pykspa | 1245110ba2ca69fa0e47a45237891925276be818ea7e0bb1a1ed92f4a610b004

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	jquhkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	jquhkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe

Pykspa
Pykspa is a worm spreads via Skype uses DGA and it's written in C++.
worm pykspa
Pykspa family
pykspa

UAC bypass 3 TTPs 31 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	jquhkn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	jquhkn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	jquhkn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	jquhkn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	jquhkn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jquhkn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	jquhkn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jquhkn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe

Detect Pykspa worm 2 IoCs

worm

resource	yara_rule
behavioral2/files/0x000c00000002333a-4.dat	family_pykspa
behavioral2/files/0x000b000000024061-85.dat	family_pykspa

Adds policy Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qcldltiufjs = "jewxofdysfxsmffoqdfa.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\luapuzlu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yunphzyupdwsnhisvjmib.exe"	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	jquhkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\luapuzlu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cujhvjewnxmevlion.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\luapuzlu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jewxofdysfxsmffoqdfa.exe"	jquhkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qcldltiufjs = "vmaxkxriyhvmcrns.exe"	jquhkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\luapuzlu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wqhhxnkexjaunfemnza.exe"	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qcldltiufjs = "leutixtmepfyqhfmmx.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qcldltiufjs = "wqhhxnkexjaunfemnza.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\luapuzlu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wqhhxnkexjaunfemnza.exe"	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qcldltiufjs = "yunphzyupdwsnhisvjmib.exe"	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qcldltiufjs = "wqhhxnkexjaunfemnza.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qcldltiufjs = "leutixtmepfyqhfmmx.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\luapuzlu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yunphzyupdwsnhisvjmib.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\luapuzlu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yunphzyupdwsnhisvjmib.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\luapuzlu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cujhvjewnxmevlion.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qcldltiufjs = "yunphzyupdwsnhisvjmib.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qcldltiufjs = "leutixtmepfyqhfmmx.exe"	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\luapuzlu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cujhvjewnxmevlion.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qcldltiufjs = "jewxofdysfxsmffoqdfa.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qcldltiufjs = "jewxofdysfxsmffoqdfa.exe"	jquhkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\luapuzlu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cujhvjewnxmevlion.exe"	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\luapuzlu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yunphzyupdwsnhisvjmib.exe"	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	jquhkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\luapuzlu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vmaxkxriyhvmcrns.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\luapuzlu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wqhhxnkexjaunfemnza.exe"	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\luapuzlu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yunphzyupdwsnhisvjmib.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\luapuzlu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\leutixtmepfyqhfmmx.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\luapuzlu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jewxofdysfxsmffoqdfa.exe"	jquhkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\luapuzlu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cujhvjewnxmevlion.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\luapuzlu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vmaxkxriyhvmcrns.exe"	jquhkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qcldltiufjs = "wqhhxnkexjaunfemnza.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\luapuzlu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jewxofdysfxsmffoqdfa.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\luapuzlu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wqhhxnkexjaunfemnza.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\luapuzlu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\leutixtmepfyqhfmmx.exe"	jquhkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\luapuzlu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cujhvjewnxmevlion.exe"	jquhkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qcldltiufjs = "leutixtmepfyqhfmmx.exe"	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qcldltiufjs = "wqhhxnkexjaunfemnza.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qcldltiufjs = "cujhvjewnxmevlion.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qcldltiufjs = "yunphzyupdwsnhisvjmib.exe"	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qcldltiufjs = "yunphzyupdwsnhisvjmib.exe"	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qcldltiufjs = "vmaxkxriyhvmcrns.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qcldltiufjs = "vmaxkxriyhvmcrns.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qcldltiufjs = "wqhhxnkexjaunfemnza.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qcldltiufjs = "yunphzyupdwsnhisvjmib.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\luapuzlu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vmaxkxriyhvmcrns.exe"	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	myjtkkdhwit.exe

Disables RegEdit via registry modification 6 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	jquhkn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	jquhkn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	jquhkn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	jquhkn.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	leutixtmepfyqhfmmx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	cujhvjewnxmevlion.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	jewxofdysfxsmffoqdfa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	wqhhxnkexjaunfemnza.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	yunphzyupdwsnhisvjmib.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	leutixtmepfyqhfmmx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	vmaxkxriyhvmcrns.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	cujhvjewnxmevlion.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	cujhvjewnxmevlion.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	cujhvjewnxmevlion.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	leutixtmepfyqhfmmx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	leutixtmepfyqhfmmx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	wqhhxnkexjaunfemnza.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	cujhvjewnxmevlion.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	vmaxkxriyhvmcrns.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	leutixtmepfyqhfmmx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	yunphzyupdwsnhisvjmib.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	wqhhxnkexjaunfemnza.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	myjtkkdhwit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	wqhhxnkexjaunfemnza.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	wqhhxnkexjaunfemnza.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	cujhvjewnxmevlion.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	cujhvjewnxmevlion.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	vmaxkxriyhvmcrns.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	leutixtmepfyqhfmmx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	leutixtmepfyqhfmmx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	yunphzyupdwsnhisvjmib.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	yunphzyupdwsnhisvjmib.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	leutixtmepfyqhfmmx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	yunphzyupdwsnhisvjmib.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	leutixtmepfyqhfmmx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	vmaxkxriyhvmcrns.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	wqhhxnkexjaunfemnza.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	wqhhxnkexjaunfemnza.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	leutixtmepfyqhfmmx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	leutixtmepfyqhfmmx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	wqhhxnkexjaunfemnza.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	jewxofdysfxsmffoqdfa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	jewxofdysfxsmffoqdfa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	wqhhxnkexjaunfemnza.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	jewxofdysfxsmffoqdfa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	leutixtmepfyqhfmmx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	wqhhxnkexjaunfemnza.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	cujhvjewnxmevlion.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	yunphzyupdwsnhisvjmib.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	cujhvjewnxmevlion.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	wqhhxnkexjaunfemnza.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	jewxofdysfxsmffoqdfa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	wqhhxnkexjaunfemnza.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	vmaxkxriyhvmcrns.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	leutixtmepfyqhfmmx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	cujhvjewnxmevlion.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	leutixtmepfyqhfmmx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	jewxofdysfxsmffoqdfa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	vmaxkxriyhvmcrns.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	vmaxkxriyhvmcrns.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	jewxofdysfxsmffoqdfa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	yunphzyupdwsnhisvjmib.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	wqhhxnkexjaunfemnza.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	vmaxkxriyhvmcrns.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	wqhhxnkexjaunfemnza.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	cujhvjewnxmevlion.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	jewxofdysfxsmffoqdfa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe

Executes dropped EXE 64 IoCs

pid	Process
5188	myjtkkdhwit.exe
3992	cujhvjewnxmevlion.exe
5864	leutixtmepfyqhfmmx.exe
4924	myjtkkdhwit.exe
4992	cujhvjewnxmevlion.exe
4832	cujhvjewnxmevlion.exe
1148	yunphzyupdwsnhisvjmib.exe
1324	myjtkkdhwit.exe
5912	cujhvjewnxmevlion.exe
1916	myjtkkdhwit.exe
1444	jewxofdysfxsmffoqdfa.exe
1532	wqhhxnkexjaunfemnza.exe
2312	myjtkkdhwit.exe
6100	jquhkn.exe
3360	jquhkn.exe
220	vmaxkxriyhvmcrns.exe
32	jewxofdysfxsmffoqdfa.exe
1020	jewxofdysfxsmffoqdfa.exe
1836	wqhhxnkexjaunfemnza.exe
4408	myjtkkdhwit.exe
5196	cujhvjewnxmevlion.exe
5192	myjtkkdhwit.exe
4496	jewxofdysfxsmffoqdfa.exe
4948	jewxofdysfxsmffoqdfa.exe
4980	yunphzyupdwsnhisvjmib.exe
4972	jewxofdysfxsmffoqdfa.exe
416	vmaxkxriyhvmcrns.exe
2288	wqhhxnkexjaunfemnza.exe
5116	wqhhxnkexjaunfemnza.exe
1308	myjtkkdhwit.exe
2856	myjtkkdhwit.exe
2676	myjtkkdhwit.exe
6140	yunphzyupdwsnhisvjmib.exe
5088	myjtkkdhwit.exe
1860	leutixtmepfyqhfmmx.exe
4028	vmaxkxriyhvmcrns.exe
5004	cujhvjewnxmevlion.exe
6108	jewxofdysfxsmffoqdfa.exe
5484	vmaxkxriyhvmcrns.exe
4552	myjtkkdhwit.exe
6064	vmaxkxriyhvmcrns.exe
4712	myjtkkdhwit.exe
5744	myjtkkdhwit.exe
1972	leutixtmepfyqhfmmx.exe
5824	wqhhxnkexjaunfemnza.exe
5092	yunphzyupdwsnhisvjmib.exe
1036	myjtkkdhwit.exe
884	myjtkkdhwit.exe
6112	jewxofdysfxsmffoqdfa.exe
4472	wqhhxnkexjaunfemnza.exe
5100	myjtkkdhwit.exe
4768	jewxofdysfxsmffoqdfa.exe
2028	wqhhxnkexjaunfemnza.exe
5260	myjtkkdhwit.exe
4120	jewxofdysfxsmffoqdfa.exe
5336	yunphzyupdwsnhisvjmib.exe
5640	wqhhxnkexjaunfemnza.exe
5572	myjtkkdhwit.exe
1380	wqhhxnkexjaunfemnza.exe
6084	jewxofdysfxsmffoqdfa.exe
5860	leutixtmepfyqhfmmx.exe
6108	myjtkkdhwit.exe
4868	vmaxkxriyhvmcrns.exe
5388	leutixtmepfyqhfmmx.exe

Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	jquhkn.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	jquhkn.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	jquhkn.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	jquhkn.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	jquhkn.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	jquhkn.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

defense_evasion persistence privilege_escalation

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vgofmthscf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wqhhxnkexjaunfemnza.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vgofmthscf = "wqhhxnkexjaunfemnza.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vgofmthscf = "leutixtmepfyqhfmmx.exe ."	jquhkn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\malfpzqerxiwj = "vmaxkxriyhvmcrns.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ncojufxmahtiwj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jewxofdysfxsmffoqdfa.exe ."	jquhkn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nakdmvlykpzm = "vmaxkxriyhvmcrns.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vgofmthscf = "vmaxkxriyhvmcrns.exe ."	jquhkn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vgofmthscf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cujhvjewnxmevlion.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\malfpzqerxiwj = "yunphzyupdwsnhisvjmib.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qgtpbngwltgwlzu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yunphzyupdwsnhisvjmib.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ncojufxmahtiwj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cujhvjewnxmevlion.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vgofmthscf = "yunphzyupdwsnhisvjmib.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qgtpbngwltgwlzu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vmaxkxriyhvmcrns.exe"	jquhkn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nakdmvlykpzm = "leutixtmepfyqhfmmx.exe"	jquhkn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmtjpvisb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jewxofdysfxsmffoqdfa.exe"	jquhkn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vgofmthscf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jewxofdysfxsmffoqdfa.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmtjpvisb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vmaxkxriyhvmcrns.exe"	jquhkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qgtpbngwltgwlzu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\leutixtmepfyqhfmmx.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vgofmthscf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vmaxkxriyhvmcrns.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nakdmvlykpzm = "wqhhxnkexjaunfemnza.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cmtjpvisb = "jewxofdysfxsmffoqdfa.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmtjpvisb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wqhhxnkexjaunfemnza.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vgofmthscf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yunphzyupdwsnhisvjmib.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ncojufxmahtiwj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\leutixtmepfyqhfmmx.exe ."	jquhkn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vgofmthscf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jewxofdysfxsmffoqdfa.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vgofmthscf = "vmaxkxriyhvmcrns.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nakdmvlykpzm = "wqhhxnkexjaunfemnza.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qgtpbngwltgwlzu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yunphzyupdwsnhisvjmib.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qgtpbngwltgwlzu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wqhhxnkexjaunfemnza.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\malfpzqerxiwj = "yunphzyupdwsnhisvjmib.exe ."	jquhkn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vgofmthscf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jewxofdysfxsmffoqdfa.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cmtjpvisb = "cujhvjewnxmevlion.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\malfpzqerxiwj = "cujhvjewnxmevlion.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ncojufxmahtiwj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vmaxkxriyhvmcrns.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cmtjpvisb = "cujhvjewnxmevlion.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nakdmvlykpzm = "jewxofdysfxsmffoqdfa.exe"	jquhkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qgtpbngwltgwlzu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\leutixtmepfyqhfmmx.exe"	jquhkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cmtjpvisb = "yunphzyupdwsnhisvjmib.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vgofmthscf = "yunphzyupdwsnhisvjmib.exe ."	jquhkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cmtjpvisb = "wqhhxnkexjaunfemnza.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmtjpvisb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yunphzyupdwsnhisvjmib.exe"	jquhkn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vgofmthscf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\leutixtmepfyqhfmmx.exe ."	jquhkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cmtjpvisb = "wqhhxnkexjaunfemnza.exe"	jquhkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ncojufxmahtiwj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yunphzyupdwsnhisvjmib.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmtjpvisb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cujhvjewnxmevlion.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vgofmthscf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cujhvjewnxmevlion.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vgofmthscf = "jewxofdysfxsmffoqdfa.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nakdmvlykpzm = "yunphzyupdwsnhisvjmib.exe"	jquhkn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vgofmthscf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wqhhxnkexjaunfemnza.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmtjpvisb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cujhvjewnxmevlion.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\malfpzqerxiwj = "yunphzyupdwsnhisvjmib.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmtjpvisb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\leutixtmepfyqhfmmx.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cmtjpvisb = "wqhhxnkexjaunfemnza.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nakdmvlykpzm = "leutixtmepfyqhfmmx.exe"	jquhkn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\malfpzqerxiwj = "vmaxkxriyhvmcrns.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vgofmthscf = "leutixtmepfyqhfmmx.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vgofmthscf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jewxofdysfxsmffoqdfa.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nakdmvlykpzm = "yunphzyupdwsnhisvjmib.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qgtpbngwltgwlzu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vmaxkxriyhvmcrns.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vgofmthscf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yunphzyupdwsnhisvjmib.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cmtjpvisb = "wqhhxnkexjaunfemnza.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nakdmvlykpzm = "jewxofdysfxsmffoqdfa.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmtjpvisb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vmaxkxriyhvmcrns.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ncojufxmahtiwj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cujhvjewnxmevlion.exe ."	myjtkkdhwit.exe

Checks whether UAC is enabled 1 TTPs 44 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jquhkn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jquhkn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jquhkn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jquhkn.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe

Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs

Possible Turn off User Account Control's privilege elevation for standard users.

