Analysis
max time kernel: 29s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20250410-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250410-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/04/2025, 13:08
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_ce23cbd71cc033cecb1958623ee620c1.exe
  Resource: win10v2004-20250410-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_ce23cbd71cc033cecb1958623ee620c1.exe
  Resource: win11-20250410-en
General
Target: JaffaCakes118_ce23cbd71cc033cecb1958623ee620c1.exe
Size: 588KB
MD5: ce23cbd71cc033cecb1958623ee620c1
SHA1: ee0c07c78a5eeb4216a4e178e871f04ef0ba9b00
SHA256: 270dce235ce96e14c6472a545008e2e80c489f41b21f8ce9db95a60dd18f99c3
SHA512: 9a26d99303a7e07e4b5be581d4621d8af9705106ef6f26ab5326911c0d0aa065658951c5ca5c3b7dc1c4603c65a5ff0b8dbed4dbbc43b7bcd3d93dafa18b6a73
SSDEEP: 12288:CYBX/tQDwmHtOwu/ctCKaCDnEQvPg5I2R3:CY2w+tOwuMCeEOPp83
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 13 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | guzeft.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | wcycexrfgmi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | wcycexrfgmi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | wcycexrfgmi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | wcycexrfgmi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | guzeft.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | wcycexrfgmi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | wcycexrfgmi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | wcycexrfgmi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | wcycexrfgmi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | wcycexrfgmi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | wcycexrfgmi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | wcycexrfgmi.exe
Pykspa family

UAC bypass (3 TTPs, 22 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | guzeft.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wcycexrfgmi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | guzeft.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | guzeft.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wcycexrfgmi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wcycexrfgmi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wcycexrfgmi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wcycexrfgmi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | guzeft.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wcycexrfgmi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wcycexrfgmi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | wcycexrfgmi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wcycexrfgmi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | guzeft.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | guzeft.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wcycexrfgmi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wcycexrfgmi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | wcycexrfgmi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | guzeft.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | guzeft.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wcycexrfgmi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wcycexrfgmi.exe
Detect Pykspa worm (2 IoCs)
resource | yara_rule
behavioral1/files/0x0024000000022f12-4.dat | family_pykspa
behavioral1/files/0x000700000002428b-84.dat | family_pykspa
Adds policy Run key to start application (2 TTPs, 43 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zqygkbhsw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iizqddsmzppcfqzzav.exe" | wcycexrfgmi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | wcycexrfgmi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zqygkbhsw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iizqddsmzppcfqzzav.exe" | guzeft.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | wcycexrfgmi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kepahbkyfpjq = "vysmcfxukdgwcqcfjhjmg.exe" | guzeft.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kepahbkyfpjq = "vysmcfxukdgwcqcfjhjmg.exe" | wcycexrfgmi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zqygkbhsw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zyoeqpdwixwikucbb.exe" | wcycexrfgmi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kepahbkyfpjq = "sqfufdqithfqrahf.exe" | guzeft.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zqygkbhsw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sqfufdqithfqrahf.exe" | guzeft.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kepahbkyfpjq = "gibujlcynfhwbozbebce.exe" | wcycexrfgmi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | guzeft.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zqygkbhsw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iizqddsmzppcfqzzav.exe" | guzeft.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zqygkbhsw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sqfufdqithfqrahf.exe" | wcycexrfgmi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kepahbkyfpjq = "gibujlcynfhwbozbebce.exe" | guzeft.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | wcycexrfgmi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kepahbkyfpjq = "tumestjesjkycoyzbxx.exe" | wcycexrfgmi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zqygkbhsw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iizqddsmzppcfqzzav.exe" | wcycexrfgmi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zqygkbhsw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zyoeqpdwixwikucbb.exe" | wcycexrfgmi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | wcycexrfgmi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zqygkbhsw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gibujlcynfhwbozbebce.exe" | guzeft.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kepahbkyfpjq = "sqfufdqithfqrahf.exe" | wcycexrfgmi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | wcycexrfgmi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | wcycexrfgmi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kepahbkyfpjq = "gibujlcynfhwbozbebce.exe" | wcycexrfgmi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zqygkbhsw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sqfufdqithfqrahf.exe" | wcycexrfgmi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kepahbkyfpjq = "gibujlcynfhwbozbebce.exe" | wcycexrfgmi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kepahbkyfpjq = "sqfufdqithfqrahf.exe" | wcycexrfgmi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zqygkbhsw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zyoeqpdwixwikucbb.exe" | wcycexrfgmi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zqygkbhsw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zyoeqpdwixwikucbb.exe" | wcycexrfgmi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | wcycexrfgmi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | wcycexrfgmi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | wcycexrfgmi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | wcycexrfgmi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zqygkbhsw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vysmcfxukdgwcqcfjhjmg.exe" | wcycexrfgmi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kepahbkyfpjq = "sqfufdqithfqrahf.exe" | wcycexrfgmi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kepahbkyfpjq = "iizqddsmzppcfqzzav.exe" | wcycexrfgmi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kepahbkyfpjq = "vysmcfxukdgwcqcfjhjmg.exe" | wcycexrfgmi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | guzeft.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kepahbkyfpjq = "tumestjesjkycoyzbxx.exe" | guzeft.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zqygkbhsw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gibujlcynfhwbozbebce.exe" | guzeft.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zqygkbhsw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zyoeqpdwixwikucbb.exe" | wcycexrfgmi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | wcycexrfgmi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kepahbkyfpjq = "vysmcfxukdgwcqcfjhjmg.exe" | wcycexrfgmi.exe
Disables RegEdit via registry modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | guzeft.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | guzeft.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | guzeft.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | guzeft.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | wcycexrfgmi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | wcycexrfgmi.exe
Checks computer location settings (2 TTPs, 64 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | gibujlcynfhwbozbebce.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | vysmcfxukdgwcqcfjhjmg.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | gibujlcynfhwbozbebce.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | vysmcfxukdgwcqcfjhjmg.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | iizqddsmzppcfqzzav.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | zyoeqpdwixwikucbb.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | gibujlcynfhwbozbebce.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | tumestjesjkycoyzbxx.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | JaffaCakes118_ce23cbd71cc033cecb1958623ee620c1.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | iizqddsmzppcfqzzav.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | iizqddsmzppcfqzzav.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | vysmcfxukdgwcqcfjhjmg.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | tumestjesjkycoyzbxx.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | vysmcfxukdgwcqcfjhjmg.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | vysmcfxukdgwcqcfjhjmg.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | tumestjesjkycoyzbxx.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | iizqddsmzppcfqzzav.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | zyoeqpdwixwikucbb.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | vysmcfxukdgwcqcfjhjmg.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | iizqddsmzppcfqzzav.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | gibujlcynfhwbozbebce.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | gibujlcynfhwbozbebce.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | vysmcfxukdgwcqcfjhjmg.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | zyoeqpdwixwikucbb.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | zyoeqpdwixwikucbb.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | vysmcfxukdgwcqcfjhjmg.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | zyoeqpdwixwikucbb.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | tumestjesjkycoyzbxx.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | sqfufdqithfqrahf.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | wcycexrfgmi.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | sqfufdqithfqrahf.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | iizqddsmzppcfqzzav.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | zyoeqpdwixwikucbb.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | sqfufdqithfqrahf.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | iizqddsmzppcfqzzav.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | sqfufdqithfqrahf.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | iizqddsmzppcfqzzav.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | vysmcfxukdgwcqcfjhjmg.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | tumestjesjkycoyzbxx.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | gibujlcynfhwbozbebce.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | zyoeqpdwixwikucbb.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | sqfufdqithfqrahf.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | vysmcfxukdgwcqcfjhjmg.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | gibujlcynfhwbozbebce.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | tumestjesjkycoyzbxx.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | gibujlcynfhwbozbebce.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | sqfufdqithfqrahf.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | tumestjesjkycoyzbxx.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | vysmcfxukdgwcqcfjhjmg.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | sqfufdqithfqrahf.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | zyoeqpdwixwikucbb.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | sqfufdqithfqrahf.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | sqfufdqithfqrahf.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | gibujlcynfhwbozbebce.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | tumestjesjkycoyzbxx.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | tumestjesjkycoyzbxx.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | zyoeqpdwixwikucbb.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | vysmcfxukdgwcqcfjhjmg.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | iizqddsmzppcfqzzav.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | zyoeqpdwixwikucbb.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | tumestjesjkycoyzbxx.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | vysmcfxukdgwcqcfjhjmg.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | iizqddsmzppcfqzzav.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | tumestjesjkycoyzbxx.exe
Executes dropped EXE (64 IoCs)
pid | Process
4620 | wcycexrfgmi.exe
4768 | tumestjesjkycoyzbxx.exe
4844 | gibujlcynfhwbozbebce.exe
4220 | wcycexrfgmi.exe
4968 | gibujlcynfhwbozbebce.exe
5840 | iizqddsmzppcfqzzav.exe
4476 | zyoeqpdwixwikucbb.exe
4260 | iizqddsmzppcfqzzav.exe
1784 | wcycexrfgmi.exe
1520 | wcycexrfgmi.exe
1640 | tumestjesjkycoyzbxx.exe
3020 | tumestjesjkycoyzbxx.exe
1568 | wcycexrfgmi.exe
2288 | guzeft.exe
4224 | guzeft.exe
4160 | zyoeqpdwixwikucbb.exe
5228 | gibujlcynfhwbozbebce.exe
5400 | vysmcfxukdgwcqcfjhjmg.exe
4392 | tumestjesjkycoyzbxx.exe
548 | wcycexrfgmi.exe
5652 | gibujlcynfhwbozbebce.exe
4608 | wcycexrfgmi.exe
5208 | tumestjesjkycoyzbxx.exe
5860 | sqfufdqithfqrahf.exe
4768 | vysmcfxukdgwcqcfjhjmg.exe
4812 | vysmcfxukdgwcqcfjhjmg.exe
4832 | zyoeqpdwixwikucbb.exe
4708 | vysmcfxukdgwcqcfjhjmg.exe
4868 | wcycexrfgmi.exe
6120 | wcycexrfgmi.exe
1448 | iizqddsmzppcfqzzav.exe
4944 | wcycexrfgmi.exe
4796 | wcycexrfgmi.exe
536 | sqfufdqithfqrahf.exe
2332 | gibujlcynfhwbozbebce.exe
388 | sqfufdqithfqrahf.exe
5212 | gibujlcynfhwbozbebce.exe
1440 | wcycexrfgmi.exe
6016 | gibujlcynfhwbozbebce.exe
3200 | wcycexrfgmi.exe
1776 | sqfufdqithfqrahf.exe
2740 | wcycexrfgmi.exe
3144 | gibujlcynfhwbozbebce.exe
3604 | tumestjesjkycoyzbxx.exe
4436 | tumestjesjkycoyzbxx.exe
4412 | wcycexrfgmi.exe
3580 | sqfufdqithfqrahf.exe
4172 | wcycexrfgmi.exe
2880 | iizqddsmzppcfqzzav.exe
540 | gibujlcynfhwbozbebce.exe
2744 | wcycexrfgmi.exe
1100 | sqfufdqithfqrahf.exe
4084 | tumestjesjkycoyzbxx.exe
5324 | sqfufdqithfqrahf.exe
4632 | iizqddsmzppcfqzzav.exe
3232 | tumestjesjkycoyzbxx.exe
4728 | wcycexrfgmi.exe
1724 | wcycexrfgmi.exe
6076 | gibujlcynfhwbozbebce.exe
3136 | gibujlcynfhwbozbebce.exe
5308 | zyoeqpdwixwikucbb.exe
4076 | sqfufdqithfqrahf.exe
1456 | zyoeqpdwixwikucbb.exe
1272 | zyoeqpdwixwikucbb.exe
Impair Defenses: Safe Mode Boot (1 TTPs, 6 IoCs)
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | guzeft.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | guzeft.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | guzeft.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | guzeft.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | guzeft.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | guzeft.exe
Adds Run key to start application (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kgtgplwmvhdmls = "vysmcfxukdgwcqcfjhjmg.exe ." | guzeft.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kgtgplwmvhdmls = "zyoeqpdwixwikucbb.exe ." | wcycexrfgmi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sktchzgsxf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sqfufdqithfqrahf.exe" | wcycexrfgmi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kgtgplwmvhdmls = "vysmcfxukdgwcqcfjhjmg.exe ." | wcycexrfgmi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sqfufdqithfqrahf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sqfufdqithfqrahf.exe" | wcycexrfgmi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ngqagzhuajc = "tumestjesjkycoyzbxx.exe ." | wcycexrfgmi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sqfufdqithfqrahf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gibujlcynfhwbozbebce.exe" | wcycexrfgmi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nkymwtfwgtqaaio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tumestjesjkycoyzbxx.exe ." | guzeft.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ngqagzhuajc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vysmcfxukdgwcqcfjhjmg.exe ." | wcycexrfgmi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sqfufdqithfqrahf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sqfufdqithfqrahf.exe" | guzeft.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nkymwtfwgtqaaio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zyoeqpdwixwikucbb.exe ." | guzeft.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ngqagzhuajc = "tumestjesjkycoyzbxx.exe ." | wcycexrfgmi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nkymwtfwgtqaaio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sqfufdqithfqrahf.exe ." | wcycexrfgmi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sqfufdqithfqrahf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gibujlcynfhwbozbebce.exe" | guzeft.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sktchzgsxf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tumestjesjkycoyzbxx.exe" | wcycexrfgmi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sqfufdqithfqrahf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vysmcfxukdgwcqcfjhjmg.exe" | wcycexrfgmi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nkymwtfwgtqaaio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zyoeqpdwixwikucbb.exe ." | wcycexrfgmi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jeqckfpemxsay = "gibujlcynfhwbozbebce.exe" | wcycexrfgmi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ngqagzhuajc = "iizqddsmzppcfqzzav.exe ." | guzeft.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jeqckfpemxsay = "zyoeqpdwixwikucbb.exe" | guzeft.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ngqagzhuajc = "vysmcfxukdgwcqcfjhjmg.exe ." | guzeft.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sqfufdqithfqrahf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iizqddsmzppcfqzzav.exe" | wcycexrfgmi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kgtgplwmvhdmls = "tumestjesjkycoyzbxx.exe ." | guzeft.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ngqagzhuajc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zyoeqpdwixwikucbb.exe ." | wcycexrfgmi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ngqagzhuajc = "iizqddsmzppcfqzzav.exe ." | guzeft.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kgtgplwmvhdmls = "gibujlcynfhwbozbebce.exe ." | guzeft.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sktchzgsxf = "tumestjesjkycoyzbxx.exe" | wcycexrfgmi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ngqagzhuajc = "sqfufdqithfqrahf.exe ." | wcycexrfgmi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sktchzgsxf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zyoeqpdwixwikucbb.exe" | wcycexrfgmi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ngqagzhuajc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zyoeqpdwixwikucbb.exe ." | wcycexrfgmi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kgtgplwmvhdmls = "tumestjesjkycoyzbxx.exe ." | guzeft.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jeqckfpemxsay = "vysmcfxukdgwcqcfjhjmg.exe" | wcycexrfgmi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kgtgplwmvhdmls = "zyoeqpdwixwikucbb.exe ." | wcycexrfgmi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sktchzgsxf = "zyoeqpdwixwikucbb.exe" | wcycexrfgmi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sktchzgsxf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zyoeqpdwixwikucbb.exe" | wcycexrfgmi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ngqagzhuajc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tumestjesjkycoyzbxx.exe ." | wcycexrfgmi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ngqagzhuajc = "tumestjesjkycoyzbxx.exe ." | guzeft.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ngqagzhuajc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gibujlcynfhwbozbebce.exe ." | wcycexrfgmi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sqfufdqithfqrahf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iizqddsmzppcfqzzav.exe" | wcycexrfgmi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jeqckfpemxsay = "vysmcfxukdgwcqcfjhjmg.exe" | guzeft.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sktchzgsxf = "gibujlcynfhwbozbebce.exe" | wcycexrfgmi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sqfufdqithfqrahf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iizqddsmzppcfqzzav.exe" | guzeft.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sktchzgsxf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tumestjesjkycoyzbxx.exe" | wcycexrfgmi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jeqckfpemxsay = "iizqddsmzppcfqzzav.exe" | wcycexrfgmi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kgtgplwmvhdmls = "vysmcfxukdgwcqcfjhjmg.exe ." | wcycexrfgmi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ngqagzhuajc = "zyoeqpdwixwikucbb.exe ." | wcycexrfgmi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sktchzgsxf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vysmcfxukdgwcqcfjhjmg.exe" | wcycexrfgmi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ngqagzhuajc = "gibujlcynfhwbozbebce.exe ." | guzeft.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kgtgplwmvhdmls = "vysmcfxukdgwcqcfjhjmg.exe ." | guzeft.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kgtgplwmvhdmls = "vysmcfxukdgwcqcfjhjmg.exe ." | wcycexrfgmi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sktchzgsxf = "tumestjesjkycoyzbxx.exe" | wcycexrfgmi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kgtgplwmvhdmls = "iizqddsmzppcfqzzav.exe ." | wcycexrfgmi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nkymwtfwgtqaaio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sqfufdqithfqrahf.exe ." | wcycexrfgmi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kgtgplwmvhdmls = "tumestjesjkycoyzbxx.exe ." | wcycexrfgmi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jeqckfpemxsay = "zyoeqpdwixwikucbb.exe" | wcycexrfgmi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sktchzgsxf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gibujlcynfhwbozbebce.exe" | wcycexrfgmi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ngqagzhuajc = "gibujlcynfhwbozbebce.exe ."
wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sqfufdqithfqrahf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vysmcfxukdgwcqcfjhjmg.exe" guzeft.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sktchzgsxf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sqfufdqithfqrahf.exe" guzeft.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jeqckfpemxsay = "sqfufdqithfqrahf.exe" wcycexrfgmi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ngqagzhuajc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iizqddsmzppcfqzzav.exe ." wcycexrfgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sktchzgsxf = "zyoeqpdwixwikucbb.exe" wcycexrfgmi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sktchzgsxf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iizqddsmzppcfqzzav.exe" wcycexrfgmi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jeqckfpemxsay = "zyoeqpdwixwikucbb.exe" wcycexrfgmi.exe -
Checks whether UAC is enabled 1 TTPs 26 IoCs
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possibly turns off User Account Control's privilege elevation for standard users.
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" wcycexrfgmi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" guzeft.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" guzeft.exe -
Looks up external IP address via web service 10 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc
31 whatismyip.everdot.org
34 whatismyipaddress.com
41 www.whatismyip.ca
54 www.whatismyip.ca
26 whatismyip.everdot.org
33 www.whatismyip.ca
40 whatismyip.everdot.org
43 whatismyip.everdot.org
27 www.whatismyip.ca
28 www.showmyipaddress.com -
Drops file in System32 directory 64 IoCs
Drops file in Program Files directory 4 IoCs
description ioc Process
File opened for modification C:\Program Files (x86)\aklmjtswttdaniblwbkuvwtd.gdd guzeft.exe
File created C:\Program Files (x86)\aklmjtswttdaniblwbkuvwtd.gdd guzeft.exe
File opened for modification C:\Program Files (x86)\jeqckfpemxsayeidzpjeqckfpemxsayeidz.jeq guzeft.exe
File created C:\Program Files (x86)\jeqckfpemxsayeidzpjeqckfpemxsayeidz.jeq guzeft.exe -
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious behavior: EnumeratesProcesses 56 IoCs
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process
Token: SeDebugPrivilege 2288 guzeft.exe -
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 56 IoCs
| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | wcycexrfgmi.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | guzeft.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | guzeft.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wcycexrfgmi.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | wcycexrfgmi.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wcycexrfgmi.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | guzeft.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | guzeft.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | guzeft.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wcycexrfgmi.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wcycexrfgmi.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wcycexrfgmi.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | wcycexrfgmi.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | wcycexrfgmi.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | guzeft.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | guzeft.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | wcycexrfgmi.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wcycexrfgmi.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | wcycexrfgmi.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | guzeft.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | guzeft.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | guzeft.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wcycexrfgmi.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | wcycexrfgmi.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wcycexrfgmi.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | wcycexrfgmi.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | wcycexrfgmi.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | guzeft.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | guzeft.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | guzeft.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | wcycexrfgmi.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | wcycexrfgmi.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wcycexrfgmi.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | wcycexrfgmi.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | guzeft.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | guzeft.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | wcycexrfgmi.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | wcycexrfgmi.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | wcycexrfgmi.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | guzeft.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | guzeft.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | wcycexrfgmi.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | wcycexrfgmi.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | guzeft.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | guzeft.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | guzeft.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | wcycexrfgmi.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | guzeft.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | guzeft.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | guzeft.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | wcycexrfgmi.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wcycexrfgmi.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | wcycexrfgmi.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wcycexrfgmi.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wcycexrfgmi.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | guzeft.exe |
Processes

