windows\system32\cmd.exe  PID 3872  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe
  C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe  PID 4224  cmdline: C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe

C:\Windows\system32\cmd.exe  PID 1616  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe .
  C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe  PID 4228  cmdline: C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe .
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  PID 4328  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\meyrpeyrphrqlvisyvia.exe*."

C:\Windows\system32\cmd.exe  PID 5096  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exe
  C:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exe  PID 1128  cmdline: C:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exe

C:\Windows\system32\cmd.exe  PID 4604  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe .
  C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe  PID 3752  cmdline: C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe .
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  PID 560  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\ymcrlwmbvjpkbhqw.exe*."
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe  PID 4888  cmdline: C:\Windows\system32\cmd.exe /c meyrpeyrphrqlvisyvia.exe
  C:\Windows\meyrpeyrphrqlvisyvia.exe  PID 3040  cmdline: meyrpeyrphrqlvisyvia.exe

C:\Windows\system32\cmd.exe  PID 2256  cmdline: C:\Windows\system32\cmd.exe /c bupjiytnmfqqmxlwdbpid.exe .
  C:\Windows\System32\Conhost.exe  PID 4336  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Windows\bupjiytnmfqqmxlwdbpid.exe  PID 4684  cmdline: bupjiytnmfqqmxlwdbpid.exe .
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  PID 2088  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\bupjiytnmfqqmxlwdbpid.exe*."

C:\Windows\system32\cmd.exe  PID 644  cmdline: C:\Windows\system32\cmd.exe /c bupjiytnmfqqmxlwdbpid.exe
  C:\Windows\bupjiytnmfqqmxlwdbpid.exe  PID 5792  cmdline: bupjiytnmfqqmxlwdbpid.exe

C:\Windows\system32\cmd.exe  PID 4832  cmdline: C:\Windows\system32\cmd.exe /c meyrpeyrphrqlvisyvia.exe .
  C:\Windows\meyrpeyrphrqlvisyvia.exe  PID 3856  cmdline: meyrpeyrphrqlvisyvia.exe .
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  PID 4552  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\meyrpeyrphrqlvisyvia.exe*."

C:\Windows\system32\cmd.exe  PID 3368  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe
  C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe  PID 2956  cmdline: C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe

C:\Windows\system32\cmd.exe  PID 3776  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe .
  C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe  PID 1084  cmdline: C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe .
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  PID 232  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\zqjbymfxulusmvhqvrd.exe*."

C:\Windows\system32\cmd.exe  PID 908  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe
  C:\Windows\System32\Conhost.exe  PID 4924  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe  PID 4720  cmdline: C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe

C:\Windows\system32\cmd.exe  PID 3468  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe .
  C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe  PID 5180  cmdline: C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe .
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  PID 2348  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\ymcrlwmbvjpkbhqw.exe*."

C:\Windows\system32\cmd.exe  PID 3712  cmdline: C:\Windows\system32\cmd.exe /c meyrpeyrphrqlvisyvia.exe
  C:\Windows\meyrpeyrphrqlvisyvia.exe  PID 3612  cmdline: meyrpeyrphrqlvisyvia.exe

C:\Windows\system32\cmd.exe  PID 648  cmdline: C:\Windows\system32\cmd.exe /c zqjbymfxulusmvhqvrd.exe .
  C:\Windows\zqjbymfxulusmvhqvrd.exe  PID 3644  cmdline: zqjbymfxulusmvhqvrd.exe .
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  PID 5824  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\zqjbymfxulusmvhqvrd.exe*."

C:\Windows\system32\cmd.exe  PID 3932  cmdline: C:\Windows\system32\cmd.exe /c oewnjwofbrzwpxiqup.exe
  C:\Windows\System32\Conhost.exe  PID 3240  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Windows\oewnjwofbrzwpxiqup.exe  PID 2220  cmdline: oewnjwofbrzwpxiqup.exe

C:\Windows\system32\cmd.exe  PID 5692  cmdline: C:\Windows\system32\cmd.exe /c fulbwizpkzgcublsv.exe .
  C:\Windows\fulbwizpkzgcublsv.exe  PID 4408  cmdline: fulbwizpkzgcublsv.exe .
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  PID 3156  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\fulbwizpkzgcublsv.exe*."

C:\Windows\system32\cmd.exe  PID 5800  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe
  C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe  PID 1272  cmdline: C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe

C:\Windows\system32\cmd.exe  PID 436  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe .
  C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe  PID 2228  cmdline: C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe .
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  PID 5788  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\meyrpeyrphrqlvisyvia.exe*."

C:\Windows\system32\cmd.exe  PID 3164  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe
  C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe  PID 4052  cmdline: C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe

C:\Windows\system32\cmd.exe  PID 2352  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe .
  C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe  PID 948  cmdline: C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe .
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  PID 456  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\oewnjwofbrzwpxiqup.exe*."

C:\Windows\system32\cmd.exe  PID 1012  cmdline: C:\Windows\system32\cmd.exe /c fulbwizpkzgcublsv.exe
  C:\Windows\fulbwizpkzgcublsv.exe  PID 876  cmdline: fulbwizpkzgcublsv.exe

C:\Windows\system32\cmd.exe  PID 5540  cmdline: C:\Windows\system32\cmd.exe /c ymcrlwmbvjpkbhqw.exe .
  C:\Windows\ymcrlwmbvjpkbhqw.exe  PID 1872  cmdline: ymcrlwmbvjpkbhqw.exe .
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  PID 464  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\ymcrlwmbvjpkbhqw.exe*."

C:\Windows\system32\cmd.exe  PID 3024  cmdline: C:\Windows\system32\cmd.exe /c oewnjwofbrzwpxiqup.exe
  C:\Windows\oewnjwofbrzwpxiqup.exe  PID 3524  cmdline: oewnjwofbrzwpxiqup.exe

C:\Windows\system32\cmd.exe  PID 4012  cmdline: C:\Windows\system32\cmd.exe /c zqjbymfxulusmvhqvrd.exe .
  C:\Windows\zqjbymfxulusmvhqvrd.exe  PID 5284  cmdline: zqjbymfxulusmvhqvrd.exe .
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  PID 4836  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\zqjbymfxulusmvhqvrd.exe*."

C:\Windows\system32\cmd.exe  PID 108  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe
  C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe  PID 2248  cmdline: C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe

C:\Windows\system32\cmd.exe  PID 4436  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe .
  C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe  PID 2548  cmdline: C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe .
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  PID 5888  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\meyrpeyrphrqlvisyvia.exe*."

C:\Windows\system32\cmd.exe  PID 4420  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe
  C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe  PID 5488  cmdline: C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe

C:\Windows\system32\cmd.exe  PID 4904  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe .
  C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe  PID 2388  cmdline: C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe .
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  PID 5100  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\ymcrlwmbvjpkbhqw.exe*."

C:\Windows\system32\cmd.exe  PID 5024  cmdline: C:\Windows\system32\cmd.exe /c oewnjwofbrzwpxiqup.exe
  C:\Windows\oewnjwofbrzwpxiqup.exe  PID 5084  cmdline: oewnjwofbrzwpxiqup.exe

C:\Windows\system32\cmd.exe  PID 4988  cmdline: C:\Windows\system32\cmd.exe /c oewnjwofbrzwpxiqup.exe
  C:\Windows\oewnjwofbrzwpxiqup.exe  PID 880  cmdline: oewnjwofbrzwpxiqup.exe

C:\Windows\system32\cmd.exe  PID 2140  cmdline: C:\Windows\system32\cmd.exe /c meyrpeyrphrqlvisyvia.exe .
  C:\Windows\meyrpeyrphrqlvisyvia.exe  PID 2004  cmdline: meyrpeyrphrqlvisyvia.exe .
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  PID 5096  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\meyrpeyrphrqlvisyvia.exe*."

C:\Windows\system32\cmd.exe  PID 5140  cmdline: C:\Windows\system32\cmd.exe /c meyrpeyrphrqlvisyvia.exe .
  C:\Windows\meyrpeyrphrqlvisyvia.exe  PID 4288  cmdline: meyrpeyrphrqlvisyvia.exe .
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  PID 5176  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\meyrpeyrphrqlvisyvia.exe*."

C:\Windows\system32\cmd.exe  PID 4232  cmdline: C:\Windows\system32\cmd.exe /c meyrpeyrphrqlvisyvia.exe
  C:\Windows\meyrpeyrphrqlvisyvia.exe  PID 3372  cmdline: meyrpeyrphrqlvisyvia.exe

C:\Windows\system32\cmd.exe  PID 5592  cmdline: C:\Windows\system32\cmd.exe /c fulbwizpkzgcublsv.exe
  C:\Windows\fulbwizpkzgcublsv.exe  PID 3040  cmdline: fulbwizpkzgcublsv.exe

C:\Windows\system32\cmd.exe  PID 4848  cmdline: C:\Windows\system32\cmd.exe /c fulbwizpkzgcublsv.exe .
  C:\Windows\fulbwizpkzgcublsv.exe  PID 1540  cmdline: fulbwizpkzgcublsv.exe .
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  PID 3628  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\fulbwizpkzgcublsv.exe*."

C:\Windows\system32\cmd.exe  PID 1056  cmdline: C:\Windows\system32\cmd.exe /c oewnjwofbrzwpxiqup.exe .
  C:\Windows\oewnjwofbrzwpxiqup.exe  PID 4684  cmdline: oewnjwofbrzwpxiqup.exe .
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  PID 6024  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\oewnjwofbrzwpxiqup.exe*."

C:\Windows\system32\cmd.exe  PID 1412  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exe
  C:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exe  PID 6048  cmdline: C:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exe

C:\Windows\system32\cmd.exe  PID 5884  cmdline: C:\Windows\system32\cmd.exe /c ymcrlwmbvjpkbhqw.exe
  C:\Windows\ymcrlwmbvjpkbhqw.exe  PID 4100  cmdline: ymcrlwmbvjpkbhqw.exe

C:\Windows\system32\cmd.exe  PID 3936  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe
  C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe  PID 3420  cmdline: C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe

C:\Windows\system32\cmd.exe  PID 3368  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe .
  C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe  PID 5776  cmdline: C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe .
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  PID 1008  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\zqjbymfxulusmvhqvrd.exe*."

C:\Windows\system32\cmd.exe  PID 2120  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe .
  C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe  PID 2392  cmdline: C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe .
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  PID 6084  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\bupjiytnmfqqmxlwdbpid.exe*."

C:\Windows\system32\cmd.exe  PID 1588  cmdline: C:\Windows\system32\cmd.exe /c meyrpeyrphrqlvisyvia.exe .
  C:\Windows\System32\Conhost.exe  PID 4492  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Windows\meyrpeyrphrqlvisyvia.exe  PID 4484  cmdline: meyrpeyrphrqlvisyvia.exe .
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  PID 5480  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\meyrpeyrphrqlvisyvia.exe*."

C:\Windows\system32\cmd.exe  PID 6088  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe
  C:\Windows\System32\Conhost.exe  PID 5244  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe  PID 5060  cmdline: C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ymcrlwmbvjpkbhqw.exe1⤵PID:2596
-
C:\Windows\ymcrlwmbvjpkbhqw.exeymcrlwmbvjpkbhqw.exe2⤵PID:4352
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe1⤵PID:3668
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1668
-
-
C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exeC:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe2⤵PID:5768
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe .1⤵PID:3984
-
C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exeC:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe .2⤵PID:1088
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\oewnjwofbrzwpxiqup.exe*."3⤵PID:5268
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zqjbymfxulusmvhqvrd.exe .1⤵PID:1496
-
C:\Windows\zqjbymfxulusmvhqvrd.exezqjbymfxulusmvhqvrd.exe .2⤵PID:1164
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\zqjbymfxulusmvhqvrd.exe*."3⤵PID:952
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe .1⤵PID:4708
-
C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exeC:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe .2⤵PID:1020
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\bupjiytnmfqqmxlwdbpid.exe*."3⤵PID:5452
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe1⤵PID:2268
-
C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exeC:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe2⤵PID:2156
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe .1⤵PID:5800
-
C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exeC:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe .2⤵PID:5552
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\ymcrlwmbvjpkbhqw.exe*."3⤵PID:4656
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe1⤵PID:4740
-
C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exeC:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe2⤵PID:4272
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe .1⤵PID:5640
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1192
-
-
C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exeC:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe .2⤵PID:3284
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\meyrpeyrphrqlvisyvia.exe*."3⤵PID:1096
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c meyrpeyrphrqlvisyvia.exe1⤵PID:744
-
C:\Windows\meyrpeyrphrqlvisyvia.exemeyrpeyrphrqlvisyvia.exe2⤵PID:5068
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bupjiytnmfqqmxlwdbpid.exe .1⤵PID:2328
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1012
-
-
C:\Windows\bupjiytnmfqqmxlwdbpid.exebupjiytnmfqqmxlwdbpid.exe .2⤵PID:1872
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\bupjiytnmfqqmxlwdbpid.exe*."3⤵PID:2008
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zqjbymfxulusmvhqvrd.exe1⤵PID:720
-
C:\Windows\zqjbymfxulusmvhqvrd.exezqjbymfxulusmvhqvrd.exe2⤵PID:3136
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fulbwizpkzgcublsv.exe .1⤵PID:1472
-
C:\Windows\fulbwizpkzgcublsv.exefulbwizpkzgcublsv.exe .2⤵PID:3520
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\fulbwizpkzgcublsv.exe*."3⤵PID:2184
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe1⤵PID:916
-
C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exeC:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe2⤵PID:4916
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe .1⤵PID:2500
-
C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exeC:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe .2⤵PID:6112
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\bupjiytnmfqqmxlwdbpid.exe*."3⤵PID:6004
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe1⤵PID:4436
-
C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exeC:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe2⤵PID:4136
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe .1⤵PID:708
-
C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exeC:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe .2⤵PID:4700
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\meyrpeyrphrqlvisyvia.exe*."3⤵PID:900
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zqjbymfxulusmvhqvrd.exe1⤵PID:2252
-
C:\Windows\zqjbymfxulusmvhqvrd.exezqjbymfxulusmvhqvrd.exe2⤵PID:4444
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oewnjwofbrzwpxiqup.exe .1⤵PID:4600
-
C:\Windows\oewnjwofbrzwpxiqup.exeoewnjwofbrzwpxiqup.exe .2⤵PID:844
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\oewnjwofbrzwpxiqup.exe*."3⤵PID:3588
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oewnjwofbrzwpxiqup.exe1⤵PID:5436
-
C:\Windows\oewnjwofbrzwpxiqup.exeoewnjwofbrzwpxiqup.exe2⤵PID:3672
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zqjbymfxulusmvhqvrd.exe .1⤵PID:4728
-
C:\Windows\zqjbymfxulusmvhqvrd.exezqjbymfxulusmvhqvrd.exe .2⤵PID:2420
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\zqjbymfxulusmvhqvrd.exe*."3⤵PID:1744
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exe1⤵PID:4604
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1128
-
-
C:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exeC:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exe2⤵PID:3372
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe .1⤵PID:4232
-
C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exeC:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe .2⤵PID:1340
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\ymcrlwmbvjpkbhqw.exe*."3⤵PID:3812
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe1⤵PID:4060
-
C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exeC:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe2⤵PID:2256
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe .1⤵PID:2720
-
C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exeC:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe .2⤵PID:3324
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\ymcrlwmbvjpkbhqw.exe*."3⤵PID:6024
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oewnjwofbrzwpxiqup.exe1⤵PID:5672
-
C:\Windows\oewnjwofbrzwpxiqup.exeoewnjwofbrzwpxiqup.exe2⤵PID:1360
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ymcrlwmbvjpkbhqw.exe .1⤵PID:2428
-
C:\Windows\ymcrlwmbvjpkbhqw.exeymcrlwmbvjpkbhqw.exe .2⤵PID:3420
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\ymcrlwmbvjpkbhqw.exe*."3⤵PID:5036
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c meyrpeyrphrqlvisyvia.exe1⤵PID:5080
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3116
-
-
C:\Windows\meyrpeyrphrqlvisyvia.exemeyrpeyrphrqlvisyvia.exe2⤵PID:1008
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oewnjwofbrzwpxiqup.exe .1⤵PID:4416
-
C:\Windows\oewnjwofbrzwpxiqup.exeoewnjwofbrzwpxiqup.exe .2⤵PID:560
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\oewnjwofbrzwpxiqup.exe*."3⤵PID:2392
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe1⤵PID:792
-
C:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exeC:\Users\Admin\AppData\Local\Temp\zqjbymfxulusmvhqvrd.exe2⤵PID:3128
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe .1⤵PID:1964
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5572
-
-
C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exeC:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe .2⤵PID:960
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\bupjiytnmfqqmxlwdbpid.exe*."3⤵PID:3720
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe1⤵PID:5328
-
C:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exeC:\Users\Admin\AppData\Local\Temp\bupjiytnmfqqmxlwdbpid.exe2⤵PID:1084
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe .1⤵PID:1928
-
C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exeC:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe .2⤵PID:6116
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\ymcrlwmbvjpkbhqw.exe*."3⤵PID:4748
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zqjbymfxulusmvhqvrd.exe1⤵PID:5688
-
C:\Windows\zqjbymfxulusmvhqvrd.exezqjbymfxulusmvhqvrd.exe2⤵PID:2320
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bupjiytnmfqqmxlwdbpid.exe .1⤵PID:6056
-
C:\Windows\bupjiytnmfqqmxlwdbpid.exebupjiytnmfqqmxlwdbpid.exe .2⤵PID:2108
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\bupjiytnmfqqmxlwdbpid.exe*."3⤵PID:5552
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fulbwizpkzgcublsv.exe1⤵PID:2412
-
C:\Windows\fulbwizpkzgcublsv.exefulbwizpkzgcublsv.exe2⤵PID:4200
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fulbwizpkzgcublsv.exe .1⤵PID:2220
-
C:\Windows\fulbwizpkzgcublsv.exefulbwizpkzgcublsv.exe .2⤵PID:5772
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\fulbwizpkzgcublsv.exe*."3⤵PID:3832
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe1⤵PID:4808
-
C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exeC:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe2⤵PID:5964
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe .1⤵PID:4124
-
C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exeC:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe .2⤵PID:2764
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\ymcrlwmbvjpkbhqw.exe*."3⤵PID:5696
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe1⤵PID:1984
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1096
-
-
C:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exeC:\Users\Admin\AppData\Local\Temp\ymcrlwmbvjpkbhqw.exe2⤵PID:5804
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe .1⤵PID:4152
-
C:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exeC:\Users\Admin\AppData\Local\Temp\oewnjwofbrzwpxiqup.exe .2⤵PID:5736
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\oewnjwofbrzwpxiqup.exe*."3⤵PID:3108
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zqjbymfxulusmvhqvrd.exe1⤵PID:1044
-
C:\Windows\zqjbymfxulusmvhqvrd.exezqjbymfxulusmvhqvrd.exe2⤵PID:720
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zqjbymfxulusmvhqvrd.exe .1⤵PID:3740
-
C:\Windows\zqjbymfxulusmvhqvrd.exezqjbymfxulusmvhqvrd.exe .2⤵PID:3028
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\zqjbymfxulusmvhqvrd.exe*."3⤵PID:408
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c meyrpeyrphrqlvisyvia.exe1⤵PID:4012
-
C:\Windows\meyrpeyrphrqlvisyvia.exemeyrpeyrphrqlvisyvia.exe2⤵PID:3024
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ymcrlwmbvjpkbhqw.exe .1⤵PID:4000
-
C:\Windows\ymcrlwmbvjpkbhqw.exeymcrlwmbvjpkbhqw.exe .2⤵PID:4920
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\ymcrlwmbvjpkbhqw.exe*."3⤵PID:2308
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exe1⤵PID:2500
-
C:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exeC:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exe2⤵PID:5724
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe .1⤵PID:4320
-
C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exeC:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe .2⤵PID:4932
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\meyrpeyrphrqlvisyvia.exe*."3⤵PID:2276
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe1⤵PID:4980
-
C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exeC:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe2⤵PID:1392
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exe .1⤵PID:1756
-
C:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exeC:\Users\Admin\AppData\Local\Temp\fulbwizpkzgcublsv.exe .2⤵PID:4940
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\fulbwizpkzgcublsv.exe*."3⤵PID:5024
-
-
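The process tree above repeats one launch pattern: cmd.exe /c starts a dropped binary either by bare file name (which resolves to the copy in C:\Windows) or by its full path under the user's Temp directory; when the name is followed by " ." the child in turn runs gwijnolzqgs.exe with a quoted path that ends in "*.". The same six file names appear in both directories. The Python below is an added example, not part of the sandbox report or its tooling: it parses the report's raw one-line-per-process layout (image path, command line, depth and PID run together), rebuilds parent links from the depth column, and flags the three traits just described. The sample lines are copied from this report's tree; the assumption that the nesting depth is a single digit is mine.

```python
"""Rebuild a sandbox process tree from its raw one-line-per-process layout
and flag the launch pattern seen in this report.  Added example; not the
sandbox's own code."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Raw layout: <image path><command line><depth>⤵PID:<pid>, all run together.
# Assumption (mine): nesting depth is a single digit; the report never passes 3.
LINE_RE = re.compile(
    r'^(?P<image>[A-Za-z]:\\[^\s"]*?\.exe)'  # image path, ends at the first ".exe"
    r'(?P<cmdline>.*?)'                       # command line, up to the depth digit
    r'(?P<depth>\d)⤵PID:(?P<pid>\d+)$'
)
# A quoted argument ending in "*.", e.g. "c:\windows\meyrpeyrphrqlvisyvia.exe*."
WILDCARD_ARG = re.compile(r'"(?P<target>[^"]*)\*\."')


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str
    depth: int
    parent: Optional["Proc"] = None
    children: list = field(default_factory=list)

    @property
    def name(self):
        return self.image.rpartition('\\')[2].lower()


def parse_tree(text):
    """Parse raw lines into Proc objects.  A line's parent is the nearest
    shallower line above it.  Processes are returned in file order; PIDs
    are reused by the OS within one run, so they are not used as keys."""
    procs = []
    last_at_depth = {}   # depth -> most recent Proc seen at that depth
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:        # "-" separators and anything that is not a process line
            continue
        p = Proc(int(m['pid']), m['image'], m['cmdline'].strip(), int(m['depth']))
        p.parent = last_at_depth.get(p.depth - 1)
        if p.parent is not None:
            p.parent.children.append(p)
        last_at_depth[p.depth] = p
        for d in [d for d in last_at_depth if d > p.depth]:
            del last_at_depth[d]   # a new subtree starts; deeper entries are stale
        procs.append(p)
    return procs


def analyze(procs):
    """Return (duplicated, wildcard_launches, bare_name_launches):
    - duplicated: file name -> sorted directories it executed from (more than one)
    - wildcard_launches: (pid, quoted target path, ancestry chain of image names)
    - bare_name_launches: (pid, resolved image) for children of cmd.exe whose
      command line names the binary without any path component"""
    dirs_by_name = defaultdict(set)
    for p in procs:
        dirs_by_name[p.name].add(p.image.rpartition('\\')[0].lower())
    duplicated = {n: sorted(ds) for n, ds in dirs_by_name.items() if len(ds) > 1}

    wildcard_launches = []
    for p in procs:
        m = WILDCARD_ARG.search(p.cmdline)
        if m:
            chain, q = [], p
            while q is not None:
                chain.append(q.name)
                q = q.parent
            wildcard_launches.append((p.pid, m['target'], ' <- '.join(chain)))

    bare_name_launches = []
    for p in procs:
        first = (p.cmdline.split() or [''])[0]
        if p.parent is not None and p.parent.name == 'cmd.exe' and '\\' not in first:
            bare_name_launches.append((p.pid, p.image))
    return duplicated, wildcard_launches, bare_name_launches


# Excerpt copied from this report's process tree, in the sandbox's raw layout.
SAMPLE = r"""
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c meyrpeyrphrqlvisyvia.exe .1⤵PID:2140
-
C:\Windows\meyrpeyrphrqlvisyvia.exemeyrpeyrphrqlvisyvia.exe .2⤵PID:2004
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\meyrpeyrphrqlvisyvia.exe*."3⤵PID:5096
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c meyrpeyrphrqlvisyvia.exe .1⤵PID:1588
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4492
-
C:\Windows\meyrpeyrphrqlvisyvia.exemeyrpeyrphrqlvisyvia.exe .2⤵PID:4484
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\meyrpeyrphrqlvisyvia.exe*."3⤵PID:5480
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe .1⤵PID:708
-
C:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exeC:\Users\Admin\AppData\Local\Temp\meyrpeyrphrqlvisyvia.exe .2⤵PID:4700
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\meyrpeyrphrqlvisyvia.exe*."3⤵PID:900
"""

if __name__ == '__main__':
    dup, wild, bare = analyze(parse_tree(SAMPLE))
    for name, dirs in dup.items():
        print(f'{name} executed from {len(dirs)} directories: {dirs}')
    for pid, target, chain in wild:
        print(f'PID {pid}: wildcard target {target!r} via {chain}')
    for pid, image in bare:
        print(f'PID {pid}: launched by bare name, resolved to {image}')
```

The bare-name rule is the one worth keeping in a detection: a cmd.exe child whose command line carries no path but whose image lives in C:\Windows means the name was resolved through the working directory or PATH, which is exactly the condition the report's Hijack Execution Flow entry describes. On a real endpoint feed, the same three functions run unchanged over process-creation events once image, command line and parent are mapped onto Proc.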
Network
MITRE ATT&CK Enterprise v16 (count of matching signatures in parentheses)
Persistence
    Boot or Logon Autostart Execution (3)
        Registry Run Keys / Startup Folder (2)
        Winlogon Helper DLL (1)
    Hijack Execution Flow (1)
        Executable Installer File Permissions Weakness (1)
Privilege Escalation
    Abuse Elevation Control Mechanism (1)
        Bypass User Account Control (1)
    Boot or Logon Autostart Execution (3)
        Registry Run Keys / Startup Folder (2)
        Winlogon Helper DLL (1)
    Hijack Execution Flow (1)
        Executable Installer File Permissions Weakness (1)
Defense Evasion
    Abuse Elevation Control Mechanism (1)
        Bypass User Account Control (1)
    Hijack Execution Flow (1)
        Executable Installer File Permissions Weakness (1)
    Impair Defenses (2)
        Disable or Modify Tools (1)
        Safe Mode Boot (1)
    Modify Registry (5)
Downloads
-
Filesize: 280B
MD5: f8d2913d1acbe07f96efaf2472a2dc28
SHA1: 93ffd7ac289b2e1125eb894cf4fa83ab2f1644ba
SHA256: 4fdba647e7e86a3ce8f25643bd9500e983ac6f755cec88cf7ce4b06c9bf03ec4
SHA512: 5c99144f95e9d8e3ec4e08a4f55f4ba558ca7291427e0874b5d39d812ff7698e0e7d7bd6f5cb6b2cd8aafa833fb533938695423b55591459b6d1df04b7bc7599
-
Filesize: 280B
MD5: a52aa074bdedaa60c0fd9de757d95743
SHA1: 67533c43f13f59bd295c664c78db5bcdce1102fa
SHA256: 4cdfd49468ae78544c9d1cb932c915141eedc4738c48a132fbab57203b2cd504
SHA512: 87f349b41e1c175bc486506df554adf0ce99a257ea3d3dadf003cf305596b23870c7334b71717bd6ebf9a69e0cabe04e16ce06f6ea1e683c8db751b2a2f72525
-
Filesize: 280B
MD5: 1931bbea9661362ba2ff96dfdd5a90de
SHA1: f79d0a1ba27365082a33e489953b84ad316809ac
SHA256: f6d84a0472cf9e2e10b4fcb54e6d1852725517a0be632a910ade7e48c4e5952f
SHA512: ae3d9eb6ba87a069f29fbfcda9de4204410f49871868c175fc5d0e341c4b4a3f0b846345409045ecb07f576d52ac79b0b523611aa07466cd5291f5535f35e715
-
Filesize: 280B
MD5: f6221ce8aa1689f209c1434f083c8597
SHA1: 450f15e329b769901472a9d72685014e08c1f505
SHA256: 49a68827faedf19744719f202be26ecc2bfeecc87deeda1298c2448ee133db70
SHA512: 4d06003989d940bb5733da128c1e3a8b3e3f128b06bb7b0de0014a85677c875c52734804bf6ee51dc2f527d6a45e4b67fc3ecb65275d1e7a621ff71d83ccb823
-
Filesize: 280B
MD5: 1b7665b9ab464d2540cf3869208b5903
SHA1: fb805a93ea3a6e446b2352a6549b37dc5aba33be
SHA256: b41f88d9b45dcf674835551337ee6a2fd641bf97c0d7444c25a01cffdafc8a45
SHA512: 59ad5222ae7a69d5f960ab2776aa050731388cd951c8eee0abbe6ab8f460fc6a2d39dc3b608a61ae4f91ef9c9e9fdc782d2a19c5f2e700e044cf0a716ca7ce59
-
Filesize: 280B
MD5: eed8f7012d937cde7346b4e4d5bc2ab5
SHA1: 2cd7d65aa07b31dbeda62b3621f709b4d58bf780
SHA256: bfe139967a9575e4581a8bd65b16cae8e100ae147997cc96c6181d26de165d0d
SHA512: 1e7f90a5ac3fc68ec0d3c12cad5008b1a84f936def8716a68303b29d18ccb80205de23574a45eb093c43c3ee0e79abd57cc0cde7b769c389f5c5eac620bc6d52
-
Filesize: 320KB
MD5: 453e59989cd5159a2dd655cddce63526
SHA1: 07757c046b6ef971d83fb4521b647783775c1956
SHA256: 2fec8307412b25dd288fa1247a5a073b4e9b746b682023646969e91f451f9772
SHA512: 850852f6e2ba9195ee2ec99190cb467c55b129221c866fd5d45aa0fc6d4e774f14fcb4001b6460e563756df5213d10aefcf7f753fde5a921eae0b8d54acb3f13
-
Filesize: 724KB
MD5: 6ccb9e03f999b8bd9fabb0c85e8a17a7
SHA1: daafb7129c76cd27975d9c073a580e31ad2ddb8b
SHA256: a03b3c8ce747d5dc6cbb22eca4df4994e4818d7bd15da7f60fdd0c8a91688423
SHA512: 2f0357a5158c629644acac212910f1365cc989fb967394f6e4754e8e9ee7d1a4b034e8d12a3a7fb7eac34e7eb4a8d494f66201babcde7668fb4e02a40e1ecb6d
-
Filesize: 280B
MD5: 3e45cb14c321528df0876bd9520880af
SHA1: 276444d01f90a64f2779ee5ebaee99f3c270ef53
SHA256: 8b78d31a27841a63f193dfe15a90a9f79932d81d708b319eb16239816bf66ca4
SHA512: 265445a5afb5a04348ea7b37dc7c95c83a79fffa6639166628bb6bf5f0cb170fc0cb579241751aeaa3b90e98c97a9b19895099a34826b98225578d2d0fbe27a5
-
Filesize: 4KB
MD5: 2e2a32327ae311f5dad167de97bb9a6e
SHA1: cb0cec255b4e289dcf7a52d1722b2d2c3cd09033
SHA256: 2a04ae8c59d9fe70114af8fe2cbb0e6726019ea803e7977619b8b2aee28112c0
SHA512: 46dd0ff700b937213ee0fa1464a730b7afc99537c4fb1691de8655d9bf31f455b387b4962d7d5cf48f8cd0ac56536d0dbc3f57c8cfff5b8242a6ca126194fcf1
-
Filesize: 636KB
MD5: c80bb333a03aefa2ebc92b2d4851eaed
SHA1: e8f4a6c6537522d8c9e187f4cc2ae47252c39e6f
SHA256: 26aa0051cdca76b6fea6ef46de623fc60b21b3adcb3100e3366ab638fe9c3a38
SHA512: 5a2d9a4c626761a0b9ce6eca4d21453a35ea91d29a17a7ebef69d0cccf7dd86accc8ed395437578e329e6aea98dd6cb05c02a7b53ffb8014400f11a6041da4f9