Executable Installer File Permissions Weakness

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	jquhkn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	jquhkn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	myjtkkdhwit.exe

Looks up external IP address via web service 7 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
25	whatismyip.everdot.org
31	www.whatismyip.ca
34	whatismyipaddress.com
38	www.whatismyip.ca
39	whatismyip.everdot.org
47	www.whatismyip.ca
23	www.showmyipaddress.com

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\autorun.inf	jquhkn.exe
File created	C:\autorun.inf	jquhkn.exe
File opened for modification	F:\autorun.inf	jquhkn.exe
File created	F:\autorun.inf	jquhkn.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\leutixtmepfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\pmgjcvvsodxuqlnycrvsmp.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\jewxofdysfxsmffoqdfa.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\vmaxkxriyhvmcrns.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\leutixtmepfyqhfmmx.exe	jquhkn.exe
File opened for modification	C:\Windows\SysWOW64\yunphzyupdwsnhisvjmib.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\jewxofdysfxsmffoqdfa.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\cujhvjewnxmevlion.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\yunphzyupdwsnhisvjmib.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\cujhvjewnxmevlion.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\jewxofdysfxsmffoqdfa.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\yunphzyupdwsnhisvjmib.exe	jquhkn.exe
File opened for modification	C:\Windows\SysWOW64\jewxofdysfxsmffoqdfa.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\vmaxkxriyhvmcrns.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\pmgjcvvsodxuqlnycrvsmp.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\cujhvjewnxmevlion.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\pmgjcvvsodxuqlnycrvsmp.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\cujhvjewnxmevlion.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\leutixtmepfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\pmgjcvvsodxuqlnycrvsmp.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\pmgjcvvsodxuqlnycrvsmp.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\pmgjcvvsodxuqlnycrvsmp.exe	jquhkn.exe
File opened for modification	C:\Windows\SysWOW64\cujhvjewnxmevlion.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\wqhhxnkexjaunfemnza.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\leutixtmepfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\cujhvjewnxmevlion.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\leutixtmepfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\jewxofdysfxsmffoqdfa.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\vmaxkxriyhvmcrns.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\cujhvjewnxmevlion.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\vmaxkxriyhvmcrns.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\leutixtmepfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\yunphzyupdwsnhisvjmib.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\wqhhxnkexjaunfemnza.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\vmaxkxriyhvmcrns.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\pmgjcvvsodxuqlnycrvsmp.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\yunphzyupdwsnhisvjmib.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\vmaxkxriyhvmcrns.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\leutixtmepfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\vmaxkxriyhvmcrns.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\pmgjcvvsodxuqlnycrvsmp.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\wqhhxnkexjaunfemnza.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\wqhhxnkexjaunfemnza.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\jewxofdysfxsmffoqdfa.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\wqhhxnkexjaunfemnza.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\pmgjcvvsodxuqlnycrvsmp.exe	myjtkkdhwit.exe
File created	C:\Windows\SysWOW64\zayfczdeexvwwvbqyrzayf.zde	jquhkn.exe
File opened for modification	C:\Windows\SysWOW64\leutixtmepfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\cujhvjewnxmevlion.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\yunphzyupdwsnhisvjmib.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\jewxofdysfxsmffoqdfa.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\leutixtmepfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\leutixtmepfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\zayfczdeexvwwvbqyrzayf.zde	jquhkn.exe
File opened for modification	C:\Windows\SysWOW64\pmgjcvvsodxuqlnycrvsmp.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\cujhvjewnxmevlion.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\jewxofdysfxsmffoqdfa.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\leutixtmepfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\cujhvjewnxmevlion.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\cujhvjewnxmevlion.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\vmaxkxriyhvmcrns.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\vmaxkxriyhvmcrns.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\vmaxkxriyhvmcrns.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\leutixtmepfyqhfmmx.exe	myjtkkdhwit.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\qcldltiufjsepzqqjngsbtbjykvziufpg.zdw	jquhkn.exe
File created	C:\Program Files (x86)\qcldltiufjsepzqqjngsbtbjykvziufpg.zdw	jquhkn.exe
File opened for modification	C:\Program Files (x86)\zayfczdeexvwwvbqyrzayf.zde	jquhkn.exe
File created	C:\Program Files (x86)\zayfczdeexvwwvbqyrzayf.zde	jquhkn.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\zayfczdeexvwwvbqyrzayf.zde	jquhkn.exe
File opened for modification	C:\Windows\cujhvjewnxmevlion.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\leutixtmepfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\jewxofdysfxsmffoqdfa.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\pmgjcvvsodxuqlnycrvsmp.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\cujhvjewnxmevlion.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\leutixtmepfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\leutixtmepfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\leutixtmepfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\wqhhxnkexjaunfemnza.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\vmaxkxriyhvmcrns.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\vmaxkxriyhvmcrns.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\yunphzyupdwsnhisvjmib.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\vmaxkxriyhvmcrns.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\vmaxkxriyhvmcrns.exe	jquhkn.exe
File opened for modification	C:\Windows\wqhhxnkexjaunfemnza.exe	jquhkn.exe
File opened for modification	C:\Windows\vmaxkxriyhvmcrns.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\vmaxkxriyhvmcrns.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\cujhvjewnxmevlion.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\jewxofdysfxsmffoqdfa.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\wqhhxnkexjaunfemnza.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\cujhvjewnxmevlion.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\wqhhxnkexjaunfemnza.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\cujhvjewnxmevlion.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\wqhhxnkexjaunfemnza.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\yunphzyupdwsnhisvjmib.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\pmgjcvvsodxuqlnycrvsmp.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\jewxofdysfxsmffoqdfa.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\jewxofdysfxsmffoqdfa.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\wqhhxnkexjaunfemnza.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\cujhvjewnxmevlion.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\cujhvjewnxmevlion.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\leutixtmepfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\pmgjcvvsodxuqlnycrvsmp.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\cujhvjewnxmevlion.exe	jquhkn.exe
File opened for modification	C:\Windows\jewxofdysfxsmffoqdfa.exe	jquhkn.exe
File opened for modification	C:\Windows\jewxofdysfxsmffoqdfa.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\cujhvjewnxmevlion.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\cujhvjewnxmevlion.exe	jquhkn.exe
File opened for modification	C:\Windows\wqhhxnkexjaunfemnza.exe	jquhkn.exe
File opened for modification	C:\Windows\wqhhxnkexjaunfemnza.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\jewxofdysfxsmffoqdfa.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\vmaxkxriyhvmcrns.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\wqhhxnkexjaunfemnza.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\pmgjcvvsodxuqlnycrvsmp.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\vmaxkxriyhvmcrns.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\pmgjcvvsodxuqlnycrvsmp.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\leutixtmepfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\vmaxkxriyhvmcrns.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\leutixtmepfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\jewxofdysfxsmffoqdfa.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\leutixtmepfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\leutixtmepfyqhfmmx.exe	jquhkn.exe
File opened for modification	C:\Windows\qcldltiufjsepzqqjngsbtbjykvziufpg.zdw	jquhkn.exe
File opened for modification	C:\Windows\vmaxkxriyhvmcrns.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\leutixtmepfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\pmgjcvvsodxuqlnycrvsmp.exe	myjtkkdhwit.exe
File created	C:\Windows\zayfczdeexvwwvbqyrzayf.zde	jquhkn.exe
File opened for modification	C:\Windows\vmaxkxriyhvmcrns.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\yunphzyupdwsnhisvjmib.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\vmaxkxriyhvmcrns.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\yunphzyupdwsnhisvjmib.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\pmgjcvvsodxuqlnycrvsmp.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\leutixtmepfyqhfmmx.exe	myjtkkdhwit.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmaxkxriyhvmcrns.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yunphzyupdwsnhisvjmib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	leutixtmepfyqhfmmx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	leutixtmepfyqhfmmx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jewxofdysfxsmffoqdfa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cujhvjewnxmevlion.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	leutixtmepfyqhfmmx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yunphzyupdwsnhisvjmib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmaxkxriyhvmcrns.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cujhvjewnxmevlion.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmaxkxriyhvmcrns.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cujhvjewnxmevlion.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jewxofdysfxsmffoqdfa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cujhvjewnxmevlion.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cujhvjewnxmevlion.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wqhhxnkexjaunfemnza.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wqhhxnkexjaunfemnza.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	leutixtmepfyqhfmmx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yunphzyupdwsnhisvjmib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wqhhxnkexjaunfemnza.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yunphzyupdwsnhisvjmib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yunphzyupdwsnhisvjmib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yunphzyupdwsnhisvjmib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	leutixtmepfyqhfmmx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cujhvjewnxmevlion.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jewxofdysfxsmffoqdfa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmaxkxriyhvmcrns.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wqhhxnkexjaunfemnza.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yunphzyupdwsnhisvjmib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wqhhxnkexjaunfemnza.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yunphzyupdwsnhisvjmib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yunphzyupdwsnhisvjmib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yunphzyupdwsnhisvjmib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wqhhxnkexjaunfemnza.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cujhvjewnxmevlion.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wqhhxnkexjaunfemnza.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	leutixtmepfyqhfmmx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yunphzyupdwsnhisvjmib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cujhvjewnxmevlion.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cujhvjewnxmevlion.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	leutixtmepfyqhfmmx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yunphzyupdwsnhisvjmib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jewxofdysfxsmffoqdfa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cujhvjewnxmevlion.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jewxofdysfxsmffoqdfa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cujhvjewnxmevlion.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yunphzyupdwsnhisvjmib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wqhhxnkexjaunfemnza.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wqhhxnkexjaunfemnza.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cujhvjewnxmevlion.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wqhhxnkexjaunfemnza.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	leutixtmepfyqhfmmx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmaxkxriyhvmcrns.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	leutixtmepfyqhfmmx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	leutixtmepfyqhfmmx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmaxkxriyhvmcrns.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cujhvjewnxmevlion.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yunphzyupdwsnhisvjmib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jewxofdysfxsmffoqdfa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wqhhxnkexjaunfemnza.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cujhvjewnxmevlion.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yunphzyupdwsnhisvjmib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jewxofdysfxsmffoqdfa.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2240	JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe
2240	JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe
2240	JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe
2240	JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe
2240	JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe
2240	JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe
2240	JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe
2240	JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe
2240	JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe
2240	JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe
2240	JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe
2240	JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe
2240	JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe
2240	JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe
2240	JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe
2240	JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe
6100	jquhkn.exe
6100	jquhkn.exe
2240	JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe
2240	JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe
2240	JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe
2240	JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe
2240	JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe
2240	JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe
2240	JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe
2240	JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe
2240	JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe
2240	JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe
2240	JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe
2240	JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe
2240	JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe
2240	JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe
2240	JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe
2240	JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe
2240	JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe
2240	JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe
2240	JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe
2240	JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe
2240	JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe
2240	JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe
2240	JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe
2240	JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe
2240	JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe
2240	JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe
2240	JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe
2240	JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe
2240	JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe
2240	JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe
2240	JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe
2240	JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe
6100	jquhkn.exe
6100	jquhkn.exe
2240	JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe
2240	JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe
2240	JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe
2240	JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe
2240	JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe
2240	JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe
2240	JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe
2240	JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe
2240	JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe
2240	JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe
2240	JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe
2240	JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	6100	jquhkn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 5188	2240	JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe	88
PID 2240 wrote to memory of 5188	2240	JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe	88
PID 2240 wrote to memory of 5188	2240	JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe	88
PID 4868 wrote to memory of 3992	4868	cmd.exe	93
PID 4868 wrote to memory of 3992	4868	cmd.exe	93
PID 4868 wrote to memory of 3992	4868	cmd.exe	93
PID 3964 wrote to memory of 5864	3964	cmd.exe	96
PID 3964 wrote to memory of 5864	3964	cmd.exe	96
PID 3964 wrote to memory of 5864	3964	cmd.exe	96
PID 5864 wrote to memory of 4924	5864	leutixtmepfyqhfmmx.exe	99
PID 5864 wrote to memory of 4924	5864	leutixtmepfyqhfmmx.exe	99
PID 5864 wrote to memory of 4924	5864	leutixtmepfyqhfmmx.exe	99
PID 4852 wrote to memory of 4992	4852	cmd.exe	102
PID 4852 wrote to memory of 4992	4852	cmd.exe	102
PID 4852 wrote to memory of 4992	4852	cmd.exe	102
PID 4856 wrote to memory of 4832	4856	cmd.exe	105
PID 4856 wrote to memory of 4832	4856	cmd.exe	105
PID 4856 wrote to memory of 4832	4856	cmd.exe	105
PID 3024 wrote to memory of 1148	3024	cmd.exe	168
PID 3024 wrote to memory of 1148	3024	cmd.exe	168
PID 3024 wrote to memory of 1148	3024	cmd.exe	168
PID 4832 wrote to memory of 1324	4832	cujhvjewnxmevlion.exe	109
PID 4832 wrote to memory of 1324	4832	cujhvjewnxmevlion.exe	109
PID 4832 wrote to memory of 1324	4832	cujhvjewnxmevlion.exe	109
PID 3008 wrote to memory of 5912	3008	cmd.exe	110
PID 3008 wrote to memory of 5912	3008	cmd.exe	110
PID 3008 wrote to memory of 5912	3008	cmd.exe	110
PID 5912 wrote to memory of 1916	5912	cujhvjewnxmevlion.exe	114
PID 5912 wrote to memory of 1916	5912	cujhvjewnxmevlion.exe	114
PID 5912 wrote to memory of 1916	5912	cujhvjewnxmevlion.exe	114
PID 3764 wrote to memory of 1444	3764	cmd.exe	118
PID 3764 wrote to memory of 1444	3764	cmd.exe	118
PID 3764 wrote to memory of 1444	3764	cmd.exe	118
PID 5608 wrote to memory of 1532	5608	cmd.exe	119
PID 5608 wrote to memory of 1532	5608	cmd.exe	119
PID 5608 wrote to memory of 1532	5608	cmd.exe	119
PID 1532 wrote to memory of 2312	1532	wqhhxnkexjaunfemnza.exe	120
PID 1532 wrote to memory of 2312	1532	wqhhxnkexjaunfemnza.exe	120
PID 1532 wrote to memory of 2312	1532	wqhhxnkexjaunfemnza.exe	120
PID 5188 wrote to memory of 6100	5188	myjtkkdhwit.exe	121
PID 5188 wrote to memory of 6100	5188	myjtkkdhwit.exe	121
PID 5188 wrote to memory of 6100	5188	myjtkkdhwit.exe	121
PID 5188 wrote to memory of 3360	5188	myjtkkdhwit.exe	122
PID 5188 wrote to memory of 3360	5188	myjtkkdhwit.exe	122
PID 5188 wrote to memory of 3360	5188	myjtkkdhwit.exe	122
PID 4404 wrote to memory of 220	4404	cmd.exe	127
PID 4404 wrote to memory of 220	4404	cmd.exe	127
PID 4404 wrote to memory of 220	4404	cmd.exe	127
PID 5824 wrote to memory of 32	5824	cmd.exe	273
PID 5824 wrote to memory of 32	5824	cmd.exe	273
PID 5824 wrote to memory of 32	5824	cmd.exe	273
PID 3692 wrote to memory of 1020	3692	cmd.exe	133
PID 3692 wrote to memory of 1020	3692	cmd.exe	133
PID 3692 wrote to memory of 1020	3692	cmd.exe	133
PID 3912 wrote to memory of 1836	3912	cmd.exe	139
PID 3912 wrote to memory of 1836	3912	cmd.exe	139
PID 3912 wrote to memory of 1836	3912	cmd.exe	139
PID 1020 wrote to memory of 4408	1020	jewxofdysfxsmffoqdfa.exe	145
PID 1020 wrote to memory of 4408	1020	jewxofdysfxsmffoqdfa.exe	145
PID 1020 wrote to memory of 4408	1020	jewxofdysfxsmffoqdfa.exe	145
PID 5152 wrote to memory of 5196	5152	cmd.exe	277
PID 5152 wrote to memory of 5196	5152	cmd.exe	277
PID 5152 wrote to memory of 5196	5152	cmd.exe	277
PID 1836 wrote to memory of 5192	1836	wqhhxnkexjaunfemnza.exe	281

