Analysis
  max time kernel: 77s
  max time network: 152s
  platform: windows10-2004_x64
  resource: win10v2004-20250314-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 21/04/2025, 12:23

Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_c940916a51510ded99612bd93114de0d.exe
  Resource: win10v2004-20250314-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_c940916a51510ded99612bd93114de0d.exe
  Resource: win11-20250410-en
General
  Target: JaffaCakes118_c940916a51510ded99612bd93114de0d.exe
  Size: 472KB
  MD5: c940916a51510ded99612bd93114de0d
  SHA1: af052d166386189ab6c14e8e49831b6459c42b5f
  SHA256: 23500abd545b632364da058b1e9fa90a6c5377fd39266246bee94b0be750775a
  SHA512: 7981e1a0e321645e396b80b9bddc102f901466f85f74bb252bf99088e083033a55a8eaad519b428cd161038a6d32e5a47c44dbc3ec2e2f8dc41cc21c2bd87ef1
  SSDEEP: 6144:CIX6L0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUIoHb:CIX6gtvm1De5YlOx6lzBH46U5Hb
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 22 IoCs)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"
    by rfyzcmqobpi.exe (20 events) and eagss.exe (2 events)
  Note: the writer is a 32-bit process, so the value lands in the WOW6432Node view of the Winlogon key, which the 64-bit logon components do not read, and "Explorer.exe" is the default shell value anyway. On this x64 image the write does not change the logon shell; treat it as a behavioural indicator of the family rather than as working persistence.
Pykspa family
UAC bypass (3 TTPs, 31 IoCs)
  Key: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  Unlike the Winlogon write above, these values are not under WOW6432Node (the Policies key is shared between the 32-bit and 64-bit views), so they change the real UAC configuration:
  Set value (int) EnableLUA = "0"                   rfyzcmqobpi.exe (20), eagss.exe (2)   UAC switched off entirely; takes effect after the next reboot
  Set value (int) ConsentPromptBehaviorAdmin = "0"  rfyzcmqobpi.exe (1),  eagss.exe (2)   administrators elevate without any prompt
  Set value (int) ConsentPromptBehaviorUser = "0"   rfyzcmqobpi.exe (1),  eagss.exe (2)   elevation requests from standard users are denied automatically
  Set value (int) PromptOnSecureDesktop = "0"       rfyzcmqobpi.exe (1),  eagss.exe (2)   any remaining prompt is shown on the normal, spoofable desktop
  Note: writing these HKLM values already requires an elevated process; what the sample does here is disable UAC for later stages and for the dropped copies, not bypass an elevation prompt.
Detect Pykspa worm (2 IoCs)
  yara rule family_pykspa matched:
    behavioral1/files/0x01ad0000000221a8-4.dat
    behavioral1/files/0x0007000000024300-104.dat
Adds policy Run key to start application (2 TTPs, 64 IoCs)
  Key: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  Key created by rfyzcmqobpi.exe (repeatedly) and by eagss.exe.
  Two value names are rewritten over and over by rfyzcmqobpi.exe and eagss.exe, each time pointing at one of the six dropped executables:
    swkemzqwpyndy = "<name>.exe"                                          bare file name, resolved through the search path at logon
    bcnejthkag    = "C:\\Users\\Admin\\AppData\\Local\\Temp\\<name>.exe"  full path into the user's Temp directory
  where <name> is one of: bizwhxrawiatrxfu, cmggunkwvkfbclwoagg, eqmoezymnebzcnauiqsea, iqigsjeolyrlkraqa, pavwlfdqqgczblxqdklw, ratsfxtecqkffnxoze.
  Every one of the six names appears under both value names, and the writer is never the binary it registers: each copy re-registers a sibling, so removing a single dropped file or a single Run value does not clean the host.
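The policy Run values above (and the Run/RunOnce values the report lists further down, which have the same shape) are what a responder has to resolve one by one: is the image a bare file name or a full path, does it live in the user's Temp directory, will the entry survive one execution, was it written from the 32-bit view, and does the writer register itself or a sibling? The Python below is an added example and is not part of the sandbox report or of the sample. The three entries are copied from this report; the flag names, the Temp-directory test and the "cross-registered" interpretation are the editor's own.

```python
import ntpath
import re

# Autorun values copied from this report (a constructed subset of the
# entries listed): (value path, value data, process that wrote it).
SAMPLE_ENTRIES = [
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\swkemzqwpyndy",
     "pavwlfdqqgczblxqdklw.exe", "rfyzcmqobpi.exe"),
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bcnejthkag",
     r"C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe", "eagss.exe"),
    (r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bizwhxrawiatrxfu",
     r"C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe .", "rfyzcmqobpi.exe"),
]

# The three autorun key kinds seen in the report; group 1 is the key kind,
# group 2 the value name. Anchored on the tail so HKLM\... paths work too.
AUTORUN_KEY_RE = re.compile(
    r"\\CurrentVersion\\(Policies\\Explorer\\Run|RunOnce|Run)\\([^\\]+)$", re.IGNORECASE)


def split_command(data):
    """Split autorun value data into (image, arguments).

    A quoted image path keeps embedded spaces; otherwise the first token is
    the image. The report's RunOnce entries carry a lone "." argument.
    """
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        if end > 0:
            return data[1:end], data[end + 1:].strip()
    image, _, args = data.partition(" ")
    return image, args.strip()


def triage_autorun(value_path, data, writer):
    """Describe one autorun value, or return None if the path is not a
    Run / RunOnce / Policies\\Explorer\\Run value."""
    match = AUTORUN_KEY_RE.search(value_path)
    if not match:
        return None
    key_kind, value_name = match.group(1), match.group(2)
    image, args = split_command(data)
    flags = []
    if not ntpath.dirname(image):
        flags.append("bare-image")       # which file runs depends on the search path
    elif "\\appdata\\local\\temp\\" in image.lower():
        flags.append("user-temp")
    if key_kind.lower() == "runonce":
        flags.append("runonce")          # deleted after it runs: capture before reboot
    if args == ".":
        flags.append("trailing-dot-arg")
    if "\\wow6432node\\" in value_path.lower():
        flags.append("wow64-view")       # 32-bit writer; still executed at logon on x64
    if ntpath.basename(image).lower() != writer.lower():
        # The writer registers a *different* dropped copy, so the copies
        # keep each other alive and deleting one of them is not enough.
        flags.append("cross-registered")
    upper = value_path.upper()
    scope = ("machine" if upper.startswith("\\REGISTRY\\MACHINE\\")
             else "user" if upper.startswith("\\REGISTRY\\USER\\") else "unknown")
    return {"scope": scope, "key": key_kind, "name": value_name, "image": image,
            "args": args, "writer": writer, "flags": flags}


def triage_all(entries=SAMPLE_ENTRIES):
    """Triage every entry, skipping paths that are not autorun values."""
    return [row for row in (triage_autorun(*e) for e in entries) if row]


if __name__ == "__main__":
    for row in triage_all():
        print(row["scope"], row["key"], row["name"], "->", row["image"], row["flags"])
```

Feed it the full IoC list from a report (or an export of HKLM/HKU Run, RunOnce and Policies\Explorer\Run from a host) and group by image: the set of images that are cross-registered by each other is the set you have to remove in one pass.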
Disables RegEdit via registry modification (24 IoCs)
  Set value (int) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
    by rfyzcmqobpi.exe (19), eagss.exe (2)   per-user policy: regedit.exe refuses to start for the logged-on user (SID ...-1000)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
    by rfyzcmqobpi.exe (1), eagss.exe (2)    machine-wide policy, same effect for every user
  Note: the policy only blocks the regedit UI; reg.exe, PowerShell and offline hive tools still work, so it hinders a manual clean-up rather than preventing it.
Checks computer location settings (2 TTPs, 64 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation
    by the original sample JaffaCakes118_c940916a51510ded99612bd93114de0d.exe and by the dropped copies bizwhxrawiatrxfu.exe, cmggunkwvkfbclwoagg.exe, eqmoezymnebzcnauiqsea.exe, iqigsjeolyrlkraqa.exe, pavwlfdqqgczblxqdklw.exe and ratsfxtecqkffnxoze.exe (64 queries in total)
Executes dropped EXE (64 IoCs)
  pids by image:
  rfyzcmqobpi.exe (20): 640, 2724, 1316, 3080, 4168, 2928, 3812, 5036, 2204, 4884, 3148, 1668, 4360, 2004, 644, 5232, 4532, 3320, 468, 2676
  ratsfxtecqkffnxoze.exe (9): 1448, 4908, 3532, 3748, 1452, 748, 4776, 4208, 64
  cmggunkwvkfbclwoagg.exe (8): 1108, 228, 4896, 3248, 1132, 4640, 5468, 5780
  bizwhxrawiatrxfu.exe (7): 4560, 4344, 5788, 816, 2924, 4476, 764
  pavwlfdqqgczblxqdklw.exe (7): 5764, 4736, 1004, 4956, 768, 2452, 5940
  eqmoezymnebzcnauiqsea.exe (6): 3424, 4244, 540, 4864, 1876, 3308
  iqigsjeolyrlkraqa.exe (5): 3296, 4228, 4204, 5976, 4104
  eagss.exe (2): 4036, 4000
Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
description ioc Process
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager eagss.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys eagss.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc eagss.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power eagss.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys eagss.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc eagss.exe -
Adds Run key to start application 2 TTPs 64 IoCs
Checks whether UAC is enabled 1 TTPs 44 IoCs
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possibly turns off User Account Control's privilege elevation for standard users.
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" eagss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" eagss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" rfyzcmqobpi.exe -
Looks up external IP address via web service 9 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc
27 whatismyip.everdot.org
32 www.whatismyip.ca
38 www.whatismyip.ca
13 whatismyip.everdot.org
17 www.showmyipaddress.com
21 www.whatismyip.ca
23 whatismyipaddress.com
34 whatismyip.everdot.org
42 whatismyip.everdot.org -
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process
File opened for modification C:\autorun.inf eagss.exe
File created C:\autorun.inf eagss.exe
File opened for modification F:\autorun.inf eagss.exe
File created F:\autorun.inf eagss.exe -
Drops file in System32 directory 64 IoCs
Drops file in Program Files directory 4 IoCs
description ioc Process
File opened for modification C:\Program Files (x86)\wcsoyngojuldafmaikgmcyixqytevnkpwksuq.mis eagss.exe
File created C:\Program Files (x86)\wcsoyngojuldafmaikgmcyixqytevnkpwksuq.mis eagss.exe
File opened for modification C:\Program Files (x86)\vqvgfjroyyelxrnqnepkpazdli.syf eagss.exe
File created C:\Program Files (x86)\vqvgfjroyyelxrnqnepkpazdli.syf eagss.exe -
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4000 eagss.exe -
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1228 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_c940916a51510ded99612bd93114de0d.exe*"2⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
- System policy modification
PID:640 -
C:\Users\Admin\AppData\Local\Temp\eagss.exe"C:\Users\Admin\AppData\Local\Temp\eagss.exe" "-c:\users\admin\appdata\local\temp\jaffacakes118_c940916a51510ded99612bd93114de0d.exe"3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- System policy modification
PID:4036
-
-
C:\Users\Admin\AppData\Local\Temp\eagss.exe"C:\Users\Admin\AppData\Local\Temp\eagss.exe" "-c:\users\admin\appdata\local\temp\jaffacakes118_c940916a51510ded99612bd93114de0d.exe"3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4000
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c eqmoezymnebzcnauiqsea.exe1⤵
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\eqmoezymnebzcnauiqsea.exeeqmoezymnebzcnauiqsea.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3424
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bizwhxrawiatrxfu.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:4748 -
C:\Windows\bizwhxrawiatrxfu.exebizwhxrawiatrxfu.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4560 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\bizwhxrawiatrxfu.exe*."3⤵
- Executes dropped EXE
PID:2724
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe1⤵
- Suspicious use of WriteProcessMemory
PID:4788 -
C:\Windows\ratsfxtecqkffnxoze.exeratsfxtecqkffnxoze.exe2⤵
- Executes dropped EXE
PID:1448
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:5944 -
C:\Windows\ratsfxtecqkffnxoze.exeratsfxtecqkffnxoze.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4908 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ratsfxtecqkffnxoze.exe*."3⤵
- Executes dropped EXE
PID:1316
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe1⤵
- Suspicious use of WriteProcessMemory
PID:4712 -
C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exeC:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe2⤵
- Executes dropped EXE
PID:4344
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:5008 -
C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exeC:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3532 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ratsfxtecqkffnxoze.exe*."3⤵
- Executes dropped EXE
PID:3080
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe1⤵
- Suspicious use of WriteProcessMemory
PID:4700 -
C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exeC:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe2⤵
- Executes dropped EXE
PID:4244
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exeC:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5788 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\bizwhxrawiatrxfu.exe*."3⤵
- Executes dropped EXE
PID:4168
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cmggunkwvkfbclwoagg.exe1⤵
- Suspicious use of WriteProcessMemory
PID:5268 -
C:\Windows\cmggunkwvkfbclwoagg.execmggunkwvkfbclwoagg.exe2⤵
- Executes dropped EXE
PID:1108
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bizwhxrawiatrxfu.exe1⤵
- Suspicious use of WriteProcessMemory
PID:1588 -
C:\Windows\bizwhxrawiatrxfu.exebizwhxrawiatrxfu.exe2⤵
- Executes dropped EXE
PID:816
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:1132 -
C:\Windows\ratsfxtecqkffnxoze.exeratsfxtecqkffnxoze.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1452 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ratsfxtecqkffnxoze.exe*."3⤵
- Executes dropped EXE
PID:3812
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\ratsfxtecqkffnxoze.exeratsfxtecqkffnxoze.exe .2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3748 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ratsfxtecqkffnxoze.exe*."3⤵
- Executes dropped EXE
PID:2928
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe1⤵
- Suspicious use of WriteProcessMemory
PID:5924 -
C:\Windows\ratsfxtecqkffnxoze.exeratsfxtecqkffnxoze.exe2⤵
- Executes dropped EXE
PID:748
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pavwlfdqqgczblxqdklw.exe1⤵PID:4484
-
C:\Windows\pavwlfdqqgczblxqdklw.exepavwlfdqqgczblxqdklw.exe2⤵
- Executes dropped EXE
PID:4736
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bizwhxrawiatrxfu.exe .1⤵PID:4716
-
C:\Windows\bizwhxrawiatrxfu.exebizwhxrawiatrxfu.exe .2⤵
- Executes dropped EXE
PID:2924 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\bizwhxrawiatrxfu.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5036
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cmggunkwvkfbclwoagg.exe .1⤵PID:2872
-
C:\Windows\cmggunkwvkfbclwoagg.execmggunkwvkfbclwoagg.exe .2⤵
- Executes dropped EXE
PID:228 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\cmggunkwvkfbclwoagg.exe*."3⤵
- Executes dropped EXE
PID:2204
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe1⤵PID:460
-
C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exeC:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe2⤵
- Executes dropped EXE
PID:4776
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe1⤵PID:1128
-
C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exeC:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe2⤵
- Executes dropped EXE
PID:4476
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe .1⤵PID:5864
-
C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exeC:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
PID:3296 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iqigsjeolyrlkraqa.exe*."3⤵
- Executes dropped EXE
PID:3148
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe .1⤵PID:2956
-
C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exeC:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:540 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\eqmoezymnebzcnauiqsea.exe*."3⤵
- Executes dropped EXE
PID:4884
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe1⤵PID:2940
-
C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exeC:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe2⤵
- Executes dropped EXE
PID:5764
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe1⤵PID:468
-
Process tree (format: [depth] PID  image path  |  command line; the indented bullets under an entry are the signatures that process triggered)

  [2] PID 4896  C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe  |  C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe
      - Executes dropped EXE

[1] PID 3564  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe .
  [2] PID 1004  C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe  |  C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
    [3] PID 4360  C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  |  "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\pavwlfdqqgczblxqdklw.exe*."
        - Executes dropped EXE

[1] PID 2912  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe .
  [2] PID 4864  C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe  |  C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
    [3] PID 1668  C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  |  "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\eqmoezymnebzcnauiqsea.exe*."
        - Executes dropped EXE

[1] PID 3656  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c bizwhxrawiatrxfu.exe
  [2] PID 764  C:\Windows\bizwhxrawiatrxfu.exe  |  bizwhxrawiatrxfu.exe
      - Executes dropped EXE

[1] PID 3952  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe .
  [2] PID 4208  C:\Windows\ratsfxtecqkffnxoze.exe  |  ratsfxtecqkffnxoze.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
    [3] PID 2004  C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  |  "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ratsfxtecqkffnxoze.exe*."
        - Executes dropped EXE

[1] PID 1384  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c pavwlfdqqgczblxqdklw.exe
  [2] PID 4956  C:\Windows\pavwlfdqqgczblxqdklw.exe  |  pavwlfdqqgczblxqdklw.exe
      - Executes dropped EXE

[1] PID 2948  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c eqmoezymnebzcnauiqsea.exe .
  [2] PID 1876  C:\Windows\eqmoezymnebzcnauiqsea.exe  |  eqmoezymnebzcnauiqsea.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
    [3] PID 644  C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  |  "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\eqmoezymnebzcnauiqsea.exe*."
        - Executes dropped EXE

[1] PID 1508  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe
  [2] PID 4228  C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe  |  C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe
      - Executes dropped EXE
[1] PID 2816  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe .
  [2] PID 768  C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe  |  C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe .
      - Checks computer location settings
      - Executes dropped EXE
    [3] PID 5232  C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  |  "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\pavwlfdqqgczblxqdklw.exe*."
        - Executes dropped EXE

[1] PID 4276  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe
  [2] PID 2452  C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe  |  C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe
      - Executes dropped EXE

[1] PID 4848  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe .
  [2] PID 4204  C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe  |  C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe .
      - Checks computer location settings
      - Executes dropped EXE
    [3] PID 4532  C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  |  "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iqigsjeolyrlkraqa.exe*."
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification

[1] PID 5884  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c eqmoezymnebzcnauiqsea.exe
  [2] PID 3308  C:\Windows\eqmoezymnebzcnauiqsea.exe  |  eqmoezymnebzcnauiqsea.exe
      - Executes dropped EXE

[1] PID 1500  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c cmggunkwvkfbclwoagg.exe
  [2] PID 3248  C:\Windows\cmggunkwvkfbclwoagg.exe  |  cmggunkwvkfbclwoagg.exe
      - Executes dropped EXE

[1] PID 2988  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c pavwlfdqqgczblxqdklw.exe .
  [2] PID 5940  C:\Windows\pavwlfdqqgczblxqdklw.exe  |  pavwlfdqqgczblxqdklw.exe .
      - Checks computer location settings
      - Executes dropped EXE
    [3] PID 3320  C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  |  "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\pavwlfdqqgczblxqdklw.exe*."
        - Executes dropped EXE

[1] PID 3692  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c cmggunkwvkfbclwoagg.exe
  [2] PID 1132  C:\Windows\cmggunkwvkfbclwoagg.exe  |  cmggunkwvkfbclwoagg.exe
      - Executes dropped EXE

[1] PID 4776  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c cmggunkwvkfbclwoagg.exe .
  [2] PID 5468  C:\Windows\cmggunkwvkfbclwoagg.exe  |  cmggunkwvkfbclwoagg.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
    [3] PID 2676  C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  |  "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\cmggunkwvkfbclwoagg.exe*."
        - Executes dropped EXE
[1] PID 2044  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c cmggunkwvkfbclwoagg.exe
  [2] PID 4640  C:\Windows\cmggunkwvkfbclwoagg.exe  |  cmggunkwvkfbclwoagg.exe
      - Executes dropped EXE

[1] PID 2924  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe .
  [2] PID 64  C:\Windows\ratsfxtecqkffnxoze.exe  |  ratsfxtecqkffnxoze.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
    [3] PID 468  C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  |  "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ratsfxtecqkffnxoze.exe*."
        - Executes dropped EXE

[1] PID 3028  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c iqigsjeolyrlkraqa.exe .
  [2] PID 5976  C:\Windows\iqigsjeolyrlkraqa.exe  |  iqigsjeolyrlkraqa.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
    [3] PID 3116  C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  |  "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iqigsjeolyrlkraqa.exe*."
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Disables RegEdit via registry modification
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification

[1] PID 5948  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe
  [2] PID 5780  C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe  |  C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe
      - Executes dropped EXE

[1] PID 4904  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c iqigsjeolyrlkraqa.exe
  [2] PID 4104  C:\Windows\iqigsjeolyrlkraqa.exe  |  iqigsjeolyrlkraqa.exe
      - Executes dropped EXE

[1] PID 1832  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c iqigsjeolyrlkraqa.exe
  [2] PID 1564  C:\Windows\iqigsjeolyrlkraqa.exe  |  iqigsjeolyrlkraqa.exe

[1] PID 5144  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe .
  [2] PID 984  C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe  |  C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe .
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] PID 2376  C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  |  "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ratsfxtecqkffnxoze.exe*."

[1] PID 4716  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c eqmoezymnebzcnauiqsea.exe .
  [2] PID 1428  C:\Windows\eqmoezymnebzcnauiqsea.exe  |  eqmoezymnebzcnauiqsea.exe .
      - Checks computer location settings
    [3] PID 2664  C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  |  "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\eqmoezymnebzcnauiqsea.exe*."
[1] PID 540  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c cmggunkwvkfbclwoagg.exe .
  [2] PID 2716  C:\Windows\cmggunkwvkfbclwoagg.exe  |  cmggunkwvkfbclwoagg.exe .
      - Checks computer location settings
    [3] PID 4680  C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  |  "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\cmggunkwvkfbclwoagg.exe*."

[1] PID 4248  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe
  [2] PID 5004  C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe  |  C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

[1] PID 3612  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe
  [2] PID 4376  C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe  |  C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe

[1] PID 4040  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe .
  [2] PID 5772  C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe  |  C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe .
      - Checks computer location settings
    [3] PID 3108  C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  |  "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ratsfxtecqkffnxoze.exe*."

[1] PID 5320  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe .
  [2] PID 5720  C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe  |  C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe .
      - Checks computer location settings
    [3] PID 1688  C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  |  "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ratsfxtecqkffnxoze.exe*."

[1] PID 3800  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe
  [2] PID 1820  C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe  |  C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe

[1] PID 5984  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe .
  [2] PID 4780  C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe  |  C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe .
      - Checks computer location settings
    [3] PID 1124  C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  |  "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\pavwlfdqqgczblxqdklw.exe*."

[1] PID 396  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe
  [2] PID 3352  C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe  |  C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe

[1] PID 3288  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe
  [2] PID 3672  C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe  |  C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

[1] PID 2636  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe .
  [2] PID 5232  C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe  |  C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe .
    [3] PID 2268  C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  |  "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\pavwlfdqqgczblxqdklw.exe*."

[1] PID 3088  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .
  [2] PID 5300  C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe  |  C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .
      - Checks computer location settings
    [3] PID 5364  C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  |  "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\bizwhxrawiatrxfu.exe*."

[1] PID 6104  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe
  [2] PID 5668  C:\Windows\ratsfxtecqkffnxoze.exe  |  ratsfxtecqkffnxoze.exe

[1] PID 2244  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c pavwlfdqqgczblxqdklw.exe .
  [2] PID 2648  C:\Windows\pavwlfdqqgczblxqdklw.exe  |  pavwlfdqqgczblxqdklw.exe .
      - System Location Discovery: System Language Discovery
    [3] PID 4456  C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  |  "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\pavwlfdqqgczblxqdklw.exe*."
[1] PID 1524  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c iqigsjeolyrlkraqa.exe
  [2] PID 4476  C:\Windows\iqigsjeolyrlkraqa.exe  |  iqigsjeolyrlkraqa.exe

[1] PID 1736  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe .
  [2] PID 3300  C:\Windows\ratsfxtecqkffnxoze.exe  |  ratsfxtecqkffnxoze.exe .
      - Checks computer location settings
    [3] PID 4884  C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  |  "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ratsfxtecqkffnxoze.exe*."

[1] PID 4212  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe
  [2] PID 60  C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe  |  C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

[1] PID 3812  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe .
  [2] PID 3836  C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe  |  C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe .
      - Checks computer location settings
    [3] PID 3080  C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  |  "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\pavwlfdqqgczblxqdklw.exe*."

[1] PID 4244  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe
  [2] PID 4988  C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe  |  C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

[1] PID 5916  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .
  [2] PID 4600  C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe  |  C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .
      - Checks computer location settings
    [3] PID 2372  C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  |  "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\bizwhxrawiatrxfu.exe*."
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Disables RegEdit via registry modification
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification

[1] PID 1240  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe
  [2] PID 4776  C:\Windows\ratsfxtecqkffnxoze.exe  |  ratsfxtecqkffnxoze.exe

[1] PID 4236  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c pavwlfdqqgczblxqdklw.exe .
  [2] PID 4092  C:\Windows\pavwlfdqqgczblxqdklw.exe  |  pavwlfdqqgczblxqdklw.exe .
      - System Location Discovery: System Language Discovery
    [3] PID 876  C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  |  "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\pavwlfdqqgczblxqdklw.exe*."

[1] PID 408  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe
  [2] PID 1684  C:\Windows\ratsfxtecqkffnxoze.exe  |  ratsfxtecqkffnxoze.exe

[1] PID 4556  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c eqmoezymnebzcnauiqsea.exe .
  [2] PID 4248  C:\Windows\eqmoezymnebzcnauiqsea.exe  |  eqmoezymnebzcnauiqsea.exe .
      - System Location Discovery: System Language Discovery
    [3] PID 3352  C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  |  "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\eqmoezymnebzcnauiqsea.exe*."

[1] PID 1448  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe
  [2] PID 4148  C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe  |  C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

[1] PID 5764  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe .
  [2] PID 4896  C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe  |  C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe .
      - System Location Discovery: System Language Discovery
    [3] PID 4652  C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  |  "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\cmggunkwvkfbclwoagg.exe*."

[1] PID 3964  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe
  [2] PID 1540  C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe  |  C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe
[1] PID 5464  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe .
  [2] PID 5980  C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe  |  C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe .
      - System Location Discovery: System Language Discovery
    [3] PID 3108  C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  |  "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\pavwlfdqqgczblxqdklw.exe*."
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Disables RegEdit via registry modification
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification

[1] PID 2672  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe
  [2] PID 5016  C:\Windows\ratsfxtecqkffnxoze.exe  |  ratsfxtecqkffnxoze.exe

[1] PID 3688  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c iqigsjeolyrlkraqa.exe .
  [2] PID 4304  C:\Windows\iqigsjeolyrlkraqa.exe  |  iqigsjeolyrlkraqa.exe .
      - Checks computer location settings
    [3] PID 6024  C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  |  "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iqigsjeolyrlkraqa.exe*."

[1] PID 1692  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe
  [2] PID 656  C:\Windows\ratsfxtecqkffnxoze.exe  |  ratsfxtecqkffnxoze.exe

[1] PID 3624  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c cmggunkwvkfbclwoagg.exe .
  [2] PID 3568  C:\Windows\cmggunkwvkfbclwoagg.exe  |  cmggunkwvkfbclwoagg.exe .
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] PID 4768  C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  |  "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\cmggunkwvkfbclwoagg.exe*."

[1] PID 5260  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe
  [2] PID 5300  C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe  |  C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe

[1] PID 5988  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe .
  [2] PID 5364  C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] PID 2736  C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe  |  C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe .
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] PID 3088  C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  |  "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ratsfxtecqkffnxoze.exe*."

[1] PID 2944  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe
  [2] PID 4376  C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] PID 2300  C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe  |  C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

[1] PID 1252  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe .
  [2] PID 2840  C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe  |  C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe .
    [3] PID 2876  C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  |  "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\eqmoezymnebzcnauiqsea.exe*."
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Disables RegEdit via registry modification
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification
[1] PID 2868  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe
  [2] PID 60  C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] PID 2296  C:\Windows\ratsfxtecqkffnxoze.exe  |  ratsfxtecqkffnxoze.exe

[1] PID 5316  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c iqigsjeolyrlkraqa.exe .
  [2] PID 4504  C:\Windows\iqigsjeolyrlkraqa.exe  |  iqigsjeolyrlkraqa.exe .
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] PID 3312  C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  |  "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iqigsjeolyrlkraqa.exe*."

[1] PID 228  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c cmggunkwvkfbclwoagg.exe
  [2] PID 4444  C:\Windows\cmggunkwvkfbclwoagg.exe  |  cmggunkwvkfbclwoagg.exe

[1] PID 2988  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c eqmoezymnebzcnauiqsea.exe .
  [2] PID 4588  C:\Windows\eqmoezymnebzcnauiqsea.exe  |  eqmoezymnebzcnauiqsea.exe .
    [3] PID 2476  C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  |  "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\eqmoezymnebzcnauiqsea.exe*."

[1] PID 4648  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe
  [2] PID 2880  C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe  |  C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

[1] PID 2872  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe .
  [2] PID 2120  C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe  |  C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe .
      - Checks computer location settings
    [3] PID 4708  C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  |  "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ratsfxtecqkffnxoze.exe*."

[1] PID 956  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe
  [2] PID 2056  C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe  |  C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe

[1] PID 4004  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe .
  [2] PID 4340  C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe  |  C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe .
      - System Location Discovery: System Language Discovery
    [3] PID 1756  C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  |  "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\eqmoezymnebzcnauiqsea.exe*."
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Disables RegEdit via registry modification
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification

[1] PID 4048  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe
  [2] PID 4656  C:\Windows\ratsfxtecqkffnxoze.exe  |  ratsfxtecqkffnxoze.exe

[1] PID 3988  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c iqigsjeolyrlkraqa.exe .
  [2] PID 32  C:\Windows\iqigsjeolyrlkraqa.exe  |  iqigsjeolyrlkraqa.exe .
    [3] PID 3776  C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  |  "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iqigsjeolyrlkraqa.exe*."

[1] PID 5636  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c cmggunkwvkfbclwoagg.exe
  [2] PID 4956  C:\Windows\cmggunkwvkfbclwoagg.exe  |  cmggunkwvkfbclwoagg.exe

[1] PID 5968  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c eqmoezymnebzcnauiqsea.exe .
  [2] PID 2304  C:\Windows\eqmoezymnebzcnauiqsea.exe  |  eqmoezymnebzcnauiqsea.exe .
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] PID 1672  C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  |  "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\eqmoezymnebzcnauiqsea.exe*."

[1] PID 5388  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe
  [2] PID 5772  C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe  |  C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe
[1] PID 1316  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe .
  [2] PID 3644  C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe  |  C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe .
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] PID 5696  C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  |  "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\eqmoezymnebzcnauiqsea.exe*."

[1] PID 2188  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe
  [2] PID 4940  C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe  |  C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

[1] PID 1656  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .
  [2] PID 3064  C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe  |  C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .
      - Checks computer location settings
    [3] PID 6116  C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  |  "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\bizwhxrawiatrxfu.exe*."
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Disables RegEdit via registry modification
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification

[1] PID 1004  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c eqmoezymnebzcnauiqsea.exe
  [2] PID 3528  C:\Windows\eqmoezymnebzcnauiqsea.exe  |  eqmoezymnebzcnauiqsea.exe

[1] PID 1668  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe .
  [2] PID 2124  C:\Windows\ratsfxtecqkffnxoze.exe  |  ratsfxtecqkffnxoze.exe .
      - System Location Discovery: System Language Discovery
    [3] PID 6104  C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  |  "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ratsfxtecqkffnxoze.exe*."

[1] PID 3668  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c eqmoezymnebzcnauiqsea.exe
  [2] PID 2268  C:\Windows\eqmoezymnebzcnauiqsea.exe  |  eqmoezymnebzcnauiqsea.exe

[1] PID 784  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c iqigsjeolyrlkraqa.exe .
  [2] PID 2816  C:\Windows\iqigsjeolyrlkraqa.exe  |  iqigsjeolyrlkraqa.exe .
      - Checks computer location settings
    [3] PID 3108  C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  |  "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iqigsjeolyrlkraqa.exe*."

[1] PID 2636  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe
  [2] PID 1816  C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe  |  C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

[1] PID 2112  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe .
  [2] PID 5832  C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe  |  C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe .
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] PID 3692  C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  |  "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iqigsjeolyrlkraqa.exe*."

[1] PID 5496  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe
  [2] PID 2712  C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe  |  C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

[1] PID 1524  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe .
  [2] PID 4212  C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe  |  C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe .
      - Checks computer location settings
    [3] PID 5540  C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  |  "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\cmggunkwvkfbclwoagg.exe*."
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Disables RegEdit via registry modification
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification
[1] PID 6008  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe
  [2] PID 4444  C:\Windows\ratsfxtecqkffnxoze.exe  |  ratsfxtecqkffnxoze.exe

[1] PID 1444  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c eqmoezymnebzcnauiqsea.exe
  [2] PID 3328  C:\Windows\eqmoezymnebzcnauiqsea.exe  |  eqmoezymnebzcnauiqsea.exe

[1] PID 3024  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe .
  [2] PID 4064  C:\Windows\ratsfxtecqkffnxoze.exe  |  ratsfxtecqkffnxoze.exe .
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] PID 5312  C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  |  "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ratsfxtecqkffnxoze.exe*."

[1] PID 1304  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c eqmoezymnebzcnauiqsea.exe .
  [2] PID 4588  C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] PID 3104  C:\Windows\eqmoezymnebzcnauiqsea.exe  |  eqmoezymnebzcnauiqsea.exe .
    [3] PID 4004  C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  |  "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\eqmoezymnebzcnauiqsea.exe*."

[1] PID 5748  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c bizwhxrawiatrxfu.exe
  [2] PID 4416  C:\Windows\bizwhxrawiatrxfu.exe  |  bizwhxrawiatrxfu.exe

[1] PID 312  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c pavwlfdqqgczblxqdklw.exe
  [2] PID 1120  C:\Windows\pavwlfdqqgczblxqdklw.exe  |  pavwlfdqqgczblxqdklw.exe

[1] PID 3188  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c eqmoezymnebzcnauiqsea.exe .
  [2] PID 4748  C:\Windows\eqmoezymnebzcnauiqsea.exe  |  eqmoezymnebzcnauiqsea.exe .
    [3] PID 5256  C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  |  "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\eqmoezymnebzcnauiqsea.exe*."

[1] PID 5380  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe
  [2] PID 5388  C:\Windows\ratsfxtecqkffnxoze.exe  |  ratsfxtecqkffnxoze.exe

[1] PID 1240  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c pavwlfdqqgczblxqdklw.exe .
  [2] PID 4092  C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] PID 2372  C:\Windows\pavwlfdqqgczblxqdklw.exe  |  pavwlfdqqgczblxqdklw.exe .
      - Checks computer location settings
    [3] PID 4812  C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  |  "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\pavwlfdqqgczblxqdklw.exe*."

[1] PID 5644  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe
  [2] PID 2080  C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe  |  C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe

[1] PID 4660  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe
  [2] PID 1540  C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe  |  C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

[1] PID 5172  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c pavwlfdqqgczblxqdklw.exe .
  [2] PID 1316  C:\Windows\pavwlfdqqgczblxqdklw.exe  |  pavwlfdqqgczblxqdklw.exe .
    [3] PID 748  C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  |  "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\pavwlfdqqgczblxqdklw.exe*."
[1] PID 984  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe .
  [2] PID 32  C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] PID 1984  C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe  |  C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe .
    [3] PID 3160  C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  |  "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\eqmoezymnebzcnauiqsea.exe*."

[1] PID 4680  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe .
  [2] PID 3052  C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe  |  C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe .
    [3] PID 5496  C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  |  "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iqigsjeolyrlkraqa.exe*."

[1] PID 1864  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c iqigsjeolyrlkraqa.exe
  [2] PID 4652  C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] PID 656  C:\Windows\iqigsjeolyrlkraqa.exe  |  iqigsjeolyrlkraqa.exe

[1] PID 2368  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe .
  [2] PID 1820  C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] PID 1668  C:\Windows\ratsfxtecqkffnxoze.exe  |  ratsfxtecqkffnxoze.exe .
      - System Location Discovery: System Language Discovery
    [3] PID 2300  C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  |  "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ratsfxtecqkffnxoze.exe*."

[1] PID 2200  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe
  [2] PID 4780  C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] PID 372  C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe  |  C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe

[1] PID 2740  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe
  [2] PID 2036  C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe  |  C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe

[1] PID 3800  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe
  [2] PID 3184  C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe  |  C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

[1] PID 4516  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe .
-
C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exeC:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe .2⤵
- Checks computer location settings
PID:3108 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\pavwlfdqqgczblxqdklw.exe*."3⤵PID:2364
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .1⤵PID:1860
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1756
-
-
C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exeC:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1580 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\bizwhxrawiatrxfu.exe*."3⤵PID:5964
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe .1⤵PID:396
-
C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exeC:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3332 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iqigsjeolyrlkraqa.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:460
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe1⤵PID:3252
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:6104
-
-
C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exeC:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe2⤵PID:5864
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe .1⤵PID:5956
-
C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exeC:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5784 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\pavwlfdqqgczblxqdklw.exe*."3⤵PID:2676
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pavwlfdqqgczblxqdklw.exe1⤵PID:5560
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5940
-
-
C:\Windows\pavwlfdqqgczblxqdklw.exepavwlfdqqgczblxqdklw.exe2⤵PID:2868
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cmggunkwvkfbclwoagg.exe .1⤵PID:4700
-
C:\Windows\cmggunkwvkfbclwoagg.execmggunkwvkfbclwoagg.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4436 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\cmggunkwvkfbclwoagg.exe*."3⤵PID:3000
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cmggunkwvkfbclwoagg.exe1⤵PID:5580
-
C:\Windows\cmggunkwvkfbclwoagg.execmggunkwvkfbclwoagg.exe2⤵PID:5916
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iqigsjeolyrlkraqa.exe .1⤵PID:1112
-
C:\Windows\iqigsjeolyrlkraqa.exeiqigsjeolyrlkraqa.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4604 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iqigsjeolyrlkraqa.exe*."3⤵PID:116
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe1⤵PID:3104
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5312
-
-
C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exeC:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe2⤵PID:1520
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe .1⤵PID:228
-
C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exeC:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe .2⤵PID:4612
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\cmggunkwvkfbclwoagg.exe*."3⤵PID:5636
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe1⤵PID:3324
-
C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exeC:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe2⤵PID:5432
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .1⤵PID:5068
-
C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exeC:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .2⤵PID:1124
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\bizwhxrawiatrxfu.exe*."3⤵PID:4164
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c eqmoezymnebzcnauiqsea.exe1⤵PID:4828
-
C:\Windows\eqmoezymnebzcnauiqsea.exeeqmoezymnebzcnauiqsea.exe2⤵PID:4736
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pavwlfdqqgczblxqdklw.exe1⤵PID:4332
-
C:\Windows\pavwlfdqqgczblxqdklw.exepavwlfdqqgczblxqdklw.exe2⤵PID:2000
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iqigsjeolyrlkraqa.exe .1⤵PID:3776
-
C:\Windows\iqigsjeolyrlkraqa.exeiqigsjeolyrlkraqa.exe .2⤵PID:4768
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iqigsjeolyrlkraqa.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2364
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe .1⤵PID:5364
-
C:\Windows\ratsfxtecqkffnxoze.exeratsfxtecqkffnxoze.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4484 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ratsfxtecqkffnxoze.exe*."3⤵PID:4240
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iqigsjeolyrlkraqa.exe1⤵PID:3656
-
C:\Windows\iqigsjeolyrlkraqa.exeiqigsjeolyrlkraqa.exe2⤵PID:6040
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c eqmoezymnebzcnauiqsea.exe1⤵PID:2944
-
C:\Windows\eqmoezymnebzcnauiqsea.exeeqmoezymnebzcnauiqsea.exe2⤵PID:5016
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pavwlfdqqgczblxqdklw.exe .1⤵PID:5964
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5496
-
-
C:\Windows\pavwlfdqqgczblxqdklw.exepavwlfdqqgczblxqdklw.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:468 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\pavwlfdqqgczblxqdklw.exe*."3⤵PID:2248
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c eqmoezymnebzcnauiqsea.exe .1⤵PID:1260
-
C:\Windows\eqmoezymnebzcnauiqsea.exeeqmoezymnebzcnauiqsea.exe .2⤵
- Checks computer location settings
PID:2940 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\eqmoezymnebzcnauiqsea.exe*."3⤵PID:4232
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe1⤵PID:5556
-
C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exeC:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe2⤵PID:5616
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe1⤵PID:5424
-
C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exeC:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe2⤵PID:1448
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe .1⤵PID:4564
-
C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exeC:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe .2⤵PID:4344
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\cmggunkwvkfbclwoagg.exe*."3⤵PID:2872
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe .1⤵PID:1688
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5832
-
-
C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exeC:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4668 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\pavwlfdqqgczblxqdklw.exe*."3⤵PID:4608
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe1⤵PID:4228
-
C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exeC:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe2⤵PID:4884
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pavwlfdqqgczblxqdklw.exe1⤵PID:560
-
C:\Windows\pavwlfdqqgczblxqdklw.exepavwlfdqqgczblxqdklw.exe2⤵PID:3296
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe1⤵PID:5876
-
C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exeC:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe2⤵PID:5208
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .1⤵PID:64
-
C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exeC:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1008 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\bizwhxrawiatrxfu.exe*."3⤵PID:5388
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe .1⤵PID:5956
-
C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exeC:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe .2⤵PID:3520
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ratsfxtecqkffnxoze.exe*."3⤵PID:1120
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bizwhxrawiatrxfu.exe .1⤵PID:5128
-
C:\Windows\bizwhxrawiatrxfu.exebizwhxrawiatrxfu.exe .2⤵
- Checks computer location settings
PID:3028 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\bizwhxrawiatrxfu.exe*."3⤵PID:5032
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iqigsjeolyrlkraqa.exe1⤵PID:1444
-
C:\Windows\iqigsjeolyrlkraqa.exeiqigsjeolyrlkraqa.exe2⤵PID:4012
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe .1⤵PID:1548
-
C:\Windows\ratsfxtecqkffnxoze.exeratsfxtecqkffnxoze.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2672 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ratsfxtecqkffnxoze.exe*."3⤵PID:5180
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe1⤵PID:4988
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2880
-
-
C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exeC:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe2⤵PID:4628
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe .1⤵PID:6096
-
C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exeC:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe .2⤵PID:4584
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ratsfxtecqkffnxoze.exe*."3⤵PID:3156
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe1⤵PID:5812
-
C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exeC:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe2⤵PID:3304
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe .1⤵PID:4616
-
C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exeC:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe .2⤵PID:1316
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\cmggunkwvkfbclwoagg.exe*."3⤵PID:3188
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c eqmoezymnebzcnauiqsea.exe1⤵PID:3976
-
C:\Windows\eqmoezymnebzcnauiqsea.exeeqmoezymnebzcnauiqsea.exe2⤵PID:4828
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe1⤵PID:4340
-
C:\Windows\ratsfxtecqkffnxoze.exeratsfxtecqkffnxoze.exe2⤵PID:1984
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pavwlfdqqgczblxqdklw.exe .1⤵PID:3772
-
C:\Windows\pavwlfdqqgczblxqdklw.exepavwlfdqqgczblxqdklw.exe .2⤵PID:1792
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\pavwlfdqqgczblxqdklw.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5884
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iqigsjeolyrlkraqa.exe .1⤵PID:4332
-
C:\Windows\iqigsjeolyrlkraqa.exeiqigsjeolyrlkraqa.exe .2⤵PID:2244
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iqigsjeolyrlkraqa.exe*."3⤵PID:5616
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iqigsjeolyrlkraqa.exe1⤵PID:2956
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4768
-
-
C:\Windows\iqigsjeolyrlkraqa.exeiqigsjeolyrlkraqa.exe2⤵PID:2940
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pavwlfdqqgczblxqdklw.exe1⤵PID:3120
-
C:\Windows\pavwlfdqqgczblxqdklw.exepavwlfdqqgczblxqdklw.exe2⤵PID:5784
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe .1⤵PID:1448
-
C:\Windows\ratsfxtecqkffnxoze.exeratsfxtecqkffnxoze.exe .2⤵
- Checks computer location settings
PID:4764 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ratsfxtecqkffnxoze.exe*."3⤵PID:4404
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe .1⤵PID:5668
-
C:\Windows\ratsfxtecqkffnxoze.exeratsfxtecqkffnxoze.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1988 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ratsfxtecqkffnxoze.exe*."3⤵PID:2072
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe1⤵PID:2128
-
C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exeC:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe2⤵PID:4884
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe1⤵PID:4232
-
C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exeC:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe2⤵PID:972
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .1⤵PID:4680
-
C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exeC:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .2⤵
- Checks computer location settings
PID:1516 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\bizwhxrawiatrxfu.exe*."3⤵PID:1520
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .1⤵PID:2724
-
C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exeC:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4888 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\bizwhxrawiatrxfu.exe*."3⤵PID:4200
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe1⤵PID:372
-
C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exeC:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe2⤵PID:2868
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe1⤵PID:4212
-
C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exeC:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe2⤵PID:3424
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pavwlfdqqgczblxqdklw.exe1⤵PID:4516
-
C:\Windows\pavwlfdqqgczblxqdklw.exepavwlfdqqgczblxqdklw.exe2⤵PID:4876
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe .1⤵PID:6024
-
C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exeC:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:64 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iqigsjeolyrlkraqa.exe*."3⤵PID:5068
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe .1⤵PID:4620
-
C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exeC:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe .2⤵PID:5956
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\eqmoezymnebzcnauiqsea.exe*."3⤵PID:1816
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c eqmoezymnebzcnauiqsea.exe .1⤵PID:3028
-
C:\Windows\eqmoezymnebzcnauiqsea.exeeqmoezymnebzcnauiqsea.exe .2⤵
- Checks computer location settings
PID:5908 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\eqmoezymnebzcnauiqsea.exe*."3⤵PID:2840
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe1⤵PID:388
-
C:\Windows\ratsfxtecqkffnxoze.exeratsfxtecqkffnxoze.exe2⤵PID:5584
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bizwhxrawiatrxfu.exe .1⤵PID:3672
-
C:\Windows\bizwhxrawiatrxfu.exebizwhxrawiatrxfu.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1100 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\bizwhxrawiatrxfu.exe*."3⤵PID:3020
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe1⤵PID:1964
-
C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exeC:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe2⤵PID:5024
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .1⤵PID:3168
-
C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exeC:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .2⤵PID:4012
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\bizwhxrawiatrxfu.exe*."3⤵PID:6004
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe1⤵PID:5808
-
C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exeC:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe2⤵PID:2156
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe .1⤵PID:2380
-
C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exeC:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe .2⤵PID:1316
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iqigsjeolyrlkraqa.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3188
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bizwhxrawiatrxfu.exe1⤵PID:2356
-
C:\Windows\bizwhxrawiatrxfu.exebizwhxrawiatrxfu.exe2⤵PID:5800
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c eqmoezymnebzcnauiqsea.exe .1⤵PID:5368
-
C:\Windows\eqmoezymnebzcnauiqsea.exeeqmoezymnebzcnauiqsea.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5772 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\eqmoezymnebzcnauiqsea.exe*."3⤵PID:4736
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cmggunkwvkfbclwoagg.exe1⤵PID:3976
-
C:\Windows\cmggunkwvkfbclwoagg.execmggunkwvkfbclwoagg.exe2⤵PID:5236
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bizwhxrawiatrxfu.exe .1⤵PID:4792
-
C:\Windows\bizwhxrawiatrxfu.exebizwhxrawiatrxfu.exe .2⤵
- Checks computer location settings
PID:1792 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\bizwhxrawiatrxfu.exe*."3⤵PID:5784
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe1⤵PID:752
-
C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exeC:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe2⤵PID:5660
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .1⤵PID:2940
-
C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exeC:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .2⤵PID:816
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\bizwhxrawiatrxfu.exe*."3⤵PID:5144
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe1⤵PID:3776
-
C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exeC:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe2⤵PID:3636
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe .1⤵PID:5228
-
C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exeC:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4208 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iqigsjeolyrlkraqa.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
PID:6116
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cmggunkwvkfbclwoagg.exe1⤵PID:4836
-
C:\Windows\cmggunkwvkfbclwoagg.execmggunkwvkfbclwoagg.exe2⤵PID:3076
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bizwhxrawiatrxfu.exe .1⤵PID:2188
-
C:\Windows\bizwhxrawiatrxfu.exebizwhxrawiatrxfu.exe .2⤵PID:1932
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\bizwhxrawiatrxfu.exe*."3⤵PID:4684
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c eqmoezymnebzcnauiqsea.exe1⤵PID:1516
-
C:\Windows\eqmoezymnebzcnauiqsea.exeeqmoezymnebzcnauiqsea.exe2⤵PID:1996
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cmggunkwvkfbclwoagg.exe .1⤵PID:1520
-
C:\Windows\cmggunkwvkfbclwoagg.execmggunkwvkfbclwoagg.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2080 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\cmggunkwvkfbclwoagg.exe*."3⤵PID:6016
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe1⤵PID:4520
-
C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exeC:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe2⤵PID:3296
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe .1⤵PID:5128
-
C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exeC:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe .2⤵PID:3652
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\eqmoezymnebzcnauiqsea.exe*."3⤵PID:4440
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe1⤵PID:4144
-
C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exeC:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe2⤵PID:4120
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe .1⤵PID:1780
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5956
-
-
C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exeC:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5724 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ratsfxtecqkffnxoze.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4628
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c eqmoezymnebzcnauiqsea.exe1⤵PID:5032
-
C:\Windows\eqmoezymnebzcnauiqsea.exeeqmoezymnebzcnauiqsea.exe2⤵PID:1636
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe .1⤵PID:2924
-
C:\Windows\ratsfxtecqkffnxoze.exeratsfxtecqkffnxoze.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5432 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ratsfxtecqkffnxoze.exe*."3⤵PID:2412
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bizwhxrawiatrxfu.exe1⤵PID:4676
-
  C:\Windows\bizwhxrawiatrxfu.exe | bizwhxrawiatrxfu.exe | PID 1096

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c iqigsjeolyrlkraqa.exe . | PID 3020
  C:\Windows\iqigsjeolyrlkraqa.exe | iqigsjeolyrlkraqa.exe . | PID 1684
    - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iqigsjeolyrlkraqa.exe*." | PID 3280

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe | PID 3672
  C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe | C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe | PID 4716

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe . | PID 6044
  C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe | C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe . | PID 3656
    - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ratsfxtecqkffnxoze.exe*." | PID 4456

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe | PID 1316
  C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe | C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe | PID 3564

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe . | PID 700
  C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe | C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe . | PID 5700
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\pavwlfdqqgczblxqdklw.exe*." | PID 3064

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe | PID 2196
  C:\Windows\ratsfxtecqkffnxoze.exe | ratsfxtecqkffnxoze.exe | PID 412

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c iqigsjeolyrlkraqa.exe | PID 5368
  C:\Windows\iqigsjeolyrlkraqa.exe | iqigsjeolyrlkraqa.exe | PID 3772

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c iqigsjeolyrlkraqa.exe . | PID 2204
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 2244
  C:\Windows\iqigsjeolyrlkraqa.exe | iqigsjeolyrlkraqa.exe . | PID 2384
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iqigsjeolyrlkraqa.exe*." | PID 4048
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c eqmoezymnebzcnauiqsea.exe . | PID 6104
  C:\Windows\eqmoezymnebzcnauiqsea.exe | eqmoezymnebzcnauiqsea.exe . | PID 5892
    - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\eqmoezymnebzcnauiqsea.exe*." | PID 4772

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c iqigsjeolyrlkraqa.exe | PID 1528
  C:\Windows\iqigsjeolyrlkraqa.exe | iqigsjeolyrlkraqa.exe | PID 5836

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bizwhxrawiatrxfu.exe | PID 5008
  C:\Windows\bizwhxrawiatrxfu.exe | bizwhxrawiatrxfu.exe | PID 784

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c eqmoezymnebzcnauiqsea.exe . | PID 1692
  C:\Windows\eqmoezymnebzcnauiqsea.exe | eqmoezymnebzcnauiqsea.exe . | PID 1096
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\eqmoezymnebzcnauiqsea.exe*." | PID 5104

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bizwhxrawiatrxfu.exe . | PID 5144
  C:\Windows\bizwhxrawiatrxfu.exe | bizwhxrawiatrxfu.exe . | PID 5252
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\bizwhxrawiatrxfu.exe*." | PID 2188

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe | PID 1192
  C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe | C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe | PID 3276

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe | PID 3188
  C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe | C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe | PID 5164

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe . | PID 5876
  C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe | C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe . | PID 1660
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ratsfxtecqkffnxoze.exe*." | PID 1832

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe . | PID 1536
  C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe | C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe . | PID 6056
    - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\bizwhxrawiatrxfu.exe*." | PID 5704

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe | PID 5176
  C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe | C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe | PID 2304

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe | PID 404
  C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe | C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe | PID 5012

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c iqigsjeolyrlkraqa.exe | PID 5960
  C:\Windows\iqigsjeolyrlkraqa.exe | iqigsjeolyrlkraqa.exe | PID 4552

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe . | PID 4680
  C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe | C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe . | PID 5284
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\cmggunkwvkfbclwoagg.exe*." | PID 4600

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe . | PID 4520
  C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe | C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe . | PID 64
    - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\eqmoezymnebzcnauiqsea.exe*." | PID 3344

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c pavwlfdqqgczblxqdklw.exe . | PID 4212
  C:\Windows\pavwlfdqqgczblxqdklw.exe | pavwlfdqqgczblxqdklw.exe . | PID 2988
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\pavwlfdqqgczblxqdklw.exe*." | PID 2584

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c iqigsjeolyrlkraqa.exe | PID 2840
  C:\Windows\iqigsjeolyrlkraqa.exe | iqigsjeolyrlkraqa.exe | PID 5232

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe . | PID 1500
  C:\Windows\ratsfxtecqkffnxoze.exe | ratsfxtecqkffnxoze.exe . | PID 5432
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ratsfxtecqkffnxoze.exe*." | PID 5180

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe | PID 4980
  C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe | C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe | PID 6132

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe . | PID 4676
  C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe | C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe . | PID 3612
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ratsfxtecqkffnxoze.exe*." | PID 5884

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe | PID 3560
  C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe | C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe | PID 5004

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe . | PID 6004
  C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe | C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe . | PID 1140
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\cmggunkwvkfbclwoagg.exe*." | PID 5868
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c iqigsjeolyrlkraqa.exe | PID 5740
  C:\Windows\iqigsjeolyrlkraqa.exe | iqigsjeolyrlkraqa.exe | PID 5400

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c pavwlfdqqgczblxqdklw.exe . | PID 1240
  C:\Windows\pavwlfdqqgczblxqdklw.exe | pavwlfdqqgczblxqdklw.exe . | PID 5048
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\pavwlfdqqgczblxqdklw.exe*." | PID 5628

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe | PID 4828
  C:\Windows\ratsfxtecqkffnxoze.exe | ratsfxtecqkffnxoze.exe | PID 6068

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c eqmoezymnebzcnauiqsea.exe . | PID 904
  C:\Windows\eqmoezymnebzcnauiqsea.exe | eqmoezymnebzcnauiqsea.exe . | PID 1792
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\eqmoezymnebzcnauiqsea.exe*." | PID 5208

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe | PID 3836
  C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe | C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe | PID 3708

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe . | PID 4956
  C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe | C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe . | PID 3084
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\pavwlfdqqgczblxqdklw.exe*." | PID 3148

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe | PID 4836
  C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe | C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe | PID 5124

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe . | PID 1180
  C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe | C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe . | PID 4388
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\eqmoezymnebzcnauiqsea.exe*." | PID 3424
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c eqmoezymnebzcnauiqsea.exe | PID 1988
  C:\Windows\eqmoezymnebzcnauiqsea.exe | eqmoezymnebzcnauiqsea.exe | PID 3300

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bizwhxrawiatrxfu.exe . | PID 3728
  C:\Windows\bizwhxrawiatrxfu.exe | bizwhxrawiatrxfu.exe . | PID 5644
    - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\bizwhxrawiatrxfu.exe*." | PID 2304

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe | PID 4912
  C:\Windows\ratsfxtecqkffnxoze.exe | ratsfxtecqkffnxoze.exe | PID 3812

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c iqigsjeolyrlkraqa.exe . | PID 3108
  C:\Windows\iqigsjeolyrlkraqa.exe | iqigsjeolyrlkraqa.exe . | PID 3088
    - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iqigsjeolyrlkraqa.exe*." | PID 3328

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe | PID 2128
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 1516
  C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe | C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe | PID 4504

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe . | PID 5580
  C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe | C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe . | PID 3248
    - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ratsfxtecqkffnxoze.exe*." | PID 1124

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe | PID 2080
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 3296
  C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe | C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe | PID 3344

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe . | PID 2880
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 5032
  C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe | C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe . | PID 4444
    - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iqigsjeolyrlkraqa.exe*." | PID 4200
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bizwhxrawiatrxfu.exe | PID 4120
  C:\Windows\bizwhxrawiatrxfu.exe | bizwhxrawiatrxfu.exe | PID 2456

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe . | PID 2476
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 5180
  C:\Windows\ratsfxtecqkffnxoze.exe | ratsfxtecqkffnxoze.exe . | PID 1100
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ratsfxtecqkffnxoze.exe*." | PID 4016

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bizwhxrawiatrxfu.exe | PID 4248
  C:\Windows\bizwhxrawiatrxfu.exe | bizwhxrawiatrxfu.exe | PID 4148

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cmggunkwvkfbclwoagg.exe . | PID 1784
  C:\Windows\cmggunkwvkfbclwoagg.exe | cmggunkwvkfbclwoagg.exe . | PID 468
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\cmggunkwvkfbclwoagg.exe*." | PID 220

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe | PID 5892
  C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe | C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe | PID 5232

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe . | PID 1736
  C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe | C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe . | PID 5884
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ratsfxtecqkffnxoze.exe*." | PID 4604

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe | PID 2712
  C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe | C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe | PID 5636

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe . | PID 4500
  C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe | C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe . | PID 5004
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ratsfxtecqkffnxoze.exe*." | PID 2672

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c iqigsjeolyrlkraqa.exe | PID 4784
  C:\Windows\iqigsjeolyrlkraqa.exe | iqigsjeolyrlkraqa.exe | PID 5700

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bizwhxrawiatrxfu.exe . | PID 2356
  C:\Windows\bizwhxrawiatrxfu.exe | bizwhxrawiatrxfu.exe . | PID 4112
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\bizwhxrawiatrxfu.exe*." | PID 412

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c pavwlfdqqgczblxqdklw.exe | PID 1880
  C:\Windows\pavwlfdqqgczblxqdklw.exe | pavwlfdqqgczblxqdklw.exe | PID 2368

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe . | PID 4868
  C:\Windows\ratsfxtecqkffnxoze.exe | ratsfxtecqkffnxoze.exe . | PID 4844
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ratsfxtecqkffnxoze.exe*." | PID 2072

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe | PID 5500
  C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe | C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe | PID 752

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe . | PID 5784
  C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe | C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe . | PID 5016
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\cmggunkwvkfbclwoagg.exe*." | PID 3084

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe | PID 5732
  C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe | C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe | PID 2384

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe . | PID 3332
  C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe | C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe . | PID 2636
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ratsfxtecqkffnxoze.exe*." | PID 4228

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c iqigsjeolyrlkraqa.exe | PID 5864
  C:\Windows\iqigsjeolyrlkraqa.exe | iqigsjeolyrlkraqa.exe | PID 2816

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe . | PID 5888
  C:\Windows\ratsfxtecqkffnxoze.exe | ratsfxtecqkffnxoze.exe . | PID 3300
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ratsfxtecqkffnxoze.exe*." | PID 4932

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c pavwlfdqqgczblxqdklw.exe | PID 5720
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 1988
  C:\Windows\pavwlfdqqgczblxqdklw.exe | pavwlfdqqgczblxqdklw.exe | PID 644

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bizwhxrawiatrxfu.exe . | PID 1832
  C:\Windows\bizwhxrawiatrxfu.exe | bizwhxrawiatrxfu.exe . | PID 4884
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\bizwhxrawiatrxfu.exe*." | PID 516

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe | PID 4232
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 4764
  C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe | C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe | PID 4744

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe . | PID 5584
  C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe | C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe . | PID 3088
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\eqmoezymnebzcnauiqsea.exe*." | PID 4860

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe | PID 3856
  C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe | C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe | PID 5580

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe . | PID 2044
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 6016
  C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe | C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe . | PID 2664
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\eqmoezymnebzcnauiqsea.exe*." | PID 4064

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cmggunkwvkfbclwoagg.exe | PID 64
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 1816
  C:\Windows\cmggunkwvkfbclwoagg.exe | cmggunkwvkfbclwoagg.exe | PID 2676

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cmggunkwvkfbclwoagg.exe | PID 1108
  C:\Windows\cmggunkwvkfbclwoagg.exe | cmggunkwvkfbclwoagg.exe | PID 836

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe | PID 4212
  C:\Windows\ratsfxtecqkffnxoze.exe | ratsfxtecqkffnxoze.exe | PID 4700

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe . | PID 5324
  C:\Windows\ratsfxtecqkffnxoze.exe | ratsfxtecqkffnxoze.exe . | PID 1096
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ratsfxtecqkffnxoze.exe*." | PID 2756

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c eqmoezymnebzcnauiqsea.exe . | PID 5924
  C:\Windows\eqmoezymnebzcnauiqsea.exe | eqmoezymnebzcnauiqsea.exe . | PID 6104
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\eqmoezymnebzcnauiqsea.exe*." | PID 1376

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c pavwlfdqqgczblxqdklw.exe . | PID 4624
  C:\Windows\pavwlfdqqgczblxqdklw.exe | pavwlfdqqgczblxqdklw.exe . | PID 4808
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\pavwlfdqqgczblxqdklw.exe*." | PID 5256

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c iqigsjeolyrlkraqa.exe | PID 5104
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 5024
  C:\Windows\iqigsjeolyrlkraqa.exe | iqigsjeolyrlkraqa.exe | PID 5204

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bizwhxrawiatrxfu.exe . | PID 4580
  C:\Windows\bizwhxrawiatrxfu.exe | bizwhxrawiatrxfu.exe . | PID 3964
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\bizwhxrawiatrxfu.exe*." | PID 3552

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cmggunkwvkfbclwoagg.exe | PID 5328
  C:\Windows\cmggunkwvkfbclwoagg.exe | cmggunkwvkfbclwoagg.exe | PID 4968

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe | PID 5248
  C:\Windows\ratsfxtecqkffnxoze.exe | ratsfxtecqkffnxoze.exe | PID 5620

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe | PID 5320
  C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe | C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe | PID 5184

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cmggunkwvkfbclwoagg.exe . | PID 5944
  C:\Windows\cmggunkwvkfbclwoagg.exe | cmggunkwvkfbclwoagg.exe . | PID 228
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\cmggunkwvkfbclwoagg.exe*." | PID 60

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cmggunkwvkfbclwoagg.exe . | PID 4536
  C:\Windows\cmggunkwvkfbclwoagg.exe | cmggunkwvkfbclwoagg.exe . | PID 5164
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\cmggunkwvkfbclwoagg.exe*." | PID 768

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe . | PID 3304
  C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe | C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe . | PID 5732
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iqigsjeolyrlkraqa.exe*." | PID 2532

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe | PID 372
  C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe | C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe | PID 4888

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe | PID 2156
  C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe | C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe | PID 4976

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe . | PID 2140
  C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe | C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe . | PID 4548
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iqigsjeolyrlkraqa.exe*." | PID 5052

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe . | PID 3020
  C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe | C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe . | PID 904
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iqigsjeolyrlkraqa.exe*." | PID 1988

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe | PID 4616
  C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe | C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe | PID 6020

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe . | PID 3708
  C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe | C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe . | PID 3824
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\eqmoezymnebzcnauiqsea.exe*." | PID 4776

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe | PID 8
  C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe | C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe | PID 3688

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe | PID 1860
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 5236
  C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe | C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe | PID 5648

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe . | PID 4340
  C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe | C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe . | PID 1128
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\pavwlfdqqgczblxqdklw.exe*." | PID 4432

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe . | PID 3052
  C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe | C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe . | PID 5864
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\bizwhxrawiatrxfu.exe*." | PID 4764

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c pavwlfdqqgczblxqdklw.exe | PID 1628
  C:\Windows\pavwlfdqqgczblxqdklw.exe | pavwlfdqqgczblxqdklw.exe | PID 4372

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c eqmoezymnebzcnauiqsea.exe . | PID 3088
  C:\Windows\eqmoezymnebzcnauiqsea.exe | eqmoezymnebzcnauiqsea.exe . | PID 3764
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\eqmoezymnebzcnauiqsea.exe*." | PID 5284

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe | PID 1636
  C:\Windows\ratsfxtecqkffnxoze.exe | ratsfxtecqkffnxoze.exe | PID 4040

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c iqigsjeolyrlkraqa.exe . | PID 4876
  C:\Windows\iqigsjeolyrlkraqa.exe | iqigsjeolyrlkraqa.exe . | PID 5404
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iqigsjeolyrlkraqa.exe*." | PID 1332

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe | PID 4572
  C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe | C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe | PID 4560

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe . | PID 4416
  C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe | C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe . | PID 836
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\eqmoezymnebzcnauiqsea.exe*." | PID 5916

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe | PID 4412
  C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe | C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe | PID 5764

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe . | PID 876
  C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe | C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe . | PID 5680
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ratsfxtecqkffnxoze.exe*." | PID 2712

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bizwhxrawiatrxfu.exe | PID 4048
  C:\Windows\bizwhxrawiatrxfu.exe | bizwhxrawiatrxfu.exe | PID 5524

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cmggunkwvkfbclwoagg.exe . | PID 5800
  C:\Windows\cmggunkwvkfbclwoagg.exe | cmggunkwvkfbclwoagg.exe . | PID 4808
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\cmggunkwvkfbclwoagg.exe*." | PID 5808

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cmggunkwvkfbclwoagg.exe | PID 856
  C:\Windows\cmggunkwvkfbclwoagg.exe | cmggunkwvkfbclwoagg.exe | PID 1548

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe . | PID 5984
  C:\Windows\ratsfxtecqkffnxoze.exe | ratsfxtecqkffnxoze.exe . | PID 4652
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ratsfxtecqkffnxoze.exe*." | PID 5240

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe | PID 4624
  C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe | C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe | PID 5512

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe . | PID 3564
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 4736
  C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe | C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe . | PID 5316
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ratsfxtecqkffnxoze.exe*." | PID 3760

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe | PID 5400
  C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe | C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe | PID 4848

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe . | PID 5008
  C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe | C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe . | PID 2588
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\eqmoezymnebzcnauiqsea.exe*." | PID 3284

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cmggunkwvkfbclwoagg.exe | PID 4788
  C:\Windows\cmggunkwvkfbclwoagg.exe | cmggunkwvkfbclwoagg.exe | PID 4548
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pavwlfdqqgczblxqdklw.exe .1⤵PID:4780
-
C:\Windows\pavwlfdqqgczblxqdklw.exepavwlfdqqgczblxqdklw.exe .2⤵PID:3628
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\pavwlfdqqgczblxqdklw.exe*."3⤵PID:2356
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iqigsjeolyrlkraqa.exe1⤵PID:5548
-
C:\Windows\iqigsjeolyrlkraqa.exeiqigsjeolyrlkraqa.exe2⤵PID:5784
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bizwhxrawiatrxfu.exe .1⤵PID:1876
-
C:\Windows\bizwhxrawiatrxfu.exebizwhxrawiatrxfu.exe .2⤵PID:6060
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\bizwhxrawiatrxfu.exe*."3⤵PID:4744
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe1⤵PID:3836
-
C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exeC:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe2⤵PID:716
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe .1⤵PID:2852
-
C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exeC:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe .2⤵PID:5832
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\eqmoezymnebzcnauiqsea.exe*."3⤵PID:2260
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe1⤵PID:1688
-
C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exeC:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe2⤵PID:5272
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .1⤵PID:3188
-
C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exeC:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .2⤵PID:3240
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\bizwhxrawiatrxfu.exe*."3⤵PID:5136
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cmggunkwvkfbclwoagg.exe1⤵PID:3708
-
C:\Windows\cmggunkwvkfbclwoagg.execmggunkwvkfbclwoagg.exe2⤵PID:1484
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iqigsjeolyrlkraqa.exe .1⤵PID:3812
-
C:\Windows\iqigsjeolyrlkraqa.exeiqigsjeolyrlkraqa.exe .2⤵PID:3272
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iqigsjeolyrlkraqa.exe*."3⤵PID:264
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iqigsjeolyrlkraqa.exe1⤵PID:516
-
C:\Windows\iqigsjeolyrlkraqa.exeiqigsjeolyrlkraqa.exe2⤵PID:4860
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bizwhxrawiatrxfu.exe .1⤵PID:5644
-
C:\Windows\bizwhxrawiatrxfu.exebizwhxrawiatrxfu.exe .2⤵PID:3764
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\bizwhxrawiatrxfu.exe*."3⤵PID:456
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe1⤵PID:3856
-
C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exeC:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe2⤵PID:3684
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe .1⤵PID:6116
-
C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exeC:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe .2⤵PID:4444
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\pavwlfdqqgczblxqdklw.exe*."3⤵PID:4520
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe1⤵PID:1616
-
C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exeC:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe2⤵PID:1152
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .1⤵PID:1304
-
C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exeC:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .2⤵PID:3532
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\bizwhxrawiatrxfu.exe*."3⤵PID:4496
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iqigsjeolyrlkraqa.exe1⤵PID:4224
-
C:\Windows\iqigsjeolyrlkraqa.exeiqigsjeolyrlkraqa.exe2⤵PID:1528
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bizwhxrawiatrxfu.exe .1⤵PID:4212
-
C:\Windows\bizwhxrawiatrxfu.exebizwhxrawiatrxfu.exe .2⤵PID:4584
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\bizwhxrawiatrxfu.exe*."3⤵PID:5424
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bizwhxrawiatrxfu.exe1⤵PID:1600
-
C:\Windows\bizwhxrawiatrxfu.exebizwhxrawiatrxfu.exe2⤵PID:4632
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pavwlfdqqgczblxqdklw.exe .1⤵PID:1884
-
C:\Windows\pavwlfdqqgczblxqdklw.exepavwlfdqqgczblxqdklw.exe .2⤵PID:3612
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\pavwlfdqqgczblxqdklw.exe*."3⤵PID:5948
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe1⤵PID:1376
-
C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exeC:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe2⤵PID:4452
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe .1⤵PID:2124
-
C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exeC:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe .2⤵PID:2036
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\eqmoezymnebzcnauiqsea.exe*."3⤵PID:5756
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe1⤵PID:2476
-
C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exeC:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe2⤵PID:3552
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe .1⤵PID:5016
-
C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exeC:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe .2⤵PID:1736
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ratsfxtecqkffnxoze.exe*."3⤵PID:5488
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iqigsjeolyrlkraqa.exe1⤵PID:2648
-
C:\Windows\iqigsjeolyrlkraqa.exeiqigsjeolyrlkraqa.exe2⤵PID:2588
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe .1⤵PID:4420
-
C:\Windows\ratsfxtecqkffnxoze.exeratsfxtecqkffnxoze.exe .2⤵PID:4208
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ratsfxtecqkffnxoze.exe*."3⤵PID:4408
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bizwhxrawiatrxfu.exe1⤵PID:768
-
C:\Windows\bizwhxrawiatrxfu.exebizwhxrawiatrxfu.exe2⤵PID:4092
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pavwlfdqqgczblxqdklw.exe .1⤵PID:4788
-
C:\Windows\pavwlfdqqgczblxqdklw.exepavwlfdqqgczblxqdklw.exe .2⤵PID:2120
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\pavwlfdqqgczblxqdklw.exe*."3⤵PID:4236
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe1⤵PID:5124
-
C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exeC:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe2⤵PID:4616
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe .1⤵PID:4392
-
C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exeC:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe .2⤵PID:5596
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ratsfxtecqkffnxoze.exe*."3⤵PID:5500
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe1⤵PID:2956
-
C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exeC:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe2⤵PID:2852
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c eqmoezymnebzcnauiqsea.exe1⤵PID:656
-
C:\Windows\eqmoezymnebzcnauiqsea.exeeqmoezymnebzcnauiqsea.exe2⤵PID:2140
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c eqmoezymnebzcnauiqsea.exe1⤵PID:4692
-
C:\Windows\eqmoezymnebzcnauiqsea.exeeqmoezymnebzcnauiqsea.exe2⤵PID:3240
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe .1⤵PID:5832
-
C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exeC:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe .2⤵PID:4184
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\eqmoezymnebzcnauiqsea.exe*."3⤵PID:5672
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cmggunkwvkfbclwoagg.exe .1⤵PID:5556
-
C:\Windows\cmggunkwvkfbclwoagg.execmggunkwvkfbclwoagg.exe .2⤵PID:2836
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\cmggunkwvkfbclwoagg.exe*."3⤵PID:2580
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pavwlfdqqgczblxqdklw.exe .1⤵PID:3536
-
C:\Windows\pavwlfdqqgczblxqdklw.exepavwlfdqqgczblxqdklw.exe .2⤵PID:972
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\pavwlfdqqgczblxqdklw.exe*."3⤵PID:640
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pavwlfdqqgczblxqdklw.exe1⤵PID:4840
-
C:\Windows\pavwlfdqqgczblxqdklw.exepavwlfdqqgczblxqdklw.exe2⤵PID:5724
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c eqmoezymnebzcnauiqsea.exe1⤵PID:4568
-
C:\Windows\eqmoezymnebzcnauiqsea.exeeqmoezymnebzcnauiqsea.exe2⤵PID:3800
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pavwlfdqqgczblxqdklw.exe .1⤵PID:4804
-
C:\Windows\pavwlfdqqgczblxqdklw.exepavwlfdqqgczblxqdklw.exe .2⤵PID:4588
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\pavwlfdqqgczblxqdklw.exe*."3⤵PID:4544
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c eqmoezymnebzcnauiqsea.exe .1⤵PID:3084
-
C:\Windows\eqmoezymnebzcnauiqsea.exeeqmoezymnebzcnauiqsea.exe .2⤵PID:5388
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\eqmoezymnebzcnauiqsea.exe*."3⤵PID:5680
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe1⤵PID:3784
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1996
-
-
C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exeC:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe2⤵PID:736
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe1⤵PID:1864
-
C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exeC:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe2⤵PID:4448
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe .1⤵PID:5284
-
C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exeC:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe .2⤵PID:2880
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\eqmoezymnebzcnauiqsea.exe*."3⤵PID:396
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe .1⤵PID:404
-
C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exeC:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe .2⤵PID:1816
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iqigsjeolyrlkraqa.exe*."3⤵PID:6132
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c eqmoezymnebzcnauiqsea.exe1⤵PID:4444
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1636
-
-
C:\Windows\eqmoezymnebzcnauiqsea.exeeqmoezymnebzcnauiqsea.exe2⤵PID:876
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe1⤵PID:5828
-
C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exeC:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe2⤵PID:1600
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe1⤵PID:312
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:64
-
-
C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exeC:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe2⤵PID:1500
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iqigsjeolyrlkraqa.exe .1⤵PID:1760
-
C:\Windows\iqigsjeolyrlkraqa.exeiqigsjeolyrlkraqa.exe .2⤵PID:1756
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iqigsjeolyrlkraqa.exe*."3⤵PID:4772
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe .1⤵PID:2756
-
C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exeC:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe .2⤵PID:4324
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\pavwlfdqqgczblxqdklw.exe*."3⤵PID:4496
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .1⤵PID:5172
-
C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exeC:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .2⤵PID:4288
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\bizwhxrawiatrxfu.exe*."3⤵PID:4800
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe1⤵PID:1856
-
C:\Windows\ratsfxtecqkffnxoze.exeratsfxtecqkffnxoze.exe2⤵PID:3424
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pavwlfdqqgczblxqdklw.exe .1⤵PID:5740
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3612
-
-
C:\Windows\pavwlfdqqgczblxqdklw.exepavwlfdqqgczblxqdklw.exe .2⤵PID:5960
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\pavwlfdqqgczblxqdklw.exe*."3⤵PID:3288
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe1⤵PID:4808
-
C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exeC:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe2⤵PID:4580
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .1⤵PID:1100
-
C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exeC:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .2⤵PID:2588
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\bizwhxrawiatrxfu.exe*."3⤵PID:5164
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe1⤵PID:2636
-
C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exeC:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe2⤵PID:768
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .1⤵PID:5052
-
C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exeC:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .2⤵PID:4616
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\bizwhxrawiatrxfu.exe*."3⤵PID:408
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bizwhxrawiatrxfu.exe1⤵PID:4788
-
C:\Windows\bizwhxrawiatrxfu.exebizwhxrawiatrxfu.exe2⤵PID:4744
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pavwlfdqqgczblxqdklw.exe .1⤵PID:4868
-
C:\Windows\pavwlfdqqgczblxqdklw.exepavwlfdqqgczblxqdklw.exe .2⤵PID:700
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\pavwlfdqqgczblxqdklw.exe*."3⤵PID:1784
-
C:\Users\Admin\AppData\Local\Temp\vbntq.exe"C:\Users\Admin\AppData\Local\Temp\vbntq.exe" "-c:\windows\pavwlfdqqgczblxqdklw.exe"4⤵PID:4064
-
-
C:\Users\Admin\AppData\Local\Temp\vbntq.exe"C:\Users\Admin\AppData\Local\Temp\vbntq.exe" "-c:\windows\pavwlfdqqgczblxqdklw.exe"4⤵PID:5224
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pavwlfdqqgczblxqdklw.exe1⤵PID:6036
-
C:\Windows\pavwlfdqqgczblxqdklw.exepavwlfdqqgczblxqdklw.exe2⤵PID:5488
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pavwlfdqqgczblxqdklw.exe .1⤵PID:5208
-
C:\Windows\pavwlfdqqgczblxqdklw.exepavwlfdqqgczblxqdklw.exe .2⤵PID:4024
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\pavwlfdqqgczblxqdklw.exe*."3⤵PID:1660
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe1⤵PID:4020
-
C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exeC:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe2⤵PID:1384
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe .1⤵PID:4004
-
C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exeC:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe .2⤵PID:6080
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\pavwlfdqqgczblxqdklw.exe*."3⤵PID:1128
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gbcxjicxolnxjcpwojkf.exe1⤵PID:516
-
C:\Windows\gbcxjicxolnxjcpwojkf.exegbcxjicxolnxjcpwojkf.exe2⤵PID:4372
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe1⤵PID:4600
-
C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exeC:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe2⤵PID:3060
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe .1⤵PID:3304
-
C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exeC:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe .2⤵PID:5628
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iqigsjeolyrlkraqa.exe*."3⤵PID:3652
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tnnhsqjdtpqzkcoulff.exe .1⤵PID:3012
-
C:\Windows\tnnhsqjdtpqzkcoulff.exetnnhsqjdtpqzkcoulff.exe .2⤵PID:5404
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tnnhsqjdtpqzkcoulff.exe*."3⤵PID:1096
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ibatdaslavvdnepukd.exe1⤵PID:1152
-
C:\Windows\ibatdaslavvdnepukd.exeibatdaslavvdnepukd.exe2⤵PID:5916
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zrphqmdvjdcjsiswl.exe .1⤵PID:4728
-
C:\Windows\zrphqmdvjdcjsiswl.exezrphqmdvjdcjsiswl.exe .2⤵PID:3636
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\zrphqmdvjdcjsiswl.exe*."3⤵PID:1400
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vrtpccxtljmxkesatprna.exe1⤵PID:5996
-
C:\Users\Admin\AppData\Local\Temp\vrtpccxtljmxkesatprna.exeC:\Users\Admin\AppData\Local\Temp\vrtpccxtljmxkesatprna.exe2⤵PID:5324
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gbcxjicxolnxjcpwojkf.exe .1⤵PID:4716
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1832
-
-
C:\Users\Admin\AppData\Local\Temp\gbcxjicxolnxjcpwojkf.exeC:\Users\Admin\AppData\Local\Temp\gbcxjicxolnxjcpwojkf.exe .2⤵PID:3272
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\gbcxjicxolnxjcpwojkf.exe*."3⤵PID:2664
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe1⤵PID:396
-
C:\Windows\ratsfxtecqkffnxoze.exeratsfxtecqkffnxoze.exe2⤵PID:4444
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrphqmdvjdcjsiswl.exe1⤵PID:2676
-
C:\Users\Admin\AppData\Local\Temp\zrphqmdvjdcjsiswl.exeC:\Users\Admin\AppData\Local\Temp\zrphqmdvjdcjsiswl.exe2⤵PID:1616
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c eqmoezymnebzcnauiqsea.exe .1⤵PID:3684
-
C:\Windows\eqmoezymnebzcnauiqsea.exeeqmoezymnebzcnauiqsea.exe .2⤵PID:2252
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\eqmoezymnebzcnauiqsea.exe*."3⤵PID:5856
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrphqmdvjdcjsiswl.exe .1⤵PID:812
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2584
-
-
C:\Users\Admin\AppData\Local\Temp\zrphqmdvjdcjsiswl.exeC:\Users\Admin\AppData\Local\Temp\zrphqmdvjdcjsiswl.exe .2⤵PID:4112
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\zrphqmdvjdcjsiswl.exe*."3⤵PID:4800
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cmggunkwvkfbclwoagg.exe1⤵PID:5004
-
C:\Windows\cmggunkwvkfbclwoagg.execmggunkwvkfbclwoagg.exe2⤵PID:2944
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bizwhxrawiatrxfu.exe .1⤵PID:5184
-
C:\Windows\bizwhxrawiatrxfu.exebizwhxrawiatrxfu.exe .2⤵PID:3964
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\bizwhxrawiatrxfu.exe*."3⤵PID:1544
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe1⤵PID:4836
-
C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exeC:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe2⤵PID:5424
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .1⤵PID:5512
-
C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exeC:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .2⤵PID:2912
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\bizwhxrawiatrxfu.exe*."3⤵PID:5572
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe1⤵PID:4012
-
C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exeC:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe2⤵PID:3164
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .1⤵PID:3688
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3772
-
-
C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exeC:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .2⤵PID:5948
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\bizwhxrawiatrxfu.exe*."3⤵PID:4200
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pavwlfdqqgczblxqdklw.exe1⤵PID:3136
Network
MITRE ATT&CK Enterprise v16 (count of matching signatures in parentheses)

Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)

Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
  Impair Defenses (2)
    Disable or Modify Tools (1)
    Safe Mode Boot (1)
  Modify Registry (5)
Downloads

Filesize: 280B
MD5: b028d212afc1c0a9690c6a48af88b4b2
SHA1: be1ef5990e27fb01245574cac9c5a41092f06f20
SHA256: 16d8f4ba768420392104f1043849bb8c97ea9ff0ef31b40958f5e42e856d2638
SHA512: 2a460970cf823ca78e41d3bef3bf62f371612db16f2696ad4c4e79ce196b163c54cfb2595b655d8d4fb51048a864dd12ceee09792ea37ba086be99e837289177

Filesize: 280B
MD5: 6df0f220f456da45d078c684c63e0146
SHA1: 95f866ac61eb4e1615cc2369ae01a054116a2497
SHA256: 741a06a19a3dd79a7cd6f28cc47987baa20a503f38cbb6bdd2b8ff772b6fa421
SHA512: 27f82e9895ff755b7bb0aeecdc4a88815805ca2d564bbb1aa789dbe45ead9e04d4d13b7181f4c54afc1a79c402cd5369ed2236a0cf63dfeb23aac5cbed2bf568

Filesize: 280B
MD5: 3607d6485f63900bfd637386ff98f4cf
SHA1: 056ba64b2c5cae8aa6da6d36490c6fc0d57fcd98
SHA256: 3e1295d9dc17f0d68fc8b05e9ca665ee69a7cb5e31f9f18ce1183044e28df7ae
SHA512: 50bebdbf5622d4d54e0bfb9c60c959d37759510539db6c407c47d3951dd8b8bdbd2853e04e699fdfa3b9a0c46eb0331fffec69acf0866b7abc083738311d50ea

Filesize: 280B
MD5: eb3af33817085cb45de2ba3a685b18ab
SHA1: 98249d1967ff5bc2722de34015a1ddd0b68ba38a
SHA256: 3689fce0a915a79827fffe1ed623a836d778961367e76518b36938158790d34e
SHA512: 89e12d3e64e7e33f9505710d8d1723d8c68612ba94b3c046a643b5bb780b4be349f9406dfe972487550f073f66093d4026dbac5a013e250a115d0db88f1f5206

Filesize: 280B
MD5: d0f0a8050e35f519fc9ced9b1bfebbeb
SHA1: 987c117febbcec143934d21377e2280b234b4a9e
SHA256: a7ced65a86116a9b4c4fcf58f98d29960d9dec64b34c4c6990acc030b25df59e
SHA512: 5f0a1f77532b5ee4fa8d7cffdb01dd8d84d30e6dee5a06738bb0d5eeff919f4240e0003f2cbeac06e021c3e08d74a492adfd2d902ed5afbcbff174fa12299c0c

Filesize: 280B
MD5: 65869c87082cc9f4baf16d80635a69d3
SHA1: 3ccf4edbe503790f72375ef24e6fa35499c61f15
SHA256: e792200a6aae3f1a8644a53018111a7b02de077d0cf2262ed8cbbd718069eb5a
SHA512: ff10db0248f8a01f4b963b498a40d736f06fc034d09f1d7064b8416f2f46b8d273e4c26de921e0248aa9dfc0f9b421bd66816f7fac9e98019109ebafc13a9528

Filesize: 280B
MD5: 39834596afec1ec0d634bb330712eb35
SHA1: 45eded30ead4ccebb42071bbf1e3eccc414a007e
SHA256: 553f9bfdfb17866aa3d1818cb686e41912e85a2e7a41cfb9609fdfcc779edbc7
SHA512: 30fbf56ee02b1a05bb30b3bf8a54c3da072317a5b7336c84af07b5a579c847d97311a283d225bdd4e8d1dd75670e52044fa97b4d9d5f71ab86e10912fdbe3adb

Filesize: 704KB
MD5: f95c4c576d7f3d3c881ded9f712b453e
SHA1: 5afc0e7f4853675af33293c058a1c2bff316326d
SHA256: 46c667d846467a239e6a101a0e6ebe5e45ae426302ed943941693cf46b3fe269
SHA512: 03c26b1c4586a8650945b606df9cd0d443c4a75a34e1579e99a5d18a800777685c2df47e0603e6cd241303a12ededac891d68af970b121769edd28451fd65466

Filesize: 320KB
MD5: 8bd4091e56ecf7598b0e0b150f3a70df
SHA1: d6cee503765ae819eea451a68555d1c9e5c71143
SHA256: 7e1216c3e258bca31f9c2b696e8dd4625e0e9de1a5890a45b22682bdf19f9f95
SHA512: 1c9f00aea43924dcba226487b6533edf0e6e0bbbb88d290c2e601085a7646d333bb43dfe57af28658f539941792376306d4fa2823acbdd902f2d4dacf2d68f39

Filesize: 280B
MD5: 19ab9b05c6208bce17119bc16c7992c8
SHA1: 1ec18173b00abaa7dd27ff7b3644fc7cd5ac386b
SHA256: e04133cf34c0008154790cbd32ea32f6c76cc1ca708a53dce7c1bc2d9848627c
SHA512: 0f221ebfacb020b505dc08b5cc0b581ce8e0282ee17b84cbbb033e0f45692280f21cfe77830ab12ad5c3e5e50425668343f4aee3fcec8386a02e4cf9456f788e

Filesize: 4KB
MD5: 5f7a7797a4f4dcf54c9a600af8b42c7a
SHA1: 62bb2c5bfa15fd713568703db59b94df4ec9ee5d
SHA256: 3618e36236c5a3e286d0a6ceed9dbd34f3e5c4e22057082ed273d3173811f536
SHA512: 1135ece30c94be98e459ec109c45f215ed24e66eddfc663dedc00f6e1154704ab63bede6dd3318dc64ed1f6a51069fc989635c7a06d3712adc6df3a864bf8dae

Filesize: 472KB
MD5: c940916a51510ded99612bd93114de0d
SHA1: af052d166386189ab6c14e8e49831b6459c42b5f
SHA256: 23500abd545b632364da058b1e9fa90a6c5377fd39266246bee94b0be750775a
SHA512: 7981e1a0e321645e396b80b9bddc102f901466f85f74bb252bf99088e083033a55a8eaad519b428cd161038a6d32e5a47c44dbc3ec2e2f8dc41cc21c2bd87ef1