[1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ce23cbd71cc033cecb1958623ee620c1.exe (PID 5252)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ce23cbd71cc033cecb1958623ee620c1.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe (PID 4620)
    Command line: "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_ce23cbd71cc033cecb1958623ee620c1.exe*"
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - System policy modification
    [3] C:\Users\Admin\AppData\Local\Temp\guzeft.exe (PID 2288)
      Command line: "C:\Users\Admin\AppData\Local\Temp\guzeft.exe" "-C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe"
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Impair Defenses: Safe Mode Boot
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Hijack Execution Flow: Executable Installer File Permissions Weakness
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - System policy modification
    [3] C:\Users\Admin\AppData\Local\Temp\guzeft.exe (PID 4224)
      Command line: "C:\Users\Admin\AppData\Local\Temp\guzeft.exe" "-C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe"
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Hijack Execution Flow: Executable Installer File Permissions Weakness
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

[1] C:\Windows\system32\cmd.exe (PID 5968)
  Command line: C:\Windows\system32\cmd.exe /c tumestjesjkycoyzbxx.exe
  - Suspicious use of WriteProcessMemory
  [2] C:\Windows\tumestjesjkycoyzbxx.exe (PID 4768)
    Command line: tumestjesjkycoyzbxx.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

[1] C:\Windows\system32\cmd.exe (PID 4660)
  Command line: C:\Windows\system32\cmd.exe /c gibujlcynfhwbozbebce.exe .
  - Suspicious use of WriteProcessMemory
  [2] C:\Windows\gibujlcynfhwbozbebce.exe (PID 4844)
    Command line: gibujlcynfhwbozbebce.exe .
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe (PID 4220)
      Command line: "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\gibujlcynfhwbozbebce.exe*."
      - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 688)
  Command line: C:\Windows\system32\cmd.exe /c gibujlcynfhwbozbebce.exe
  - Suspicious use of WriteProcessMemory
  [2] C:\Windows\gibujlcynfhwbozbebce.exe (PID 4968)
    Command line: gibujlcynfhwbozbebce.exe
    - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 1688)
  Command line: C:\Windows\system32\cmd.exe /c iizqddsmzppcfqzzav.exe .
  - Suspicious use of WriteProcessMemory
  [2] C:\Windows\iizqddsmzppcfqzzav.exe (PID 5840)
    Command line: iizqddsmzppcfqzzav.exe .
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe (PID 1784)
      Command line: "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\iizqddsmzppcfqzzav.exe*."
      - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 3912)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exe
  - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exe (PID 4476)
    Command line: C:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

[1] C:\Windows\system32\cmd.exe (PID 6004)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe .
  - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe (PID 4260)
    Command line: C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe .
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe (PID 1520)
      Command line: "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\iizqddsmzppcfqzzav.exe*."
      - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 3116)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe
  - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe (PID 1640)
    Command line: C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