System policy modification 1 TTPs 64 IoCs

defense_evasion

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	jquhkn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	jquhkn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	jquhkn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	jquhkn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	jquhkn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	jquhkn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	jquhkn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jquhkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	jquhkn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	jquhkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	jquhkn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	jquhkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jquhkn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	jquhkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	jquhkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	jquhkn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	jquhkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	jquhkn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	jquhkn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	jquhkn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	jquhkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	jquhkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	myjtkkdhwit.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
  "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_8a01bcb09b024896cdaf5a880dd8a094.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Hijack Execution Flow: Executable Installer File Permissions Weakness
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:5188
- - C:\Users\Admin\AppData\Local\Temp\jquhkn.exe
    "C:\Users\Admin\AppData\Local\Temp\jquhkn.exe" "-C:\Users\Admin\AppData\Local\Temp\vmaxkxriyhvmcrns.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:6100
- - C:\Users\Admin\AppData\Local\Temp\jquhkn.exe
    "C:\Users\Admin\AppData\Local\Temp\jquhkn.exe" "-C:\Users\Admin\AppData\Local\Temp\vmaxkxriyhvmcrns.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cujhvjewnxmevlion.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4868
- C:\Windows\cujhvjewnxmevlion.exe
  cujhvjewnxmevlion.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c leutixtmepfyqhfmmx.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:3964
- C:\Windows\leutixtmepfyqhfmmx.exe
  leutixtmepfyqhfmmx.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5864
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\leutixtmepfyqhfmmx.exe*."
    3⤵
    - Executes dropped EXE
    PID:4924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cujhvjewnxmevlion.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4852
- C:\Windows\cujhvjewnxmevlion.exe
  cujhvjewnxmevlion.exe
  2⤵
  - Executes dropped EXE
  PID:4992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cujhvjewnxmevlion.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:4856
- C:\Windows\cujhvjewnxmevlion.exe
  cujhvjewnxmevlion.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4832
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\cujhvjewnxmevlion.exe*."
    3⤵
    - Executes dropped EXE
    PID:1324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
  C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5912
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\cujhvjewnxmevlion.exe*."
    3⤵
    - Executes dropped EXE
    PID:1916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3764
- C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe
  C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:5608
- C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe
  C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1532
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\wqhhxnkexjaunfemnza.exe*."
    3⤵
    - Executes dropped EXE
    PID:2312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jewxofdysfxsmffoqdfa.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5824
- C:\Windows\jewxofdysfxsmffoqdfa.exe
  jewxofdysfxsmffoqdfa.exe
  2⤵
  - Executes dropped EXE
  PID:32

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vmaxkxriyhvmcrns.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4404
- C:\Windows\vmaxkxriyhvmcrns.exe
  vmaxkxriyhvmcrns.exe
  2⤵
  - Executes dropped EXE
  PID:220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jewxofdysfxsmffoqdfa.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:3692
- C:\Windows\jewxofdysfxsmffoqdfa.exe
  jewxofdysfxsmffoqdfa.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1020
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\jewxofdysfxsmffoqdfa.exe*."
    3⤵
    - Executes dropped EXE
    PID:4408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqhhxnkexjaunfemnza.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:3912
- C:\Windows\wqhhxnkexjaunfemnza.exe
  wqhhxnkexjaunfemnza.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1836
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\wqhhxnkexjaunfemnza.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - System policy modification
    PID:5192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jewxofdysfxsmffoqdfa.exe
1⤵
PID:2028
- C:\Windows\jewxofdysfxsmffoqdfa.exe
  jewxofdysfxsmffoqdfa.exe
  2⤵
  - Executes dropped EXE
  PID:4496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cujhvjewnxmevlion.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5152
- C:\Windows\cujhvjewnxmevlion.exe
  cujhvjewnxmevlion.exe
  2⤵
  - Executes dropped EXE
  PID:5196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jewxofdysfxsmffoqdfa.exe .
1⤵
PID:2700
- C:\Windows\jewxofdysfxsmffoqdfa.exe
  jewxofdysfxsmffoqdfa.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4948
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\jewxofdysfxsmffoqdfa.exe*."
    3⤵
    - Executes dropped EXE
    PID:1308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqhhxnkexjaunfemnza.exe .
1⤵
PID:2596
- C:\Windows\wqhhxnkexjaunfemnza.exe
  wqhhxnkexjaunfemnza.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2288
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\wqhhxnkexjaunfemnza.exe*."
    3⤵
    - Executes dropped EXE
    PID:2676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
1⤵
PID:2416
- C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
  C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
  2⤵
  - Executes dropped EXE
  PID:4980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vmaxkxriyhvmcrns.exe
1⤵
PID:4380
- C:\Users\Admin\AppData\Local\Temp\vmaxkxriyhvmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\vmaxkxriyhvmcrns.exe
  2⤵
  - Executes dropped EXE
  PID:416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe .
1⤵
PID:2960
- C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe
  C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe .
  2⤵
  - Executes dropped EXE
  PID:4972
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\jewxofdysfxsmffoqdfa.exe*."
    3⤵
    - Executes dropped EXE
    PID:2856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe .
1⤵
PID:2436
- C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe
  C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5116
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\wqhhxnkexjaunfemnza.exe*."
    3⤵
    - Executes dropped EXE
    PID:5088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
1⤵
PID:4700
- C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
  C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
  2⤵
  - Executes dropped EXE
  PID:6140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe
1⤵
PID:3444
- C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe
  C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe
  2⤵
  - Executes dropped EXE
  PID:6108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe .
1⤵
PID:4896
- C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1860
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\leutixtmepfyqhfmmx.exe*."
    3⤵
    - Executes dropped EXE
    PID:4552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe .
1⤵
PID:4852
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1148
- C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5004
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\cujhvjewnxmevlion.exe*."
    3⤵
    - Executes dropped EXE
    PID:4712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vmaxkxriyhvmcrns.exe
1⤵
PID:5956
- C:\Windows\vmaxkxriyhvmcrns.exe
  vmaxkxriyhvmcrns.exe
  2⤵
  - Executes dropped EXE
  PID:4028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vmaxkxriyhvmcrns.exe .
1⤵
PID:2348
- C:\Windows\vmaxkxriyhvmcrns.exe
  vmaxkxriyhvmcrns.exe .
  2⤵
  - Executes dropped EXE
  PID:5484
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\vmaxkxriyhvmcrns.exe*."
    3⤵
    - Executes dropped EXE
    PID:5744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vmaxkxriyhvmcrns.exe
1⤵
PID:1404
- C:\Windows\vmaxkxriyhvmcrns.exe
  vmaxkxriyhvmcrns.exe
  2⤵
  - Executes dropped EXE
  PID:6064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c leutixtmepfyqhfmmx.exe .
1⤵
PID:2620
- C:\Windows\leutixtmepfyqhfmmx.exe
  leutixtmepfyqhfmmx.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1972
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\leutixtmepfyqhfmmx.exe*."
    3⤵
    - Executes dropped EXE
    PID:1036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe
1⤵
PID:1924
- C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe
  C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe
  2⤵
  - Executes dropped EXE
  PID:5824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe .
1⤵
PID:1240
- C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
  C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5092
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\yunphzyupdwsnhisvjmib.exe*."
    3⤵
    - Executes dropped EXE
    PID:884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe
1⤵
PID:5376
- C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe
  C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe
  2⤵
  - Executes dropped EXE
  PID:6112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe .
1⤵
PID:4160
- C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe
  C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4472
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\wqhhxnkexjaunfemnza.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jewxofdysfxsmffoqdfa.exe
1⤵
PID:4200
- C:\Windows\jewxofdysfxsmffoqdfa.exe
  jewxofdysfxsmffoqdfa.exe
  2⤵
  - Executes dropped EXE
  PID:4768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqhhxnkexjaunfemnza.exe .
1⤵
PID:1324
- C:\Windows\wqhhxnkexjaunfemnza.exe
  wqhhxnkexjaunfemnza.exe .
  2⤵
  - Executes dropped EXE
  PID:2028
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\wqhhxnkexjaunfemnza.exe*."
    3⤵
    - Executes dropped EXE
    PID:5260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jewxofdysfxsmffoqdfa.exe
1⤵
PID:3244
- C:\Windows\jewxofdysfxsmffoqdfa.exe
  jewxofdysfxsmffoqdfa.exe
  2⤵
  - Executes dropped EXE
  PID:4120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yunphzyupdwsnhisvjmib.exe .
1⤵
PID:4508
- C:\Windows\yunphzyupdwsnhisvjmib.exe
  yunphzyupdwsnhisvjmib.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5336
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\yunphzyupdwsnhisvjmib.exe*."
    3⤵
    - Executes dropped EXE
    PID:5572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe
1⤵
PID:3968
- C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe
  C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe
  2⤵
  - Executes dropped EXE
  PID:5640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqhhxnkexjaunfemnza.exe
1⤵
PID:4972
- C:\Windows\wqhhxnkexjaunfemnza.exe
  wqhhxnkexjaunfemnza.exe
  2⤵
  - Executes dropped EXE
  PID:1380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe .
1⤵
PID:1444
- C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe
  C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:6084
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\jewxofdysfxsmffoqdfa.exe*."
    3⤵
    - Executes dropped EXE
    PID:6108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c leutixtmepfyqhfmmx.exe
1⤵
PID:1532
- C:\Windows\leutixtmepfyqhfmmx.exe
  leutixtmepfyqhfmmx.exe
  2⤵
  - Executes dropped EXE
  PID:5860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vmaxkxriyhvmcrns.exe .
1⤵
PID:2860
- C:\Windows\vmaxkxriyhvmcrns.exe
  vmaxkxriyhvmcrns.exe .
  2⤵
  - Executes dropped EXE
  PID:4868
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\vmaxkxriyhvmcrns.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqhhxnkexjaunfemnza.exe .
1⤵
PID:3632
- C:\Windows\wqhhxnkexjaunfemnza.exe
  wqhhxnkexjaunfemnza.exe .
  2⤵
  - Checks computer location settings
  PID:4428
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\wqhhxnkexjaunfemnza.exe*."
    3⤵
    PID:4452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
1⤵
PID:4748
- C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
  2⤵
  - Executes dropped EXE
  PID:5388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c leutixtmepfyqhfmmx.exe
1⤵
PID:4668
- C:\Windows\leutixtmepfyqhfmmx.exe
  leutixtmepfyqhfmmx.exe
  2⤵
  PID:5000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe .
1⤵
PID:2472
- C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
  C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe .
  2⤵
  PID:1148
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\yunphzyupdwsnhisvjmib.exe*."
    3⤵
    PID:1076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yunphzyupdwsnhisvjmib.exe .
1⤵
PID:3208
- C:\Windows\yunphzyupdwsnhisvjmib.exe
  yunphzyupdwsnhisvjmib.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3348
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\yunphzyupdwsnhisvjmib.exe*."
    3⤵
    PID:4980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jewxofdysfxsmffoqdfa.exe
1⤵
PID:4336
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:6064
- C:\Windows\jewxofdysfxsmffoqdfa.exe
  jewxofdysfxsmffoqdfa.exe
  2⤵
  PID:32

