pykspa | a8b7dd0803b23353719c57aa2a57b6124e5aceb16da43b803b146f4e28a1f921

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	jqadgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	jqadgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe

Pykspa
Pykspa is a worm spreads via Skype uses DGA and it's written in C++.
worm pykspa
Pykspa family
pykspa

UAC bypass 3 TTPs 30 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jqadgl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jqadgl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	jqadgl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	jqadgl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	jqadgl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	jqadgl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	jqadgl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	jqadgl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe

Detect Pykspa worm 2 IoCs

worm

resource	yara_rule
behavioral2/files/0x0008000000024212-4.dat	family_pykspa
behavioral2/files/0x00320000000240e0-84.dat	family_pykspa

Adds policy Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cmzfltgqv = "cupdrhcuhxmevlion.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cmzfltgqv = "wqndtlicrjaunfemnza.exe"	jqadgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cmzfltgqv = "vmgtgvpgshvmcrns.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cmzfltgqv = "vmgtgvpgshvmcrns.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cmzfltgqv = "jectkdbwmfxsmffoqdfa.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jqadgl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yutldxwsjdwsnhisvjmih.exe"	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cmzfltgqv = "cupdrhcuhxmevlion.exe"	jqadgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jqadgl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cupdrhcuhxmevlion.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jqadgl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cupdrhcuhxmevlion.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jqadgl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yutldxwsjdwsnhisvjmih.exe"	jqadgl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jqadgl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\leapevrkypfyqhfmmx.exe"	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	jqadgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cmzfltgqv = "vmgtgvpgshvmcrns.exe"	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cmzfltgqv = "jectkdbwmfxsmffoqdfa.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cmzfltgqv = "wqndtlicrjaunfemnza.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cmzfltgqv = "yutldxwsjdwsnhisvjmih.exe"	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jqadgl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jectkdbwmfxsmffoqdfa.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jqadgl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wqndtlicrjaunfemnza.exe"	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jqadgl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yutldxwsjdwsnhisvjmih.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cmzfltgqv = "vmgtgvpgshvmcrns.exe"	jqadgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cmzfltgqv = "leapevrkypfyqhfmmx.exe"	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jqadgl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cupdrhcuhxmevlion.exe"	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	jqadgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cmzfltgqv = "vmgtgvpgshvmcrns.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cmzfltgqv = "vmgtgvpgshvmcrns.exe"	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cmzfltgqv = "cupdrhcuhxmevlion.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jqadgl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yutldxwsjdwsnhisvjmih.exe"	jqadgl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cmzfltgqv = "wqndtlicrjaunfemnza.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cmzfltgqv = "cupdrhcuhxmevlion.exe"	jqadgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jqadgl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\leapevrkypfyqhfmmx.exe"	jqadgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jqadgl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cupdrhcuhxmevlion.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cmzfltgqv = "jectkdbwmfxsmffoqdfa.exe"	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jqadgl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yutldxwsjdwsnhisvjmih.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cmzfltgqv = "cupdrhcuhxmevlion.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jqadgl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jectkdbwmfxsmffoqdfa.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jqadgl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wqndtlicrjaunfemnza.exe"	jqadgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jqadgl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cupdrhcuhxmevlion.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jqadgl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jectkdbwmfxsmffoqdfa.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jqadgl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yutldxwsjdwsnhisvjmih.exe"	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jqadgl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vmgtgvpgshvmcrns.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jqadgl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yutldxwsjdwsnhisvjmih.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jqadgl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vmgtgvpgshvmcrns.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cmzfltgqv = "leapevrkypfyqhfmmx.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jqadgl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yutldxwsjdwsnhisvjmih.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jqadgl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yutldxwsjdwsnhisvjmih.exe"	myjtkkdhwit.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
81	3552	Process not Found
83	3552	Process not Found