[1] C:\Windows\system32\cmd.exe (PID 2556)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe .
  - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe (PID 3020)
    Command line: C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe .
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe (PID 1568)
      Command line: "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\tumestjesjkycoyzbxx.exe*."
      - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 4080)
  Command line: C:\Windows\system32\cmd.exe /c zyoeqpdwixwikucbb.exe
  - Suspicious use of WriteProcessMemory
  [2] C:\Windows\zyoeqpdwixwikucbb.exe (PID 4160)
    Command line: zyoeqpdwixwikucbb.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

[1] C:\Windows\system32\cmd.exe (PID 4316)
  Command line: C:\Windows\system32\cmd.exe /c gibujlcynfhwbozbebce.exe
  - Suspicious use of WriteProcessMemory
  [2] C:\Windows\gibujlcynfhwbozbebce.exe (PID 5228)
    Command line: gibujlcynfhwbozbebce.exe
    - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 5428)
  Command line: C:\Windows\system32\cmd.exe /c vysmcfxukdgwcqcfjhjmg.exe .
  - Suspicious use of WriteProcessMemory
  [2] C:\Windows\vysmcfxukdgwcqcfjhjmg.exe (PID 5400)
    Command line: vysmcfxukdgwcqcfjhjmg.exe .
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe (PID 548)
      Command line: "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\vysmcfxukdgwcqcfjhjmg.exe*."
      - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 3252)
  Command line: C:\Windows\system32\cmd.exe /c tumestjesjkycoyzbxx.exe .
  - Suspicious use of WriteProcessMemory
  [2] C:\Windows\tumestjesjkycoyzbxx.exe (PID 4392)
    Command line: tumestjesjkycoyzbxx.exe .
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe (PID 4608)
      Command line: "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\tumestjesjkycoyzbxx.exe*."
      - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 2280)
  Command line: C:\Windows\system32\cmd.exe /c gibujlcynfhwbozbebce.exe
  - Suspicious use of WriteProcessMemory
  [2] C:\Windows\gibujlcynfhwbozbebce.exe (PID 5652)
    Command line: gibujlcynfhwbozbebce.exe
    - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 2308)
  Command line: C:\Windows\system32\cmd.exe /c tumestjesjkycoyzbxx.exe .
  [2] C:\Windows\tumestjesjkycoyzbxx.exe (PID 5208)
    Command line: tumestjesjkycoyzbxx.exe .
    - Checks computer location settings
    - Executes dropped EXE
    [3] C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe (PID 4868)
      Command line: "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\tumestjesjkycoyzbxx.exe*."
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

[1] C:\Windows\system32\cmd.exe (PID 4292)
  Command line: C:\Windows\system32\cmd.exe /c sqfufdqithfqrahf.exe
  [2] C:\Windows\sqfufdqithfqrahf.exe (PID 5860)
    Command line: sqfufdqithfqrahf.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

[1] C:\Windows\system32\cmd.exe (PID 5224)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exe
  [2] C:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exe (PID 4832)
    Command line: C:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exe
    - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 2548)
  Command line: C:\Windows\system32\cmd.exe /c vysmcfxukdgwcqcfjhjmg.exe .
  [2] C:\Windows\vysmcfxukdgwcqcfjhjmg.exe (PID 4812)
    Command line: vysmcfxukdgwcqcfjhjmg.exe .
    - Checks computer location settings
    - Executes dropped EXE
    [3] C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe (PID 4944)
      Command line: "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\vysmcfxukdgwcqcfjhjmg.exe*."
      - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 4756)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe (PID 4708)
    Command line: C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe .
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe (PID 6120)
      Command line: "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\vysmcfxukdgwcqcfjhjmg.exe*."
      - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 4592)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe
  [2] C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe (PID 4768)
    Command line: C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

[1] C:\Windows\system32\cmd.exe (PID 4312)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe (PID 1448)
    Command line: C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe .
    - Checks computer location settings
    - Executes dropped EXE
    [3] C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe (PID 4796)
      Command line: "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\iizqddsmzppcfqzzav.exe*."
      - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 3424)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe
  [2] C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe (PID 2332)
    Command line: C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

[1] C:\Windows\system32\cmd.exe (PID 3504)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe (PID 388)
    Command line: C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe .
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe (PID 3200)
      Command line: "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\sqfufdqithfqrahf.exe*."
      - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 564)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe
  [2] C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe (PID 5212)
    Command line: C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe
    - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 3136)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe (PID 536)
    Command line: C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe .
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe (PID 1440)
      Command line: "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\sqfufdqithfqrahf.exe*."
      - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 3156)
  Command line: C:\Windows\system32\cmd.exe /c gibujlcynfhwbozbebce.exe
  [2] C:\Windows\gibujlcynfhwbozbebce.exe (PID 6016)
    Command line: gibujlcynfhwbozbebce.exe
    - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 5008)
  Command line: C:\Windows\system32\cmd.exe /c sqfufdqithfqrahf.exe .
  [2] C:\Windows\sqfufdqithfqrahf.exe (PID 1776)
    Command line: sqfufdqithfqrahf.exe .
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe (PID 2740)
      Command line: "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\sqfufdqithfqrahf.exe*."
      - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 3064)
  Command line: C:\Windows\system32\cmd.exe /c gibujlcynfhwbozbebce.exe
  [2] C:\Windows\gibujlcynfhwbozbebce.exe (PID 3144)
    Command line: gibujlcynfhwbozbebce.exe
    - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 6080)
  Command line: C:\Windows\system32\cmd.exe /c tumestjesjkycoyzbxx.exe .
  [2] C:\Windows\tumestjesjkycoyzbxx.exe (PID 3604)
    Command line: tumestjesjkycoyzbxx.exe .
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe (PID 4412)
      Command line: "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\tumestjesjkycoyzbxx.exe*."
      - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 1304)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe
  [2] C:\Windows\System32\Conhost.exe (PID 4160)
    Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe (PID 4436)
    Command line: C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe
    - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 3092)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe (PID 3580)
    Command line: C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe .
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe (PID 4172)
      Command line: "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\sqfufdqithfqrahf.exe*."
      - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 5152)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe
  [2] C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe (PID 2880)
    Command line: C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe
    - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 5000)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe (PID 540)
    Command line: C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe .
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe (PID 2744)
      Command line: "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\gibujlcynfhwbozbebce.exe*."
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

[1] C:\Windows\system32\cmd.exe (PID 5676)
  Command line: C:\Windows\system32\cmd.exe /c sqfufdqithfqrahf.exe
  [2] C:\Windows\sqfufdqithfqrahf.exe (PID 1100)
    Command line: sqfufdqithfqrahf.exe
    - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 4116)
  Command line: C:\Windows\system32\cmd.exe /c tumestjesjkycoyzbxx.exe
  [2] C:\Windows\tumestjesjkycoyzbxx.exe (PID 4084)
    Command line: tumestjesjkycoyzbxx.exe
    - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 4744)
  Command line: C:\Windows\system32\cmd.exe /c sqfufdqithfqrahf.exe
  [2] C:\Windows\sqfufdqithfqrahf.exe (PID 5324)
    Command line: sqfufdqithfqrahf.exe
    - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 832)
  Command line: C:\Windows\system32\cmd.exe /c tumestjesjkycoyzbxx.exe .
  [2] C:\Windows\tumestjesjkycoyzbxx.exe (PID 3232)
    Command line: tumestjesjkycoyzbxx.exe .
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe (PID 1724)
      Command line: "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\tumestjesjkycoyzbxx.exe*."
      - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 5260)
  Command line: C:\Windows\system32\cmd.exe /c iizqddsmzppcfqzzav.exe .
  [2] C:\Windows\iizqddsmzppcfqzzav.exe (PID 4632)
    Command line: iizqddsmzppcfqzzav.exe .
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe (PID 4728)
      Command line: "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\iizqddsmzppcfqzzav.exe*."
      - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 4152)
  Command line: C:\Windows\system32\cmd.exe /c iizqddsmzppcfqzzav.exe
  [2] C:\Windows\iizqddsmzppcfqzzav.exe (PID 4760)
    Command line: iizqddsmzppcfqzzav.exe

[1] C:\Windows\system32\cmd.exe (PID 5368)
  Command line: C:\Windows\system32\cmd.exe /c iizqddsmzppcfqzzav.exe .
  [2] C:\Windows\iizqddsmzppcfqzzav.exe (PID 2444)
    Command line: iizqddsmzppcfqzzav.exe .
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe (PID 4116)
      Command line: "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\iizqddsmzppcfqzzav.exe*."

[1] C:\Windows\system32\cmd.exe (PID 5224)
  Command line: C:\Windows\system32\cmd.exe /c gibujlcynfhwbozbebce.exe
  [2] C:\Windows\gibujlcynfhwbozbebce.exe (PID 3136)
    Command line: gibujlcynfhwbozbebce.exe
    - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 2236)
  Command line: C:\Windows\system32\cmd.exe /c zyoeqpdwixwikucbb.exe .
  [2] C:\Windows\zyoeqpdwixwikucbb.exe (PID 5308)
    Command line: zyoeqpdwixwikucbb.exe .
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe (PID 2420)
      Command line: "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\zyoeqpdwixwikucbb.exe*."

[1] C:\Windows\system32\cmd.exe (PID 4648)
  Command line: C:\Windows\system32\cmd.exe /c gibujlcynfhwbozbebce.exe .
  [2] C:\Windows\gibujlcynfhwbozbebce.exe (PID 6076)
    Command line: gibujlcynfhwbozbebce.exe .
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe (PID 3660)
      Command line: "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\gibujlcynfhwbozbebce.exe*."
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

[1] C:\Windows\system32\cmd.exe (PID 4240)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe
  [2] C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe (PID 4076)
    Command line: C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe
    - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 4884)
  Command line: C:\Windows\system32\cmd.exe /c zyoeqpdwixwikucbb.exe
  [2] C:\Windows\zyoeqpdwixwikucbb.exe (PID 3064)
    Command line: zyoeqpdwixwikucbb.exe

[1] C:\Windows\system32\cmd.exe (PID 4948)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe
  [2] C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe (PID 3524)
    Command line: C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe

[1] C:\Windows\system32\cmd.exe (PID 3076)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe (PID 5092)
    Command line: C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe .
    - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe (PID 4292)
      Command line: "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\gibujlcynfhwbozbebce.exe*."

[1] C:\Windows\system32\cmd.exe (PID 1088)
  Command line: C:\Windows\system32\cmd.exe /c gibujlcynfhwbozbebce.exe .
  [2] C:\Windows\gibujlcynfhwbozbebce.exe (PID 2540)
    Command line: gibujlcynfhwbozbebce.exe .
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe (PID 5624)
      Command line: "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\gibujlcynfhwbozbebce.exe*."

[1] C:\Windows\system32\cmd.exe (PID 4756)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exe (PID 1456)
    Command line: C:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exe .
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe (PID 1164)
      Command line: "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\zyoeqpdwixwikucbb.exe*."

[1] C:\Windows\system32\cmd.exe (PID 3392)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe
  [2] C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe (PID 4992)
    Command line: C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe

[1] C:\Windows\system32\cmd.exe (PID 4692)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exe (PID 1272)
    Command line: C:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exe .
    - Checks computer location settings
    - Executes dropped EXE
    [3] C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe (PID 2612)
      Command line: "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\zyoeqpdwixwikucbb.exe*."

[1] C:\Windows\system32\cmd.exe (PID 4204)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe
  [2] C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe (PID 5124)
    Command line: C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe

[1] C:\Windows\system32\cmd.exe (PID 3140)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe
  [2] C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe (PID 2084)
    Command line: C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe

[1] C:\Windows\system32\cmd.exe (PID 2472)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe .
  [2] C:\Windows\System32\Conhost.exe (PID 3020)
    Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe (PID 632)
    Command line: C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe .
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe (PID 3508)
      Command line: "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\vysmcfxukdgwcqcfjhjmg.exe*."

[1] C:\Windows\system32\cmd.exe (PID 5320)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe (PID 3484)
    Command line: C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe .
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe (PID 5920)
      Command line: "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\iizqddsmzppcfqzzav.exe*."

[1] C:\Windows\system32\cmd.exe (PID 2560)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe
  [2] C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe (PID 2336)
    Command line: C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe

[1] C:\Windows\system32\cmd.exe (PID 4364)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe (PID 1304)
    Command line: C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe .
    - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe (PID 3124)
      Command line: "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\sqfufdqithfqrahf.exe*."