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yunphzyupdwsnhisvjmib.exe .
1⤵
PID:6056
- C:\Windows\yunphzyupdwsnhisvjmib.exe
  yunphzyupdwsnhisvjmib.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:916
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\yunphzyupdwsnhisvjmib.exe*."
    3⤵
    PID:4048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
1⤵
PID:6088
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5004
- C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
  2⤵
  PID:3384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe .
1⤵
PID:5944
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5744
- C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe
  C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe .
  2⤵
  - Checks computer location settings
  PID:3592
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\wqhhxnkexjaunfemnza.exe*."
    3⤵
    PID:3452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
1⤵
PID:3224
- C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
  C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
  2⤵
  PID:4624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe .
1⤵
PID:5824
- C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
  C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3380
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\yunphzyupdwsnhisvjmib.exe*."
    3⤵
    PID:3532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
1⤵
PID:1036
- C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
  2⤵
  PID:4944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe
1⤵
PID:4616
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5196
- C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe
  C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe
  2⤵
  PID:3968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe .
1⤵
PID:5716
- C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe
  C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1040
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\wqhhxnkexjaunfemnza.exe*."
    3⤵
    PID:4508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe .
1⤵
PID:2888
- C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe .
  2⤵
  PID:1324
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\cujhvjewnxmevlion.exe*."
    3⤵
    PID:6116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqhhxnkexjaunfemnza.exe
1⤵
PID:5192
- C:\Windows\wqhhxnkexjaunfemnza.exe
  wqhhxnkexjaunfemnza.exe
  2⤵
  PID:2376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqhhxnkexjaunfemnza.exe .
1⤵
PID:3628
- C:\Windows\wqhhxnkexjaunfemnza.exe
  wqhhxnkexjaunfemnza.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2776
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\wqhhxnkexjaunfemnza.exe*."
    3⤵
    PID:4044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqhhxnkexjaunfemnza.exe
1⤵
PID:756
- C:\Windows\wqhhxnkexjaunfemnza.exe
  wqhhxnkexjaunfemnza.exe
  2⤵
  PID:4468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqhhxnkexjaunfemnza.exe .
1⤵
PID:5216
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1380
- C:\Windows\wqhhxnkexjaunfemnza.exe
  wqhhxnkexjaunfemnza.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5100
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\wqhhxnkexjaunfemnza.exe*."
    3⤵
    PID:456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
1⤵
PID:4856
- C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
  2⤵
  PID:5088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe .
1⤵
PID:5500
- C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
  C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3772
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\yunphzyupdwsnhisvjmib.exe*."
    3⤵
    PID:4824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe
1⤵
PID:3852
- C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe
  2⤵
  PID:828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe .
1⤵
PID:1804
- C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe .
  2⤵
  PID:4788
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\leutixtmepfyqhfmmx.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqhhxnkexjaunfemnza.exe
1⤵
PID:1540
- C:\Windows\wqhhxnkexjaunfemnza.exe
  wqhhxnkexjaunfemnza.exe
  2⤵
  PID:2016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cujhvjewnxmevlion.exe .
1⤵
PID:6088
- C:\Windows\cujhvjewnxmevlion.exe
  cujhvjewnxmevlion.exe .
  2⤵
  PID:1860
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\cujhvjewnxmevlion.exe*."
    3⤵
    PID:2920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yunphzyupdwsnhisvjmib.exe
1⤵
PID:4836
- C:\Windows\yunphzyupdwsnhisvjmib.exe
  yunphzyupdwsnhisvjmib.exe
  2⤵
  PID:3892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vmaxkxriyhvmcrns.exe .
1⤵
PID:3964
- C:\Windows\vmaxkxriyhvmcrns.exe
  vmaxkxriyhvmcrns.exe .
  2⤵
  - Checks computer location settings
  PID:4032
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\vmaxkxriyhvmcrns.exe*."
    3⤵
    PID:2368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe
1⤵
PID:4792
- C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe
  C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe
  2⤵
  PID:5152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe .
1⤵
PID:3372
- C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe
  C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1880
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\wqhhxnkexjaunfemnza.exe*."
    3⤵
    PID:1184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe
1⤵
PID:3592
- C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe
  C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe
  2⤵
  PID:3108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe .
1⤵
PID:4404
- C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe
  C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3968
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\jewxofdysfxsmffoqdfa.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:2020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jewxofdysfxsmffoqdfa.exe
1⤵
PID:4712
- C:\Windows\jewxofdysfxsmffoqdfa.exe
  jewxofdysfxsmffoqdfa.exe
  2⤵
  PID:4040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cujhvjewnxmevlion.exe .
1⤵
PID:4580
- C:\Windows\cujhvjewnxmevlion.exe
  cujhvjewnxmevlion.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4160
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\cujhvjewnxmevlion.exe*."
    3⤵
    PID:1208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yunphzyupdwsnhisvjmib.exe
1⤵
PID:2540
- C:\Windows\yunphzyupdwsnhisvjmib.exe
  yunphzyupdwsnhisvjmib.exe
  2⤵
  PID:3764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqhhxnkexjaunfemnza.exe .
1⤵
PID:5664
- C:\Windows\wqhhxnkexjaunfemnza.exe
  wqhhxnkexjaunfemnza.exe .
  2⤵
  PID:1080
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\wqhhxnkexjaunfemnza.exe*."
    3⤵
    PID:4992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
1⤵
PID:912
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:884
- C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
  2⤵
  PID:628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe .
1⤵
PID:5400
- C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe
  C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe .
  2⤵
  - Checks computer location settings
  PID:3628
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\wqhhxnkexjaunfemnza.exe*."
    3⤵
    PID:3672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe
1⤵
PID:5140
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2288
- C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe
  C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe
  2⤵
  PID:3568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe .
1⤵
PID:5100
- C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe
  C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5388
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\jewxofdysfxsmffoqdfa.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:6108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yunphzyupdwsnhisvjmib.exe
1⤵
PID:4588
- C:\Windows\yunphzyupdwsnhisvjmib.exe
  yunphzyupdwsnhisvjmib.exe
  2⤵
  PID:1648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vmaxkxriyhvmcrns.exe .
1⤵
PID:1340
- C:\Windows\vmaxkxriyhvmcrns.exe
  vmaxkxriyhvmcrns.exe .
  2⤵
  PID:4372
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\vmaxkxriyhvmcrns.exe*."
    3⤵
    PID:4876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yunphzyupdwsnhisvjmib.exe
1⤵
PID:5880
- C:\Windows\yunphzyupdwsnhisvjmib.exe
  yunphzyupdwsnhisvjmib.exe
  2⤵
  PID:1388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqhhxnkexjaunfemnza.exe .
1⤵
PID:4728
- C:\Windows\wqhhxnkexjaunfemnza.exe
  wqhhxnkexjaunfemnza.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1320
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\wqhhxnkexjaunfemnza.exe*."
    3⤵
    PID:5936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
1⤵
PID:4740
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4472
- C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
  C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
  2⤵
  PID:2920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe .
1⤵
PID:3492
- C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe .
  2⤵
  - Checks computer location settings
  PID:232
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\cujhvjewnxmevlion.exe*."
    3⤵
    PID:2972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe
1⤵
PID:4484
- C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe
  2⤵
  PID:3888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe .
1⤵
PID:5964
- C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:6120
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\cujhvjewnxmevlion.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqhhxnkexjaunfemnza.exe
1⤵
PID:5260
- C:\Windows\wqhhxnkexjaunfemnza.exe
  wqhhxnkexjaunfemnza.exe
  2⤵
  PID:5332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cujhvjewnxmevlion.exe .
1⤵
PID:1812
- C:\Windows\cujhvjewnxmevlion.exe
  cujhvjewnxmevlion.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4276
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\cujhvjewnxmevlion.exe*."
    3⤵
    PID:4404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vmaxkxriyhvmcrns.exe
1⤵
PID:3200
- C:\Windows\vmaxkxriyhvmcrns.exe
  vmaxkxriyhvmcrns.exe
  2⤵
  PID:1972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yunphzyupdwsnhisvjmib.exe .
1⤵
PID:2596
- C:\Windows\yunphzyupdwsnhisvjmib.exe
  yunphzyupdwsnhisvjmib.exe .
  2⤵
  - Checks computer location settings
  PID:1420
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\yunphzyupdwsnhisvjmib.exe*."
    3⤵
    PID:2244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
1⤵
PID:2640
- C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
  C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
  2⤵
  PID:1920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe .
1⤵
PID:3920
- C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
  C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1448
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\yunphzyupdwsnhisvjmib.exe*."
    3⤵
    PID:4160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vmaxkxriyhvmcrns.exe
1⤵
PID:4616
- C:\Users\Admin\AppData\Local\Temp\vmaxkxriyhvmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\vmaxkxriyhvmcrns.exe
  2⤵
  PID:6136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe .
1⤵
PID:3196
- C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe
  C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe .
  2⤵
  - Checks computer location settings
  PID:3176
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\wqhhxnkexjaunfemnza.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yunphzyupdwsnhisvjmib.exe
1⤵
PID:4992
- C:\Windows\yunphzyupdwsnhisvjmib.exe
  yunphzyupdwsnhisvjmib.exe
  2⤵
  PID:5664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c leutixtmepfyqhfmmx.exe .
1⤵
PID:4464
- C:\Windows\leutixtmepfyqhfmmx.exe
  leutixtmepfyqhfmmx.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4816
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\leutixtmepfyqhfmmx.exe*."
    3⤵
    PID:2020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yunphzyupdwsnhisvjmib.exe
1⤵
PID:5924
- C:\Windows\yunphzyupdwsnhisvjmib.exe
  yunphzyupdwsnhisvjmib.exe
  2⤵
  PID:2632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cujhvjewnxmevlion.exe .
1⤵
PID:3460
- C:\Windows\cujhvjewnxmevlion.exe
  cujhvjewnxmevlion.exe .
  2⤵
  PID:5816
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\cujhvjewnxmevlion.exe*."
    3⤵
    PID:4168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
1⤵
PID:3868
- C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
  2⤵
  PID:2404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe .
1⤵
PID:2380
- C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2700
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\cujhvjewnxmevlion.exe*."
    3⤵
    PID:5920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe
1⤵
PID:4372
- C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe
  C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe
  2⤵
  PID:4812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe .
1⤵
PID:4716
- C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
  C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1968
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\yunphzyupdwsnhisvjmib.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c leutixtmepfyqhfmmx.exe
1⤵
PID:5556
- C:\Windows\leutixtmepfyqhfmmx.exe
  leutixtmepfyqhfmmx.exe
  2⤵
  PID:3892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vmaxkxriyhvmcrns.exe
1⤵
PID:1860
- C:\Windows\vmaxkxriyhvmcrns.exe
  vmaxkxriyhvmcrns.exe
  2⤵
  PID:3816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yunphzyupdwsnhisvjmib.exe .
1⤵
PID:4536
- C:\Windows\yunphzyupdwsnhisvjmib.exe
  yunphzyupdwsnhisvjmib.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2960
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\yunphzyupdwsnhisvjmib.exe*."
    3⤵
    PID:6096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cujhvjewnxmevlion.exe
1⤵
PID:4860
- C:\Windows\cujhvjewnxmevlion.exe
  cujhvjewnxmevlion.exe
  2⤵
  PID:4864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c leutixtmepfyqhfmmx.exe .
1⤵
PID:5804
- C:\Windows\leutixtmepfyqhfmmx.exe
  leutixtmepfyqhfmmx.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4980
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\leutixtmepfyqhfmmx.exe*."
    3⤵