Disables RegEdit via registry modification 6 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	jqadgl.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	jqadgl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	jqadgl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	jqadgl.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	leapevrkypfyqhfmmx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	wqndtlicrjaunfemnza.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	vmgtgvpgshvmcrns.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	yutldxwsjdwsnhisvjmih.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	vmgtgvpgshvmcrns.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	vmgtgvpgshvmcrns.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	leapevrkypfyqhfmmx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	wqndtlicrjaunfemnza.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	cupdrhcuhxmevlion.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	wqndtlicrjaunfemnza.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	wqndtlicrjaunfemnza.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	wqndtlicrjaunfemnza.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	yutldxwsjdwsnhisvjmih.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	leapevrkypfyqhfmmx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	yutldxwsjdwsnhisvjmih.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	leapevrkypfyqhfmmx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	wqndtlicrjaunfemnza.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	yutldxwsjdwsnhisvjmih.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	jectkdbwmfxsmffoqdfa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	cupdrhcuhxmevlion.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	vmgtgvpgshvmcrns.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	wqndtlicrjaunfemnza.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	vmgtgvpgshvmcrns.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	vmgtgvpgshvmcrns.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	wqndtlicrjaunfemnza.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	leapevrkypfyqhfmmx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	leapevrkypfyqhfmmx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	wqndtlicrjaunfemnza.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	wqndtlicrjaunfemnza.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	cupdrhcuhxmevlion.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	yutldxwsjdwsnhisvjmih.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	jectkdbwmfxsmffoqdfa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	yutldxwsjdwsnhisvjmih.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	wqndtlicrjaunfemnza.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	cupdrhcuhxmevlion.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	vmgtgvpgshvmcrns.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	wqndtlicrjaunfemnza.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	vmgtgvpgshvmcrns.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	wqndtlicrjaunfemnza.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	cupdrhcuhxmevlion.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	vmgtgvpgshvmcrns.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	jectkdbwmfxsmffoqdfa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	yutldxwsjdwsnhisvjmih.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	jectkdbwmfxsmffoqdfa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	jectkdbwmfxsmffoqdfa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	jectkdbwmfxsmffoqdfa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	leapevrkypfyqhfmmx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	cupdrhcuhxmevlion.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	cupdrhcuhxmevlion.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	yutldxwsjdwsnhisvjmih.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	yutldxwsjdwsnhisvjmih.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	yutldxwsjdwsnhisvjmih.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	myjtkkdhwit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	yutldxwsjdwsnhisvjmih.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	leapevrkypfyqhfmmx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	leapevrkypfyqhfmmx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	cupdrhcuhxmevlion.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	jectkdbwmfxsmffoqdfa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	wqndtlicrjaunfemnza.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	wqndtlicrjaunfemnza.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	cupdrhcuhxmevlion.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	vmgtgvpgshvmcrns.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	wqndtlicrjaunfemnza.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	yutldxwsjdwsnhisvjmih.exe

Executes dropped EXE 64 IoCs

pid	Process
2304	myjtkkdhwit.exe
4948	jectkdbwmfxsmffoqdfa.exe
5772	leapevrkypfyqhfmmx.exe
5980	myjtkkdhwit.exe
4456	vmgtgvpgshvmcrns.exe
920	cupdrhcuhxmevlion.exe
1380	cupdrhcuhxmevlion.exe
2536	myjtkkdhwit.exe
1712	cupdrhcuhxmevlion.exe
2476	myjtkkdhwit.exe
2260	wqndtlicrjaunfemnza.exe
876	cupdrhcuhxmevlion.exe
5092	myjtkkdhwit.exe
5304	jqadgl.exe
4144	jqadgl.exe
3216	vmgtgvpgshvmcrns.exe
2948	vmgtgvpgshvmcrns.exe
5532	wqndtlicrjaunfemnza.exe
2748	wqndtlicrjaunfemnza.exe
2528	vmgtgvpgshvmcrns.exe
3148	myjtkkdhwit.exe
4064	leapevrkypfyqhfmmx.exe
2184	myjtkkdhwit.exe
4304	yutldxwsjdwsnhisvjmih.exe
3416	yutldxwsjdwsnhisvjmih.exe
1648	yutldxwsjdwsnhisvjmih.exe
6128	myjtkkdhwit.exe
2176	leapevrkypfyqhfmmx.exe
2056	jectkdbwmfxsmffoqdfa.exe
4812	myjtkkdhwit.exe
4940	myjtkkdhwit.exe
4928	wqndtlicrjaunfemnza.exe
5772	wqndtlicrjaunfemnza.exe
2428	leapevrkypfyqhfmmx.exe
5060	vmgtgvpgshvmcrns.exe
556	vmgtgvpgshvmcrns.exe
1980	myjtkkdhwit.exe
396	myjtkkdhwit.exe
2556	myjtkkdhwit.exe
3680	wqndtlicrjaunfemnza.exe
1460	wqndtlicrjaunfemnza.exe
5496	myjtkkdhwit.exe
3320	yutldxwsjdwsnhisvjmih.exe
5640	yutldxwsjdwsnhisvjmih.exe
4996	leapevrkypfyqhfmmx.exe
3260	myjtkkdhwit.exe
3460	wqndtlicrjaunfemnza.exe
1428	myjtkkdhwit.exe
2408	cupdrhcuhxmevlion.exe
1360	leapevrkypfyqhfmmx.exe
2948	myjtkkdhwit.exe
2148	yutldxwsjdwsnhisvjmih.exe
3288	vmgtgvpgshvmcrns.exe
1524	leapevrkypfyqhfmmx.exe
5188	myjtkkdhwit.exe
5352	wqndtlicrjaunfemnza.exe
2740	wqndtlicrjaunfemnza.exe
4400	jectkdbwmfxsmffoqdfa.exe
1648	wqndtlicrjaunfemnza.exe
4968	vmgtgvpgshvmcrns.exe
2856	myjtkkdhwit.exe
4612	myjtkkdhwit.exe
740	vmgtgvpgshvmcrns.exe
4656	cupdrhcuhxmevlion.exe

Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	jqadgl.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	jqadgl.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	jqadgl.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	jqadgl.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	jqadgl.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	jqadgl.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

defense_evasion persistence privilege_escalation

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\marblxoclxiwj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\leapevrkypfyqhfmmx.exe"	jqadgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\weptxdo = "wqndtlicrjaunfemnza.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qcrzhrgszjs = "cupdrhcuhxmevlion.exe ."	jqadgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\luglqxjs = "yutldxwsjdwsnhisvjmih.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qcrzhrgszjs = "leapevrkypfyqhfmmx.exe ."	jqadgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\luglqxjs = "vmgtgvpgshvmcrns.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\weptxdo = "leapevrkypfyqhfmmx.exe"	jqadgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\marblxoclxiwj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wqndtlicrjaunfemnza.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\marblxoclxiwj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cupdrhcuhxmevlion.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\luglqxjs = "yutldxwsjdwsnhisvjmih.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\naqzitjwepzm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cupdrhcuhxmevlion.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weptxdo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wqndtlicrjaunfemnza.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\naqzitjwepzm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wqndtlicrjaunfemnza.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vgubirfqwf = "wqndtlicrjaunfemnza.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\naqzitjwepzm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\leapevrkypfyqhfmmx.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\marblxoclxiwj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\leapevrkypfyqhfmmx.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\naqzitjwepzm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jectkdbwmfxsmffoqdfa.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vgubirfqwf = "yutldxwsjdwsnhisvjmih.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\luglqxjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vmgtgvpgshvmcrns.exe ."	jqadgl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\luglqxjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vmgtgvpgshvmcrns.exe ."	jqadgl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qcrzhrgszjs = "yutldxwsjdwsnhisvjmih.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weptxdo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cupdrhcuhxmevlion.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vgubirfqwf = "leapevrkypfyqhfmmx.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weptxdo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cupdrhcuhxmevlion.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vgubirfqwf = "jectkdbwmfxsmffoqdfa.exe"	jqadgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\naqzitjwepzm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cupdrhcuhxmevlion.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\luglqxjs = "yutldxwsjdwsnhisvjmih.exe ."	jqadgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\marblxoclxiwj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cupdrhcuhxmevlion.exe"	jqadgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\naqzitjwepzm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jectkdbwmfxsmffoqdfa.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weptxdo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yutldxwsjdwsnhisvjmih.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weptxdo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cupdrhcuhxmevlion.exe"	jqadgl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vgubirfqwf = "cupdrhcuhxmevlion.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\marblxoclxiwj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yutldxwsjdwsnhisvjmih.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\naqzitjwepzm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cupdrhcuhxmevlion.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\weptxdo = "vmgtgvpgshvmcrns.exe"	jqadgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\weptxdo = "wqndtlicrjaunfemnza.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vgubirfqwf = "leapevrkypfyqhfmmx.exe"	jqadgl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qcrzhrgszjs = "jectkdbwmfxsmffoqdfa.exe ."	jqadgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\naqzitjwepzm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yutldxwsjdwsnhisvjmih.exe ."	jqadgl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weptxdo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wqndtlicrjaunfemnza.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\naqzitjwepzm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jectkdbwmfxsmffoqdfa.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qcrzhrgszjs = "yutldxwsjdwsnhisvjmih.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\weptxdo = "vmgtgvpgshvmcrns.exe"	jqadgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\luglqxjs = "wqndtlicrjaunfemnza.exe ."	jqadgl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qcrzhrgszjs = "yutldxwsjdwsnhisvjmih.exe ."	jqadgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\marblxoclxiwj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yutldxwsjdwsnhisvjmih.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\weptxdo = "yutldxwsjdwsnhisvjmih.exe"	jqadgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\luglqxjs = "vmgtgvpgshvmcrns.exe ."	jqadgl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vgubirfqwf = "cupdrhcuhxmevlion.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\luglqxjs = "wqndtlicrjaunfemnza.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\marblxoclxiwj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jectkdbwmfxsmffoqdfa.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qcrzhrgszjs = "yutldxwsjdwsnhisvjmih.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\weptxdo = "jectkdbwmfxsmffoqdfa.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weptxdo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wqndtlicrjaunfemnza.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\weptxdo = "cupdrhcuhxmevlion.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\marblxoclxiwj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wqndtlicrjaunfemnza.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\naqzitjwepzm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cupdrhcuhxmevlion.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\naqzitjwepzm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yutldxwsjdwsnhisvjmih.exe ."	jqadgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\weptxdo = "vmgtgvpgshvmcrns.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\naqzitjwepzm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jectkdbwmfxsmffoqdfa.exe ."	jqadgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\weptxdo = "vmgtgvpgshvmcrns.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qcrzhrgszjs = "wqndtlicrjaunfemnza.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weptxdo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vmgtgvpgshvmcrns.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\weptxdo = "yutldxwsjdwsnhisvjmih.exe"	myjtkkdhwit.exe