[1] C:\Windows\system32\cmd.exe (PID 4516)
  Command line: C:\Windows\system32\cmd.exe /c tumestjesjkycoyzbxx.exe
  [2] C:\Windows\tumestjesjkycoyzbxx.exe (PID 5596)
    Command line: tumestjesjkycoyzbxx.exe

[1] C:\Windows\system32\cmd.exe (PID 3784)
  Command line: C:\Windows\system32\cmd.exe /c vysmcfxukdgwcqcfjhjmg.exe .
  [2] C:\Windows\vysmcfxukdgwcqcfjhjmg.exe (PID 1552)
    Command line: vysmcfxukdgwcqcfjhjmg.exe .
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe (PID 1688)
      Command line: "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\vysmcfxukdgwcqcfjhjmg.exe*."

[1] C:\Windows\system32\cmd.exe (PID 3180)
  Command line: C:\Windows\system32\cmd.exe /c sqfufdqithfqrahf.exe
  [2] C:\Windows\sqfufdqithfqrahf.exe (PID 5388)
    Command line: sqfufdqithfqrahf.exe

[1] C:\Windows\system32\cmd.exe (PID 5324)
  Command line: C:\Windows\system32\cmd.exe /c gibujlcynfhwbozbebce.exe .
  [2] C:\Windows\gibujlcynfhwbozbebce.exe (PID 4424)
    Command line: gibujlcynfhwbozbebce.exe .
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe (PID 5628)
      Command line: "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\gibujlcynfhwbozbebce.exe*."

[1] C:\Windows\system32\cmd.exe (PID 4676)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exe
  [2] C:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exe (PID 3720)
    Command line: C:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exe

[1] C:\Windows\system32\cmd.exe (PID 5300)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe .
  [2] C:\Windows\System32\Conhost.exe (PID 1724)
    Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe (PID 4460)
    Command line: C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe .
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe (PID 464)
      Command line: "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\sqfufdqithfqrahf.exe*."

[1] C:\Windows\system32\cmd.exe (PID 4724)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe
  [2] C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe (PID 3620)
    Command line: C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe

[1] C:\Windows\system32\cmd.exe (PID 2452)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe .
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4356 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\vysmcfxukdgwcqcfjhjmg.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3700
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gibujlcynfhwbozbebce.exe1⤵PID:4296
-
C:\Windows\gibujlcynfhwbozbebce.exegibujlcynfhwbozbebce.exe2⤵PID:380
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sqfufdqithfqrahf.exe .1⤵PID:752
-
C:\Windows\sqfufdqithfqrahf.exesqfufdqithfqrahf.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1908 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\sqfufdqithfqrahf.exe*."3⤵PID:4384
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zyoeqpdwixwikucbb.exe1⤵PID:2084
-
C:\Windows\zyoeqpdwixwikucbb.exezyoeqpdwixwikucbb.exe2⤵PID:1772
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tumestjesjkycoyzbxx.exe .1⤵PID:4884
-
C:\Windows\tumestjesjkycoyzbxx.exetumestjesjkycoyzbxx.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1320 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\tumestjesjkycoyzbxx.exe*."3⤵PID:3944
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe1⤵PID:5532
-
C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exeC:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe2⤵PID:1324
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe .1⤵PID:4220
-
C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exeC:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1440 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\sqfufdqithfqrahf.exe*."3⤵PID:1612
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe1⤵PID:908
-
C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exeC:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe2⤵PID:4740
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe .1⤵PID:1088
-
C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exeC:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2724 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\iizqddsmzppcfqzzav.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4876
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tumestjesjkycoyzbxx.exe1⤵PID:1184
-
C:\Windows\tumestjesjkycoyzbxx.exetumestjesjkycoyzbxx.exe2⤵PID:5044
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tumestjesjkycoyzbxx.exe .1⤵PID:5480
-
C:\Windows\tumestjesjkycoyzbxx.exetumestjesjkycoyzbxx.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:388 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\tumestjesjkycoyzbxx.exe*."3⤵PID:5468
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zyoeqpdwixwikucbb.exe1⤵PID:3240
-
C:\Windows\zyoeqpdwixwikucbb.exezyoeqpdwixwikucbb.exe2⤵PID:4144
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vysmcfxukdgwcqcfjhjmg.exe .1⤵PID:3992
-
C:\Windows\vysmcfxukdgwcqcfjhjmg.exevysmcfxukdgwcqcfjhjmg.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4916 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\vysmcfxukdgwcqcfjhjmg.exe*."3⤵PID:6032
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe1⤵PID:4508
-
C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exeC:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe2⤵PID:2444
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe .1⤵PID:4292
-
C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exeC:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5944 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\gibujlcynfhwbozbebce.exe*."3⤵PID:1976
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exe1⤵PID:536
-
C:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exeC:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exe2⤵PID:4816
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe .1⤵PID:6136
-
C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exeC:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2148 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\iizqddsmzppcfqzzav.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3964
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zyoeqpdwixwikucbb.exe1⤵PID:740
-
C:\Windows\zyoeqpdwixwikucbb.exezyoeqpdwixwikucbb.exe2⤵PID:5672
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vysmcfxukdgwcqcfjhjmg.exe .1⤵PID:4860
-
C:\Windows\vysmcfxukdgwcqcfjhjmg.exevysmcfxukdgwcqcfjhjmg.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2900 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\vysmcfxukdgwcqcfjhjmg.exe*."3⤵PID:2884
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vysmcfxukdgwcqcfjhjmg.exe1⤵PID:4856
-
C:\Windows\vysmcfxukdgwcqcfjhjmg.exevysmcfxukdgwcqcfjhjmg.exe2⤵PID:4848
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vysmcfxukdgwcqcfjhjmg.exe .1⤵PID:5056
-
C:\Windows\vysmcfxukdgwcqcfjhjmg.exevysmcfxukdgwcqcfjhjmg.exe .2⤵
- Checks computer location settings
PID:3244 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\vysmcfxukdgwcqcfjhjmg.exe*."3⤵PID:3604
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe1⤵PID:688
-
C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exeC:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe2⤵PID:4488
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe .1⤵PID:2588
-
C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exeC:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5244 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\tumestjesjkycoyzbxx.exe*."3⤵PID:1084
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe1⤵PID:4448
-
C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exeC:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe2⤵PID:4048
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe .1⤵PID:5884
-
C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exeC:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5508 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\gibujlcynfhwbozbebce.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:804
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sqfufdqithfqrahf.exe1⤵PID:4812
-
C:\Windows\sqfufdqithfqrahf.exesqfufdqithfqrahf.exe2⤵PID:2384
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tumestjesjkycoyzbxx.exe .1⤵PID:1908
-
C:\Windows\tumestjesjkycoyzbxx.exetumestjesjkycoyzbxx.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5012 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\tumestjesjkycoyzbxx.exe*."3⤵PID:2548
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iizqddsmzppcfqzzav.exe1⤵PID:2556
-
C:\Windows\iizqddsmzppcfqzzav.exeiizqddsmzppcfqzzav.exe2⤵PID:4868
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zyoeqpdwixwikucbb.exe .1⤵PID:6024
-
C:\Windows\zyoeqpdwixwikucbb.exezyoeqpdwixwikucbb.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4672 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\zyoeqpdwixwikucbb.exe*."3⤵PID:744
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe1⤵PID:3912
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2332
-
-
C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exeC:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe2⤵PID:6012
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe .1⤵PID:5924
-
C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exeC:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4756 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\tumestjesjkycoyzbxx.exe*."3⤵PID:1808
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe1⤵PID:5832
-
C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exeC:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe2⤵PID:4500
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe .1⤵PID:5360
-
C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exeC:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4884 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\sqfufdqithfqrahf.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2916
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zyoeqpdwixwikucbb.exe1⤵PID:2348
-
C:\Windows\zyoeqpdwixwikucbb.exezyoeqpdwixwikucbb.exe2⤵PID:4192
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iizqddsmzppcfqzzav.exe .1⤵PID:5596
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:388
-
-
C:\Windows\iizqddsmzppcfqzzav.exeiizqddsmzppcfqzzav.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5812 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\iizqddsmzppcfqzzav.exe*."3⤵PID:5212
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iizqddsmzppcfqzzav.exe1⤵PID:4520
-
C:\Windows\iizqddsmzppcfqzzav.exeiizqddsmzppcfqzzav.exe2⤵PID:4704
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zyoeqpdwixwikucbb.exe .1⤵PID:4608
-
C:\Windows\zyoeqpdwixwikucbb.exezyoeqpdwixwikucbb.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3564 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\zyoeqpdwixwikucbb.exe*."3⤵PID:5420
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe1⤵PID:3756
-
C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exeC:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe2⤵PID:1688
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exe .1⤵PID:6116
-
C:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exeC:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5816 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\zyoeqpdwixwikucbb.exe*."3⤵PID:4712
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iizqddsmzppcfqzzav.exe1⤵PID:2260
-
C:\Windows\iizqddsmzppcfqzzav.exeiizqddsmzppcfqzzav.exe2⤵PID:5848
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gibujlcynfhwbozbebce.exe1⤵PID:4876
-
C:\Windows\gibujlcynfhwbozbebce.exegibujlcynfhwbozbebce.exe2⤵PID:2744
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gibujlcynfhwbozbebce.exe .1⤵PID:2160
-
C:\Windows\gibujlcynfhwbozbebce.exegibujlcynfhwbozbebce.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4700 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\gibujlcynfhwbozbebce.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4436
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exe1⤵PID:1868
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3232
-
-
C:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exeC:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exe2⤵PID:4152
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exe .1⤵PID:4768
-
C:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exeC:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1972 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\zyoeqpdwixwikucbb.exe*."3⤵PID:1084
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vysmcfxukdgwcqcfjhjmg.exe .1⤵PID:4660
-
C:\Windows\vysmcfxukdgwcqcfjhjmg.exevysmcfxukdgwcqcfjhjmg.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3660 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\vysmcfxukdgwcqcfjhjmg.exe*."3⤵PID:1640
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vysmcfxukdgwcqcfjhjmg.exe1⤵PID:316
-
C:\Windows\vysmcfxukdgwcqcfjhjmg.exevysmcfxukdgwcqcfjhjmg.exe2⤵PID:4356
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vysmcfxukdgwcqcfjhjmg.exe .1⤵PID:1852
-
C:\Windows\vysmcfxukdgwcqcfjhjmg.exevysmcfxukdgwcqcfjhjmg.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1540 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\vysmcfxukdgwcqcfjhjmg.exe*."3⤵PID:4672
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vysmcfxukdgwcqcfjhjmg.exe1⤵PID:2600
-
C:\Windows\vysmcfxukdgwcqcfjhjmg.exevysmcfxukdgwcqcfjhjmg.exe2⤵PID:3940
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe1⤵PID:464
-
C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exeC:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe2⤵PID:1520
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tumestjesjkycoyzbxx.exe .1⤵PID:5056
-
C:\Windows\tumestjesjkycoyzbxx.exetumestjesjkycoyzbxx.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2036 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\tumestjesjkycoyzbxx.exe*."3⤵PID:5436
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe .1⤵PID:2644
-
C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exeC:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5624 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\vysmcfxukdgwcqcfjhjmg.exe*."3⤵PID:5924
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe1⤵PID:1664
-
C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exeC:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe2⤵PID:4780
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe .1⤵PID:5560
-
C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exeC:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3280 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\tumestjesjkycoyzbxx.exe*."3⤵PID:1108
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe1⤵PID:4036
-
C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exeC:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe2⤵PID:4732
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vysmcfxukdgwcqcfjhjmg.exe1⤵PID:2384
-
C:\Windows\vysmcfxukdgwcqcfjhjmg.exevysmcfxukdgwcqcfjhjmg.exe2⤵PID:1808
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe .1⤵PID:2612
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2548
-
-
C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exeC:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe .2⤵
- Checks computer location settings
PID:4268 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\iizqddsmzppcfqzzav.exe*."3⤵PID:764
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe1⤵PID:1064
-
C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exeC:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe2⤵PID:5912
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zyoeqpdwixwikucbb.exe .1⤵PID:3140
-
C:\Windows\zyoeqpdwixwikucbb.exezyoeqpdwixwikucbb.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4148 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\zyoeqpdwixwikucbb.exe*."3⤵PID:1532
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe .1⤵PID:4844
-
C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exeC:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5496 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\tumestjesjkycoyzbxx.exe*."3⤵PID:5552
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iizqddsmzppcfqzzav.exe1⤵PID:5296
-
C:\Windows\iizqddsmzppcfqzzav.exeiizqddsmzppcfqzzav.exe2⤵PID:3996
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vysmcfxukdgwcqcfjhjmg.exe .1⤵PID:804
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5920
-
-
C:\Windows\vysmcfxukdgwcqcfjhjmg.exevysmcfxukdgwcqcfjhjmg.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4612 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\vysmcfxukdgwcqcfjhjmg.exe*."3⤵PID:4520
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe1⤵PID:1960
-
C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exeC:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe2⤵PID:6032
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe .1⤵PID:2496
-
C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exeC:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe .2⤵
- Checks computer location settings
PID:5140 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\iizqddsmzppcfqzzav.exe*."3⤵PID:392
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe1⤵PID:3756
-
C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exeC:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe2⤵PID:4116
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exe .1⤵PID:5268
-
C:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exeC:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exe .2⤵
- Checks computer location settings
PID:5452 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\zyoeqpdwixwikucbb.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4712
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tumestjesjkycoyzbxx.exe1⤵PID:1068
-
C:\Windows\tumestjesjkycoyzbxx.exetumestjesjkycoyzbxx.exe2⤵PID:2148
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zyoeqpdwixwikucbb.exe .1⤵PID:2900
-
C:\Windows\zyoeqpdwixwikucbb.exezyoeqpdwixwikucbb.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4864 -
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\zyoeqpdwixwikucbb.exe*."3⤵PID:1868
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vysmcfxukdgwcqcfjhjmg.exe1⤵PID:3860
-
C:\Windows\vysmcfxukdgwcqcfjhjmg.exevysmcfxukdgwcqcfjhjmg.exe2⤵PID:6044
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zyoeqpdwixwikucbb.exe .1⤵PID:2404
-
C:\Windows\zyoeqpdwixwikucbb.exezyoeqpdwixwikucbb.exe .2⤵PID:944
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\zyoeqpdwixwikucbb.exe*."3⤵PID:5176
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe1⤵PID:1456
-
C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exeC:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe2⤵PID:4256
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe .1⤵PID:4460
-
C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exeC:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe .2⤵PID:4836
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\iizqddsmzppcfqzzav.exe*."3⤵PID:5800
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe1⤵PID:1320
-
C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exeC:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe2⤵PID:1660
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe .1⤵PID:840
-
C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exeC:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe .2⤵PID:5688
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\iizqddsmzppcfqzzav.exe*."3⤵PID:1540
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gibujlcynfhwbozbebce.exe1⤵PID:2432
-
C:\Windows\gibujlcynfhwbozbebce.exegibujlcynfhwbozbebce.exe2⤵PID:5260
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tumestjesjkycoyzbxx.exe .1⤵PID:5836
-
C:\Windows\tumestjesjkycoyzbxx.exetumestjesjkycoyzbxx.exe .2⤵PID:1580
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\tumestjesjkycoyzbxx.exe*."3⤵PID:5044
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iizqddsmzppcfqzzav.exe1⤵PID:4352
-
C:\Windows\iizqddsmzppcfqzzav.exeiizqddsmzppcfqzzav.exe2⤵PID:1844
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gibujlcynfhwbozbebce.exe .1⤵PID:4548
-
C:\Windows\gibujlcynfhwbozbebce.exegibujlcynfhwbozbebce.exe .2⤵PID:3600
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\gibujlcynfhwbozbebce.exe*."3⤵PID:4144
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe1⤵PID:4388
-
C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exeC:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe2⤵PID:3236
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe .1⤵PID:5480
-
Process tree (continued; one process per line, indented by nesting depth: image path | command line | PID)