    PID:5824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vmaxkxriyhvmcrns.exe .
1⤵
PID:5972
- C:\Windows\vmaxkxriyhvmcrns.exe
  vmaxkxriyhvmcrns.exe .
  2⤵
  - Checks computer location settings
  PID:2244
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\vmaxkxriyhvmcrns.exe*."
    3⤵
    PID:6072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cujhvjewnxmevlion.exe
1⤵
PID:2368
- C:\Windows\cujhvjewnxmevlion.exe
  cujhvjewnxmevlion.exe
  2⤵
  PID:3596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jewxofdysfxsmffoqdfa.exe
1⤵
PID:4728
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3532
- C:\Windows\jewxofdysfxsmffoqdfa.exe
  jewxofdysfxsmffoqdfa.exe
  2⤵
  PID:5884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cujhvjewnxmevlion.exe .
1⤵
PID:4852
- C:\Windows\cujhvjewnxmevlion.exe
  cujhvjewnxmevlion.exe .
  2⤵
  PID:3196
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\cujhvjewnxmevlion.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c leutixtmepfyqhfmmx.exe .
1⤵
PID:3452
- C:\Windows\leutixtmepfyqhfmmx.exe
  leutixtmepfyqhfmmx.exe .
  2⤵
  - Checks computer location settings
  PID:5728
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\leutixtmepfyqhfmmx.exe*."
    3⤵
    PID:2288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yunphzyupdwsnhisvjmib.exe
1⤵
PID:1516
- C:\Windows\yunphzyupdwsnhisvjmib.exe
  yunphzyupdwsnhisvjmib.exe
  2⤵
  PID:4992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe
1⤵
PID:2772
- C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe
  C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe
  2⤵
  PID:4044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
1⤵
PID:3924
- C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
  C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
  2⤵
  PID:3380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cujhvjewnxmevlion.exe .
1⤵
PID:4568
- C:\Windows\cujhvjewnxmevlion.exe
  cujhvjewnxmevlion.exe .
  2⤵
  - Checks computer location settings
  PID:4748
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\cujhvjewnxmevlion.exe*."
    3⤵
    PID:1396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe .
1⤵
PID:1452
- C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe .
  2⤵
  - Checks computer location settings
  PID:732
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\leutixtmepfyqhfmmx.exe*."
    3⤵
    PID:1628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe .
1⤵
PID:5608
- C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe
  C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe .
  2⤵
  PID:4824
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\jewxofdysfxsmffoqdfa.exe*."
    3⤵
    PID:4812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vmaxkxriyhvmcrns.exe
1⤵
PID:4380
- C:\Users\Admin\AppData\Local\Temp\vmaxkxriyhvmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\vmaxkxriyhvmcrns.exe
  2⤵
  PID:6088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe .
1⤵
PID:5192
- C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5920
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\leutixtmepfyqhfmmx.exe*."
    3⤵
    PID:4896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe
1⤵
PID:3992
- C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe
  C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe
  2⤵
  PID:992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe
1⤵
PID:4500
- C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe
  C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe
  2⤵
  PID:5700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe .
1⤵
PID:6112
- C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
  C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4864
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\yunphzyupdwsnhisvjmib.exe*."
    3⤵
    PID:416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vmaxkxriyhvmcrns.exe .
1⤵
PID:5664
- C:\Users\Admin\AppData\Local\Temp\vmaxkxriyhvmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\vmaxkxriyhvmcrns.exe .
  2⤵
  - Checks computer location settings
  PID:6052
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\vmaxkxriyhvmcrns.exe*."
    3⤵
    PID:5444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
1⤵
PID:1444
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4868
- C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
  2⤵
  PID:1360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe .
1⤵
PID:4232
- C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4244
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\cujhvjewnxmevlion.exe*."
    3⤵
    PID:4576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqhhxnkexjaunfemnza.exe
1⤵
PID:1412
- C:\Windows\wqhhxnkexjaunfemnza.exe
  wqhhxnkexjaunfemnza.exe
  2⤵
  PID:4932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c leutixtmepfyqhfmmx.exe .
1⤵
PID:3888
- C:\Windows\leutixtmepfyqhfmmx.exe
  leutixtmepfyqhfmmx.exe .
  2⤵
  - Checks computer location settings
  PID:5540
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\leutixtmepfyqhfmmx.exe*."
    3⤵
    PID:5812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqhhxnkexjaunfemnza.exe
1⤵
PID:4972
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4980
- C:\Windows\wqhhxnkexjaunfemnza.exe
  wqhhxnkexjaunfemnza.exe
  2⤵
  PID:2112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cujhvjewnxmevlion.exe .
1⤵
PID:5760
- C:\Windows\cujhvjewnxmevlion.exe
  cujhvjewnxmevlion.exe .
  2⤵
  - Checks computer location settings
  PID:2860
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\cujhvjewnxmevlion.exe*."
    3⤵
    PID:2124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
1⤵
PID:2148
- C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
  C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
  2⤵
  PID:2676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe .
1⤵
PID:4516
- C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
  C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe .
  2⤵
  PID:2024
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\yunphzyupdwsnhisvjmib.exe*."
    3⤵
    PID:456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe
1⤵
PID:4908
- C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe
  C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe
  2⤵
  PID:4528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe .
1⤵
PID:1256
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1880
- C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe
  C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe .
  2⤵
  - Checks computer location settings
  PID:5580
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\jewxofdysfxsmffoqdfa.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqhhxnkexjaunfemnza.exe
1⤵
PID:2784
- C:\Windows\wqhhxnkexjaunfemnza.exe
  wqhhxnkexjaunfemnza.exe
  2⤵
  PID:5904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yunphzyupdwsnhisvjmib.exe .
1⤵
PID:5916
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5900
- C:\Windows\yunphzyupdwsnhisvjmib.exe
  yunphzyupdwsnhisvjmib.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4308
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\yunphzyupdwsnhisvjmib.exe*."
    3⤵
    PID:4748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqhhxnkexjaunfemnza.exe
1⤵
PID:4880
- C:\Windows\wqhhxnkexjaunfemnza.exe
  wqhhxnkexjaunfemnza.exe
  2⤵
  PID:4404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cujhvjewnxmevlion.exe .
1⤵
PID:5896
- C:\Windows\cujhvjewnxmevlion.exe
  cujhvjewnxmevlion.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2300
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\cujhvjewnxmevlion.exe*."
    3⤵
    PID:2292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe
1⤵
PID:4728
- C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe
  2⤵
  PID:3384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe .
1⤵
PID:4716
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4468
- C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe .
  2⤵
  - Checks computer location settings
  PID:5088
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\leutixtmepfyqhfmmx.exe*."
    3⤵
    PID:5920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe
1⤵
PID:5956
- C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe
  C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe
  2⤵
  PID:4896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe .
1⤵
PID:3488
- C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
  C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe .
  2⤵
  PID:3852
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\yunphzyupdwsnhisvjmib.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqhhxnkexjaunfemnza.exe
1⤵
PID:5132
- C:\Windows\wqhhxnkexjaunfemnza.exe
  wqhhxnkexjaunfemnza.exe
  2⤵
  PID:3808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c leutixtmepfyqhfmmx.exe .
1⤵
PID:4036
- C:\Windows\leutixtmepfyqhfmmx.exe
  leutixtmepfyqhfmmx.exe .
  2⤵
  - Checks computer location settings
  PID:5492
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\leutixtmepfyqhfmmx.exe*."
    3⤵
    PID:396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vmaxkxriyhvmcrns.exe
1⤵
PID:1528
- C:\Windows\vmaxkxriyhvmcrns.exe
  vmaxkxriyhvmcrns.exe
  2⤵
  PID:1068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vmaxkxriyhvmcrns.exe .
1⤵
PID:3424
- C:\Windows\vmaxkxriyhvmcrns.exe
  vmaxkxriyhvmcrns.exe .
  2⤵
  - Checks computer location settings
  PID:5812
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\vmaxkxriyhvmcrns.exe*."
    3⤵
    PID:3888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe
1⤵
PID:1036
- C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe
  C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe
  2⤵
  PID:3908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vmaxkxriyhvmcrns.exe .
1⤵
PID:1012
- C:\Users\Admin\AppData\Local\Temp\vmaxkxriyhvmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\vmaxkxriyhvmcrns.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5804
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\vmaxkxriyhvmcrns.exe*."
    3⤵
    PID:3692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
1⤵
PID:5168
- C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
  2⤵
  PID:4592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vmaxkxriyhvmcrns.exe .
1⤵
PID:1404
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1148
- C:\Users\Admin\AppData\Local\Temp\vmaxkxriyhvmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\vmaxkxriyhvmcrns.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2888
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\vmaxkxriyhvmcrns.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqhhxnkexjaunfemnza.exe
1⤵
PID:3108
- C:\Windows\wqhhxnkexjaunfemnza.exe
  wqhhxnkexjaunfemnza.exe
  2⤵
  PID:5580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cujhvjewnxmevlion.exe .
1⤵
PID:5332
- C:\Windows\cujhvjewnxmevlion.exe
  cujhvjewnxmevlion.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5456
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\cujhvjewnxmevlion.exe*."
    3⤵
    PID:4824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jewxofdysfxsmffoqdfa.exe
1⤵
PID:5792
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4944
- C:\Windows\jewxofdysfxsmffoqdfa.exe
  jewxofdysfxsmffoqdfa.exe
  2⤵
  PID:3468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jewxofdysfxsmffoqdfa.exe .
1⤵
PID:4584
- C:\Windows\jewxofdysfxsmffoqdfa.exe
  jewxofdysfxsmffoqdfa.exe .
  2⤵
  PID:1540
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\jewxofdysfxsmffoqdfa.exe*."
    3⤵
    PID:4852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
1⤵
PID:2008
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2288
- C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
  C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
  2⤵
  PID:5188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe .
1⤵
PID:3932
- C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe
  C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:312
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\jewxofdysfxsmffoqdfa.exe*."
    3⤵
    PID:5032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
1⤵
PID:1696
- C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
  C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
  2⤵
  PID:1968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe .
1⤵
PID:2728
- C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5368
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\cujhvjewnxmevlion.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jewxofdysfxsmffoqdfa.exe
1⤵
PID:5376
- C:\Windows\jewxofdysfxsmffoqdfa.exe
  jewxofdysfxsmffoqdfa.exe
  2⤵
  PID:5740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vmaxkxriyhvmcrns.exe .
1⤵
PID:1420
- C:\Windows\vmaxkxriyhvmcrns.exe
  vmaxkxriyhvmcrns.exe .
  2⤵
  PID:5336
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\vmaxkxriyhvmcrns.exe*."
    3⤵
    PID:4336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jewxofdysfxsmffoqdfa.exe
1⤵
PID:1644
- C:\Windows\jewxofdysfxsmffoqdfa.exe
  jewxofdysfxsmffoqdfa.exe
  2⤵
  PID:3068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c leutixtmepfyqhfmmx.exe .
1⤵
PID:4428
- C:\Windows\leutixtmepfyqhfmmx.exe
  leutixtmepfyqhfmmx.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4808
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\leutixtmepfyqhfmmx.exe*."
    3⤵
    PID:5628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe
1⤵
PID:232
- C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe
  C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe
  2⤵
  PID:4932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vmaxkxriyhvmcrns.exe .
1⤵
PID:4816
- C:\Users\Admin\AppData\Local\Temp\vmaxkxriyhvmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\vmaxkxriyhvmcrns.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4792
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\vmaxkxriyhvmcrns.exe*."
    3⤵
    PID:4864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vmaxkxriyhvmcrns.exe
1⤵
PID:1612
- C:\Users\Admin\AppData\Local\Temp\vmaxkxriyhvmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\vmaxkxriyhvmcrns.exe
  2⤵
  PID:3508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vmaxkxriyhvmcrns.exe .
1⤵
PID:1068
- C:\Users\Admin\AppData\Local\Temp\vmaxkxriyhvmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\vmaxkxriyhvmcrns.exe .
  2⤵
  - Checks computer location settings
  PID:5392
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\vmaxkxriyhvmcrns.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - System policy modification
    PID:4504

