Analysis

max time kernel: 53s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20250314-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/04/2025, 06:08

Static task: static1

Behavioral task: behavioral1
Sample: JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe
Resource: win10v2004-20250314-en

Behavioral task: behavioral2
Sample: JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe
Resource: win11-20250410-en

General

Target: JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe
Size: 640KB
MD5: c80e476ddc2450c7d1bf465e8796f0d6
SHA1: c01e78777fbd41c983942ef10546613ce2537f5b
SHA256: cf50f189fc5b6fb4762cee07c4d5e22cdbeb853132f86f6c757033aff65a83a1
SHA512: 6adc3688772558bcbc094335a84ea7bddd84615c509991788debeb9c34c94702c883e5cb06148a1aa45b5b4d63e362dead24b5e12056e7efa91cb46415f8f832
SSDEEP: 12288:vIXsgtvm1De5YlOx6lzBH46U0yxeco7pQS/L7no2aT:vU81yMBbfyno7pQS/LBaT
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 25 IoCs

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | bagsw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | bagsw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gncxrwpmqxm.exe
Pykspa family

UAC bypass 3 TTPs 34 IoCs

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gncxrwpmqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gncxrwpmqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gncxrwpmqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gncxrwpmqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | bagsw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gncxrwpmqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gncxrwpmqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gncxrwpmqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | gncxrwpmqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | bagsw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | bagsw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | bagsw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gncxrwpmqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | bagsw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gncxrwpmqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gncxrwpmqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gncxrwpmqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | bagsw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gncxrwpmqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gncxrwpmqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gncxrwpmqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gncxrwpmqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gncxrwpmqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gncxrwpmqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | gncxrwpmqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | bagsw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gncxrwpmqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gncxrwpmqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gncxrwpmqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | bagsw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gncxrwpmqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gncxrwpmqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | gncxrwpmqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gncxrwpmqxm.exe
Detect Pykspa worm 2 IoCs

resource | yara_rule
behavioral1/files/0x00050000000227b2-4.dat | family_pykspa
behavioral1/files/0x0007000000024355-88.dat | family_pykspa
Adds policy Run key to start application 2 TTPs 64 IoCs

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mmtglt = "mavwplwymhrhfjmaciiw.exe" | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mmtglt = "zmggytderlujgjlyzed.exe" | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lim = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqmoifrujfqhglpehopea.exe" | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lim = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mavwplwymhrhfjmaciiw.exe" | gncxrwpmqxm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | bagsw.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | bagsw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lim = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmggytderlujgjlyzed.exe" | bagsw.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | gncxrwpmqxm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | gncxrwpmqxm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lim = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mavwplwymhrhfjmaciiw.exe" | gncxrwpmqxm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lim = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yizwldkisjpbvvue.exe" | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lim = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqmoifrujfqhglpehopea.exe" | gncxrwpmqxm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mmtglt = "bqmoifrujfqhglpehopea.exe" | gncxrwpmqxm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | gncxrwpmqxm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | gncxrwpmqxm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mmtglt = "mavwplwymhrhfjmaciiw.exe" | bagsw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mmtglt = "mavwplwymhrhfjmaciiw.exe" | gncxrwpmqxm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mmtglt = "yizwldkisjpbvvue.exe" | bagsw.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mmtglt = "mavwplwymhrhfjmaciiw.exe" | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lim = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmggytderlujgjlyzed.exe" | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lim = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mavwplwymhrhfjmaciiw.exe" | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lim = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmggytderlujgjlyzed.exe" | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lim = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmggytderlujgjlyzed.exe" | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lim = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqigwpxwhzgtoppaz.exe" | bagsw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lim = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqmoifrujfqhglpehopea.exe" | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lim = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqmoifrujfqhglpehopea.exe" | gncxrwpmqxm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lim = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oatsjdmmyrznjlmyyc.exe" | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mmtglt = "oatsjdmmyrznjlmyyc.exe" | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mmtglt = "oatsjdmmyrznjlmyyc.exe" | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mmtglt = "oatsjdmmyrznjlmyyc.exe" | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lim = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oatsjdmmyrznjlmyyc.exe" | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lim = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqigwpxwhzgtoppaz.exe" | gncxrwpmqxm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | gncxrwpmqxm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | gncxrwpmqxm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lim = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yizwldkisjpbvvue.exe" | gncxrwpmqxm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mmtglt = "oatsjdmmyrznjlmyyc.exe" | gncxrwpmqxm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | gncxrwpmqxm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | gncxrwpmqxm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mmtglt = "zmggytderlujgjlyzed.exe" | bagsw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mmtglt = "oatsjdmmyrznjlmyyc.exe" | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lim = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqmoifrujfqhglpehopea.exe" | bagsw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mmtglt = "bqmoifrujfqhglpehopea.exe" | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mmtglt = "bqmoifrujfqhglpehopea.exe" | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mmtglt = "yizwldkisjpbvvue.exe" | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mmtglt = "zmggytderlujgjlyzed.exe" | bagsw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lim = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oatsjdmmyrznjlmyyc.exe" | gncxrwpmqxm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mmtglt = "bqmoifrujfqhglpehopea.exe" | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mmtglt = "oatsjdmmyrznjlmyyc.exe" | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mmtglt = "oatsjdmmyrznjlmyyc.exe" | bagsw.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mmtglt = "yizwldkisjpbvvue.exe" | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mmtglt = "zmggytderlujgjlyzed.exe" | gncxrwpmqxm.exe
Disables RegEdit via registry modification 6 IoCs

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | bagsw.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | gncxrwpmqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | gncxrwpmqxm.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | bagsw.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | bagsw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | bagsw.exe
Checks computer location settings 2 TTPs 64 IoCs
Looks up country code configured in the registry, likely geofence.

description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | mavwplwymhrhfjmaciiw.exe
Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | yizwldkisjpbvvue.exe
Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | mavwplwymhrhfjmaciiw.exe
Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | bqmoifrujfqhglpehopea.exe
Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | bqmoifrujfqhglpehopea.exe
Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | zmggytderlujgjlyzed.exe
Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | oatsjdmmyrznjlmyyc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | zmggytderlujgjlyzed.exe
Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | bqmoifrujfqhglpehopea.exe
Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | oatsjdmmyrznjlmyyc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | yizwldkisjpbvvue.exe
Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | bqmoifrujfqhglpehopea.exe
Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | yizwldkisjpbvvue.exe
Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | bqmoifrujfqhglpehopea.exe
Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | zmggytderlujgjlyzed.exe
Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | fqigwpxwhzgtoppaz.exe
Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | fqigwpxwhzgtoppaz.exe
Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | yizwldkisjpbvvue.exe
Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | oatsjdmmyrznjlmyyc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | yizwldkisjpbvvue.exe
Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | bqmoifrujfqhglpehopea.exe
Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | oatsjdmmyrznjlmyyc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | fqigwpxwhzgtoppaz.exe
Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe
Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | yizwldkisjpbvvue.exe
Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | oatsjdmmyrznjlmyyc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | zmggytderlujgjlyzed.exe
Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | mavwplwymhrhfjmaciiw.exe
Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | fqigwpxwhzgtoppaz.exe
Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | mavwplwymhrhfjmaciiw.exe
Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | zmggytderlujgjlyzed.exe
Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | gncxrwpmqxm.exe
Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | zmggytderlujgjlyzed.exe
Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | bqmoifrujfqhglpehopea.exe
Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | bqmoifrujfqhglpehopea.exe
Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | oatsjdmmyrznjlmyyc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | yizwldkisjpbvvue.exe
Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | bqmoifrujfqhglpehopea.exe
Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | oatsjdmmyrznjlmyyc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | yizwldkisjpbvvue.exe
Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | fqigwpxwhzgtoppaz.exe
Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | oatsjdmmyrznjlmyyc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | mavwplwymhrhfjmaciiw.exe
Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | oatsjdmmyrznjlmyyc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | mavwplwymhrhfjmaciiw.exe
Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | zmggytderlujgjlyzed.exe
Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | bqmoifrujfqhglpehopea.exe
Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | zmggytderlujgjlyzed.exe
Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | bqmoifrujfqhglpehopea.exe
Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | mavwplwymhrhfjmaciiw.exe
Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | fqigwpxwhzgtoppaz.exe
Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | oatsjdmmyrznjlmyyc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | fqigwpxwhzgtoppaz.exe
Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | yizwldkisjpbvvue.exe
Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | yizwldkisjpbvvue.exe
Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | bqmoifrujfqhglpehopea.exe
Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | fqigwpxwhzgtoppaz.exe
Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | mavwplwymhrhfjmaciiw.exe
Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | mavwplwymhrhfjmaciiw.exe
Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | yizwldkisjpbvvue.exe
Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | fqigwpxwhzgtoppaz.exe
Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | bqmoifrujfqhglpehopea.exe
Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | mavwplwymhrhfjmaciiw.exe
Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | oatsjdmmyrznjlmyyc.exe
Executes dropped EXE 64 IoCs

pid | Process
2976 | gncxrwpmqxm.exe
4716 | bqmoifrujfqhglpehopea.exe
4932 | oatsjdmmyrznjlmyyc.exe
3584 | gncxrwpmqxm.exe
3644 | zmggytderlujgjlyzed.exe
5056 | yizwldkisjpbvvue.exe
5012 | gncxrwpmqxm.exe
5032 | zmggytderlujgjlyzed.exe
3724 | bqmoifrujfqhglpehopea.exe
3592 | gncxrwpmqxm.exe
3024 | fqigwpxwhzgtoppaz.exe
5008 | mavwplwymhrhfjmaciiw.exe
5236 | gncxrwpmqxm.exe
5836 | bagsw.exe
1076 | bagsw.exe
5436 | zmggytderlujgjlyzed.exe
5432 | fqigwpxwhzgtoppaz.exe
696 | zmggytderlujgjlyzed.exe
5780 | fqigwpxwhzgtoppaz.exe
5880 | gncxrwpmqxm.exe
1796 | gncxrwpmqxm.exe
1380 | yizwldkisjpbvvue.exe
4460 | oatsjdmmyrznjlmyyc.exe
3976 | zmggytderlujgjlyzed.exe
2888 | yizwldkisjpbvvue.exe
5968 | fqigwpxwhzgtoppaz.exe
3628 | mavwplwymhrhfjmaciiw.exe
4172 | oatsjdmmyrznjlmyyc.exe
2112 | bqmoifrujfqhglpehopea.exe
5760 | gncxrwpmqxm.exe
1752 | gncxrwpmqxm.exe
3860 | gncxrwpmqxm.exe
3568 | gncxrwpmqxm.exe
5068 | fqigwpxwhzgtoppaz.exe
5080 | zmggytderlujgjlyzed.exe
2336 | oatsjdmmyrznjlmyyc.exe
4912 | mavwplwymhrhfjmaciiw.exe
4948 | gncxrwpmqxm.exe
664 | gncxrwpmqxm.exe
772 | fqigwpxwhzgtoppaz.exe
844 | oatsjdmmyrznjlmyyc.exe
1440 | gncxrwpmqxm.exe
8 | yizwldkisjpbvvue.exe
2372 | zmggytderlujgjlyzed.exe
2032 | yizwldkisjpbvvue.exe
5464 | gncxrwpmqxm.exe
1056 | mavwplwymhrhfjmaciiw.exe
2220 | gncxrwpmqxm.exe
648 | yizwldkisjpbvvue.exe
2856 | fqigwpxwhzgtoppaz.exe
5488 | gncxrwpmqxm.exe
1880 | zmggytderlujgjlyzed.exe
2940 | yizwldkisjpbvvue.exe
2848 | yizwldkisjpbvvue.exe
2988 | bqmoifrujfqhglpehopea.exe
4040 | gncxrwpmqxm.exe
2608 | mavwplwymhrhfjmaciiw.exe
3540 | yizwldkisjpbvvue.exe
1060 | bqmoifrujfqhglpehopea.exe
4952 | yizwldkisjpbvvue.exe
4756 | bqmoifrujfqhglpehopea.exe
1308 | gncxrwpmqxm.exe
4700 | gncxrwpmqxm.exe
5660 | gncxrwpmqxm.exe
Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs

description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | bagsw.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | bagsw.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | bagsw.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | bagsw.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | bagsw.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | bagsw.exe
Adds Run key to start application 2 TTPs 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bagsw = "mavwplwymhrhfjmaciiw.exe ." | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bagsw = "fqigwpxwhzgtoppaz.exe ." | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fisiqbbsv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mavwplwymhrhfjmaciiw.exe ." | bagsw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ycnenzaswh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yizwldkisjpbvvue.exe" | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fisiqbbsv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmggytderlujgjlyzed.exe ." | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ycnenzaswh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mavwplwymhrhfjmaciiw.exe" | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bagsw = "zmggytderlujgjlyzed.exe ." | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sqvg = "oatsjdmmyrznjlmyyc.exe" | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oqzovfeu = "zmggytderlujgjlyzed.exe ." | bagsw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fisiqbbsv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oatsjdmmyrznjlmyyc.exe ." | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fisiqbbsv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yizwldkisjpbvvue.exe ." | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaiwclj = "zmggytderlujgjlyzed.exe" | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaiwclj = "zmggytderlujgjlyzed.exe" | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sqvg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yizwldkisjpbvvue.exe" | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ycnenzaswh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqigwpxwhzgtoppaz.exe" | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bagsw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oatsjdmmyrznjlmyyc.exe ." | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sqvg = "bqmoifrujfqhglpehopea.exe" | bagsw.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sqvg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmggytderlujgjlyzed.exe" | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oqzovfeu = "yizwldkisjpbvvue.exe ." | bagsw.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bagsw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmggytderlujgjlyzed.exe ." | bagsw.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sqvg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmggytderlujgjlyzed.exe" | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bagsw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mavwplwymhrhfjmaciiw.exe ." | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sqvg = "oatsjdmmyrznjlmyyc.exe" | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ycnenzaswh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqigwpxwhzgtoppaz.exe" | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sqvg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oatsjdmmyrznjlmyyc.exe" | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sqvg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmggytderlujgjlyzed.exe" | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oqzovfeu = "oatsjdmmyrznjlmyyc.exe ." | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oqzovfeu = "zmggytderlujgjlyzed.exe ." | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ycnenzaswh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yizwldkisjpbvvue.exe" | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ycnenzaswh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqmoifrujfqhglpehopea.exe" | bagsw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bagsw = "yizwldkisjpbvvue.exe ." | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bagsw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yizwldkisjpbvvue.exe ." | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sqvg = "mavwplwymhrhfjmaciiw.exe" | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fisiqbbsv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmggytderlujgjlyzed.exe ." | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bagsw = "mavwplwymhrhfjmaciiw.exe ." | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sqvg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqigwpxwhzgtoppaz.exe" | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oqzovfeu = "fqigwpxwhzgtoppaz.exe ." | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bagsw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yizwldkisjpbvvue.exe ." | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bagsw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqigwpxwhzgtoppaz.exe ." | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bagsw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqigwpxwhzgtoppaz.exe ." | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sqvg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oatsjdmmyrznjlmyyc.exe" | bagsw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ycnenzaswh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqmoifrujfqhglpehopea.exe" | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fisiqbbsv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yizwldkisjpbvvue.exe ." | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sqvg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqigwpxwhzgtoppaz.exe" | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oqzovfeu = "mavwplwymhrhfjmaciiw.exe ." | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sqvg = "oatsjdmmyrznjlmyyc.exe" | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sqvg = "yizwldkisjpbvvue.exe" | bagsw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fisiqbbsv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mavwplwymhrhfjmaciiw.exe ." | bagsw.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bagsw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mavwplwymhrhfjmaciiw.exe ." | bagsw.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bagsw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqigwpxwhzgtoppaz.exe ." | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sqvg = "bqmoifrujfqhglpehopea.exe" | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ycnenzaswh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmggytderlujgjlyzed.exe" | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bagsw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yizwldkisjpbvvue.exe ." | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaiwclj = "yizwldkisjpbvvue.exe" | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ycnenzaswh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oatsjdmmyrznjlmyyc.exe" | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sqvg = "mavwplwymhrhfjmaciiw.exe" | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ycnenzaswh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yizwldkisjpbvvue.exe" | bagsw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ycnenzaswh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yizwldkisjpbvvue.exe" | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ycnenzaswh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmggytderlujgjlyzed.exe" | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sqvg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqigwpxwhzgtoppaz.exe" | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oqzovfeu = "yizwldkisjpbvvue.exe ." | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fisiqbbsv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmggytderlujgjlyzed.exe ." | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bagsw = "fqigwpxwhzgtoppaz.exe ." | gncxrwpmqxm.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oqzovfeu = "fqigwpxwhzgtoppaz.exe ." | gncxrwpmqxm.exe
-
Checks whether UAC is enabled 1 TTPs 50 IoCs
Queries EnableLUA and repeatedly writes it to 0. The value lives under HKLM, so the write needs administrative rights, and a changed EnableLUA only takes effect after the next reboot; UAC therefore stays active for the remainder of this run.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gncxrwpmqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gncxrwpmqxm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | gncxrwpmqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gncxrwpmqxm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | gncxrwpmqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gncxrwpmqxm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | gncxrwpmqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | bagsw.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | gncxrwpmqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gncxrwpmqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gncxrwpmqxm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | gncxrwpmqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | bagsw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gncxrwpmqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gncxrwpmqxm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | gncxrwpmqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gncxrwpmqxm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | bagsw.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | gncxrwpmqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gncxrwpmqxm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | gncxrwpmqxm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | gncxrwpmqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gncxrwpmqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gncxrwpmqxm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | gncxrwpmqxm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | gncxrwpmqxm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | gncxrwpmqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gncxrwpmqxm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | gncxrwpmqxm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | gncxrwpmqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gncxrwpmqxm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | gncxrwpmqxm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | gncxrwpmqxm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | gncxrwpmqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gncxrwpmqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gncxrwpmqxm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | gncxrwpmqxm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | gncxrwpmqxm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | bagsw.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | gncxrwpmqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gncxrwpmqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gncxrwpmqxm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | gncxrwpmqxm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | gncxrwpmqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gncxrwpmqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gncxrwpmqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gncxrwpmqxm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | gncxrwpmqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gncxrwpmqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gncxrwpmqxm.exe
-
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possibly turns off User Account Control's privilege elevation for standard users: setting EnableInstallerDetection to 0 stops UAC from automatically prompting to elevate programs that its heuristics identify as installers.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | gncxrwpmqxm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | bagsw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | bagsw.exe
-
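The registry signatures above (SafeBoot key deletions, the Run/RunOnce writes, and EnableLUA and EnableInstallerDetection set to 0) are the rows an analyst turns into findings first. The Python below is an added example, not code from this report or from the sandbox; it parses rows in the report's flattened "description ioc Process" form and classifies the ones that change state. The sample rows are copied from the tables above; the finding categories, and the rule that a bare image name in a Run value resolves through the executable search path, are this example's own choices, not labels the sandbox emits.

```python
"""Triage helper for the flattened registry rows in this report.

Added example; not code from the report or from the sandbox vendor. It parses
rows of the form  <action> <registry path>[ = "<value>"] <process>  and turns
the ones that change state into findings.
"""
import re
from collections import Counter
from dataclasses import dataclass

# One flattened "description ioc Process" row. Registry paths never contain
# spaces, so the path ends at the first blank; the optional = "..." is the data.
ROW_RE = re.compile(
    r'^(?P<action>Set value \((?:str|int)\)|Key value queried|Key deleted|Key opened)\s+'
    r'(?P<path>\\REGISTRY\\\S+)'
    r'(?:\s+=\s+"(?P<value>[^"]*)")?'
    r'\s+(?P<process>\S+)$'
)
RUN_RE = re.compile(r'\\CurrentVersion\\(?P<key>Run|RunOnce)\\(?P<name>[^\\]+)$', re.I)
UAC_RE = re.compile(r'\\Policies\\System\\(?P<name>EnableLUA|EnableInstallerDetection)$', re.I)
SAFEBOOT_RE = re.compile(r'\\Control\\SafeBoot\\(?P<mode>Minimal|Network)\\(?P<entry>[^\\]+)$', re.I)


@dataclass(frozen=True)
class Finding:
    category: str
    detail: str
    process: str


def parse_rows(text):
    """Return (action, path, value, process) for every line that is a row; skip headers."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((m['action'], m['path'], m['value'], m['process']))
    return rows


def hive_of(path):
    """Map the kernel-style \\REGISTRY\\... prefix to the hive an analyst would open."""
    if path.upper().startswith('\\REGISTRY\\MACHINE\\'):
        return 'HKLM (WOW6432Node)' if '\\WOW6432NODE\\' in path.upper() else 'HKLM'
    m = re.match(r'\\REGISTRY\\USER\\(S-1-5-[\d-]+)', path, re.I)
    return 'HKU\\' + m.group(1) if m else 'unknown hive'


def split_command(value):
    """Split a Run/RunOnce value into (image, arguments).

    The report shows backslashes doubled, so they are folded first. Assumes the
    image is either "quoted" or runs up to the first space, which holds for every
    row on this page.
    """
    value = (value or '').replace('\\\\', '\\').strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end], value[end + 1:].strip()
    image, _, args = value.partition(' ')
    return image, args.strip()


def classify(row):
    """Turn one row into a Finding, or None when the row only reads the registry."""
    action, path, value, process = row
    if action == 'Key deleted':
        m = SAFEBOOT_RE.search(path)
        if m:
            return Finding('safe-mode tampering',
                           'deleted SafeBoot\\%s entry %s' % (m['mode'], m['entry']), process)
        return None
    if not action.startswith('Set value'):
        return None  # queries and key opens change nothing
    m = RUN_RE.search(path)
    if m:
        image, args = split_command(value)
        flags = []
        if '\\' not in image:
            flags.append('bare image name, resolved via executable search path')
        if '\\appdata\\local\\temp\\' in image.lower():
            flags.append('image under user Temp')
        if args:
            flags.append('args=%r' % args)
        detail = '%s %s\\%s -> %s' % (hive_of(path), m['key'], m['name'], image)
        if flags:
            detail += ' [' + '; '.join(flags) + ']'
        return Finding('persistence', detail, process)
    m = UAC_RE.search(path)
    if m and value == '0':
        reason = ('UAC disabled after next reboot' if m['name'].lower() == 'enablelua'
                  else 'UAC installer-detection heuristic disabled')
        return Finding('UAC tampering', '%s=0 (%s)' % (m['name'], reason), process)
    return None


def triage(text):
    """Parse, classify and de-duplicate; returns (findings, count per category)."""
    findings = []
    for row in parse_rows(text):
        f = classify(row)
        if f is not None and f not in findings:
            findings.append(f)
    return findings, Counter(f.category for f in findings)


# Sample rows copied from the tables in this report (the header line is skipped).
SAMPLE_ROWS = r"""
description ioc Process
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager bagsw.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bagsw = "mavwplwymhrhfjmaciiw.exe ." gncxrwpmqxm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ycnenzaswh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yizwldkisjpbvvue.exe" gncxrwpmqxm.exe
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaiwclj = "zmggytderlujgjlyzed.exe" gncxrwpmqxm.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA gncxrwpmqxm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gncxrwpmqxm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" bagsw.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" bagsw.exe
"""

if __name__ == '__main__':
    found, counts = triage(SAMPLE_ROWS)
    for f in found:
        print('%-20s %-16s %s' % (f.category, f.process, f.detail))
    print(dict(counts))
```

Paste the full tables from the report into `SAMPLE_ROWS` (or read them from a file) to get the de-duplicated list of persistence locations to remove and the UAC values to restore; the "bare image name" flag marks the entries that only work because matching files were also dropped into a directory on the search path.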
Looks up external IP address via web service 9 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP. Four distinct hostnames are contacted across nine flows; they are useful pivots for a DNS or proxy-log hunt, but benign software queries the same services, so on their own they are a weak indicator.
flow | ioc
13 | www.whatismyip.ca
14 | whatismyip.everdot.org
25 | www.whatismyip.ca
29 | whatismyip.everdot.org
34 | whatismyipaddress.com
38 | www.whatismyip.ca
21 | www.showmyipaddress.com
30 | www.whatismyip.ca
37 | whatismyip.everdot.org
-
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes. Windows has not honoured autorun.inf on non-optical removable media by default since Windows 7, so the file dropped on F:\ will not execute automatically on this Windows 10 target; it remains an indicator that the sample tries to propagate to attached drives.
description | ioc | Process
File opened for modification | C:\autorun.inf | bagsw.exe
File created | C:\autorun.inf | bagsw.exe
File opened for modification | F:\autorun.inf | bagsw.exe
File created | F:\autorun.inf | bagsw.exe
-
Drops file in System32 directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\yizwldkisjpbvvueceakbynfmkulrdxxwgegcm.aph | bagsw.exe
File opened for modification | C:\Windows\SysWOW64\bqmoifrujfqhglpehopea.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\SysWOW64\mavwplwymhrhfjmaciiw.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\SysWOW64\mavwplwymhrhfjmaciiw.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\SysWOW64\bqmoifrujfqhglpehopea.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\SysWOW64\bqmoifrujfqhglpehopea.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\SysWOW64\sifidbosifrjjpukowyolo.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\SysWOW64\oatsjdmmyrznjlmyyc.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\SysWOW64\bqmoifrujfqhglpehopea.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\SysWOW64\oatsjdmmyrznjlmyyc.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\SysWOW64\mavwplwymhrhfjmaciiw.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\SysWOW64\bqmoifrujfqhglpehopea.exe | bagsw.exe
File opened for modification | C:\Windows\SysWOW64\zmggytderlujgjlyzed.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\SysWOW64\fqigwpxwhzgtoppaz.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\SysWOW64\fqigwpxwhzgtoppaz.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\SysWOW64\bqmoifrujfqhglpehopea.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\SysWOW64\fqigwpxwhzgtoppaz.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\SysWOW64\bqmoifrujfqhglpehopea.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\SysWOW64\zmggytderlujgjlyzed.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\SysWOW64\yizwldkisjpbvvue.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\SysWOW64\bqmoifrujfqhglpehopea.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\SysWOW64\fqigwpxwhzgtoppaz.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\SysWOW64\mavwplwymhrhfjmaciiw.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\SysWOW64\sifidbosifrjjpukowyolo.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\SysWOW64\yizwldkisjpbvvue.exe | bagsw.exe
File opened for modification | C:\Windows\SysWOW64\bqmoifrujfqhglpehopea.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\SysWOW64\oatsjdmmyrznjlmyyc.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\SysWOW64\zmggytderlujgjlyzed.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\SysWOW64\zmggytderlujgjlyzed.exe | bagsw.exe
File opened for modification | C:\Windows\SysWOW64\sifidbosifrjjpukowyolo.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\SysWOW64\yizwldkisjpbvvue.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\SysWOW64\bqmoifrujfqhglpehopea.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\SysWOW64\oatsjdmmyrznjlmyyc.exe | bagsw.exe
File created | C:\Windows\SysWOW64\bagswdzmlrmnwlzylcnmseiplyx.yzi | bagsw.exe
File opened for modification | C:\Windows\SysWOW64\oatsjdmmyrznjlmyyc.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\SysWOW64\zmggytderlujgjlyzed.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\SysWOW64\fqigwpxwhzgtoppaz.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\SysWOW64\sifidbosifrjjpukowyolo.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\SysWOW64\zmggytderlujgjlyzed.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\SysWOW64\mavwplwymhrhfjmaciiw.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\SysWOW64\fqigwpxwhzgtoppaz.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\SysWOW64\oatsjdmmyrznjlmyyc.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\SysWOW64\zmggytderlujgjlyzed.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\SysWOW64\bqmoifrujfqhglpehopea.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\SysWOW64\oatsjdmmyrznjlmyyc.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\SysWOW64\fqigwpxwhzgtoppaz.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\SysWOW64\fqigwpxwhzgtoppaz.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\SysWOW64\bqmoifrujfqhglpehopea.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\SysWOW64\yizwldkisjpbvvue.exe | bagsw.exe
File opened for modification | C:\Windows\SysWOW64\mavwplwymhrhfjmaciiw.exe | bagsw.exe
File opened for modification | C:\Windows\SysWOW64\fqigwpxwhzgtoppaz.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\SysWOW64\sifidbosifrjjpukowyolo.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\SysWOW64\zmggytderlujgjlyzed.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\SysWOW64\sifidbosifrjjpukowyolo.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\SysWOW64\yizwldkisjpbvvue.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\SysWOW64\mavwplwymhrhfjmaciiw.exe | bagsw.exe
File opened for modification | C:\Windows\SysWOW64\zmggytderlujgjlyzed.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\SysWOW64\yizwldkisjpbvvue.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\SysWOW64\oatsjdmmyrznjlmyyc.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\SysWOW64\oatsjdmmyrznjlmyyc.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\SysWOW64\bqmoifrujfqhglpehopea.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\SysWOW64\yizwldkisjpbvvue.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\SysWOW64\mavwplwymhrhfjmaciiw.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\SysWOW64\sifidbosifrjjpukowyolo.exe | gncxrwpmqxm.exe
-
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\bagswdzmlrmnwlzylcnmseiplyx.yzi | bagsw.exe
File created | C:\Program Files (x86)\bagswdzmlrmnwlzylcnmseiplyx.yzi | bagsw.exe
File opened for modification | C:\Program Files (x86)\yizwldkisjpbvvueceakbynfmkulrdxxwgegcm.aph | bagsw.exe
File created | C:\Program Files (x86)\yizwldkisjpbvvueceakbynfmkulrdxxwgegcm.aph | bagsw.exe
-
Drops file in Windows directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\fqigwpxwhzgtoppaz.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\fqigwpxwhzgtoppaz.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\sifidbosifrjjpukowyolo.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\fqigwpxwhzgtoppaz.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\bqmoifrujfqhglpehopea.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\yizwldkisjpbvvue.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\oatsjdmmyrznjlmyyc.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\sifidbosifrjjpukowyolo.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\oatsjdmmyrznjlmyyc.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\bqmoifrujfqhglpehopea.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\sifidbosifrjjpukowyolo.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\fqigwpxwhzgtoppaz.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\mavwplwymhrhfjmaciiw.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\yizwldkisjpbvvue.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\bqmoifrujfqhglpehopea.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\fqigwpxwhzgtoppaz.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\yizwldkisjpbvvue.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\mavwplwymhrhfjmaciiw.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\bqmoifrujfqhglpehopea.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\oatsjdmmyrznjlmyyc.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\fqigwpxwhzgtoppaz.exe | bagsw.exe
File opened for modification | C:\Windows\bqmoifrujfqhglpehopea.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\sifidbosifrjjpukowyolo.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\yizwldkisjpbvvue.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\sifidbosifrjjpukowyolo.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\mavwplwymhrhfjmaciiw.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\fqigwpxwhzgtoppaz.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\sifidbosifrjjpukowyolo.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\yizwldkisjpbvvue.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\fqigwpxwhzgtoppaz.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\sifidbosifrjjpukowyolo.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\oatsjdmmyrznjlmyyc.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\zmggytderlujgjlyzed.exe | bagsw.exe
File opened for modification | C:\Windows\zmggytderlujgjlyzed.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\bqmoifrujfqhglpehopea.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\mavwplwymhrhfjmaciiw.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\fqigwpxwhzgtoppaz.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\zmggytderlujgjlyzed.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\bqmoifrujfqhglpehopea.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\yizwldkisjpbvvue.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\yizwldkisjpbvvue.exe | bagsw.exe
File opened for modification | C:\Windows\mavwplwymhrhfjmaciiw.exe | bagsw.exe
File opened for modification | C:\Windows\mavwplwymhrhfjmaciiw.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\sifidbosifrjjpukowyolo.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\yizwldkisjpbvvue.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\fqigwpxwhzgtoppaz.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\bqmoifrujfqhglpehopea.exe | bagsw.exe
File opened for modification | C:\Windows\bqmoifrujfqhglpehopea.exe | bagsw.exe
File opened for modification | C:\Windows\sifidbosifrjjpukowyolo.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\zmggytderlujgjlyzed.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\oatsjdmmyrznjlmyyc.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\yizwldkisjpbvvue.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\bqmoifrujfqhglpehopea.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\zmggytder  lujgjlyzed.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\bagswdzmlrmnwlzylcnmseiplyx.yzi | bagsw.exe
File opened for modification | C:\Windows\oatsjdmmyrznjlmyyc.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\yizwldkisjpbvvue.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\bqmoifrujfqhglpehopea.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\sifidbosifrjjpukowyolo.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\zmggytderlujgjlyzed.exe | gncxrwpmqxm.exe
File created | C:\Windows\bagswdzmlrmnwlzylcnmseiplyx.yzi | bagsw.exe
File opened for modification | C:\Windows\bqmoifrujfqhglpehopea.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\sifidbosifrjjpukowyolo.exe | gncxrwpmqxm.exe
File opened for modification | C:\Windows\yizwldkisjpbvvue.exe | gncxrwpmqxm.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mavwplwymhrhfjmaciiw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zmggytderlujgjlyzed.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mavwplwymhrhfjmaciiw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mavwplwymhrhfjmaciiw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mavwplwymhrhfjmaciiw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | yizwldkisjpbvvue.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fqigwpxwhzgtoppaz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bqmoifrujfqhglpehopea.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bqmoifrujfqhglpehopea.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fqigwpxwhzgtoppaz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mavwplwymhrhfjmaciiw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fqigwpxwhzgtoppaz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bqmoifrujfqhglpehopea.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | oatsjdmmyrznjlmyyc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mavwplwymhrhfjmaciiw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fqigwpxwhzgtoppaz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zmggytderlujgjlyzed.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zmggytderlujgjlyzed.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zmggytderlujgjlyzed.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | yizwldkisjpbvvue.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mavwplwymhrhfjmaciiw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zmggytderlujgjlyzed.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | yizwldkisjpbvvue.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zmggytderlujgjlyzed.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zmggytderlujgjlyzed.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | yizwldkisjpbvvue.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bqmoifrujfqhglpehopea.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fqigwpxwhzgtoppaz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fqigwpxwhzgtoppaz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zmggytderlujgjlyzed.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | yizwldkisjpbvvue.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zmggytderlujgjlyzed.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | oatsjdmmyrznjlmyyc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | oatsjdmmyrznjlmyyc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bqmoifrujfqhglpehopea.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zmggytderlujgjlyzed.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | oatsjdmmyrznjlmyyc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mavwplwymhrhfjmaciiw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bqmoifrujfqhglpehopea.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bqmoifrujfqhglpehopea.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bqmoifrujfqhglpehopea.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bqmoifrujfqhglpehopea.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fqigwpxwhzgtoppaz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | oatsjdmmyrznjlmyyc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | oatsjdmmyrznjlmyyc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | yizwldkisjpbvvue.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | oatsjdmmyrznjlmyyc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mavwplwymhrhfjmaciiw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mavwplwymhrhfjmaciiw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bqmoifrujfqhglpehopea.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mavwplwymhrhfjmaciiw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zmggytderlujgjlyzed.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zmggytderlujgjlyzed.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bagsw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mavwplwymhrhfjmaciiw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | oatsjdmmyrznjlmyyc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | yizwldkisjpbvvue.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zmggytderlujgjlyzed.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | yizwldkisjpbvvue.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | yizwldkisjpbvvue.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | oatsjdmmyrznjlmyyc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bqmoifrujfqhglpehopea.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fqigwpxwhzgtoppaz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fqigwpxwhzgtoppaz.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
The 64 entries are grouped by process; the count gives the number of entries per process.

pid | Process | count
5504 | JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe | 60
5836 | bagsw.exe | 4
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 5836 | bagsw.exe
Suspicious use of WriteProcessMemory 64 IoCs
Each write appears three times in the raw report; identical entries are grouped, with the count giving the number of repetitions.

description | pid | Process | procid_target | count
PID 5504 wrote to memory of 2976 | 5504 | JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe | 88 | 3
PID 1828 wrote to memory of 4716 | 1828 | cmd.exe | 91 | 3
PID 4848 wrote to memory of 4932 | 4848 | cmd.exe | 96 | 3
PID 4932 wrote to memory of 3584 | 4932 | oatsjdmmyrznjlmyyc.exe | 99 | 3
PID 4904 wrote to memory of 3644 | 4904 | cmd.exe | 102 | 3
PID 2456 wrote to memory of 5056 | 2456 | cmd.exe | 104 | 3
PID 5056 wrote to memory of 5012 | 5056 | yizwldkisjpbvvue.exe | 108 | 3
PID 5036 wrote to memory of 5032 | 5036 | cmd.exe | 109 | 3
PID 3520 wrote to memory of 3724 | 3520 | cmd.exe | 110 | 3
PID 3724 wrote to memory of 3592 | 3724 | bqmoifrujfqhglpehopea.exe | 111 | 3
PID 1164 wrote to memory of 3024 | 1164 | cmd.exe | 117 | 3
PID 4504 wrote to memory of 5008 | 4504 | cmd.exe | 119 | 3
PID 5008 wrote to memory of 5236 | 5008 | mavwplwymhrhfjmaciiw.exe | 120 | 3
PID 2976 wrote to memory of 5836 | 2976 | gncxrwpmqxm.exe | 121 | 3
PID 2976 wrote to memory of 1076 | 2976 | gncxrwpmqxm.exe | 122 | 3
PID 6104 wrote to memory of 5436 | 6104 | cmd.exe | 127 | 3
PID 4372 wrote to memory of 5432 | 4372 | cmd.exe | 286 | 3
PID 3432 wrote to memory of 696 | 3432 | cmd.exe | 133 | 3
PID 2200 wrote to memory of 5780 | 2200 | cmd.exe | 134 | 3
PID 696 wrote to memory of 5880 | 696 | zmggytderlujgjlyzed.exe | 143 | 3
PID 5780 wrote to memory of 1796 | 5780 | fqigwpxwhzgtoppaz.exe | 144 | 3
PID 3668 wrote to memory of 1380 | 3668 | cmd.exe | 145 | 1
System policy modification 1 TTPs 64 IoCs
The 64 entries are grouped by operation, key or value, and process; the count gives the number of identical entries.

description | ioc | Process | count
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gncxrwpmqxm.exe | 21
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | bagsw.exe | 1
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | gncxrwpmqxm.exe | 17
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | bagsw.exe | 2
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | gncxrwpmqxm.exe | 1
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | bagsw.exe | 2
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | gncxrwpmqxm.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | bagsw.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | gncxrwpmqxm.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | gncxrwpmqxm.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | bagsw.exe | 2
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | gncxrwpmqxm.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | bagsw.exe | 2
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | bagsw.exe | 2
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | gncxrwpmqxm.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | bagsw.exe | 2
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | gncxrwpmqxm.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | bagsw.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | gncxrwpmqxm.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | gncxrwpmqxm.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | bagsw.exe | 2
Processes

Each entry gives the image path, PID, command line and the signatures triggered by that process; child processes are nested under their parent.

- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe (PID 5504)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe"
  Signatures: Checks computer location settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe (PID 2976)
    Command line: "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe*"
    Signatures: Modifies WinLogon for persistence; UAC bypass; Adds policy Run key to start application; Disables RegEdit via registry modification; Checks computer location settings; Executes dropped EXE; Adds Run key to start application; Checks whether UAC is enabled; Hijack Execution Flow: Executable Installer File Permissions Weakness; Drops file in System32 directory; Drops file in Windows directory; Suspicious use of WriteProcessMemory; System policy modification
    - C:\Users\Admin\AppData\Local\Temp\bagsw.exe (PID 5836)
      Command line: "C:\Users\Admin\AppData\Local\Temp\bagsw.exe" "-C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe"
      Signatures: Modifies WinLogon for persistence; UAC bypass; Adds policy Run key to start application; Disables RegEdit via registry modification; Executes dropped EXE; Impair Defenses: Safe Mode Boot; Adds Run key to start application; Checks whether UAC is enabled; Hijack Execution Flow: Executable Installer File Permissions Weakness; Drops autorun.inf file; Drops file in System32 directory; Drops file in Program Files directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; System policy modification
    - C:\Users\Admin\AppData\Local\Temp\bagsw.exe (PID 1076)
      Command line: "C:\Users\Admin\AppData\Local\Temp\bagsw.exe" "-C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe"
      Signatures: Modifies WinLogon for persistence; UAC bypass; Adds policy Run key to start application; Disables RegEdit via registry modification; Executes dropped EXE; Adds Run key to start application; Checks whether UAC is enabled; Hijack Execution Flow: Executable Installer File Permissions Weakness; Drops file in System32 directory; Drops file in Windows directory; System policy modification

- C:\Windows\system32\cmd.exe (PID 1828)
  Command line: C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\bqmoifrujfqhglpehopea.exe (PID 4716)
    Command line: bqmoifrujfqhglpehopea.exe
    Signatures: Executes dropped EXE

- C:\Windows\system32\cmd.exe (PID 4848)
  Command line: C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe .
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\oatsjdmmyrznjlmyyc.exe (PID 4932)
    Command line: oatsjdmmyrznjlmyyc.exe .
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe (PID 3584)
      Command line: "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\oatsjdmmyrznjlmyyc.exe*."
      Signatures: Executes dropped EXE

- C:\Windows\system32\cmd.exe (PID 4904)
  Command line: C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\zmggytderlujgjlyzed.exe (PID 3644)
    Command line: zmggytderlujgjlyzed.exe
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery

- C:\Windows\system32\cmd.exe (PID 2456)
  Command line: C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe .
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\yizwldkisjpbvvue.exe (PID 5056)
    Command line: yizwldkisjpbvvue.exe .
    Signatures: Checks computer location settings; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe (PID 5012)
      Command line: "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\yizwldkisjpbvvue.exe*."
      Signatures: Executes dropped EXE

- C:\Windows\system32\cmd.exe (PID 5036)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe (PID 5032)
    Command line: C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery

- C:\Windows\system32\cmd.exe (PID 3520)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe (PID 3724)
    Command line: C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .
    Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe (PID 3592)
      Command line: "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bqmoifrujfqhglpehopea.exe*."
      Signatures: Executes dropped EXE

- C:\Windows\system32\cmd.exe (PID 1164)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe (PID 3024)
    Command line: C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
    Signatures: Executes dropped EXE

- C:\Windows\system32\cmd.exe (PID 4504)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe (PID 5008)
    Command line: C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .
    Signatures: Checks computer location settings; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe (PID 5236)
      Command line: "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\mavwplwymhrhfjmaciiw.exe*."
      Signatures: Executes dropped EXE

- C:\Windows\system32\cmd.exe (PID 4372)
  Command line: C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\fqigwpxwhzgtoppaz.exe (PID 5432)
    Command line: fqigwpxwhzgtoppaz.exe
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery

- C:\Windows\system32\cmd.exe (PID 6104)
  Command line: C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\zmggytderlujgjlyzed.exe (PID 5436)
    Command line: zmggytderlujgjlyzed.exe
    Signatures: Executes dropped EXE

- C:\Windows\system32\cmd.exe (PID 2200)
  Command line: C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe .
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\fqigwpxwhzgtoppaz.exe (PID 5780)
    Command line: fqigwpxwhzgtoppaz.exe .
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe (PID 1796)
      Command line: "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\fqigwpxwhzgtoppaz.exe*."
      Signatures: Executes dropped EXE

- C:\Windows\system32\cmd.exe (PID 3432)
  Command line: C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe .
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\zmggytderlujgjlyzed.exe (PID 696)
    Command line: zmggytderlujgjlyzed.exe .
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe (PID 5880)
      Command line: "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zmggytderlujgjlyzed.exe*."
      Signatures: Executes dropped EXE

- C:\Windows\system32\cmd.exe (PID 3668)
  Command line: C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\yizwldkisjpbvvue.exe (PID 1380)
    Command line: yizwldkisjpbvvue.exe
    Signatures: Executes dropped EXE

- C:\Windows\system32\cmd.exe (PID 2800)
  Command line: C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe
  - C:\Windows\oatsjdmmyrznjlmyyc.exe (PID 4460)
    Command line: oatsjdmmyrznjlmyyc.exe
    Signatures: Executes dropped EXE

- C:\Windows\system32\cmd.exe (PID 848)
  Command line: C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe .
  - C:\Windows\zmggytderlujgjlyzed.exe (PID 3976)
    Command line: zmggytderlujgjlyzed.exe .
    Signatures: Checks computer location settings; Executes dropped EXE; System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe (PID 1752)
      Command line: "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zmggytderlujgjlyzed.exe*."
      Signatures: Modifies WinLogon for persistence; UAC bypass; Adds policy Run key to start application; Executes dropped EXE; Adds Run key to start application; Checks whether UAC is enabled; Drops file in System32 directory; Drops file in Windows directory; System policy modification

- C:\Windows\system32\cmd.exe (PID 5592)
  Command line: C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe .
  - C:\Windows\yizwldkisjpbvvue.exe (PID 2888)
    Command line: yizwldkisjpbvvue.exe .
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe (PID 5760)
      Command line: "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\yizwldkisjpbvvue.exe*."
      Signatures: Executes dropped EXE

- C:\Windows\system32\cmd.exe (PID 4408)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
  - C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe (PID 3628)
    Command line: C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
    Signatures: Executes dropped EXE

- C:\Windows\system32\cmd.exe (PID 5288)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
  - C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe (PID 5968)
    Command line: C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
    Signatures: Executes dropped EXE

- C:\Windows\system32\cmd.exe (PID 5144)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .
  - C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe (PID 4172)
    Command line: C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .
    Signatures: Checks computer location settings; Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe (PID 3860)
      Command line: "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\oatsjdmmyrznjlmyyc.exe*."
      Signatures: Executes dropped EXE

- C:\Windows\system32\cmd.exe (PID 4456)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .
  - C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe (PID 2112)
    Command line: C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .
    Signatures: Checks computer location settings; Executes dropped EXE; System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe (PID 3568)
      Command line: "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bqmoifrujfqhglpehopea.exe*."
      Signatures: Executes dropped EXE

- C:\Windows\system32\cmd.exe (PID 2260)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe
  - C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe (PID 2336)
    Command line: C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe
    Signatures: Executes dropped EXE

- C:\Windows\system32\cmd.exe (PID 3460)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
  - C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe (PID 5068)
    Command line: C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
    Signatures: Executes dropped EXE

- C:\Windows\system32\cmd.exe (PID 5884)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .
  - C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe (PID 5080)
    Command line: C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe (PID 664)
      Command line: "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zmggytderlujgjlyzed.exe*."
      Signatures: Executes dropped EXE

- C:\Windows\system32\cmd.exe (PID 4724)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .
  - C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe (PID 4912)
    Command line: C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .
    Signatures: Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe (PID 4948)
      Command line: "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\mavwplwymhrhfjmaciiw.exe*."
      Signatures: Executes dropped EXE

- C:\Windows\system32\cmd.exe (PID 5116)
  Command line: C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe
  - C:\Windows\fqigwpxwhzgtoppaz.exe (PID 772)
    Command line: fqigwpxwhzgtoppaz.exe
    Signatures: Executes dropped EXE

- C:\Windows\system32\cmd.exe (PID 1416)
  Command line: C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe .
  - C:\Windows\oatsjdmmyrznjlmyyc.exe (PID 844)
    Command line: oatsjdmmyrznjlmyyc.exe .
    Signatures: Checks computer location settings; Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe (PID 1440)
      Command line: "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\oatsjdmmyrznjlmyyc.exe*."
      Signatures: Executes dropped EXE

- C:\Windows\system32\cmd.exe (PID 2824)
  Command line: C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe
  - C:\Windows\yizwldkisjpbvvue.exe (PID 8)
    Command line: yizwldkisjpbvvue.exe
    Signatures: Executes dropped EXE

- C:\Windows\system32\cmd.exe (PID 1456)
  Command line: C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe .
  - C:\Windows\zmggytderlujgjlyzed.exe (PID 2372)
    Command line: zmggytderlujgjlyzed.exe .
    Signatures: Checks computer location settings; Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe (PID 5464)
      Command line: "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zmggytderlujgjlyzed.exe*."
      Signatures: Executes dropped EXE

- C:\Windows\system32\cmd.exe (PID 5852)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
  - C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe (PID 2032)
    Command line: C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
    Signatures: Executes dropped EXE

- C:\Windows\system32\cmd.exe (PID 5164)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .
  - C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe (PID 1056)
    Command line: C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .
    Signatures: Checks computer location settings; Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe (PID 2220)
      Command line: "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\mavwplwymhrhfjmaciiw.exe*."
      Signatures: Executes dropped EXE

- C:\Windows\system32\cmd.exe (PID 336)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
  - C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe (PID 648)
    Command line: C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
    Signatures: Executes dropped EXE

- C:\Windows\system32\cmd.exe (PID 3324)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .
  - C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe (PID 2856)
    Command line: C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .
    Signatures: Checks computer location settings; Executes dropped EXE; System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe (PID 5488)
      Command line: "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\fqigwpxwhzgtoppaz.exe*."
      Signatures: Modifies WinLogon for persistence; UAC bypass; Adds policy Run key to start application; Executes dropped EXE; Checks whether UAC is enabled; Drops file in System32 directory; Drops file in Windows directory; System policy modification

- C:\Windows\system32\cmd.exe (PID 3196)
  Command line: C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe
  - C:\Windows\zmggytderlujgjlyzed.exe (PID 1880)
    Command line: zmggytderlujgjlyzed.exe
    Signatures: Executes dropped EXE

- C:\Windows\system32\cmd.exe (PID 2720)
  Command line: C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe .
  - C:\Windows\yizwldkisjpbvvue.exe (PID 2940)
    Command line: yizwldkisjpbvvue.exe .
    Signatures: Checks computer location settings; Executes dropped EXE; System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe (PID 4040)
      Command line: "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\yizwldkisjpbvvue.exe*."
      Signatures: Executes dropped EXE

- C:\Windows\system32\cmd.exe (PID 3668)
  Command line: C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe
  - C:\Windows\yizwldkisjpbvvue.exe (PID 2848)
    Command line: yizwldkisjpbvvue.exe
    Signatures: Executes dropped EXE

- C:\Windows\system32\cmd.exe (PID 4436)
  Command line: C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe
  - C:\Windows\bqmoifrujfqhglpehopea.exe (PID 2988)
    Command line: bqmoifrujfqhglpehopea.exe
    Signatures: Executes dropped EXE

- C:\Windows\system32\cmd.exe (PID 3628)
  Command line: C:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe
  - C:\Windows\mavwplwymhrhfjmaciiw.exe (PID 2608)
    Command line: mavwplwymhrhfjmaciiw.exe
    Signatures: Executes dropped EXE

- C:\Windows\system32\cmd.exe (PID 3880)
  Command line: C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe .
  - C:\Windows\yizwldkisjpbvvue.exe (PID 3540)
    Command line: yizwldkisjpbvvue.exe .
    Signatures: Checks computer location settings; Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe (PID 4700)
      Command line: "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\yizwldkisjpbvvue.exe*."
      Signatures: Executes dropped EXE

- C:\Windows\system32\cmd.exe (PID 1184)
  Command line: C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe .
  - C:\Windows\bqmoifrujfqhglpehopea.exe
    Command line: bqmoifrujfqhglpehopea.exe .
    Signatures: Checks computer location settings
- Executes dropped EXE
PID:1060 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bqmoifrujfqhglpehopea.exe*."3⤵
- Executes dropped EXE
PID:1308
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe .1⤵PID:4980
-
C:\Windows\yizwldkisjpbvvue.exeyizwldkisjpbvvue.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
PID:4952 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\yizwldkisjpbvvue.exe*."3⤵
- Executes dropped EXE
PID:5660
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe1⤵PID:3584
-
C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exeC:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe2⤵
- Executes dropped EXE
PID:4756
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe1⤵PID:924
-
C:\Windows\zmggytderlujgjlyzed.exezmggytderlujgjlyzed.exe2⤵PID:1712
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe1⤵PID:5964
-
C:\Windows\mavwplwymhrhfjmaciiw.exemavwplwymhrhfjmaciiw.exe2⤵PID:5116
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .1⤵PID:848
-
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exeC:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .2⤵PID:4452
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\mavwplwymhrhfjmaciiw.exe*."3⤵PID:3440
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe .1⤵PID:1724
-
C:\Windows\yizwldkisjpbvvue.exeyizwldkisjpbvvue.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3572 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\yizwldkisjpbvvue.exe*."3⤵PID:4364
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe .1⤵PID:1012
-
C:\Windows\bqmoifrujfqhglpehopea.exebqmoifrujfqhglpehopea.exe .2⤵
- Checks computer location settings
PID:4828 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bqmoifrujfqhglpehopea.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1452
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe1⤵PID:5608
-
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exeC:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe2⤵PID:2108
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe1⤵PID:3748
-
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exeC:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe2⤵PID:208
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe1⤵PID:5820
-
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exeC:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe2⤵PID:1056
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .1⤵PID:1272
-
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exeC:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4620 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\mavwplwymhrhfjmaciiw.exe*."3⤵PID:3604
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .1⤵PID:404
-
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exeC:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5560 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\mavwplwymhrhfjmaciiw.exe*."3⤵PID:1512
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .1⤵PID:5036
-
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exeC:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .2⤵
- Checks computer location settings
PID:3980 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\fqigwpxwhzgtoppaz.exe*."3⤵PID:232
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe1⤵PID:5832
-
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exeC:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe2⤵PID:2880
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe1⤵PID:2560
-
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exeC:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe2⤵PID:4100
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .1⤵PID:4212
-
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exeC:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .2⤵PID:2036
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zmggytderlujgjlyzed.exe*."3⤵PID:2760
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .1⤵PID:5216
-
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exeC:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .2⤵PID:5432
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\mavwplwymhrhfjmaciiw.exe*."3⤵PID:3940
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe1⤵PID:1752
-
C:\Windows\mavwplwymhrhfjmaciiw.exemavwplwymhrhfjmaciiw.exe2⤵PID:4460
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe .1⤵PID:2936
-
C:\Windows\mavwplwymhrhfjmaciiw.exemavwplwymhrhfjmaciiw.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5496 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\mavwplwymhrhfjmaciiw.exe*."3⤵PID:3952
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe1⤵PID:4560
-
C:\Windows\oatsjdmmyrznjlmyyc.exeoatsjdmmyrznjlmyyc.exe2⤵PID:1576
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe .1⤵PID:4016
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4040
-
-
C:\Windows\oatsjdmmyrznjlmyyc.exeoatsjdmmyrznjlmyyc.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4440 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\oatsjdmmyrznjlmyyc.exe*."3⤵PID:4804
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe1⤵PID:556
-
C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exeC:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe2⤵PID:2260
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .1⤵PID:1624
-
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exeC:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5248 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zmggytderlujgjlyzed.exe*."3⤵PID:4700
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe1⤵PID:664
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4952
-
-
C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exeC:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe2⤵PID:3056
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .1⤵PID:5492
-
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exeC:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .2⤵
- Checks computer location settings
PID:3180 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\yizwldkisjpbvvue.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- System policy modification
PID:5864
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe1⤵PID:4932
-
C:\Windows\oatsjdmmyrznjlmyyc.exeoatsjdmmyrznjlmyyc.exe2⤵PID:1728
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe .1⤵PID:5592
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2372
-
-
C:\Windows\yizwldkisjpbvvue.exeyizwldkisjpbvvue.exe .2⤵PID:1132
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\yizwldkisjpbvvue.exe*."3⤵PID:3024
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe1⤵PID:5964
-
C:\Windows\bqmoifrujfqhglpehopea.exebqmoifrujfqhglpehopea.exe2⤵PID:5196
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe .1⤵PID:5516
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3572
-
-
C:\Windows\fqigwpxwhzgtoppaz.exefqigwpxwhzgtoppaz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4908 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\fqigwpxwhzgtoppaz.exe*."3⤵PID:3788
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe1⤵PID:3456
-
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exeC:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe2⤵PID:2864
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .1⤵PID:5776
-
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exeC:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .2⤵PID:752
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zmggytderlujgjlyzed.exe*."3⤵PID:4960
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe1⤵PID:3428
-
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exeC:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe2⤵PID:848
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .1⤵PID:5436
-
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exeC:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .2⤵
- Checks computer location settings
PID:3892 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\fqigwpxwhzgtoppaz.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2796
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe1⤵PID:2660
-
C:\Windows\mavwplwymhrhfjmaciiw.exemavwplwymhrhfjmaciiw.exe2⤵PID:1272
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe .1⤵PID:1632
-
C:\Windows\mavwplwymhrhfjmaciiw.exemavwplwymhrhfjmaciiw.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4516 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\mavwplwymhrhfjmaciiw.exe*."3⤵PID:6100
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe1⤵PID:5512
-
C:\Windows\mavwplwymhrhfjmaciiw.exemavwplwymhrhfjmaciiw.exe2⤵PID:440
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe .1⤵PID:640
-
C:\Windows\oatsjdmmyrznjlmyyc.exeoatsjdmmyrznjlmyyc.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3432 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\oatsjdmmyrznjlmyyc.exe*."3⤵PID:4344
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe1⤵PID:464
-
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exeC:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe2⤵PID:1416
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .1⤵PID:1752
-
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exeC:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1800 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\fqigwpxwhzgtoppaz.exe*."3⤵PID:4732
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe1⤵PID:4668
-
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exeC:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe2⤵PID:3416
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .1⤵PID:4188
-
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exeC:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:6116 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\fqigwpxwhzgtoppaz.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3304
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe1⤵PID:4512
-
C:\Windows\fqigwpxwhzgtoppaz.exefqigwpxwhzgtoppaz.exe2⤵PID:4660
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe .1⤵PID:1844
-
C:\Windows\mavwplwymhrhfjmaciiw.exemavwplwymhrhfjmaciiw.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:868 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\mavwplwymhrhfjmaciiw.exe*."3⤵PID:5228
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe1⤵PID:5172
-
C:\Windows\mavwplwymhrhfjmaciiw.exemavwplwymhrhfjmaciiw.exe2⤵PID:5360
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe .1⤵PID:1424
-
C:\Windows\oatsjdmmyrznjlmyyc.exeoatsjdmmyrznjlmyyc.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4868 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\oatsjdmmyrznjlmyyc.exe*."3⤵PID:4208
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe1⤵PID:2316
-
C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exeC:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe2⤵PID:544
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .1⤵PID:940
-
C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exeC:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .2⤵PID:4596
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\oatsjdmmyrznjlmyyc.exe*."3⤵PID:5264
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe1⤵PID:1184
-
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exeC:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe2⤵PID:6084
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .1⤵PID:1300
-
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exeC:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:400 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zmggytderlujgjlyzed.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1440
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe1⤵PID:4112
-
C:\Windows\fqigwpxwhzgtoppaz.exefqigwpxwhzgtoppaz.exe2⤵PID:924
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe .1⤵PID:4828
-
C:\Windows\bqmoifrujfqhglpehopea.exebqmoifrujfqhglpehopea.exe .2⤵PID:1056
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bqmoifrujfqhglpehopea.exe*."3⤵PID:1840
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe1⤵PID:5384
-
C:\Windows\mavwplwymhrhfjmaciiw.exemavwplwymhrhfjmaciiw.exe2⤵PID:1508
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe .1⤵PID:4704
-
C:\Windows\yizwldkisjpbvvue.exeyizwldkisjpbvvue.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4960 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\yizwldkisjpbvvue.exe*."3⤵PID:5864
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe1⤵PID:2808
-
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exeC:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe2⤵PID:3984
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .1⤵PID:4620
-
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exeC:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1688 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zmggytderlujgjlyzed.exe*."3⤵PID:3748
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe1⤵PID:2492
-
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exeC:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe2⤵PID:4896
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .1⤵PID:4948
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1512
-
-
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exeC:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .2⤵
- Checks computer location settings
PID:3484 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\mavwplwymhrhfjmaciiw.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2304
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe1⤵PID:404
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5464
-
-
C:\Windows\oatsjdmmyrznjlmyyc.exeoatsjdmmyrznjlmyyc.exe2⤵PID:1436
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe .1⤵PID:5880
-
C:\Windows\mavwplwymhrhfjmaciiw.exemavwplwymhrhfjmaciiw.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5468 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\mavwplwymhrhfjmaciiw.exe*."3⤵PID:6068
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe1⤵PID:1364
-
C:\Windows\oatsjdmmyrznjlmyyc.exeoatsjdmmyrznjlmyyc.exe2⤵PID:3432
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe .1⤵PID:3672
-
C:\Windows\bqmoifrujfqhglpehopea.exebqmoifrujfqhglpehopea.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3556 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bqmoifrujfqhglpehopea.exe*."3⤵PID:4000
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe1⤵PID:232
-
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exeC:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe2⤵PID:4628
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .1⤵PID:1980
-
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exeC:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .2⤵PID:676
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\fqigwpxwhzgtoppaz.exe*."3⤵PID:1460
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe1⤵PID:6116
-
C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exeC:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe2⤵PID:1576
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .1⤵PID:2764
-
C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exeC:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .2⤵
- Checks computer location settings
PID:4440 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bqmoifrujfqhglpehopea.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4660
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe1⤵PID:4972
-
C:\Windows\oatsjdmmyrznjlmyyc.exeoatsjdmmyrznjlmyyc.exe2⤵PID:5692
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe1⤵PID:4844
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5228
-
-
C:\Windows\fqigwpxwhzgtoppaz.exefqigwpxwhzgtoppaz.exe2⤵PID:2780
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe .1⤵PID:3628
-
C:\Windows\yizwldkisjpbvvue.exeyizwldkisjpbvvue.exe .2⤵
- Checks computer location settings
PID:4880 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\yizwldkisjpbvvue.exe*."3⤵PID:4356
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe1⤵PID:5500
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3056
-
-
C:\Windows\bqmoifrujfqhglpehopea.exebqmoifrujfqhglpehopea.exe2⤵PID:3504
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe .1⤵PID:2528
-
C:\Windows\bqmoifrujfqhglpehopea.exebqmoifrujfqhglpehopea.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1820 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bqmoifrujfqhglpehopea.exe*."3⤵PID:4128
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe1⤵PID:5488
-
C:\Windows\bqmoifrujfqhglpehopea.exebqmoifrujfqhglpehopea.exe2⤵PID:6056
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe .1⤵PID:5316
-
C:\Windows\fqigwpxwhzgtoppaz.exefqigwpxwhzgtoppaz.exe .2⤵
- Checks computer location settings
PID:1132 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\fqigwpxwhzgtoppaz.exe*."3⤵PID:5612
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe .1⤵PID:5116
-
C:\Windows\zmggytderlujgjlyzed.exezmggytderlujgjlyzed.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2724 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zmggytderlujgjlyzed.exe*."3⤵PID:336
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe1⤵PID:2184
-
C:\Windows\zmggytderlujgjlyzed.exezmggytderlujgjlyzed.exe2⤵PID:4696
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe1⤵PID:1300
-
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exeC:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe2⤵PID:5008
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe .1⤵PID:2884
-
C:\Windows\bqmoifrujfqhglpehopea.exebqmoifrujfqhglpehopea.exe .2⤵PID:1440
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bqmoifrujfqhglpehopea.exe*."3⤵PID:808
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe1⤵PID:3500
-
C:\Windows\zmggytderlujgjlyzed.exezmggytderlujgjlyzed.exe2⤵PID:5340
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .1⤵PID:4172
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1840
-
-
C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exeC:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5336 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\oatsjdmmyrznjlmyyc.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
PID:4168

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe | PID:1056
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:3440
  C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe | C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe | PID:560

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe . | PID:3260
  C:\Windows\bqmoifrujfqhglpehopea.exe | bqmoifrujfqhglpehopea.exe . | PID:5148
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bqmoifrujfqhglpehopea.exe*." | PID:772

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe . | PID:5808
  C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe | C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe . | PID:5136
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\oatsjdmmyrznjlmyyc.exe*." | PID:4076

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe | PID:4892
  C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe | C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe | PID:4008

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe . | PID:1568
  C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe | C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe . | PID:5432
    - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zmggytderlujgjlyzed.exe*." | PID:5760

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe | PID:3568
  C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe | C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe | PID:2988

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe . | PID:3164
  C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe | C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe . | PID:2800
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bqmoifrujfqhglpehopea.exe*." | PID:956

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe | PID:5560
  C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe | C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe | PID:3980

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe . | PID:3360
  C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe | C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe . | PID:6108
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\mavwplwymhrhfjmaciiw.exe*." | PID:6116

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe | PID:5804
  C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe | C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe | PID:3556

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe . | PID:404
  C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe | C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe . | PID:3196
    - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\oatsjdmmyrznjlmyyc.exe*." | PID:4188

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe | PID:4496
  C:\Windows\oatsjdmmyrznjlmyyc.exe | oatsjdmmyrznjlmyyc.exe | PID:5360

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe . | PID:5324
  C:\Windows\mavwplwymhrhfjmaciiw.exe | mavwplwymhrhfjmaciiw.exe . | PID:4016
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\mavwplwymhrhfjmaciiw.exe*." | PID:556

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe | PID:5032
  C:\Windows\yizwldkisjpbvvue.exe | yizwldkisjpbvvue.exe | PID:3976

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe . | PID:3504
  C:\Windows\bqmoifrujfqhglpehopea.exe | bqmoifrujfqhglpehopea.exe . | PID:3640
    - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bqmoifrujfqhglpehopea.exe*." | PID:1140

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe | PID:4868
  C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe | C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe | PID:932

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe . | PID:3376
  C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe | C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe . | PID:224
    - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\oatsjdmmyrznjlmyyc.exe*." | PID:2352

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe | PID:1996
  C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe | C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe | PID:5988

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe . | PID:4700
  C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe | C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe . | PID:3512
    C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zmggytderlujgjlyzed.exe*." | PID:516
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe | PID:4484
  C:\Windows\fqigwpxwhzgtoppaz.exe | fqigwpxwhzgtoppaz.exe | PID:4848

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe . | PID:5444
  C:\Windows\yizwldkisjpbvvue.exe | yizwldkisjpbvvue.exe . | PID:2036
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\yizwldkisjpbvvue.exe*." | PID:3732

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe | PID:3236
  C:\Windows\fqigwpxwhzgtoppaz.exe | fqigwpxwhzgtoppaz.exe | PID:4672

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe . | PID:3144
  C:\Windows\bqmoifrujfqhglpehopea.exe | bqmoifrujfqhglpehopea.exe . | PID:2620
    C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bqmoifrujfqhglpehopea.exe*." | PID:6052

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe | PID:2560
  C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe | C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe | PID:3140

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe . | PID:4328
  C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe | C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe . | PID:3276
    C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\yizwldkisjpbvvue.exe*." | PID:3088

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe | PID:4384
  C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe | C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe | PID:2824

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe . | PID:1916
  C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe | C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe . | PID:5496
    - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\mavwplwymhrhfjmaciiw.exe*." | PID:3816
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe | PID:5864
  C:\Windows\bqmoifrujfqhglpehopea.exe | bqmoifrujfqhglpehopea.exe | PID:2364

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe . | PID:2304
  C:\Windows\fqigwpxwhzgtoppaz.exe | fqigwpxwhzgtoppaz.exe . | PID:1152
    C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\fqigwpxwhzgtoppaz.exe*." | PID:3572

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe | PID:5216
  C:\Windows\yizwldkisjpbvvue.exe | yizwldkisjpbvvue.exe | PID:6132

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe . | PID:1184
  C:\Windows\mavwplwymhrhfjmaciiw.exe | mavwplwymhrhfjmaciiw.exe . | PID:60
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\mavwplwymhrhfjmaciiw.exe*." | PID:4040

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe | PID:2584
  C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe | C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe | PID:4496

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe . | PID:2752
  C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe | C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe . | PID:2780
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\yizwldkisjpbvvue.exe*." | PID:4560

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe | PID:4872
  C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe | C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe | PID:4772

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe . | PID:2396
  C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe | C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe . | PID:2236
    - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\yizwldkisjpbvvue.exe*." | PID:4860
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe | PID:4756
  C:\Windows\oatsjdmmyrznjlmyyc.exe | oatsjdmmyrznjlmyyc.exe | PID:5500

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe . | PID:4256
  C:\Windows\oatsjdmmyrznjlmyyc.exe | oatsjdmmyrznjlmyyc.exe . | PID:3452
    C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\oatsjdmmyrznjlmyyc.exe*." | PID:3892

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe | PID:636
  C:\Windows\oatsjdmmyrznjlmyyc.exe | oatsjdmmyrznjlmyyc.exe | PID:468

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe . | PID:2808
  C:\Windows\bqmoifrujfqhglpehopea.exe | bqmoifrujfqhglpehopea.exe . | PID:1944
    - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bqmoifrujfqhglpehopea.exe*." | PID:5664

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe | PID:2604
  C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe | C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe | PID:4920

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe . | PID:4504
  C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe | C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe . | PID:4004
    C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\oatsjdmmyrznjlmyyc.exe*." | PID:4888

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe | PID:5196
  C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe | C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe | PID:4672

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe . | PID:4904
  C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe | C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe . | PID:4832
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\yizwldkisjpbvvue.exe*." | PID:3140
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe | PID:3736
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:4008
  C:\Windows\zmggytderlujgjlyzed.exe | zmggytderlujgjlyzed.exe | PID:5236

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe . | PID:6100
  C:\Windows\fqigwpxwhzgtoppaz.exe | fqigwpxwhzgtoppaz.exe . | PID:2788
    C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\fqigwpxwhzgtoppaz.exe*." | PID:2824

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe | PID:4724
  C:\Windows\oatsjdmmyrznjlmyyc.exe | oatsjdmmyrznjlmyyc.exe | PID:1488

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe . | PID:4384
  C:\Windows\fqigwpxwhzgtoppaz.exe | fqigwpxwhzgtoppaz.exe . | PID:3728
    C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\fqigwpxwhzgtoppaz.exe*." | PID:3468

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe | PID:5484
  C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe | C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe | PID:516

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe . | PID:4212
  C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe | C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe . | PID:5432
    - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bqmoifrujfqhglpehopea.exe*." | PID:5296

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe | PID:1636
  C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe | C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe | PID:5828

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe . | PID:6108
  C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe | C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe . | PID:1260
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zmggytderlujgjlyzed.exe*." | PID:3968
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe | PID:2016
  C:\Windows\oatsjdmmyrznjlmyyc.exe | oatsjdmmyrznjlmyyc.exe | PID:4776

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe . | PID:4496
  C:\Windows\oatsjdmmyrznjlmyyc.exe | oatsjdmmyrznjlmyyc.exe . | PID:2444
    - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\oatsjdmmyrznjlmyyc.exe*." | PID:4836

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe | PID:940
  C:\Windows\oatsjdmmyrznjlmyyc.exe | oatsjdmmyrznjlmyyc.exe | PID:4972

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe . | PID:4408
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:5692
  C:\Windows\bqmoifrujfqhglpehopea.exe | bqmoifrujfqhglpehopea.exe . | PID:1624
    - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bqmoifrujfqhglpehopea.exe*." | PID:5548

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe | PID:4760
  C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe | C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe | PID:3640

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe . | PID:5700
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:400
  C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe | C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe . | PID:2396
    C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\mavwplwymhrhfjmaciiw.exe*." | PID:4868

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe | PID:5264
  C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe | C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe | PID:1536

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe | PID:4784
  C:\Windows\yizwldkisjpbvvue.exe | yizwldkisjpbvvue.exe | PID:4696

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe . | PID:4756
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:1272
  C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe | C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe . | PID:5440
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bqmoifrujfqhglpehopea.exe*." | PID:1476
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe | PID:2748
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:848
  C:\Windows\bqmoifrujfqhglpehopea.exe | bqmoifrujfqhglpehopea.exe | PID:1160

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe . | PID:5008
  C:\Windows\fqigwpxwhzgtoppaz.exe | fqigwpxwhzgtoppaz.exe . | PID:1412
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\fqigwpxwhzgtoppaz.exe*." | PID:1156

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe . | PID:5140
  C:\Windows\oatsjdmmyrznjlmyyc.exe | oatsjdmmyrznjlmyyc.exe . | PID:1660
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\oatsjdmmyrznjlmyyc.exe*." | PID:2372

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe | PID:5664
  C:\Windows\mavwplwymhrhfjmaciiw.exe | mavwplwymhrhfjmaciiw.exe | PID:5516

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe | PID:2808
  C:\Windows\oatsjdmmyrznjlmyyc.exe | oatsjdmmyrznjlmyyc.exe | PID:1828

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe . | PID:5668
  C:\Windows\bqmoifrujfqhglpehopea.exe | bqmoifrujfqhglpehopea.exe . | PID:3644
    C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bqmoifrujfqhglpehopea.exe*." | PID:404

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe . | PID:5468
  C:\Windows\mavwplwymhrhfjmaciiw.exe | mavwplwymhrhfjmaciiw.exe . | PID:5432
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\mavwplwymhrhfjmaciiw.exe*." | PID:5068

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe | PID:3684
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:560
  C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe | C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe | PID:4900

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe | PID:1096
  C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe | C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe | PID:5800

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe | PID:5584
  C:\Windows\yizwldkisjpbvvue.exe | yizwldkisjpbvvue.exe | PID:3844

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe . | PID:3556
  C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe | C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe . | PID:2940
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\oatsjdmmyrznjlmyyc.exe*." | PID:5248

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe . | PID:4620
  C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe | C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe . | PID:2472
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zmggytderlujgjlyzed.exe*." | PID:3188

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe . | PID:2848
  C:\Windows\fqigwpxwhzgtoppaz.exe | fqigwpxwhzgtoppaz.exe . | PID:4076
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\fqigwpxwhzgtoppaz.exe*." | PID:3092

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe | PID:5912
  C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe | C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe | PID:2444

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe | PID:5512
  C:\Windows\mavwplwymhrhfjmaciiw.exe | mavwplwymhrhfjmaciiw.exe | PID:2828

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe | PID:4948
  C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe | C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe | PID:4040

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe . | PID:5736
  C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe | C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe . | PID:4124
    C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\oatsjdmmyrznjlmyyc.exe*." | PID:4952
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe . | PID:1212
  C:\Windows\zmggytderlujgjlyzed.exe | zmggytderlujgjlyzed.exe . | PID:6056
    C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zmggytderlujgjlyzed.exe*." | PID:1452

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe . | PID:4300
  C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe | C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe . | PID:6112
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\oatsjdmmyrznjlmyyc.exe*." | PID:5172

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe | PID:1568
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:3140
  C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe | C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe | PID:5176

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe . | PID:4104
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:2304
  C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe | C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe . | PID:4760
    C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\yizwldkisjpbvvue.exe*." | PID:1140

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe | PID:5708
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:2260
  C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe | C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe | PID:3976

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe . | PID:4812
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:4208
  C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe | C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe . | PID:3620
    - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\yizwldkisjpbvvue.exe*." | PID:664

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe | PID:4704
  C:\Windows\mavwplwymhrhfjmaciiw.exe | mavwplwymhrhfjmaciiw.exe | PID:1440

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe . | PID:2276
  C:\Windows\zmggytderlujgjlyzed.exe | zmggytderlujgjlyzed.exe . | PID:3412
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zmggytderlujgjlyzed.exe*." | PID:1364

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe | PID:4168
  C:\Windows\mavwplwymhrhfjmaciiw.exe | mavwplwymhrhfjmaciiw.exe | PID:2000

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe . | PID:2740
  C:\Windows\yizwldkisjpbvvue.exe | yizwldkisjpbvvue.exe . | PID:1632
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\yizwldkisjpbvvue.exe*." | PID:3384

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe | PID:5132
  C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe | C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe | PID:4700

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe . | PID:1724
  C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe | C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe . | PID:5516
    C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bqmoifrujfqhglpehopea.exe*." | PID:4304

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe | PID:5072
  C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe | C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe | PID:3748

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe . | PID:5520
  C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe | C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe . | PID:2608
    - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\fqigwpxwhzgtoppaz.exe*." | PID:2096
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe | PID:4188
  C:\Windows\zmggytderlujgjlyzed.exe | zmggytderlujgjlyzed.exe | PID:2492

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe . | PID:1152
  C:\Windows\fqigwpxwhzgtoppaz.exe | fqigwpxwhzgtoppaz.exe . | PID:3108
    C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\fqigwpxwhzgtoppaz.exe*." | PID:4016

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe | PID:1064
  C:\Windows\yizwldkisjpbvvue.exe | yizwldkisjpbvvue.exe | PID:2200

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe . | PID:4568
  C:\Windows\bqmoifrujfqhglpehopea.exe | bqmoifrujfqhglpehopea.exe . | PID:3592
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bqmoifrujfqhglpehopea.exe*." | PID:520

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe | PID:2032
  C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe | C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe | PID:1772

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe . | PID:4000
  C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe | C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe . | PID:4628
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bqmoifrujfqhglpehopea.exe*." | PID:1500

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe | PID:5740
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:5336
  C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe | C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe | PID:3816

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe . | PID:4040
  C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe | C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe . | PID:3936
    - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zmggytderlujgjlyzed.exe*." | PID:884
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - System policy modification

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe | PID:3056
  C:\Windows\mavwplwymhrhfjmaciiw.exe | mavwplwymhrhfjmaciiw.exe | PID:6072

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe . | PID:3584
  C:\Windows\zmggytderlujgjlyzed.exe | zmggytderlujgjlyzed.exe . | PID:5216
    C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zmggytderlujgjlyzed.exe*." | PID:3712

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe | PID:1080
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:2796
  C:\Windows\zmggytderlujgjlyzed.exe | zmggytderlujgjlyzed.exe | PID:4760
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe .1⤵PID:1232
-
C:\Windows\fqigwpxwhzgtoppaz.exefqigwpxwhzgtoppaz.exe .2⤵PID:2780
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\fqigwpxwhzgtoppaz.exe*."3⤵PID:4444
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe1⤵PID:3180
-
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exeC:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe2⤵PID:544
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .1⤵PID:368
-
C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exeC:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4844 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bqmoifrujfqhglpehopea.exe*."3⤵PID:5824
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe1⤵PID:1904
-
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exeC:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe2⤵PID:1212
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .1⤵PID:3496
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1416
-
-
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exeC:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4336 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\mavwplwymhrhfjmaciiw.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- System policy modification
PID:4808
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe1⤵PID:696
-
C:\Windows\bqmoifrujfqhglpehopea.exebqmoifrujfqhglpehopea.exe2⤵PID:1584
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe .1⤵PID:5880
-
C:\Windows\bqmoifrujfqhglpehopea.exebqmoifrujfqhglpehopea.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5148 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bqmoifrujfqhglpehopea.exe*."3⤵PID:3672
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe1⤵PID:5444
-
C:\Windows\mavwplwymhrhfjmaciiw.exemavwplwymhrhfjmaciiw.exe2⤵PID:2340
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe .1⤵PID:880
-
C:\Windows\fqigwpxwhzgtoppaz.exefqigwpxwhzgtoppaz.exe .2⤵PID:5340
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\fqigwpxwhzgtoppaz.exe*."3⤵PID:4316
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe1⤵PID:3440
-
C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exeC:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe2⤵PID:3520
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .1⤵PID:212
-
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exeC:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2708 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\fqigwpxwhzgtoppaz.exe*."3⤵PID:5664
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe1⤵PID:5196
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1132
-
-
C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exeC:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe2⤵PID:3684
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .1⤵PID:4796
-
C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exeC:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .2⤵
- Checks computer location settings
PID:1748 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bqmoifrujfqhglpehopea.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2492
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe1⤵PID:1612
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4076
-
-
C:\Windows\yizwldkisjpbvvue.exeyizwldkisjpbvvue.exe2⤵PID:2256
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe .1⤵PID:2628
-
C:\Windows\bqmoifrujfqhglpehopea.exebqmoifrujfqhglpehopea.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5496 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bqmoifrujfqhglpehopea.exe*."3⤵PID:556
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe1⤵PID:3896
-
C:\Windows\yizwldkisjpbvvue.exeyizwldkisjpbvvue.exe2⤵PID:5104
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe .1⤵PID:5968
-
C:\Windows\zmggytderlujgjlyzed.exezmggytderlujgjlyzed.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3040 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zmggytderlujgjlyzed.exe*."3⤵PID:1500
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe1⤵PID:5668
-
C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exeC:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe2⤵PID:2824
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .1⤵PID:5924
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4732
-
-
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exeC:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2804 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zmggytderlujgjlyzed.exe*."3⤵PID:5740
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe1⤵PID:4156
-
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exeC:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe2⤵PID:5544
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .1⤵PID:3360
-
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exeC:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4724 -
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\fqigwpxwhzgtoppaz.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4608
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe1⤵PID:5736
-
C:\Windows\oatsjdmmyrznjlmyyc.exeoatsjdmmyrznjlmyyc.exe2⤵PID:1140
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe .1⤵PID:4512
-
C:\Windows\zmggytderlujgjlyzed.exezmggytderlujgjlyzed.exe .2⤵PID:2396
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zmggytderlujgjlyzed.exe*."3⤵PID:3396
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe1⤵PID:1636
-
C:\Windows\bqmoifrujfqhglpehopea.exebqmoifrujfqhglpehopea.exe2⤵PID:1844
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe .1⤵PID:4420
-
C:\Windows\mavwplwymhrhfjmaciiw.exemavwplwymhrhfjmaciiw.exe .2⤵PID:6084
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\mavwplwymhrhfjmaciiw.exe*."3⤵PID:3652
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe1⤵PID:1280
-
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exeC:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe2⤵PID:664
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .1⤵PID:4812
-
C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exeC:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .2⤵PID:4748
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bqmoifrujfqhglpehopea.exe*."3⤵PID:5772
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe1⤵PID:1440
-
C:\Windows\zmggytderlujgjlyzed.exezmggytderlujgjlyzed.exe2⤵PID:4704
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe .1⤵PID:848
-
C:\Windows\oatsjdmmyrznjlmyyc.exeoatsjdmmyrznjlmyyc.exe .2⤵PID:5132
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\oatsjdmmyrznjlmyyc.exe*."3⤵PID:5940
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe1⤵PID:5988
-
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exeC:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe2⤵PID:1412
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe1⤵PID:1416
-
C:\Windows\mavwplwymhrhfjmaciiw.exemavwplwymhrhfjmaciiw.exe2⤵PID:636
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .1⤵PID:1272
-
C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exeC:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .2⤵PID:4940
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\oatsjdmmyrznjlmyyc.exe*."3⤵PID:3044
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe .1⤵PID:2988
-
C:\Windows\fqigwpxwhzgtoppaz.exefqigwpxwhzgtoppaz.exe .2⤵PID:3096
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\fqigwpxwhzgtoppaz.exe*."3⤵PID:3792
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe1⤵PID:5116
-
C:\Windows\zmggytderlujgjlyzed.exezmggytderlujgjlyzed.exe2⤵PID:5792
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe .1⤵PID:1628
-
C:\Windows\mavwplwymhrhfjmaciiw.exemavwplwymhrhfjmaciiw.exe .2⤵PID:5804
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\mavwplwymhrhfjmaciiw.exe*."3⤵PID:2256
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe1⤵PID:4892
-
C:\Windows\bqmoifrujfqhglpehopea.exebqmoifrujfqhglpehopea.exe2⤵PID:4992
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe1⤵PID:3748
-
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exeC:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe2⤵PID:5432
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe .1⤵PID:6068
-
C:\Windows\fqigwpxwhzgtoppaz.exefqigwpxwhzgtoppaz.exe .2⤵PID:208
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\fqigwpxwhzgtoppaz.exe*."3⤵PID:1952
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .1⤵PID:2608
-
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exeC:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .2⤵PID:4356
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\yizwldkisjpbvvue.exe*."3⤵PID:2804
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe1⤵PID:5664
-
C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exeC:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe2⤵PID:3108
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .1⤵PID:3304
-
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exeC:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .2⤵PID:3484
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\mavwplwymhrhfjmaciiw.exe*."3⤵PID:4212
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe1⤵PID:2212
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3984
-
-
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exeC:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe2⤵PID:4172
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .1⤵PID:1612
-
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exeC:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .2⤵PID:2096
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\yizwldkisjpbvvue.exe*."3⤵PID:1140
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe1⤵PID:924
-
C:\Windows\oatsjdmmyrznjlmyyc.exeoatsjdmmyrznjlmyyc.exe2⤵PID:4180
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe1⤵PID:3996
-
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exeC:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe2⤵PID:2976
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .1⤵PID:4592
-
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exeC:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .2⤵PID:5560
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\yizwldkisjpbvvue.exe*."3⤵PID:5216
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe .1⤵PID:3732
-
C:\Windows\yizwldkisjpbvvue.exeyizwldkisjpbvvue.exe .2⤵PID:4372
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\yizwldkisjpbvvue.exe*."3⤵PID:2796
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe1⤵PID:5740
-
C:\Windows\oatsjdmmyrznjlmyyc.exeoatsjdmmyrznjlmyyc.exe2⤵PID:368
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe .1⤵PID:4948
-
C:\Windows\fqigwpxwhzgtoppaz.exefqigwpxwhzgtoppaz.exe .2⤵PID:2396
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\fqigwpxwhzgtoppaz.exe*."3⤵PID:544
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe1⤵PID:5364
-
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exeC:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe2⤵PID:5548
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .1⤵PID:4760
-
C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exeC:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .2⤵PID:940
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bqmoifrujfqhglpehopea.exe*."3⤵PID:4844
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe1⤵PID:1680
-
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exeC:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe2⤵PID:4932
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .1⤵PID:4840
-
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exeC:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .2⤵PID:5976
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zmggytderlujgjlyzed.exe*."3⤵PID:4516
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe1⤵PID:3640
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3968
-
-
C:\Windows\zmggytderlujgjlyzed.exezmggytderlujgjlyzed.exe2⤵PID:5600
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe .1⤵PID:5008
-
C:\Windows\oatsjdmmyrznjlmyyc.exeoatsjdmmyrznjlmyyc.exe .2⤵PID:5012
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\oatsjdmmyrznjlmyyc.exe*."3⤵PID:5272
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe1⤵PID:1416
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5988
-
-
C:\Windows\zmggytderlujgjlyzed.exezmggytderlujgjlyzed.exe2⤵PID:3520
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe .1⤵PID:112
-
C:\Windows\yizwldkisjpbvvue.exeyizwldkisjpbvvue.exe .2⤵PID:1644
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\yizwldkisjpbvvue.exe*."3⤵PID:1096
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe1⤵PID:3004
-
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exeC:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe2⤵PID:6104
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .1⤵PID:2884
-
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exeC:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .2⤵PID:5880
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\fqigwpxwhzgtoppaz.exe*."3⤵PID:2560
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe1⤵PID:2000
-
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exeC:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe2⤵PID:2256
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .1⤵PID:5324
-
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exeC:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .2⤵PID:1728
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\yizwldkisjpbvvue.exe*."3⤵PID:5488
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe1⤵PID:5340
-
C:\Windows\fqigwpxwhzgtoppaz.exefqigwpxwhzgtoppaz.exe2⤵PID:5308
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe .1⤵PID:3644
-
C:\Windows\oatsjdmmyrznjlmyyc.exeoatsjdmmyrznjlmyyc.exe .2⤵PID:5472
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\oatsjdmmyrznjlmyyc.exe*."3⤵PID:5468
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe1⤵PID:5028
-
C:\Windows\zmggytderlujgjlyzed.exezmggytderlujgjlyzed.exe2⤵PID:652
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe .1⤵PID:1500
-
C:\Windows\yizwldkisjpbvvue.exeyizwldkisjpbvvue.exe .2⤵PID:976
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\yizwldkisjpbvvue.exe*."3⤵PID:3940
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe1⤵PID:3164
-
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exeC:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe2⤵PID:2760
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .1⤵PID:4000
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5800
-
-
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exeC:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .2⤵PID:5408
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\mavwplwymhrhfjmaciiw.exe*."3⤵PID:5104
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe1⤵PID:5796
-
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exeC:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe2⤵PID:4740
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .1⤵PID:2456
-
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exeC:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .2⤵PID:4836
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\fqigwpxwhzgtoppaz.exe*."3⤵PID:5216
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe1⤵PID:2888
-
C:\Windows\fqigwpxwhzgtoppaz.exefqigwpxwhzgtoppaz.exe2⤵PID:2628
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe .1⤵PID:3884
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4560
-
-
C:\Windows\yizwldkisjpbvvue.exeyizwldkisjpbvvue.exe .2⤵PID:4868
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\yizwldkisjpbvvue.exe*."3⤵PID:4124
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe1⤵PID:1844
-
C:\Windows\zmggytderlujgjlyzed.exezmggytderlujgjlyzed.exe2⤵PID:664
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe .1⤵PID:1536
-
C:\Windows\fqigwpxwhzgtoppaz.exefqigwpxwhzgtoppaz.exe .2⤵PID:5544
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\fqigwpxwhzgtoppaz.exe*."3⤵PID:3700
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe1⤵PID:5948
-
C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exeC:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe2⤵PID:5824
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .1⤵PID:2260
-
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exeC:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .2⤵PID:932
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\mavwplwymhrhfjmaciiw.exe*."3⤵PID:4860
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe1⤵PID:1820
-
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exeC:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe2⤵PID:2852
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .1⤵PID:884
-
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exeC:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .2⤵PID:4996
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zmggytderlujgjlyzed.exe*."3⤵PID:4552
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe1⤵PID:1712
-
C:\Windows\fqigwpxwhzgtoppaz.exefqigwpxwhzgtoppaz.exe2⤵PID:4304
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe .1⤵PID:3384
-
C:\Windows\bqmoifrujfqhglpehopea.exebqmoifrujfqhglpehopea.exe .2⤵PID:3520
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bqmoifrujfqhglpehopea.exe*."3⤵PID:2372
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe1⤵PID:4936
-
C:\Windows\yizwldkisjpbvvue.exeyizwldkisjpbvvue.exe2⤵PID:5236
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe .1⤵PID:1644
-
C:\Windows\fqigwpxwhzgtoppaz.exefqigwpxwhzgtoppaz.exe .2⤵PID:3528
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\fqigwpxwhzgtoppaz.exe*."3⤵PID:5936
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe1⤵PID:1300
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5760
-
-
C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exeC:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe2⤵PID:4680
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .1⤵PID:3088
-
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exeC:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .2⤵PID:1460
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\yizwldkisjpbvvue.exe*."3⤵PID:3092
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe1⤵PID:4916
-
C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exeC:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe2⤵PID:1244
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .1⤵PID:848
-
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exeC:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .2⤵PID:4504
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\mavwplwymhrhfjmaciiw.exe*."3⤵PID:1588
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe1⤵PID:3324
-
C:\Windows\zmggytderlujgjlyzed.exezmggytderlujgjlyzed.exe2⤵PID:1204
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe .1⤵PID:2620
-
C:\Windows\zmggytderlujgjlyzed.exezmggytderlujgjlyzed.exe .2⤵PID:1800
-
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zmggytderlujgjlyzed.exe*."3⤵PID:4024
-
-
-
Process tree (indented by depth; each line is [PID] image path | command line):

[PID 2976] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe
  [PID 244] C:\Windows\zmggytderlujgjlyzed.exe | zmggytderlujgjlyzed.exe
[PID 3788] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe .
  [PID 3164] C:\Windows\zmggytderlujgjlyzed.exe | zmggytderlujgjlyzed.exe .
    [PID 3992] C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zmggytderlujgjlyzed.exe*."
[PID 5828] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
  [PID 2468] C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe | C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
[PID 4584] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .
  [PID 5360] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [PID 2608] C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe | C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .
    [PID 4040] C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\mavwplwymhrhfjmaciiw.exe*."
[PID 5912] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
  [PID 2828] C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe | C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
[PID 5640] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .
  [PID 3636] C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe | C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .
    [PID 5076] C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\fqigwpxwhzgtoppaz.exe*."
[PID 1064] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe
  [PID 4328] C:\Windows\yizwldkisjpbvvue.exe | yizwldkisjpbvvue.exe
[PID 5100] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe .
  [PID 4564] C:\Windows\oatsjdmmyrznjlmyyc.exe | oatsjdmmyrznjlmyyc.exe .
    [PID 1152] C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\oatsjdmmyrznjlmyyc.exe*."
[PID 4596] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe
  [PID 2396] C:\Windows\fqigwpxwhzgtoppaz.exe | fqigwpxwhzgtoppaz.exe
[PID 3884] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe
  [PID 940] C:\Windows\bqmoifrujfqhglpehopea.exe | bqmoifrujfqhglpehopea.exe
[PID 664] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe
  [PID 3572] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [PID 2492] C:\Windows\zmggytderlujgjlyzed.exe | zmggytderlujgjlyzed.exe
[PID 3728] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe .
  [PID 6056] C:\Windows\yizwldkisjpbvvue.exe | yizwldkisjpbvvue.exe .
    [PID 636] C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\yizwldkisjpbvvue.exe*."
[PID 6084] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe .
  [PID 2260] C:\Windows\bqmoifrujfqhglpehopea.exe | bqmoifrujfqhglpehopea.exe .
    [PID 4304] C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bqmoifrujfqhglpehopea.exe*."
[PID 3452] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
  [PID 2480] C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe | C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
[PID 4444] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe .
  [PID 1356] C:\Windows\oatsjdmmyrznjlmyyc.exe | oatsjdmmyrznjlmyyc.exe .
    [PID 5592] C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\oatsjdmmyrznjlmyyc.exe*."
[PID 5500] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .
  [PID 1212] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [PID 1488] C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe | C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .
    [PID 2108] C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\mavwplwymhrhfjmaciiw.exe*."
[PID 4716] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe
  [PID 4680] C:\Windows\fqigwpxwhzgtoppaz.exe | fqigwpxwhzgtoppaz.exe
[PID 1624] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe
  [PID 2272] C:\Windows\yizwldkisjpbvvue.exe | yizwldkisjpbvvue.exe
[PID 5884] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe .
  [PID 5324] C:\Windows\zmggytderlujgjlyzed.exe | zmggytderlujgjlyzed.exe .
    [PID 244] C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zmggytderlujgjlyzed.exe*."
[PID 1688] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe .
  [PID 4004] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [PID 2276] C:\Windows\zmggytderlujgjlyzed.exe | zmggytderlujgjlyzed.exe .
    [PID 2840] C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zmggytderlujgjlyzed.exe*."
[PID 1632] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
  [PID 5328] C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe | C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
[PID 3412] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
  [PID 2804] C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe | C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
[PID 5236] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
  [PID 4752] C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe | C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
[PID 2012] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .
  [PID 3468] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [PID 5140] C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe | C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .
    [PID 1980] C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\oatsjdmmyrznjlmyyc.exe*."
[PID 5936] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .
  [PID 4892] C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe | C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .
    [PID 1772] C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\oatsjdmmyrznjlmyyc.exe*."
[PID 2076] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .
  [PID 3908] C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe | C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .
    [PID 5240] C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zmggytderlujgjlyzed.exe*."
[PID 1244] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
  [PID 4512] C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe | C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
[PID 1020] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
  [PID 5172] C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe | C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
[PID 2200] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .
  [PID 4800] C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe | C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .
    [PID 3896] C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zmggytderlujgjlyzed.exe*."
[PID 1628] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .
  [PID 5340] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [PID 4772] C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe | C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .
    [PID 2764] C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\fqigwpxwhzgtoppaz.exe*."
[PID 4968] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe
  [PID 3432] C:\Windows\zmggytderlujgjlyzed.exe | zmggytderlujgjlyzed.exe
[PID 3940] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe .
  [PID 3196] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [PID 5488] C:\Windows\mavwplwymhrhfjmaciiw.exe | mavwplwymhrhfjmaciiw.exe .
    [PID 3304] C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\mavwplwymhrhfjmaciiw.exe*."
[PID 3860] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe
  [PID 5168] C:\Windows\yizwldkisjpbvvue.exe | yizwldkisjpbvvue.exe
[PID 2584] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe .
  [PID 5212] C:\Windows\oatsjdmmyrznjlmyyc.exe | oatsjdmmyrznjlmyyc.exe .
    [PID 3360] C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\oatsjdmmyrznjlmyyc.exe*."
[PID 5668] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
  [PID 3724] C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe | C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
[PID 4732] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .
  [PID 1536] C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe | C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .
    [PID 1404] C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\oatsjdmmyrznjlmyyc.exe*."
[PID 4112] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
  [PID 60] C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe | C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
[PID 1984] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .
  [PID 2904] C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe | C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .
    [PID 2724] C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\yizwldkisjpbvvue.exe*."
[PID 2748] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe
  [PID 748] C:\Windows\mavwplwymhrhfjmaciiw.exe | mavwplwymhrhfjmaciiw.exe
[PID 4680] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe .
  [PID 4208] C:\Windows\yizwldkisjpbvvue.exe | yizwldkisjpbvvue.exe .
    [PID 4940] C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\yizwldkisjpbvvue.exe*."
[PID 5960] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe
  [PID 1356] C:\Windows\yizwldkisjpbvvue.exe | yizwldkisjpbvvue.exe
[PID 3976] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe .
  [PID 4860] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [PID 3096] C:\Windows\oatsjdmmyrznjlmyyc.exe | oatsjdmmyrznjlmyyc.exe .
    [PID 4444] C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\oatsjdmmyrznjlmyyc.exe*."
[PID 5012] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
  [PID 1440] C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe | C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
[PID 1488] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .
  [PID 2444] C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe | C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .
    [PID 2236] C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zmggytderlujgjlyzed.exe*."
[PID 3892] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
  [PID 4996] C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe | C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
[PID 1204] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .
  [PID 6052] C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe | C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .
    [PID 4812] C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\yizwldkisjpbvvue.exe*."
[PID 5140] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe
  [PID 4980] C:\Windows\yizwldkisjpbvvue.exe | yizwldkisjpbvvue.exe
[PID 3164] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe .
  [PID 2876] C:\Windows\mavwplwymhrhfjmaciiw.exe | mavwplwymhrhfjmaciiw.exe .
    [PID 3412] C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\mavwplwymhrhfjmaciiw.exe*."
[PID 4808] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe
  [PID 632] C:\Windows\fqigwpxwhzgtoppaz.exe | fqigwpxwhzgtoppaz.exe
[PID 1416] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe .
  [PID 4500] C:\Windows\oatsjdmmyrznjlmyyc.exe | oatsjdmmyrznjlmyyc.exe .
    [PID 1312] C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\oatsjdmmyrznjlmyyc.exe*."
[PID 880] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
  [PID 5792] C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe | C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
[PID 6108] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .
  [PID 4016] C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe | C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .
    [PID 5664] C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\fqigwpxwhzgtoppaz.exe*."
[PID 1464] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
  [PID 4072] C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe | C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
[PID 3604] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .
  [PID 752] C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe | C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .
    [PID 2256] C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\fqigwpxwhzgtoppaz.exe*."
[PID 4628] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe
  [PID 4772] C:\Windows\bqmoifrujfqhglpehopea.exe | bqmoifrujfqhglpehopea.exe
[PID 3556] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe .
  [PID 2936] C:\Windows\bqmoifrujfqhglpehopea.exe | bqmoifrujfqhglpehopea.exe .
    [PID 740] C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bqmoifrujfqhglpehopea.exe*."
[PID 2848] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe
  [PID 5252] C:\Windows\fqigwpxwhzgtoppaz.exe | fqigwpxwhzgtoppaz.exe
[PID 4916] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe .
  [PID 2248] C:\Windows\oatsjdmmyrznjlmyyc.exe | oatsjdmmyrznjlmyyc.exe .
    [PID 5924] C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\oatsjdmmyrznjlmyyc.exe*."
[PID 4128] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
  [PID 4360] C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe | C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
[PID 4564] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .
  [PID 3732] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [PID 2016] C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe | C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .
    [PID 3620] C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bqmoifrujfqhglpehopea.exe*."
[PID 868] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
  [PID 368] C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe | C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
[PID 5100] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .
  [PID 1200] C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe | C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .
    [PID 5032] C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\oatsjdmmyrznjlmyyc.exe*."
[PID 6056] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe
  [PID 5444] C:\Windows\oatsjdmmyrznjlmyyc.exe | oatsjdmmyrznjlmyyc.exe
[PID 400] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe .
  [PID 1748] C:\Windows\bqmoifrujfqhglpehopea.exe | bqmoifrujfqhglpehopea.exe .
    [PID 3564] C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bqmoifrujfqhglpehopea.exe*."
[PID 3728] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe
  [PID 1156] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [PID 5584] C:\Windows\fqigwpxwhzgtoppaz.exe | fqigwpxwhzgtoppaz.exe
[PID 5060] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe .
  [PID 5516] C:\Windows\oatsjdmmyrznjlmyyc.exe | oatsjdmmyrznjlmyyc.exe .
    [PID 3452] C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\oatsjdmmyrznjlmyyc.exe*."
[PID 2752] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
  [PID 1280] C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe | C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
[PID 4804] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .
  [PID 3976] C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe | C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .
    [PID 436] C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bqmoifrujfqhglpehopea.exe*."
[PID 4356] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
  [PID 1944] C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe | C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
[PID 1608] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .
  [PID 1000] C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe | C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .
    [PID 2260] C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\mavwplwymhrhfjmaciiw.exe*."
[PID 2976] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe
  [PID 244] C:\Windows\bqmoifrujfqhglpehopea.exe | bqmoifrujfqhglpehopea.exe
[PID 6028] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe .
  [PID 4848] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [PID 5072] C:\Windows\zmggytderlujgjlyzed.exe | zmggytderlujgjlyzed.exe .
    [PID 2876] C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zmggytderlujgjlyzed.exe*."
[PID 1980] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe
  [PID 3024] C:\Windows\zmggytderlujgjlyzed.exe | zmggytderlujgjlyzed.exe
[PID 2000] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe .
  [PID 4256] C:\Windows\zmggytderlujgjlyzed.exe | zmggytderlujgjlyzed.exe .
    [PID 3672] C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zmggytderlujgjlyzed.exe*."
[PID 1184] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe
  [PID 4612] C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe | C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe
[PID 3280] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .
  [PID 1584] C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe | C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .
    [PID 2364] C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bqmoifrujfqhglpehopea.exe*."
[PID 3908] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe
  [PID 1060] C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe | C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe
[PID 2096] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .
  [PID 1464] C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe | C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .
    [PID 5240] C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\yizwldkisjpbvvue.exe*."
[PID 4480] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe
  [PID 5360] C:\Windows\yizwldkisjpbvvue.exe | yizwldkisjpbvvue.exe
[PID 2328] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe
  [PID 5608] C:\Windows\yizwldkisjpbvvue.exe | yizwldkisjpbvvue.exe
[PID 5004] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe
  [PID 5968] C:\Windows\zmggytderlujgjlyzed.exe | zmggytderlujgjlyzed.exe
[PID 1260] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe .
  [PID 3940] C:\Windows\bqmoifrujfqhglpehopea.exe | bqmoifrujfqhglpehopea.exe .
    [PID 5228] C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bqmoifrujfqhglpehopea.exe*."
[PID 1828] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe .
  [PID 1232] C:\Windows\fqigwpxwhzgtoppaz.exe | fqigwpxwhzgtoppaz.exe .
[PID 2808] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe .
  [PID 1436] C:\Windows\bqmoifrujfqhglpehopea.exe | bqmoifrujfqhglpehopea.exe .
[PID 232] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe
[PID 4308] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe .
[PID 220] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe
[PID 5924] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe
Network
MITRE ATT&CK Enterprise v16 (number of matched signatures per tactic / technique / sub-technique)
Persistence
  Boot or Logon Autostart Execution: 3
    Registry Run Keys / Startup Folder: 2
    Winlogon Helper DLL: 1
  Hijack Execution Flow: 1
    Executable Installer File Permissions Weakness: 1
Privilege Escalation
  Abuse Elevation Control Mechanism: 1
    Bypass User Account Control: 1
  Boot or Logon Autostart Execution: 3
    Registry Run Keys / Startup Folder: 2
    Winlogon Helper DLL: 1
  Hijack Execution Flow: 1
    Executable Installer File Permissions Weakness: 1
Defense Evasion
  Abuse Elevation Control Mechanism: 1
    Bypass User Account Control: 1
  Hijack Execution Flow: 1
    Executable Installer File Permissions Weakness: 1
  Impair Defenses: 2
    Disable or Modify Tools: 1
    Safe Mode Boot: 1
  Modify Registry: 5
Downloads