  C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe | C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe . | PID 3912
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\iizqddsmzppcfqzzav.exe*." | PID 1856
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe | PID 1192
  C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe | C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe | PID 1900
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe . | PID 2100
  C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe | C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe . | PID 632
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\tumestjesjkycoyzbxx.exe*." | PID 4872
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c gibujlcynfhwbozbebce.exe | PID 912
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 4916
  C:\Windows\gibujlcynfhwbozbebce.exe | gibujlcynfhwbozbebce.exe | PID 5784
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vysmcfxukdgwcqcfjhjmg.exe . | PID 4048
  C:\Windows\vysmcfxukdgwcqcfjhjmg.exe | vysmcfxukdgwcqcfjhjmg.exe . | PID 5092
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\vysmcfxukdgwcqcfjhjmg.exe*." | PID 4488
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zyoeqpdwixwikucbb.exe | PID 2880
  C:\Windows\zyoeqpdwixwikucbb.exe | zyoeqpdwixwikucbb.exe | PID 5868
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c iizqddsmzppcfqzzav.exe . | PID 2408
  C:\Windows\iizqddsmzppcfqzzav.exe | iizqddsmzppcfqzzav.exe . | PID 564
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\iizqddsmzppcfqzzav.exe*." | PID 4676
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe | PID 4664
  C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe | C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe | PID 1068
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe . | PID 1124
  C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe | C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe . | PID 4876
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\vysmcfxukdgwcqcfjhjmg.exe*." | PID 1568
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exe | PID 4524
  C:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exe | C:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exe | PID 3940
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe . | PID 5176
  C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe | C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe . | PID 4820
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\tumestjesjkycoyzbxx.exe*." | PID 6112
C:\Windows\system32\BackgroundTransferHost.exe | "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1 | PID 1456
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c gibujlcynfhwbozbebce.exe | PID 668
  C:\Windows\gibujlcynfhwbozbebce.exe | gibujlcynfhwbozbebce.exe | PID 2952
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c iizqddsmzppcfqzzav.exe . | PID 3100
  C:\Windows\iizqddsmzppcfqzzav.exe | iizqddsmzppcfqzzav.exe . | PID 3488
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\iizqddsmzppcfqzzav.exe*." | PID 2376
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sqfufdqithfqrahf.exe | PID 4600
  C:\Windows\sqfufdqithfqrahf.exe | sqfufdqithfqrahf.exe | PID 4888
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c gibujlcynfhwbozbebce.exe . | PID 2292
  C:\Windows\gibujlcynfhwbozbebce.exe | gibujlcynfhwbozbebce.exe . | PID 5128
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\gibujlcynfhwbozbebce.exe*." | PID 3656
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe | PID 1876
  C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe | C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe | PID 5044
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe . | PID 1304
  C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe | C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe . | PID 2400
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\tumestjesjkycoyzbxx.exe*." | PID 4380
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe | PID 2164
  C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe | C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe | PID 716
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe . | PID 5820
  C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe | C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe . | PID 5988
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\vysmcfxukdgwcqcfjhjmg.exe*." | PID 1928
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tumestjesjkycoyzbxx.exe | PID 5124
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 5212
  C:\Windows\tumestjesjkycoyzbxx.exe | tumestjesjkycoyzbxx.exe | PID 4640
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sqfufdqithfqrahf.exe . | PID 2404
  C:\Windows\sqfufdqithfqrahf.exe | sqfufdqithfqrahf.exe . | PID 5092
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\sqfufdqithfqrahf.exe*." | PID 4572
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sqfufdqithfqrahf.exe | PID 1448
  C:\Windows\sqfufdqithfqrahf.exe | sqfufdqithfqrahf.exe | PID 876
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zyoeqpdwixwikucbb.exe . | PID 2880
  C:\Windows\zyoeqpdwixwikucbb.exe | zyoeqpdwixwikucbb.exe . | PID 5028
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\zyoeqpdwixwikucbb.exe*." | PID 864
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe | PID 564
  C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe | C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe | PID 4864
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe . | PID 3748
  C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe | C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe . | PID 1568
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\gibujlcynfhwbozbebce.exe*." | PID 5324
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exe | PID 5280
  C:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exe | C:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exe | PID 4084
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe . | PID 4976
  C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe | C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe . | PID 432
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\gibujlcynfhwbozbebce.exe*." | PID 548
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sqfufdqithfqrahf.exe | PID 5396
  C:\Windows\sqfufdqithfqrahf.exe | sqfufdqithfqrahf.exe | PID 3572
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c gibujlcynfhwbozbebce.exe . | PID 2952
  C:\Windows\gibujlcynfhwbozbebce.exe | gibujlcynfhwbozbebce.exe . | PID 2388
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\gibujlcynfhwbozbebce.exe*." | PID 908
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sqfufdqithfqrahf.exe | PID 5192
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 380
  C:\Windows\sqfufdqithfqrahf.exe | sqfufdqithfqrahf.exe | PID 1008
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tumestjesjkycoyzbxx.exe . | PID 1088
  C:\Windows\tumestjesjkycoyzbxx.exe | tumestjesjkycoyzbxx.exe . | PID 4756
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\tumestjesjkycoyzbxx.exe*." | PID 5012
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe | PID 2420
  C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe | C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe | PID 4812
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe . | PID 4948
  C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe | C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe . | PID 5544
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\sqfufdqithfqrahf.exe*." | PID 928
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe | PID 5360
  C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe | C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe | PID 2032
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exe . | PID 6020
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 2336
  C:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exe | C:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exe . | PID 5480
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\zyoeqpdwixwikucbb.exe*." | PID 5644
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sqfufdqithfqrahf.exe | PID 4516
  C:\Windows\sqfufdqithfqrahf.exe | sqfufdqithfqrahf.exe | PID 5100
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tumestjesjkycoyzbxx.exe . | PID 3224
  C:\Windows\tumestjesjkycoyzbxx.exe | tumestjesjkycoyzbxx.exe . | PID 1324
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\tumestjesjkycoyzbxx.exe*." | PID 1672
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c gibujlcynfhwbozbebce.exe | PID 2452
  C:\Windows\gibujlcynfhwbozbebce.exe | gibujlcynfhwbozbebce.exe | PID 3392
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tumestjesjkycoyzbxx.exe | PID 4504
  C:\Windows\tumestjesjkycoyzbxx.exe | tumestjesjkycoyzbxx.exe | PID 4452
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sqfufdqithfqrahf.exe | PID 3992
  C:\Windows\sqfufdqithfqrahf.exe | sqfufdqithfqrahf.exe | PID 1636
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tumestjesjkycoyzbxx.exe . | PID 5124
  C:\Windows\tumestjesjkycoyzbxx.exe | tumestjesjkycoyzbxx.exe . | PID 5028
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\tumestjesjkycoyzbxx.exe*." | PID 2352
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c gibujlcynfhwbozbebce.exe . | PID 4964
  C:\Windows\gibujlcynfhwbozbebce.exe | gibujlcynfhwbozbebce.exe . | PID 5704
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\gibujlcynfhwbozbebce.exe*." | PID 5176
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sqfufdqithfqrahf.exe . | PID 5452
  C:\Windows\sqfufdqithfqrahf.exe | sqfufdqithfqrahf.exe . | PID 3964
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\sqfufdqithfqrahf.exe*." | PID 4896
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zyoeqpdwixwikucbb.exe | PID 3096
  C:\Windows\zyoeqpdwixwikucbb.exe | zyoeqpdwixwikucbb.exe | PID 4240
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe | PID 5868
  C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe | C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe | PID 1284
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c gibujlcynfhwbozbebce.exe | PID 4676
  C:\Windows\gibujlcynfhwbozbebce.exe | gibujlcynfhwbozbebce.exe | PID 2496
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c gibujlcynfhwbozbebce.exe . | PID 3720
  C:\Windows\gibujlcynfhwbozbebce.exe | gibujlcynfhwbozbebce.exe . | PID 4520
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\gibujlcynfhwbozbebce.exe*." | PID 752
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe . | PID 564
  C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe | C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe . | PID 3376
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\sqfufdqithfqrahf.exe*." | PID 2348
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c iizqddsmzppcfqzzav.exe . | PID 5632
  C:\Windows\iizqddsmzppcfqzzav.exe | iizqddsmzppcfqzzav.exe . | PID 4812
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\iizqddsmzppcfqzzav.exe*." | PID 5360
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe | PID 1568
  C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe | C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe | PID 5812
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe | PID 5368
  C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe | C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe | PID 908
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe . | PID 5512
  C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe | C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe . | PID 2432
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\iizqddsmzppcfqzzav.exe*." | PID 4844
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe . | PID 1928
  C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe | C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe . | PID 5260
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\iizqddsmzppcfqzzav.exe*." | PID 4800
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe | PID 1632
  C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe | C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe | PID 1984
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe . | PID 2684
  C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe | C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe . | PID 2032
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\iizqddsmzppcfqzzav.exe*." | PID 4352
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe | PID 4868
  C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe | C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe | PID 3788
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe | PID 1108
  C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe | C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe | PID 5480
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe . | PID 2724
  C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe | C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe . | PID 6112
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\iizqddsmzppcfqzzav.exe*." | PID 2236
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe . | PID 3132
  C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe | C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe . | PID 4956
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\iizqddsmzppcfqzzav.exe*." | PID 804
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tumestjesjkycoyzbxx.exe | PID 3200
  C:\Windows\tumestjesjkycoyzbxx.exe | tumestjesjkycoyzbxx.exe | PID 744
C:\Windows\System32\mousocoreworker.exe | C:\Windows\System32\mousocoreworker.exe -Embedding | PID 4048
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c iizqddsmzppcfqzzav.exe . | PID 4564
  C:\Windows\iizqddsmzppcfqzzav.exe | iizqddsmzppcfqzzav.exe . | PID 3328
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\iizqddsmzppcfqzzav.exe*." | PID 4648
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tumestjesjkycoyzbxx.exe | PID 4356
  C:\Windows\tumestjesjkycoyzbxx.exe | tumestjesjkycoyzbxx.exe | PID 432
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tumestjesjkycoyzbxx.exe . | PID 4768
  C:\Windows\tumestjesjkycoyzbxx.exe | tumestjesjkycoyzbxx.exe . | PID 6072
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\tumestjesjkycoyzbxx.exe*." | PID 1780
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe | PID 464
  C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe | C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe | PID 4612
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe . | PID 4912
  C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe | C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe . | PID 1492
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\gibujlcynfhwbozbebce.exe*." | PID 4896
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe | PID 4772
  C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe | C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe | PID 4436
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe . | PID 4616
  C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe | C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe . | PID 4716
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\gibujlcynfhwbozbebce.exe*." | PID 372
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vysmcfxukdgwcqcfjhjmg.exe | PID 4708
  C:\Windows\vysmcfxukdgwcqcfjhjmg.exe | vysmcfxukdgwcqcfjhjmg.exe | PID 3180
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vysmcfxukdgwcqcfjhjmg.exe . | PID 536
  C:\Windows\vysmcfxukdgwcqcfjhjmg.exe | vysmcfxukdgwcqcfjhjmg.exe . | PID 3136
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\vysmcfxukdgwcqcfjhjmg.exe*." | PID 1988
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zyoeqpdwixwikucbb.exe | PID 5260
  C:\Windows\zyoeqpdwixwikucbb.exe | zyoeqpdwixwikucbb.exe | PID 2348