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yunphzyupdwsnhisvjmib.exe
1⤵
PID:2112
- C:\Windows\yunphzyupdwsnhisvjmib.exe
  yunphzyupdwsnhisvjmib.exe
  2⤵
  PID:2764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jewxofdysfxsmffoqdfa.exe .
1⤵
PID:2780
- C:\Windows\jewxofdysfxsmffoqdfa.exe
  jewxofdysfxsmffoqdfa.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2888
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\jewxofdysfxsmffoqdfa.exe*."
    3⤵
    PID:4528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c leutixtmepfyqhfmmx.exe
1⤵
PID:628
- C:\Windows\leutixtmepfyqhfmmx.exe
  leutixtmepfyqhfmmx.exe
  2⤵
  PID:1852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vmaxkxriyhvmcrns.exe .
1⤵
PID:4056
- C:\Windows\vmaxkxriyhvmcrns.exe
  vmaxkxriyhvmcrns.exe .
  2⤵
  PID:5972
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\vmaxkxriyhvmcrns.exe*."
    3⤵
    PID:2020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vmaxkxriyhvmcrns.exe
1⤵
PID:3968
- C:\Users\Admin\AppData\Local\Temp\vmaxkxriyhvmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\vmaxkxriyhvmcrns.exe
  2⤵
  PID:5456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe .
1⤵
PID:6068
- C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5940
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\leutixtmepfyqhfmmx.exe*."
    3⤵
    PID:6116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vmaxkxriyhvmcrns.exe
1⤵
PID:1184
- C:\Windows\vmaxkxriyhvmcrns.exe
  vmaxkxriyhvmcrns.exe
  2⤵
  PID:3904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cujhvjewnxmevlion.exe
1⤵
PID:2632
- C:\Windows\cujhvjewnxmevlion.exe
  cujhvjewnxmevlion.exe
  2⤵
  PID:3384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqhhxnkexjaunfemnza.exe .
1⤵
PID:4724
- C:\Windows\wqhhxnkexjaunfemnza.exe
  wqhhxnkexjaunfemnza.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5260
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\wqhhxnkexjaunfemnza.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
1⤵
PID:4308
- C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
  2⤵
  PID:5920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe .
1⤵
PID:5072
- C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe
  C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe .
  2⤵
  - Checks computer location settings
  PID:5532
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\jewxofdysfxsmffoqdfa.exe*."
    3⤵
    PID:3924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yunphzyupdwsnhisvjmib.exe .
1⤵
PID:3452
- C:\Windows\yunphzyupdwsnhisvjmib.exe
  yunphzyupdwsnhisvjmib.exe .
  2⤵
  - Checks computer location settings
  PID:4568
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\yunphzyupdwsnhisvjmib.exe*."
    3⤵
    PID:6052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yunphzyupdwsnhisvjmib.exe
1⤵
PID:1388
- C:\Windows\yunphzyupdwsnhisvjmib.exe
  yunphzyupdwsnhisvjmib.exe
  2⤵
  PID:4380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jewxofdysfxsmffoqdfa.exe .
1⤵
PID:2312
- C:\Windows\jewxofdysfxsmffoqdfa.exe
  jewxofdysfxsmffoqdfa.exe .
  2⤵
  - Checks computer location settings
  PID:5912
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\jewxofdysfxsmffoqdfa.exe*."
    3⤵
    PID:4972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c leutixtmepfyqhfmmx.exe
1⤵
PID:3368
- C:\Windows\leutixtmepfyqhfmmx.exe
  leutixtmepfyqhfmmx.exe
  2⤵
  PID:6096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vmaxkxriyhvmcrns.exe
1⤵
PID:5740
- C:\Users\Admin\AppData\Local\Temp\vmaxkxriyhvmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\vmaxkxriyhvmcrns.exe
  2⤵
  PID:2272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vmaxkxriyhvmcrns.exe .
1⤵
PID:5320
- C:\Windows\vmaxkxriyhvmcrns.exe
  vmaxkxriyhvmcrns.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:912
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\vmaxkxriyhvmcrns.exe*."
    3⤵
    PID:6104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe .
1⤵
PID:1040
- C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe
  C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe .
  2⤵
  PID:5536
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\wqhhxnkexjaunfemnza.exe*."
    3⤵
    PID:5456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe
1⤵
PID:6088
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3892
- C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe
  2⤵
  PID:3200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe .
1⤵
PID:1420
- C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe
  C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:380
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\wqhhxnkexjaunfemnza.exe*."
    3⤵
    PID:2888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vmaxkxriyhvmcrns.exe
1⤵
PID:4024
- C:\Users\Admin\AppData\Local\Temp\vmaxkxriyhvmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\vmaxkxriyhvmcrns.exe
  2⤵
  PID:1148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
1⤵
PID:5344
- C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
  2⤵
  PID:5924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe .
1⤵
PID:6120
- C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1080
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\leutixtmepfyqhfmmx.exe*."
    3⤵
    PID:3444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqhhxnkexjaunfemnza.exe
1⤵
PID:228
- C:\Windows\wqhhxnkexjaunfemnza.exe
  wqhhxnkexjaunfemnza.exe
  2⤵
  PID:5404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe .
1⤵
PID:1240
- C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2404
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\cujhvjewnxmevlion.exe*."
    3⤵
    PID:4936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqhhxnkexjaunfemnza.exe .
1⤵
PID:2764
- C:\Windows\wqhhxnkexjaunfemnza.exe
  wqhhxnkexjaunfemnza.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:592
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\wqhhxnkexjaunfemnza.exe*."
    3⤵
    PID:6068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jewxofdysfxsmffoqdfa.exe
1⤵
PID:1308
- C:\Windows\jewxofdysfxsmffoqdfa.exe
  jewxofdysfxsmffoqdfa.exe
  2⤵
  PID:1184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vmaxkxriyhvmcrns.exe .
1⤵
PID:3196
- C:\Windows\vmaxkxriyhvmcrns.exe
  vmaxkxriyhvmcrns.exe .
  2⤵
  PID:6116
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\vmaxkxriyhvmcrns.exe*."
    3⤵
    PID:4448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
1⤵
PID:1524
- C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
  2⤵
  PID:3208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe .
1⤵
PID:4012
- C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5808
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\cujhvjewnxmevlion.exe*."
    3⤵
    PID:1968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe
1⤵
PID:3260
- C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe
  2⤵
  PID:3592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe .
1⤵
PID:5908
- C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe .
  2⤵
  - Checks computer location settings
  PID:4856
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\leutixtmepfyqhfmmx.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jewxofdysfxsmffoqdfa.exe
1⤵
PID:5556
- C:\Windows\jewxofdysfxsmffoqdfa.exe
  jewxofdysfxsmffoqdfa.exe
  2⤵
  PID:4048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vmaxkxriyhvmcrns.exe .
1⤵
PID:3380
- C:\Windows\vmaxkxriyhvmcrns.exe
  vmaxkxriyhvmcrns.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4836
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\vmaxkxriyhvmcrns.exe*."
    3⤵
    PID:3932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jewxofdysfxsmffoqdfa.exe
1⤵
PID:224
- C:\Windows\jewxofdysfxsmffoqdfa.exe
  jewxofdysfxsmffoqdfa.exe
  2⤵
  PID:5572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yunphzyupdwsnhisvjmib.exe .
1⤵
PID:2300
- C:\Windows\yunphzyupdwsnhisvjmib.exe
  yunphzyupdwsnhisvjmib.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4756
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\yunphzyupdwsnhisvjmib.exe*."
    3⤵
    PID:2576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
1⤵
PID:3584
- C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
  C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
  2⤵
  PID:1476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe .
1⤵
PID:4580
- C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
  C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5800
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\yunphzyupdwsnhisvjmib.exe*."
    3⤵
    PID:4200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe
1⤵
PID:4592
- C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe
  2⤵
  PID:2292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe .
1⤵
PID:884
- C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe
  C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1616
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\wqhhxnkexjaunfemnza.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cujhvjewnxmevlion.exe
1⤵
PID:5132
- C:\Windows\cujhvjewnxmevlion.exe
  cujhvjewnxmevlion.exe
  2⤵
  PID:4128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c leutixtmepfyqhfmmx.exe .
1⤵
PID:3444
- C:\Windows\leutixtmepfyqhfmmx.exe
  leutixtmepfyqhfmmx.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1532
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\leutixtmepfyqhfmmx.exe*."
    3⤵
    PID:4632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqhhxnkexjaunfemnza.exe
1⤵
PID:1572
- C:\Windows\wqhhxnkexjaunfemnza.exe
  wqhhxnkexjaunfemnza.exe
  2⤵
  PID:5332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jewxofdysfxsmffoqdfa.exe .
1⤵
PID:4028
- C:\Windows\jewxofdysfxsmffoqdfa.exe
  jewxofdysfxsmffoqdfa.exe .
  2⤵
  PID:5728
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\jewxofdysfxsmffoqdfa.exe*."
    3⤵
    PID:5708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
1⤵
PID:5020
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:456
- C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
  C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
  2⤵
  PID:2764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe .
1⤵
PID:5032
- C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6124
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\cujhvjewnxmevlion.exe*."
    3⤵
    PID:3124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe
1⤵
PID:4008
- C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe
  C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe
  2⤵
  PID:2772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe .
1⤵
PID:3156
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1968
- C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
  C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1360
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\yunphzyupdwsnhisvjmib.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c leutixtmepfyqhfmmx.exe
1⤵
PID:4716
- C:\Windows\leutixtmepfyqhfmmx.exe
  leutixtmepfyqhfmmx.exe
  2⤵
  PID:5024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yunphzyupdwsnhisvjmib.exe .
1⤵
PID:6128
- C:\Windows\yunphzyupdwsnhisvjmib.exe
  yunphzyupdwsnhisvjmib.exe .
  2⤵
  - Checks computer location settings
  PID:2792
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\yunphzyupdwsnhisvjmib.exe*."
    3⤵
    PID:408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c leutixtmepfyqhfmmx.exe
1⤵
PID:396
- C:\Windows\leutixtmepfyqhfmmx.exe
  leutixtmepfyqhfmmx.exe
  2⤵
  PID:3932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cujhvjewnxmevlion.exe .
1⤵
PID:2272
- C:\Windows\cujhvjewnxmevlion.exe
  cujhvjewnxmevlion.exe .
  2⤵
  PID:1628
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\cujhvjewnxmevlion.exe*."
    3⤵
    PID:3908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe
1⤵
PID:732
- C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe
  2⤵
  PID:5748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe .
1⤵
PID:2748
- C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe
  C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5952
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\wqhhxnkexjaunfemnza.exe*."
    3⤵
    PID:2300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vmaxkxriyhvmcrns.exe
1⤵
PID:5540
- C:\Users\Admin\AppData\Local\Temp\vmaxkxriyhvmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\vmaxkxriyhvmcrns.exe
  2⤵
  PID:5152