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sqfufdqithfqrahf.exe . | PID 3804
  C:\Windows\sqfufdqithfqrahf.exe | sqfufdqithfqrahf.exe . | PID 1956
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\sqfufdqithfqrahf.exe*." | PID 4604
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe | PID 2900
  C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe | C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe | PID 6044
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exe . | PID 5480
  C:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exe | C:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exe . | PID 4704
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\zyoeqpdwixwikucbb.exe*." | PID 1632
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe | PID 4388
  C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe | C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe | PID 2260
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe . | PID 1320
  C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe | C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe . | PID 6024
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\tumestjesjkycoyzbxx.exe*." | PID 4408
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c gibujlcynfhwbozbebce.exe | PID 1108
  C:\Windows\gibujlcynfhwbozbebce.exe | gibujlcynfhwbozbebce.exe | PID 3724
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tumestjesjkycoyzbxx.exe . | PID 804
  C:\Windows\tumestjesjkycoyzbxx.exe | tumestjesjkycoyzbxx.exe . | PID 2452
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\tumestjesjkycoyzbxx.exe*." | PID 1008
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c iizqddsmzppcfqzzav.exe | PID 4148
  C:\Windows\iizqddsmzppcfqzzav.exe | iizqddsmzppcfqzzav.exe | PID 3580
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tumestjesjkycoyzbxx.exe . | PID 2724
  C:\Windows\tumestjesjkycoyzbxx.exe | tumestjesjkycoyzbxx.exe . | PID 4728
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\tumestjesjkycoyzbxx.exe*." | PID 4836
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe | PID 1824
  C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe | C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe | PID 4460
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe . | PID 4020
  C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe | C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe . | PID 4412
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\vysmcfxukdgwcqcfjhjmg.exe*." | PID 4180
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe | PID 5244
  C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe | C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe | PID 3484
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe . | PID 4672
  C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe | C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe . | PID 1664
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\vysmcfxukdgwcqcfjhjmg.exe*." | PID 2324
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c gibujlcynfhwbozbebce.exe | PID 4896
  C:\Windows\gibujlcynfhwbozbebce.exe | gibujlcynfhwbozbebce.exe | PID 1768
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zyoeqpdwixwikucbb.exe . | PID 5092
  C:\Windows\zyoeqpdwixwikucbb.exe | zyoeqpdwixwikucbb.exe . | PID 4544
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\zyoeqpdwixwikucbb.exe*." | PID 3656
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sqfufdqithfqrahf.exe | PID 2880
  C:\Windows\sqfufdqithfqrahf.exe | sqfufdqithfqrahf.exe | PID 1776
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c iizqddsmzppcfqzzav.exe . | PID 3572
  C:\Windows\iizqddsmzppcfqzzav.exe | iizqddsmzppcfqzzav.exe . | PID 1968
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\iizqddsmzppcfqzzav.exe*." | PID 5000
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe | PID 1372
  C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe | C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe | PID 3180
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe . | PID 4600
  C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe | C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe . | PID 316
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\gibujlcynfhwbozbebce.exe*." | PID 5036
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exe | PID 1064
  C:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exe | C:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exe | PID 716
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe . | PID 5724
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 3660
  C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe | C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe . | PID 3156
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\gibujlcynfhwbozbebce.exe*." | PID 3248
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vysmcfxukdgwcqcfjhjmg.exe | PID 2900
  C:\Windows\vysmcfxukdgwcqcfjhjmg.exe | vysmcfxukdgwcqcfjhjmg.exe | PID 4704
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sqfufdqithfqrahf.exe . | PID 5988
  C:\Windows\sqfufdqithfqrahf.exe | sqfufdqithfqrahf.exe . | PID 5060
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\sqfufdqithfqrahf.exe*." | PID 5208
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sqfufdqithfqrahf.exe | PID 4872
  C:\Windows\sqfufdqithfqrahf.exe | sqfufdqithfqrahf.exe | PID 372
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tumestjesjkycoyzbxx.exe . | PID 5280
  C:\Windows\tumestjesjkycoyzbxx.exe | tumestjesjkycoyzbxx.exe . | PID 1320
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\tumestjesjkycoyzbxx.exe*." | PID 5428
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe | PID 6060
  C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe | C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe | PID 4956
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe . | PID 5440
  C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe | C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe . | PID 3540
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\gibujlcynfhwbozbebce.exe*." | PID 6076
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exe | PID 5624
  C:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exe | C:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exe | PID 5416
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe . | PID 5296
  C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe | C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe . | PID 564
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\tumestjesjkycoyzbxx.exe*." | PID 864
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sqfufdqithfqrahf.exe | PID 4348
  C:\Windows\sqfufdqithfqrahf.exe | sqfufdqithfqrahf.exe | PID 1616
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vysmcfxukdgwcqcfjhjmg.exe . | PID 3564
  C:\Windows\vysmcfxukdgwcqcfjhjmg.exe | vysmcfxukdgwcqcfjhjmg.exe . | PID 5316
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\vysmcfxukdgwcqcfjhjmg.exe*." | PID 5176
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sqfufdqithfqrahf.exe | PID 3484
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 5324
  C:\Windows\sqfufdqithfqrahf.exe | sqfufdqithfqrahf.exe | PID 1692
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c iizqddsmzppcfqzzav.exe . | PID 464
  C:\Windows\iizqddsmzppcfqzzav.exe | iizqddsmzppcfqzzav.exe . | PID 1852
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\iizqddsmzppcfqzzav.exe*." | PID 1100
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe | PID 2284
  C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe | C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe | PID 4116
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe . | PID 4896
  C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe | C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe . | PID 752
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\gibujlcynfhwbozbebce.exe*." | PID 6056
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe | PID 3948
  C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe | C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe | PID 5432
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe . | PID 3100
  C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe | C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe . | PID 1628
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\sqfufdqithfqrahf.exe*." | PID 1892
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zyoeqpdwixwikucbb.exe | PID 3612
  C:\Windows\zyoeqpdwixwikucbb.exe | zyoeqpdwixwikucbb.exe | PID 3620
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c gibujlcynfhwbozbebce.exe . | PID 536
  C:\Windows\gibujlcynfhwbozbebce.exe | gibujlcynfhwbozbebce.exe . | PID 2168
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\gibujlcynfhwbozbebce.exe*." | PID 716
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sqfufdqithfqrahf.exe | PID 3152
  C:\Windows\sqfufdqithfqrahf.exe | sqfufdqithfqrahf.exe | PID 4316
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tumestjesjkycoyzbxx.exe . | PID 2324
  C:\Windows\tumestjesjkycoyzbxx.exe | tumestjesjkycoyzbxx.exe . | PID 376
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\tumestjesjkycoyzbxx.exe*." | PID 2556
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sqfufdqithfqrahf.exe | PID 2164
  C:\Windows\sqfufdqithfqrahf.exe | sqfufdqithfqrahf.exe | PID 5708
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe | PID 5112
  C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe | C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe | PID 4620
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe . | PID 5684
  C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe | C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe . | PID 5512
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\iizqddsmzppcfqzzav.exe*." | PID 804
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c iizqddsmzppcfqzzav.exe . | PID 1504
  C:\Windows\iizqddsmzppcfqzzav.exe | iizqddsmzppcfqzzav.exe . | PID 4384
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\iizqddsmzppcfqzzav.exe*." | PID 4728
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c iizqddsmzppcfqzzav.exe | PID 5032
  C:\Windows\iizqddsmzppcfqzzav.exe | iizqddsmzppcfqzzav.exe | PID 3216
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c gibujlcynfhwbozbebce.exe | PID 5100
  C:\Windows\gibujlcynfhwbozbebce.exe | gibujlcynfhwbozbebce.exe | PID 5552
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sqfufdqithfqrahf.exe . | PID 5752
  C:\Windows\sqfufdqithfqrahf.exe | sqfufdqithfqrahf.exe . | PID 4412
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\sqfufdqithfqrahf.exe*." | PID 4808
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe | PID 4860
  C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe | C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe | PID 4348
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zyoeqpdwixwikucbb.exe . | PID 2596
  C:\Windows\zyoeqpdwixwikucbb.exe | zyoeqpdwixwikucbb.exe . | PID 4984
    C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\zyoeqpdwixwikucbb.exe*." | PID 4640
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe . | PID 2776
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 4868
  C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe | C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe . | PID 2088
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\sqfufdqithfqrahf.exe*."3⤵PID:1088
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe1⤵PID:4036
-
C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exeC:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe2⤵PID:4536
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gibujlcynfhwbozbebce.exe1⤵PID:3540
-
C:\Windows\gibujlcynfhwbozbebce.exegibujlcynfhwbozbebce.exe2⤵PID:4256
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe .1⤵PID:2236
-
C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exeC:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe .2⤵PID:4488
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\iizqddsmzppcfqzzav.exe*."3⤵PID:4500
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iizqddsmzppcfqzzav.exe .1⤵PID:5948
-
C:\Windows\iizqddsmzppcfqzzav.exeiizqddsmzppcfqzzav.exe .2⤵PID:4964
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\iizqddsmzppcfqzzav.exe*."3⤵PID:5688
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe1⤵PID:4656
-
C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exeC:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe2⤵PID:3036
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe .1⤵PID:4852
-
C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exeC:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe .2⤵PID:5836
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\gibujlcynfhwbozbebce.exe*."3⤵PID:2612
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe1⤵PID:3584
-
C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exeC:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe2⤵PID:264
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe .1⤵PID:4556
-
C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exeC:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe .2⤵PID:4380
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\vysmcfxukdgwcqcfjhjmg.exe*."3⤵PID:384
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe1⤵PID:3964
-
C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exeC:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe2⤵PID:2600
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe .1⤵PID:3516
-
C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exeC:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe .2⤵PID:5368
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\tumestjesjkycoyzbxx.exe*."3⤵PID:4900
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tumestjesjkycoyzbxx.exe1⤵PID:1852
-
C:\Windows\tumestjesjkycoyzbxx.exetumestjesjkycoyzbxx.exe2⤵PID:1284
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iizqddsmzppcfqzzav.exe .1⤵PID:4772
-
C:\Windows\iizqddsmzppcfqzzav.exeiizqddsmzppcfqzzav.exe .2⤵PID:3612
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\iizqddsmzppcfqzzav.exe*."3⤵PID:3088
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zyoeqpdwixwikucbb.exe1⤵PID:996
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2880
-
-
C:\Windows\zyoeqpdwixwikucbb.exezyoeqpdwixwikucbb.exe2⤵PID:1044
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zyoeqpdwixwikucbb.exe .1⤵PID:4888
-
C:\Windows\zyoeqpdwixwikucbb.exezyoeqpdwixwikucbb.exe .2⤵PID:5232
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\zyoeqpdwixwikucbb.exe*."3⤵PID:5128
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe1⤵PID:5160
-
C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exeC:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe2⤵PID:3940
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe .1⤵PID:1548
-
C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exeC:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe .2⤵PID:2432
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\vysmcfxukdgwcqcfjhjmg.exe*."3⤵PID:2192
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe1⤵PID:4876
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1612
-
-
C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exeC:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe2⤵PID:1108
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exe .1⤵PID:3216
-
C:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exeC:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exe .2⤵PID:5968
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\zyoeqpdwixwikucbb.exe*."3⤵PID:2308
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tumestjesjkycoyzbxx.exe1⤵PID:4188
-
C:\Windows\tumestjesjkycoyzbxx.exetumestjesjkycoyzbxx.exe2⤵PID:2900
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sqfufdqithfqrahf.exe .1⤵PID:5388
-
C:\Windows\sqfufdqithfqrahf.exesqfufdqithfqrahf.exe .2⤵PID:4956
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\sqfufdqithfqrahf.exe*."3⤵PID:752