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:6104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vmaxkxriyhvmcrns.exe .
1⤵
PID:1656
- C:\Users\Admin\AppData\Local\Temp\vmaxkxriyhvmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\vmaxkxriyhvmcrns.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1036
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\vmaxkxriyhvmcrns.exe*."
    3⤵
    PID:4536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jewxofdysfxsmffoqdfa.exe
1⤵
PID:2312
- C:\Windows\jewxofdysfxsmffoqdfa.exe
  jewxofdysfxsmffoqdfa.exe
  2⤵
  PID:3632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vmaxkxriyhvmcrns.exe .
1⤵
PID:3468
- C:\Windows\vmaxkxriyhvmcrns.exe
  vmaxkxriyhvmcrns.exe .
  2⤵
  PID:5384
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\vmaxkxriyhvmcrns.exe*."
    3⤵
    PID:2404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqhhxnkexjaunfemnza.exe
1⤵
PID:5972
- C:\Windows\wqhhxnkexjaunfemnza.exe
  wqhhxnkexjaunfemnza.exe
  2⤵
  PID:5168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqhhxnkexjaunfemnza.exe .
1⤵
PID:3568
- C:\Windows\wqhhxnkexjaunfemnza.exe
  wqhhxnkexjaunfemnza.exe .
  2⤵
  PID:6072
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\wqhhxnkexjaunfemnza.exe*."
    3⤵
    PID:228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe
1⤵
PID:3224
- C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe
  C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe
  2⤵
  PID:4708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe .
1⤵
PID:1720
- C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe .
  2⤵
  PID:5596
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\leutixtmepfyqhfmmx.exe*."
    3⤵
    PID:4588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe
1⤵
PID:3384
- C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe
  C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe
  2⤵
  PID:4044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe .
1⤵
PID:5708
- C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe .
  2⤵
  PID:3928
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\cujhvjewnxmevlion.exe*."
    3⤵
    PID:4748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c leutixtmepfyqhfmmx.exe
1⤵
PID:5884
- C:\Windows\leutixtmepfyqhfmmx.exe
  leutixtmepfyqhfmmx.exe
  2⤵
  PID:5100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yunphzyupdwsnhisvjmib.exe .
1⤵
PID:2620
- C:\Windows\yunphzyupdwsnhisvjmib.exe
  yunphzyupdwsnhisvjmib.exe .
  2⤵
  PID:3992
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\yunphzyupdwsnhisvjmib.exe*."
    3⤵
    PID:2640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vmaxkxriyhvmcrns.exe
1⤵
PID:3188
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4336
- C:\Windows\vmaxkxriyhvmcrns.exe
  vmaxkxriyhvmcrns.exe
  2⤵
  PID:4932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vmaxkxriyhvmcrns.exe .
1⤵
PID:5136
- C:\Windows\vmaxkxriyhvmcrns.exe
  vmaxkxriyhvmcrns.exe .
  2⤵
  PID:1856
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\vmaxkxriyhvmcrns.exe*."
    3⤵
    PID:3932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe
1⤵
PID:4716
- C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe
  2⤵
  PID:3996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe .
1⤵
PID:4428
- C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe .
  2⤵
  PID:2172
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\cujhvjewnxmevlion.exe*."
    3⤵
    PID:3492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe
1⤵
PID:2380
- C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe
  C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe
  2⤵
  PID:3844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe .
1⤵
PID:5944
- C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe .
  2⤵
  PID:4404
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\cujhvjewnxmevlion.exe*."
    3⤵
    PID:5000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yunphzyupdwsnhisvjmib.exe
1⤵
PID:4972
- C:\Windows\yunphzyupdwsnhisvjmib.exe
  yunphzyupdwsnhisvjmib.exe
  2⤵
  PID:4516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c leutixtmepfyqhfmmx.exe .
1⤵
PID:2248
- C:\Windows\leutixtmepfyqhfmmx.exe
  leutixtmepfyqhfmmx.exe .
  2⤵
  PID:1240
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\leutixtmepfyqhfmmx.exe*."
    3⤵
    PID:4592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cujhvjewnxmevlion.exe
1⤵
PID:5004
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1448
- C:\Windows\cujhvjewnxmevlion.exe
  cujhvjewnxmevlion.exe
  2⤵
  PID:1036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cujhvjewnxmevlion.exe .
1⤵
PID:4580
- C:\Windows\cujhvjewnxmevlion.exe
  cujhvjewnxmevlion.exe .
  2⤵
  PID:1452
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\cujhvjewnxmevlion.exe*."
    3⤵
    PID:5500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vmaxkxriyhvmcrns.exe
1⤵
PID:4896
- C:\Windows\vmaxkxriyhvmcrns.exe
  vmaxkxriyhvmcrns.exe
  2⤵
  PID:3468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vmaxkxriyhvmcrns.exe
1⤵
PID:2736
- C:\Users\Admin\AppData\Local\Temp\vmaxkxriyhvmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\vmaxkxriyhvmcrns.exe
  2⤵
  PID:3348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c leutixtmepfyqhfmmx.exe
1⤵
PID:3572
- C:\Windows\leutixtmepfyqhfmmx.exe
  leutixtmepfyqhfmmx.exe
  2⤵
  PID:5244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe .
1⤵
PID:2472
- C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
  C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe .
  2⤵
  PID:3712
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\yunphzyupdwsnhisvjmib.exe*."
    3⤵
    PID:1280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cujhvjewnxmevlion.exe .
1⤵
PID:4120
- C:\Windows\cujhvjewnxmevlion.exe
  cujhvjewnxmevlion.exe .
  2⤵
  PID:2540
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\cujhvjewnxmevlion.exe*."
    3⤵
    PID:3592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jewxofdysfxsmffoqdfa.exe .
1⤵
PID:4492
- C:\Windows\jewxofdysfxsmffoqdfa.exe
  jewxofdysfxsmffoqdfa.exe .
  2⤵
  PID:2688
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\jewxofdysfxsmffoqdfa.exe*."
    3⤵
    PID:3132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
1⤵
PID:3444
- C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
  2⤵
  PID:3188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yunphzyupdwsnhisvjmib.exe
1⤵
PID:4632
- C:\Windows\yunphzyupdwsnhisvjmib.exe
  yunphzyupdwsnhisvjmib.exe
  2⤵
  PID:824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe .
1⤵
PID:5596
- C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe
  C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe .
  2⤵
  PID:4644
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\jewxofdysfxsmffoqdfa.exe*."
    3⤵
    PID:4664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c leutixtmepfyqhfmmx.exe
1⤵
PID:400
- C:\Windows\leutixtmepfyqhfmmx.exe
  leutixtmepfyqhfmmx.exe
  2⤵
  PID:1612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vmaxkxriyhvmcrns.exe .
1⤵
PID:4372
- C:\Windows\vmaxkxriyhvmcrns.exe
  vmaxkxriyhvmcrns.exe .
  2⤵
  PID:4836
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\vmaxkxriyhvmcrns.exe*."
    3⤵
    PID:3380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cujhvjewnxmevlion.exe .
1⤵
PID:4732
- C:\Windows\cujhvjewnxmevlion.exe
  cujhvjewnxmevlion.exe .
  2⤵
  PID:4604
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\cujhvjewnxmevlion.exe*."
    3⤵
    PID:1644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
1⤵
PID:3928
- C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
  2⤵
  PID:3184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
1⤵
PID:5100
- C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
  2⤵
  PID:4404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe .
1⤵
PID:4008
- C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe .
  2⤵
  PID:224
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\cujhvjewnxmevlion.exe*."
    3⤵
    PID:4160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe .
1⤵
PID:760
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1808
- C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe
  C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe .
  2⤵
  PID:4792
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\jewxofdysfxsmffoqdfa.exe*."
    3⤵
    PID:1148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
1⤵
PID:5204
- C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
  C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
  2⤵
  PID:4468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe .
1⤵
PID:4408
- C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
  C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe .
  2⤵
  PID:3888
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\yunphzyupdwsnhisvjmib.exe*."
    3⤵
    PID:1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe
1⤵
PID:5604
- C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe
  C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe
  2⤵
  PID:5780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe .
1⤵
PID:5136
- C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe
  C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe .
  2⤵
  PID:4376
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\jewxofdysfxsmffoqdfa.exe*."
    3⤵
    PID:5924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c leutixtmepfyqhfmmx.exe
1⤵
PID:5676
- C:\Windows\leutixtmepfyqhfmmx.exe
  leutixtmepfyqhfmmx.exe
  2⤵
  PID:2292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqhhxnkexjaunfemnza.exe .
1⤵
PID:4532
- C:\Windows\wqhhxnkexjaunfemnza.exe
  wqhhxnkexjaunfemnza.exe .
  2⤵
  PID:4044
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\wqhhxnkexjaunfemnza.exe*."
    3⤵
    PID:4536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c leutixtmepfyqhfmmx.exe
1⤵
PID:5576
- C:\Windows\leutixtmepfyqhfmmx.exe
  leutixtmepfyqhfmmx.exe
  2⤵
  PID:4720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yunphzyupdwsnhisvjmib.exe .
1⤵
PID:5864
- C:\Windows\yunphzyupdwsnhisvjmib.exe
  yunphzyupdwsnhisvjmib.exe .
  2⤵
  PID:5288
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\yunphzyupdwsnhisvjmib.exe*."
    3⤵
    PID:1616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe
1⤵
PID:3596
- C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe
  C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe
  2⤵
  PID:2736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe .
1⤵
PID:5936
- C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe
  C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe .
  2⤵
  PID:5168
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\wqhhxnkexjaunfemnza.exe*."
    3⤵
    PID:4756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
1⤵
PID:4560
- C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
  C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
  2⤵
  PID:312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe .
1⤵
PID:5332
- C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe .
  2⤵
  PID:3104
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\cujhvjewnxmevlion.exe*."
    3⤵
    PID:2688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yunphzyupdwsnhisvjmib.exe
1⤵
PID:5860
- C:\Windows\yunphzyupdwsnhisvjmib.exe
  yunphzyupdwsnhisvjmib.exe
  2⤵
  PID:3776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqhhxnkexjaunfemnza.exe .
1⤵
PID:5684
- C:\Windows\wqhhxnkexjaunfemnza.exe
  wqhhxnkexjaunfemnza.exe .
  2⤵
  PID:1208
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\wqhhxnkexjaunfemnza.exe*."
    3⤵
    PID:5260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c leutixtmepfyqhfmmx.exe
1⤵
PID:4868
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3908
- C:\Windows\leutixtmepfyqhfmmx.exe
  leutixtmepfyqhfmmx.exe
  2⤵
  PID:3692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cujhvjewnxmevlion.exe .
1⤵
PID:1084
- C:\Windows\cujhvjewnxmevlion.exe
  cujhvjewnxmevlion.exe .
  2⤵
  PID:1972
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\cujhvjewnxmevlion.exe*."
    3⤵
    PID:2272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
1⤵
PID:3052
- C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
  C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
  2⤵
  PID:1184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe .
1⤵
PID:5664
- C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe .
  2⤵
  PID:4832
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\leutixtmepfyqhfmmx.exe*."
    3⤵
    PID:5464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
1⤵
PID:1644
- C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
  C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
  2⤵
  PID:4540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe .
1⤵
PID:4648
- C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
  C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe .
  2⤵
  PID:3424
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\yunphzyupdwsnhisvjmib.exe*."
    3⤵
    PID:3156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cujhvjewnxmevlion.exe
1⤵
PID:5248
- C:\Windows\cujhvjewnxmevlion.exe
  cujhvjewnxmevlion.exe
  2⤵
  PID:2380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cujhvjewnxmevlion.exe .
1⤵
PID:4040
- C:\Windows\cujhvjewnxmevlion.exe
  cujhvjewnxmevlion.exe .
  2⤵
  PID:3532
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\cujhvjewnxmevlion.exe*."
    3⤵
    PID:2092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqhhxnkexjaunfemnza.exe
1⤵
PID:3852
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3068
- C:\Windows\wqhhxnkexjaunfemnza.exe
  wqhhxnkexjaunfemnza.exe
  2⤵
  PID:1540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yunphzyupdwsnhisvjmib.exe .
1⤵
PID:6060
- C:\Windows\yunphzyupdwsnhisvjmib.exe
  yunphzyupdwsnhisvjmib.exe .
  2⤵
  PID:1440
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\yunphzyupdwsnhisvjmib.exe*."
    3⤵
    PID:4752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe
1⤵
PID:2912
- C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe
  C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe
  2⤵
  PID:5476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe .
1⤵
PID:5668
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4932
- C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe
  C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe .
  2⤵
  PID:5576
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\jewxofdysfxsmffoqdfa.exe*."
    3⤵
    PID:2444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe
1⤵
PID:4408
- C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe
  C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe
  2⤵
  PID:2700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe .
1⤵
PID:3492
- C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
  C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe .
  2⤵
  PID:3596
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\yunphzyupdwsnhisvjmib.exe*."
    3⤵
    PID:5804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vmaxkxriyhvmcrns.exe
1⤵
PID:3628
- C:\Windows\vmaxkxriyhvmcrns.exe
  vmaxkxriyhvmcrns.exe
  2⤵
  PID:2920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yunphzyupdwsnhisvjmib.exe .
1⤵
PID:4044
- C:\Windows\yunphzyupdwsnhisvjmib.exe
  yunphzyupdwsnhisvjmib.exe .
  2⤵
  PID:6140
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\yunphzyupdwsnhisvjmib.exe*."
    3⤵
    PID:4804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jewxofdysfxsmffoqdfa.exe
1⤵
PID:6032
- C:\Windows\jewxofdysfxsmffoqdfa.exe
  jewxofdysfxsmffoqdfa.exe
  2⤵
  PID:2728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jewxofdysfxsmffoqdfa.exe .
1⤵
PID:3124
- C:\Windows\jewxofdysfxsmffoqdfa.exe
  jewxofdysfxsmffoqdfa.exe .
  2⤵
  PID:2596
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\jewxofdysfxsmffoqdfa.exe*."
    3⤵
    PID:4120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe
1⤵
PID:5332
- C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe
  C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe
  2⤵
  PID:232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe .
1⤵
PID:5380
- C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe .
  2⤵
  PID:3820
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\cujhvjewnxmevlion.exe*."
    3⤵
    PID:4492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vmaxkxriyhvmcrns.exe
1⤵
PID:1476
- C:\Users\Admin\AppData\Local\Temp\vmaxkxriyhvmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\vmaxkxriyhvmcrns.exe
  2⤵
  PID:412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe .
1⤵
PID:4836
- C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe
  C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe .
  2⤵
  PID:1612
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\wqhhxnkexjaunfemnza.exe*."
    3⤵
    PID:1068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yunphzyupdwsnhisvjmib.exe
1⤵
PID:1972
- C:\Windows\yunphzyupdwsnhisvjmib.exe
  yunphzyupdwsnhisvjmib.exe
  2⤵
  PID:3996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqhhxnkexjaunfemnza.exe .
1⤵
PID:1720
- C:\Windows\wqhhxnkexjaunfemnza.exe
  wqhhxnkexjaunfemnza.exe .
  2⤵
  PID:5252
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\wqhhxnkexjaunfemnza.exe*."
    3⤵
    PID:5496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqhhxnkexjaunfemnza.exe
1⤵
PID:2748
- C:\Windows\wqhhxnkexjaunfemnza.exe
  wqhhxnkexjaunfemnza.exe
  2⤵
  PID:1292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cujhvjewnxmevlion.exe .
1⤵
PID:2956
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3808
- C:\Windows\cujhvjewnxmevlion.exe
  cujhvjewnxmevlion.exe .
  2⤵
  PID:2688
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\cujhvjewnxmevlion.exe*."
    3⤵
    PID:4516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
1⤵
PID:5956
- C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
  C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
  2⤵
  PID:3368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe .
1⤵
PID:2356
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4504
- C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
  C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe .
  2⤵
  PID:5724
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\yunphzyupdwsnhisvjmib.exe*."
    3⤵
    PID:3172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe
1⤵
PID:4792
- C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe
  C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe
  2⤵
  PID:5708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe .
1⤵
PID:5512
- C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe
  C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe .
  2⤵
  PID:4716
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\wqhhxnkexjaunfemnza.exe*."
    3⤵
    PID:1380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yunphzyupdwsnhisvjmib.exe
1⤵
PID:3400
- C:\Windows\yunphzyupdwsnhisvjmib.exe
  yunphzyupdwsnhisvjmib.exe
  2⤵
  PID:4748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cujhvjewnxmevlion.exe .
1⤵
PID:1440
- C:\Windows\cujhvjewnxmevlion.exe
  cujhvjewnxmevlion.exe .
  2⤵
  PID:5920
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\cujhvjewnxmevlion.exe*."
    3⤵
    PID:4568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yunphzyupdwsnhisvjmib.exe
1⤵
PID:2148
- C:\Windows\yunphzyupdwsnhisvjmib.exe
  yunphzyupdwsnhisvjmib.exe
  2⤵
  PID:5668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqhhxnkexjaunfemnza.exe .
1⤵
PID:2444
- C:\Windows\wqhhxnkexjaunfemnza.exe
  wqhhxnkexjaunfemnza.exe .
  2⤵
  PID:6108
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\wqhhxnkexjaunfemnza.exe*."
    3⤵
    PID:3828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe
1⤵
PID:4260
- C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe
  C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe
  2⤵
  PID:4668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe .
1⤵
PID:3524
- C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe .
  2⤵
  PID:4828
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\leutixtmepfyqhfmmx.exe*."
    3⤵
    PID:3652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe
1⤵
PID:5140
- C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe
  C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe
  2⤵
  PID:228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe .
1⤵
PID:5936
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4852
- C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe
  C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe .
  2⤵
  PID:312
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\jewxofdysfxsmffoqdfa.exe*."
    3⤵
    PID:1308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c leutixtmepfyqhfmmx.exe
1⤵
PID:2056
- C:\Windows\leutixtmepfyqhfmmx.exe
  leutixtmepfyqhfmmx.exe
  2⤵
  PID:1404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c leutixtmepfyqhfmmx.exe
1⤵
PID:5484
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4044
- C:\Windows\leutixtmepfyqhfmmx.exe
  leutixtmepfyqhfmmx.exe
  2⤵
  PID:3132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jewxofdysfxsmffoqdfa.exe .
1⤵
PID:2020
- C:\Windows\jewxofdysfxsmffoqdfa.exe
  jewxofdysfxsmffoqdfa.exe .
  2⤵
  PID:5824
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\jewxofdysfxsmffoqdfa.exe*."
    3⤵
    PID:5832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cujhvjewnxmevlion.exe .
1⤵
PID:3188
- C:\Windows\cujhvjewnxmevlion.exe
  cujhvjewnxmevlion.exe .
  2⤵
  PID:3568
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\cujhvjewnxmevlion.exe*."
    3⤵
    PID:4604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c leutixtmepfyqhfmmx.exe
1⤵
PID:5756
- C:\Windows\leutixtmepfyqhfmmx.exe
  leutixtmepfyqhfmmx.exe
  2⤵
  PID:4060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yunphzyupdwsnhisvjmib.exe .
1⤵
PID:3820
- C:\Windows\yunphzyupdwsnhisvjmib.exe
  yunphzyupdwsnhisvjmib.exe .
  2⤵
  PID:5944
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\yunphzyupdwsnhisvjmib.exe*."
    3⤵
    PID:1916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vmaxkxriyhvmcrns.exe
1⤵
PID:756
- C:\Windows\vmaxkxriyhvmcrns.exe
  vmaxkxriyhvmcrns.exe
  2⤵
  PID:868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c leutixtmepfyqhfmmx.exe
1⤵
PID:4812
- C:\Windows\leutixtmepfyqhfmmx.exe
  leutixtmepfyqhfmmx.exe
  2⤵
  PID:4900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
1⤵
PID:5804
- C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
  2⤵
  PID:2300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqhhxnkexjaunfemnza.exe .
1⤵
PID:3924
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:992
- C:\Windows\wqhhxnkexjaunfemnza.exe
  wqhhxnkexjaunfemnza.exe .
  2⤵
  PID:2292
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\wqhhxnkexjaunfemnza.exe*."
    3⤵
    PID:4936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe .
1⤵
PID:112
- C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe
  C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe .
  2⤵
  PID:2956
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\wqhhxnkexjaunfemnza.exe*."
    3⤵
    PID:2996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe
1⤵
PID:5748
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1628
- C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe
  C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe
  2⤵
  PID:6140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vmaxkxriyhvmcrns.exe .
1⤵
PID:4380
- C:\Windows\vmaxkxriyhvmcrns.exe
  vmaxkxriyhvmcrns.exe .
  2⤵
  PID:4048
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\vmaxkxriyhvmcrns.exe*."
    3⤵
    PID:884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe .
1⤵
PID:6112
- C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
  C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe .
  2⤵
  PID:5724
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\yunphzyupdwsnhisvjmib.exe*."
    3⤵
    PID:5276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
1⤵
PID:5188
- C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
  2⤵
  PID:5152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqhhxnkexjaunfemnza.exe
1⤵
PID:1396
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2860
- C:\Windows\wqhhxnkexjaunfemnza.exe
  wqhhxnkexjaunfemnza.exe
  2⤵
  PID:32