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gibujlcynfhwbozbebce.exe1⤵PID:2540
-
C:\Windows\gibujlcynfhwbozbebce.exegibujlcynfhwbozbebce.exe2⤵PID:4152
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sqfufdqithfqrahf.exe .1⤵PID:5092
-
C:\Windows\sqfufdqithfqrahf.exesqfufdqithfqrahf.exe .2⤵PID:3392
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\sqfufdqithfqrahf.exe*."3⤵PID:4488
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe1⤵PID:5492
-
C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exeC:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe2⤵PID:4576
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe .1⤵PID:876
-
C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exeC:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe .2⤵PID:1268
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\vysmcfxukdgwcqcfjhjmg.exe*."3⤵PID:4636
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe1⤵PID:4640
-
C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exeC:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe2⤵PID:3588
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe .1⤵PID:5912
-
C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exeC:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe .2⤵PID:4988
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\vysmcfxukdgwcqcfjhjmg.exe*."3⤵PID:2600
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sqfufdqithfqrahf.exe1⤵PID:2236
-
C:\Windows\sqfufdqithfqrahf.exesqfufdqithfqrahf.exe2⤵PID:1796
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sqfufdqithfqrahf.exe .1⤵PID:4148
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3136
-
-
C:\Windows\sqfufdqithfqrahf.exesqfufdqithfqrahf.exe .2⤵PID:4600
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\sqfufdqithfqrahf.exe*."3⤵PID:5948
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tumestjesjkycoyzbxx.exe1⤵PID:2708
-
C:\Windows\tumestjesjkycoyzbxx.exetumestjesjkycoyzbxx.exe2⤵PID:3144
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zyoeqpdwixwikucbb.exe .1⤵PID:4656
-
C:\Windows\zyoeqpdwixwikucbb.exezyoeqpdwixwikucbb.exe .2⤵PID:4852
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\zyoeqpdwixwikucbb.exe*."3⤵PID:5868
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe1⤵PID:6020
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3940
-
-
C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exeC:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe2⤵PID:4780
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe .1⤵PID:4204
-
C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exeC:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe .2⤵PID:4652
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\vysmcfxukdgwcqcfjhjmg.exe*."3⤵PID:4896
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe1⤵PID:4316
-
C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exeC:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe2⤵PID:4712
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exe .1⤵PID:2404
-
C:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exeC:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exe .2⤵PID:4968
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\zyoeqpdwixwikucbb.exe*."3⤵PID:3100
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tumestjesjkycoyzbxx.exe1⤵PID:6056
-
C:\Windows\tumestjesjkycoyzbxx.exetumestjesjkycoyzbxx.exe2⤵PID:6116
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tumestjesjkycoyzbxx.exe .1⤵PID:4520
-
C:\Windows\tumestjesjkycoyzbxx.exetumestjesjkycoyzbxx.exe .2⤵PID:5832
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\tumestjesjkycoyzbxx.exe*."3⤵PID:2352
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gibujlcynfhwbozbebce.exe1⤵PID:5204
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1108
-
-
C:\Windows\gibujlcynfhwbozbebce.exegibujlcynfhwbozbebce.exe2⤵PID:5764
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sqfufdqithfqrahf.exe .1⤵PID:4844
-
C:\Windows\sqfufdqithfqrahf.exesqfufdqithfqrahf.exe .2⤵PID:1644
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\sqfufdqithfqrahf.exe*."3⤵PID:3168
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe1⤵PID:5156
-
C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exeC:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe2⤵PID:5684
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exe .1⤵PID:2160
-
C:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exeC:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exe .2⤵PID:4348
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\zyoeqpdwixwikucbb.exe*."3⤵PID:5320
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exe1⤵PID:1532
-
C:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exeC:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exe2⤵PID:3076
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe .1⤵PID:1960
-
C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exeC:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe .2⤵PID:1692
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\iizqddsmzppcfqzzav.exe*."3⤵PID:5596
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vysmcfxukdgwcqcfjhjmg.exe1⤵PID:5484
-
C:\Windows\vysmcfxukdgwcqcfjhjmg.exevysmcfxukdgwcqcfjhjmg.exe2⤵PID:5092
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sqfufdqithfqrahf.exe .1⤵PID:5916
-
C:\Windows\sqfufdqithfqrahf.exesqfufdqithfqrahf.exe .2⤵PID:5856
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\sqfufdqithfqrahf.exe*."3⤵PID:212
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iizqddsmzppcfqzzav.exe1⤵PID:4036
-
C:\Windows\iizqddsmzppcfqzzav.exeiizqddsmzppcfqzzav.exe2⤵PID:4640
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gibujlcynfhwbozbebce.exe .1⤵PID:2452
-
C:\Windows\gibujlcynfhwbozbebce.exegibujlcynfhwbozbebce.exe .2⤵PID:4944
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\gibujlcynfhwbozbebce.exe*."3⤵PID:4268
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe1⤵PID:2984
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3604
-
-
C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exeC:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe2⤵PID:6024
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe .1⤵PID:6112
-
C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exeC:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe .2⤵PID:1540
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\vysmcfxukdgwcqcfjhjmg.exe*."3⤵PID:5820
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe1⤵PID:2952
-
C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exeC:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe2⤵PID:5816
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe .1⤵PID:3064
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2612
-
-
C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exeC:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe .2⤵PID:1824
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\vysmcfxukdgwcqcfjhjmg.exe*."3⤵PID:5960
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sqfufdqithfqrahf.exe1⤵PID:5104
-
C:\Windows\sqfufdqithfqrahf.exesqfufdqithfqrahf.exe2⤵PID:4508
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tumestjesjkycoyzbxx.exe .1⤵PID:4656
-
C:\Windows\tumestjesjkycoyzbxx.exetumestjesjkycoyzbxx.exe .2⤵PID:4900
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\tumestjesjkycoyzbxx.exe*."3⤵PID:928
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sqfufdqithfqrahf.exe1⤵PID:3720
-
C:\Windows\sqfufdqithfqrahf.exesqfufdqithfqrahf.exe2⤵PID:4744
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iizqddsmzppcfqzzav.exe .1⤵PID:4316
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3244
-
-
C:\Windows\iizqddsmzppcfqzzav.exeiizqddsmzppcfqzzav.exe .2⤵PID:4284
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\iizqddsmzppcfqzzav.exe*."3⤵PID:688
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe1⤵PID:2064
-
C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exeC:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe2⤵PID:908
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exe .1⤵PID:4080
-
C:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exeC:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exe .2⤵PID:5512
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\zyoeqpdwixwikucbb.exe*."3⤵PID:5232
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe1⤵PID:5148
-
C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exeC:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe2⤵PID:3520
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe .1⤵PID:536
-
C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exeC:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe .2⤵PID:960
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\tumestjesjkycoyzbxx.exe*."3⤵PID:5008
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tumestjesjkycoyzbxx.exe1⤵PID:2900
-
C:\Windows\tumestjesjkycoyzbxx.exetumestjesjkycoyzbxx.exe2⤵PID:3208
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tumestjesjkycoyzbxx.exe1⤵PID:5924
-
C:\Windows\tumestjesjkycoyzbxx.exetumestjesjkycoyzbxx.exe2⤵PID:4632
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gibujlcynfhwbozbebce.exe .1⤵PID:4188
-
C:\Windows\gibujlcynfhwbozbebce.exegibujlcynfhwbozbebce.exe .2⤵PID:5080
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\gibujlcynfhwbozbebce.exe*."3⤵PID:4256
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zyoeqpdwixwikucbb.exe .1⤵PID:5320
-
C:\Windows\zyoeqpdwixwikucbb.exezyoeqpdwixwikucbb.exe .2⤵PID:5996
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\zyoeqpdwixwikucbb.exe*."3⤵PID:3012
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iizqddsmzppcfqzzav.exe1⤵PID:5988
-
C:\Windows\iizqddsmzppcfqzzav.exeiizqddsmzppcfqzzav.exe2⤵PID:2684
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gibujlcynfhwbozbebce.exe1⤵PID:5412
-
C:\Windows\gibujlcynfhwbozbebce.exegibujlcynfhwbozbebce.exe2⤵PID:3864
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tumestjesjkycoyzbxx.exe .1⤵PID:1960
-
C:\Windows\tumestjesjkycoyzbxx.exetumestjesjkycoyzbxx.exe .2⤵PID:2916
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\tumestjesjkycoyzbxx.exe*."3⤵PID:3260
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sqfufdqithfqrahf.exe1⤵PID:4272
-
C:\Windows\sqfufdqithfqrahf.exesqfufdqithfqrahf.exe2⤵PID:640
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vysmcfxukdgwcqcfjhjmg.exe .1⤵PID:4976
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5012
-
-
C:\Windows\vysmcfxukdgwcqcfjhjmg.exevysmcfxukdgwcqcfjhjmg.exe .2⤵PID:1452
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\vysmcfxukdgwcqcfjhjmg.exe*."3⤵PID:1768
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exe1⤵PID:5192
-
C:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exeC:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exe2⤵PID:1808
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iizqddsmzppcfqzzav.exe .1⤵PID:4116
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5124
-
-
C:\Windows\iizqddsmzppcfqzzav.exeiizqddsmzppcfqzzav.exe .2⤵PID:5224
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\iizqddsmzppcfqzzav.exe*."3⤵PID:5260
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe .1⤵PID:2832
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1304
-
-
C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exeC:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe .2⤵PID:4852
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\vysmcfxukdgwcqcfjhjmg.exe*."3⤵PID:2032
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe1⤵PID:4964
-
C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exeC:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe2⤵PID:2444
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sqfufdqithfqrahf.exe1⤵PID:3032
-
C:\Windows\sqfufdqithfqrahf.exesqfufdqithfqrahf.exe2⤵PID:5432
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe .1⤵PID:3236
-
C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exeC:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe .2⤵PID:4452
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\iizqddsmzppcfqzzav.exe*."3⤵PID:4948
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gibujlcynfhwbozbebce.exe .1⤵PID:2176
-
C:\Windows\gibujlcynfhwbozbebce.exegibujlcynfhwbozbebce.exe .2⤵PID:688
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\gibujlcynfhwbozbebce.exe*."3⤵PID:6012
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe1⤵PID:5820
-
C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exeC:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe2⤵PID:5036
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe1⤵PID:1312
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1164
-
-
C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exeC:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe2⤵PID:5384
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe .1⤵PID:1628
-
C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exeC:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe .2⤵PID:3724
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\iizqddsmzppcfqzzav.exe*."3⤵PID:4180
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exe1⤵PID:5852
-
C:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exeC:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exe2⤵PID:5468
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe .1⤵PID:3136
-
C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exeC:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe .2⤵PID:5276
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\sqfufdqithfqrahf.exe*."3⤵PID:5764
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe .1⤵PID:2724
-
C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exeC:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe .2⤵PID:4968
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\gibujlcynfhwbozbebce.exe*."3⤵PID:4408
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe1⤵PID:5396
-
C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exeC:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe2⤵PID:4836
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exe .1⤵PID:1852
-
C:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exeC:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exe .2⤵PID:1420
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\zyoeqpdwixwikucbb.exe*."3⤵PID:1128
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iizqddsmzppcfqzzav.exe1⤵PID:4660
-
C:\Windows\iizqddsmzppcfqzzav.exeiizqddsmzppcfqzzav.exe2⤵PID:5684
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zyoeqpdwixwikucbb.exe .1⤵PID:6136
-
C:\Windows\zyoeqpdwixwikucbb.exezyoeqpdwixwikucbb.exe .2⤵PID:4704
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\zyoeqpdwixwikucbb.exe*."3⤵PID:5848
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tumestjesjkycoyzbxx.exe1⤵PID:2900
-
C:\Windows\tumestjesjkycoyzbxx.exetumestjesjkycoyzbxx.exe2⤵PID:4152
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gibujlcynfhwbozbebce.exe .1⤵PID:2332
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1272
-
-
C:\Windows\gibujlcynfhwbozbebce.exegibujlcynfhwbozbebce.exe .2⤵PID:3992
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\gibujlcynfhwbozbebce.exe*."3⤵PID:1692
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe1⤵PID:3524
-
C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exeC:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe2⤵PID:1832
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe .1⤵PID:3392
-
C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exeC:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe .2⤵PID:3012
-
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\vysmcfxukdgwcqcfjhjmg.exe*."3⤵PID:5584
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe1⤵PID:3292
-
C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exeC:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe2⤵PID:1284
-
-
PID 3484 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe .
  PID 808 | C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe | C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe .
    PID 1456 | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\iizqddsmzppcfqzzav.exe*."