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe .
1⤵
PID:3452
- C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe .
  2⤵
  PID:1036
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\leutixtmepfyqhfmmx.exe*."
    3⤵
    PID:5732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
1⤵
PID:1148
- C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
  2⤵
  PID:628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yunphzyupdwsnhisvjmib.exe .
1⤵
PID:5596
- C:\Windows\yunphzyupdwsnhisvjmib.exe
  yunphzyupdwsnhisvjmib.exe .
  2⤵
  PID:5344
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\yunphzyupdwsnhisvjmib.exe*."
    3⤵
    PID:3596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
1⤵
PID:1540
- C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
  2⤵
  PID:1816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe .
1⤵
PID:5052
- C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe
  C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe .
  2⤵
  PID:1256
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\wqhhxnkexjaunfemnza.exe*."
    3⤵
    PID:5720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe .
1⤵
PID:760
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3468
- C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe
  C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe .
  2⤵
  PID:4728
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\wqhhxnkexjaunfemnza.exe*."
    3⤵
    PID:1880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe
1⤵
PID:4668
- C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe
  C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe
  2⤵
  PID:4756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vmaxkxriyhvmcrns.exe .
1⤵
PID:4408
- C:\Users\Admin\AppData\Local\Temp\vmaxkxriyhvmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\vmaxkxriyhvmcrns.exe .
  2⤵
  PID:2896
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\vmaxkxriyhvmcrns.exe*."
    3⤵
    PID:6088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vmaxkxriyhvmcrns.exe
1⤵
PID:5124
- C:\Windows\vmaxkxriyhvmcrns.exe
  vmaxkxriyhvmcrns.exe
  2⤵
  PID:5060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqhhxnkexjaunfemnza.exe .
1⤵
PID:5584
- C:\Windows\wqhhxnkexjaunfemnza.exe
  wqhhxnkexjaunfemnza.exe .
  2⤵
  PID:2540
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\wqhhxnkexjaunfemnza.exe*."
    3⤵
    PID:4768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cujhvjewnxmevlion.exe
1⤵
PID:5316
- C:\Windows\cujhvjewnxmevlion.exe
  cujhvjewnxmevlion.exe
  2⤵
  PID:1388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c leutixtmepfyqhfmmx.exe .
1⤵
PID:4868
- C:\Windows\leutixtmepfyqhfmmx.exe
  leutixtmepfyqhfmmx.exe .
  2⤵
  PID:1292
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\leutixtmepfyqhfmmx.exe*."
    3⤵
    PID:4012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe
1⤵
PID:3928
- C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe
  C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe
  2⤵
  PID:5900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe .
1⤵
PID:5756
- C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe .
  2⤵
  PID:3196
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\cujhvjewnxmevlion.exe*."
    3⤵
    PID:5944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
1⤵
PID:412
- C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
  C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
  2⤵
  PID:2004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe .
1⤵
PID:3844
- C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe .
  2⤵
  PID:2328
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\leutixtmepfyqhfmmx.exe*."
    3⤵
    PID:416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jewxofdysfxsmffoqdfa.exe
1⤵
PID:1964
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5336
- C:\Windows\jewxofdysfxsmffoqdfa.exe
  jewxofdysfxsmffoqdfa.exe
  2⤵
  PID:3236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jewxofdysfxsmffoqdfa.exe .
1⤵
PID:5536
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4748
- C:\Windows\jewxofdysfxsmffoqdfa.exe
  jewxofdysfxsmffoqdfa.exe .
  2⤵
  PID:3852
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\jewxofdysfxsmffoqdfa.exe*."
    3⤵
    PID:4624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c leutixtmepfyqhfmmx.exe
1⤵
PID:4472
- C:\Windows\leutixtmepfyqhfmmx.exe
  leutixtmepfyqhfmmx.exe
  2⤵
  PID:2900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqhhxnkexjaunfemnza.exe .
1⤵
PID:5496
- C:\Windows\wqhhxnkexjaunfemnza.exe
  wqhhxnkexjaunfemnza.exe .
  2⤵
  PID:4700
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\wqhhxnkexjaunfemnza.exe*."
    3⤵
    PID:5388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe
1⤵
PID:3924
- C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe
  C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe
  2⤵
  PID:6068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe .
1⤵
PID:3240
- C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe .
  2⤵
  PID:4760
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\cujhvjewnxmevlion.exe*."
    3⤵
    PID:2276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
1⤵
PID:1440
- C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
  2⤵
  PID:1308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe .
1⤵
PID:3348
- C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe
  C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe .
  2⤵
  PID:4580
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\wqhhxnkexjaunfemnza.exe*."
    3⤵
    PID:1584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c leutixtmepfyqhfmmx.exe
1⤵
PID:3956
- C:\Windows\leutixtmepfyqhfmmx.exe
  leutixtmepfyqhfmmx.exe
  2⤵
  PID:5216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yunphzyupdwsnhisvjmib.exe .
1⤵
PID:3400
- C:\Windows\yunphzyupdwsnhisvjmib.exe
  yunphzyupdwsnhisvjmib.exe .
  2⤵
  PID:3932
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\yunphzyupdwsnhisvjmib.exe*."
    3⤵
    PID:1312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c leutixtmepfyqhfmmx.exe
1⤵
PID:4616
- C:\Windows\leutixtmepfyqhfmmx.exe
  leutixtmepfyqhfmmx.exe
  2⤵
  PID:5720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqhhxnkexjaunfemnza.exe .
1⤵
PID:4068
- C:\Windows\wqhhxnkexjaunfemnza.exe
  wqhhxnkexjaunfemnza.exe .
  2⤵
  PID:2324
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\wqhhxnkexjaunfemnza.exe*."
    3⤵
    PID:5784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
1⤵
PID:4376
- C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
  C:\Users\Admin\AppData\Local\Temp\yunphzyupdwsnhisvjmib.exe
  2⤵
  PID:3084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vmaxkxriyhvmcrns.exe .
1⤵
PID:5824
- C:\Users\Admin\AppData\Local\Temp\vmaxkxriyhvmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\vmaxkxriyhvmcrns.exe .
  2⤵
  PID:4632
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\vmaxkxriyhvmcrns.exe*."
    3⤵
    PID:5972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe
1⤵
PID:2248
- C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe
  C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe
  2⤵
  PID:2140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe .
1⤵
PID:3524
- C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe
  C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe .
  2⤵
  PID:5748
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\jewxofdysfxsmffoqdfa.exe*."
    3⤵
    PID:1952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yunphzyupdwsnhisvjmib.exe
1⤵
PID:1280
- C:\Windows\yunphzyupdwsnhisvjmib.exe
  yunphzyupdwsnhisvjmib.exe
  2⤵
  PID:3132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jewxofdysfxsmffoqdfa.exe .
1⤵
PID:4536
- C:\Windows\jewxofdysfxsmffoqdfa.exe
  jewxofdysfxsmffoqdfa.exe .
  2⤵
  PID:632
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\jewxofdysfxsmffoqdfa.exe*."
    3⤵
    PID:5736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jewxofdysfxsmffoqdfa.exe
1⤵
PID:224
- C:\Windows\jewxofdysfxsmffoqdfa.exe
  jewxofdysfxsmffoqdfa.exe
  2⤵
  PID:4652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yunphzyupdwsnhisvjmib.exe .
1⤵
PID:1292
- C:\Windows\yunphzyupdwsnhisvjmib.exe
  yunphzyupdwsnhisvjmib.exe .
  2⤵
  PID:5708
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\yunphzyupdwsnhisvjmib.exe*."
    3⤵
    PID:2776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vmaxkxriyhvmcrns.exe
1⤵
PID:3668
- C:\Users\Admin\AppData\Local\Temp\vmaxkxriyhvmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\vmaxkxriyhvmcrns.exe
  2⤵
  PID:5204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vmaxkxriyhvmcrns.exe .
1⤵
PID:4508
- C:\Users\Admin\AppData\Local\Temp\vmaxkxriyhvmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\vmaxkxriyhvmcrns.exe .
  2⤵
  PID:412
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\vmaxkxriyhvmcrns.exe*."
    3⤵
    PID:2688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
1⤵
PID:4936
- C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
  2⤵
  PID:5844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe .
1⤵
PID:4664
- C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe
  C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe .
  2⤵
  PID:5724
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\jewxofdysfxsmffoqdfa.exe*."
    3⤵
    PID:5152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vmaxkxriyhvmcrns.exe
1⤵
PID:2992
- C:\Windows\vmaxkxriyhvmcrns.exe
  vmaxkxriyhvmcrns.exe
  2⤵
  PID:4048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vmaxkxriyhvmcrns.exe .
1⤵
PID:884
- C:\Windows\vmaxkxriyhvmcrns.exe
  vmaxkxriyhvmcrns.exe .
  2⤵
  PID:5368
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\vmaxkxriyhvmcrns.exe*."
    3⤵
    PID:820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cujhvjewnxmevlion.exe
1⤵
PID:5464
- C:\Windows\cujhvjewnxmevlion.exe
  cujhvjewnxmevlion.exe
  2⤵
  PID:6112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cujhvjewnxmevlion.exe .
1⤵
PID:4648
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5728
- C:\Windows\cujhvjewnxmevlion.exe
  cujhvjewnxmevlion.exe .
  2⤵
  PID:2216
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\cujhvjewnxmevlion.exe*."
    3⤵
    PID:2632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
1⤵
PID:5220
- C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
  2⤵
  PID:4992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe .
1⤵
PID:544
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1360
- C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe
  C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe .
  2⤵
  PID:5732
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\wqhhxnkexjaunfemnza.exe*."
    3⤵
    PID:1400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vmaxkxriyhvmcrns.exe
1⤵
PID:4728
- C:\Users\Admin\AppData\Local\Temp\vmaxkxriyhvmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\vmaxkxriyhvmcrns.exe
  2⤵
  PID:3172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe .
1⤵
PID:2472
- C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\leutixtmepfyqhfmmx.exe .
  2⤵
  PID:4104
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\leutixtmepfyqhfmmx.exe*."
    3⤵
    PID:3952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cujhvjewnxmevlion.exe
1⤵
PID:5404
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3888
- C:\Windows\cujhvjewnxmevlion.exe
  cujhvjewnxmevlion.exe
  2⤵
  PID:3200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqhhxnkexjaunfemnza.exe .
1⤵
PID:4716
- C:\Windows\wqhhxnkexjaunfemnza.exe
  wqhhxnkexjaunfemnza.exe .
  2⤵
  PID:5116
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\wqhhxnkexjaunfemnza.exe*."
    3⤵
    PID:3116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cujhvjewnxmevlion.exe
1⤵
PID:3400
- C:\Windows\cujhvjewnxmevlion.exe
  cujhvjewnxmevlion.exe
  2⤵
  PID:2784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cujhvjewnxmevlion.exe .
1⤵
PID:5860
- C:\Windows\cujhvjewnxmevlion.exe
  cujhvjewnxmevlion.exe .
  2⤵
  PID:5200
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\cujhvjewnxmevlion.exe*."
    3⤵
    PID:2140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vmaxkxriyhvmcrns.exe
1⤵
PID:4708
- C:\Users\Admin\AppData\Local\Temp\vmaxkxriyhvmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\vmaxkxriyhvmcrns.exe
  2⤵
  PID:2700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe .
1⤵
PID:2732
- C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe .
  2⤵
  PID:1648
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\cujhvjewnxmevlion.exe*."
    3⤵
    PID:2528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yunphzyupdwsnhisvjmib.exe
1⤵
PID:4828
- C:\Windows\yunphzyupdwsnhisvjmib.exe
  yunphzyupdwsnhisvjmib.exe
  2⤵
  PID:5000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jewxofdysfxsmffoqdfa.exe
1⤵
PID:1932
- C:\Windows\jewxofdysfxsmffoqdfa.exe
  jewxofdysfxsmffoqdfa.exe
  2⤵
  PID:1624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe
1⤵
PID:3524
- C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe
  C:\Users\Admin\AppData\Local\Temp\jewxofdysfxsmffoqdfa.exe
  2⤵
  PID:4680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jewxofdysfxsmffoqdfa.exe .
1⤵
PID:1388
- C:\Windows\jewxofdysfxsmffoqdfa.exe
  jewxofdysfxsmffoqdfa.exe .
  2⤵
  PID:2748
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\jewxofdysfxsmffoqdfa.exe*."
    3⤵
    PID:756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe .
1⤵
PID:2596
- C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe
  C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe .
  2⤵
  PID:1788
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\wqhhxnkexjaunfemnza.exe*."
    3⤵
    PID:460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c leutixtmepfyqhfmmx.exe .
1⤵
PID:6116
- C:\Windows\leutixtmepfyqhfmmx.exe
  leutixtmepfyqhfmmx.exe .
  2⤵
  PID:4464
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\leutixtmepfyqhfmmx.exe*."
    3⤵
    PID:3584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cujhvjewnxmevlion.exe
1⤵
PID:5020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c leutixtmepfyqhfmmx.exe .
1⤵
PID:4604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cujhvjewnxmevlion.exe
1⤵
PID:2676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqhhxnkexjaunfemnza.exe
1⤵
PID:5252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vmaxkxriyhvmcrns.exe .
1⤵
PID:2688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe .
1⤵
PID:2004
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cujhvjewnxmevlion.exe
1⤵
PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Safe Mode Boot

T1562.009

Modify Registry