PID 1984 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zyoeqpdwixwikucbb.exe
  PID 5208 | C:\Windows\zyoeqpdwixwikucbb.exe | zyoeqpdwixwikucbb.exe

PID 3376 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sqfufdqithfqrahf.exe .
  PID 4476 | C:\Windows\sqfufdqithfqrahf.exe | sqfufdqithfqrahf.exe .
    PID 3756 | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\sqfufdqithfqrahf.exe*."

PID 3572 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vysmcfxukdgwcqcfjhjmg.exe
  PID 5800 | C:\Windows\vysmcfxukdgwcqcfjhjmg.exe | vysmcfxukdgwcqcfjhjmg.exe

PID 2292 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vysmcfxukdgwcqcfjhjmg.exe .
  PID 1788 | C:\Windows\vysmcfxukdgwcqcfjhjmg.exe | vysmcfxukdgwcqcfjhjmg.exe .
    PID 2100 | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\vysmcfxukdgwcqcfjhjmg.exe*."

PID 4080 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe
  PID 1444 | C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe | C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe

PID 5688 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe .
  PID 1560 | C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe | C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe .
    PID 3576 | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\vysmcfxukdgwcqcfjhjmg.exe*."

PID 4424 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe
  PID 1312 | C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe | C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe

PID 4384 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe .
  PID 3620 | C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe | C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe .
    PID 4776 | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\vysmcfxukdgwcqcfjhjmg.exe*."

PID 5740 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vysmcfxukdgwcqcfjhjmg.exe
  PID 5276 | C:\Windows\vysmcfxukdgwcqcfjhjmg.exe | vysmcfxukdgwcqcfjhjmg.exe

PID 3132 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c gibujlcynfhwbozbebce.exe .
  PID 4692 | C:\Windows\gibujlcynfhwbozbebce.exe | gibujlcynfhwbozbebce.exe .
    PID 3248 | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\gibujlcynfhwbozbebce.exe*."

PID 3724 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c iizqddsmzppcfqzzav.exe
  PID 4180 | C:\Windows\iizqddsmzppcfqzzav.exe | iizqddsmzppcfqzzav.exe

PID 1772 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tumestjesjkycoyzbxx.exe .
  PID 5968 | C:\Windows\tumestjesjkycoyzbxx.exe | tumestjesjkycoyzbxx.exe .
    PID 1628 | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\tumestjesjkycoyzbxx.exe*."

PID 4716 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe
  PID 6072 | C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe | C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe

PID 4816 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe .
  PID 4772 | C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe | C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe .
    PID 4536 | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\sqfufdqithfqrahf.exe*."

PID 2324 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe
  PID 5892 | C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe | C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe

PID 5724 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe .
  PID 2432 | C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe | C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe .
    PID 4572 | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\gibujlcynfhwbozbebce.exe*."

PID 4540 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c gibujlcynfhwbozbebce.exe
  PID 2332 | C:\Windows\gibujlcynfhwbozbebce.exe | gibujlcynfhwbozbebce.exe

PID 4256 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sqfufdqithfqrahf.exe .
  PID 5412 | C:\Windows\sqfufdqithfqrahf.exe | sqfufdqithfqrahf.exe .
    PID 4640 | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\sqfufdqithfqrahf.exe*."

PID 2452 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vysmcfxukdgwcqcfjhjmg.exe
  PID 916 | C:\Windows\vysmcfxukdgwcqcfjhjmg.exe | vysmcfxukdgwcqcfjhjmg.exe

PID 5408 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tumestjesjkycoyzbxx.exe .
  PID 1724 | C:\Windows\tumestjesjkycoyzbxx.exe | tumestjesjkycoyzbxx.exe .
    PID 4652 | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\tumestjesjkycoyzbxx.exe*."

PID 4616 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe
  PID 5704 | C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe | C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe

PID 3584 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe .
  PID 2444 | C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe | C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe .
    PID 2404 | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\tumestjesjkycoyzbxx.exe*."

PID 4992 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe
  PID 264 | C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe | C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe

PID 4452 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe .
  PID 4036 | C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe | C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe .
    PID 2884 | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\vysmcfxukdgwcqcfjhjmg.exe*."

PID 3032 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vysmcfxukdgwcqcfjhjmg.exe
  PID 4352 | C:\Windows\vysmcfxukdgwcqcfjhjmg.exe | vysmcfxukdgwcqcfjhjmg.exe

PID 4612 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sqfufdqithfqrahf.exe .
  PID 5868 | C:\Windows\sqfufdqithfqrahf.exe | sqfufdqithfqrahf.exe .
    PID 2588 | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\sqfufdqithfqrahf.exe*."

PID 1960 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c gibujlcynfhwbozbebce.exe
  PID 2832 | C:\Windows\gibujlcynfhwbozbebce.exe | gibujlcynfhwbozbebce.exe

PID 5484 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zyoeqpdwixwikucbb.exe .
  PID 3144 | C:\Windows\zyoeqpdwixwikucbb.exe | zyoeqpdwixwikucbb.exe .
    PID 5852 | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\zyoeqpdwixwikucbb.exe*."

PID 4840 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe
  PID 4424 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  PID 720 | C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe | C:\Users\Admin\AppData\Local\Temp\sqfufdqithfqrahf.exe

PID 1164 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe .
  PID 3064 | C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe | C:\Users\Admin\AppData\Local\Temp\tumestjesjkycoyzbxx.exe .
    PID 6012 | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\tumestjesjkycoyzbxx.exe*."

PID 5960 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe
  PID 4692 | C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe | C:\Users\Admin\AppData\Local\Temp\gibujlcynfhwbozbebce.exe

PID 4192 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exe .
  PID 2560 | C:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exe | C:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exe .
    PID 4508 | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\zyoeqpdwixwikucbb.exe*."

PID 5948 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tumestjesjkycoyzbxx.exe
  PID 5624 | C:\Windows\tumestjesjkycoyzbxx.exe | tumestjesjkycoyzbxx.exe

PID 5440 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c iizqddsmzppcfqzzav.exe .
  PID 5160 | C:\Windows\iizqddsmzppcfqzzav.exe | iizqddsmzppcfqzzav.exe .
    PID 4204 | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\iizqddsmzppcfqzzav.exe*."

PID 5144 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vysmcfxukdgwcqcfjhjmg.exe
  PID 4728 | C:\Windows\vysmcfxukdgwcqcfjhjmg.exe | vysmcfxukdgwcqcfjhjmg.exe

PID 5652 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tumestjesjkycoyzbxx.exe .
  PID 4824 | C:\Windows\tumestjesjkycoyzbxx.exe | tumestjesjkycoyzbxx.exe .
    PID 2380 | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\tumestjesjkycoyzbxx.exe*."

PID 5984 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe
  PID 4776 | C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe | C:\Users\Admin\AppData\Local\Temp\iizqddsmzppcfqzzav.exe

PID 3140 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe .
  PID 1252 | C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe | C:\Users\Admin\AppData\Local\Temp\vysmcfxukdgwcqcfjhjmg.exe .
    PID 5508 | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\vysmcfxukdgwcqcfjhjmg.exe*."

PID 3748 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exe
  PID 5900 | C:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exe | C:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exe

PID 5680 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exe .
  PID 5916 | C:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exe | C:\Users\Admin\AppData\Local\Temp\zyoeqpdwixwikucbb.exe .
    PID 1284 | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | "C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\zyoeqpdwixwikucbb.exe*."

PID 4348 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tumestjesjkycoyzbxx.exe
  PID 2452 | C:\Windows\tumestjesjkycoyzbxx.exe | tumestjesjkycoyzbxx.exe

PID 5704 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c gibujlcynfhwbozbebce.exe .
  PID 4484 | C:\Windows\gibujlcynfhwbozbebce.exe | gibujlcynfhwbozbebce.exe .

PID 5268 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vysmcfxukdgwcqcfjhjmg.exe
  PID 808 | C:\Windows\vysmcfxukdgwcqcfjhjmg.exe | vysmcfxukdgwcqcfjhjmg.exe

PID 3860 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tumestjesjkycoyzbxx.exe

PID 2444 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vysmcfxukdgwcqcfjhjmg.exe .

PID 2408 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c gibujlcynfhwbozbebce.exe
Network
MITRE ATT&CK Enterprise v16
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
  Impair Defenses (2)
    Disable or Modify Tools (1)
    Safe Mode Boot (1)
  Modify Registry (5)
Downloads