Checks whether UAC is enabled 1 TTPs 42 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jqadgl.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jqadgl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jqadgl.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jqadgl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe

Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs

Possible Turn off User Account Control's privilege elevation for standard users.

Executable Installer File Permissions Weakness

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	jqadgl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	jqadgl.exe

Looks up external IP address via web service 8 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
78	whatismyip.everdot.org
30	whatismyipaddress.com
34	whatismyip.everdot.org
35	www.showmyipaddress.com
52	whatismyip.everdot.org
56	www.whatismyip.ca
58	whatismyip.everdot.org
77	www.whatismyip.ca

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\leapevrkypfyqhfmmx.exe	jqadgl.exe
File created	C:\Windows\SysWOW64\cupdrhcuhxmevlion.exe	jqadgl.exe
File opened for modification	C:\Windows\SysWOW64\cupdrhcuhxmevlion.exe	myjtkkdhwit.exe
File created	C:\Windows\SysWOW64\vmgtgvpgshvmcrns.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\pmmfyttqidxuqlnycrvssl.exe	myjtkkdhwit.exe
File created	C:\Windows\SysWOW64\vmgtgvpgshvmcrns.exe	myjtkkdhwit.exe
File created	C:\Windows\SysWOW64\jectkdbwmfxsmffoqdfa.exe	myjtkkdhwit.exe
File created	C:\Windows\SysWOW64\vmgtgvpgshvmcrns.exe	jqadgl.exe
File opened for modification	C:\Windows\SysWOW64\yutldxwsjdwsnhisvjmih.exe	myjtkkdhwit.exe
File created	C:\Windows\SysWOW64\cupdrhcuhxmevlion.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\jectkdbwmfxsmffoqdfa.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\cupdrhcuhxmevlion.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\leapevrkypfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\cupdrhcuhxmevlion.exe	myjtkkdhwit.exe
File created	C:\Windows\SysWOW64\leapevrkypfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\vmgtgvpgshvmcrns.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\leapevrkypfyqhfmmx.exe	myjtkkdhwit.exe
File created	C:\Windows\SysWOW64\leapevrkypfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\cupdrhcuhxmevlion.exe	myjtkkdhwit.exe
File created	C:\Windows\SysWOW64\jectkdbwmfxsmffoqdfa.exe	myjtkkdhwit.exe
File created	C:\Windows\SysWOW64\pmmfyttqidxuqlnycrvssl.exe	jqadgl.exe
File opened for modification	C:\Windows\SysWOW64\leapevrkypfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\leapevrkypfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\pmmfyttqidxuqlnycrvssl.exe	myjtkkdhwit.exe
File created	C:\Windows\SysWOW64\yutldxwsjdwsnhisvjmih.exe	myjtkkdhwit.exe
File created	C:\Windows\SysWOW64\jectkdbwmfxsmffoqdfa.exe	myjtkkdhwit.exe
File created	C:\Windows\SysWOW64\wqndtlicrjaunfemnza.exe	jqadgl.exe
File opened for modification	C:\Windows\SysWOW64\jectkdbwmfxsmffoqdfa.exe	jqadgl.exe
File created	C:\Windows\SysWOW64\pmmfyttqidxuqlnycrvssl.exe	myjtkkdhwit.exe
File created	C:\Windows\SysWOW64\yutldxwsjdwsnhisvjmih.exe	myjtkkdhwit.exe
File created	C:\Windows\SysWOW64\pmmfyttqidxuqlnycrvssl.exe	myjtkkdhwit.exe
File created	C:\Windows\SysWOW64\pmmfyttqidxuqlnycrvssl.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\leapevrkypfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\vmgtgvpgshvmcrns.exe	myjtkkdhwit.exe
File created	C:\Windows\SysWOW64\pmmfyttqidxuqlnycrvssl.exe	myjtkkdhwit.exe
File created	C:\Windows\SysWOW64\vmgtgvpgshvmcrns.exe	jqadgl.exe
File created	C:\Windows\SysWOW64\jectkdbwmfxsmffoqdfa.exe	myjtkkdhwit.exe
File created	C:\Windows\SysWOW64\leapevrkypfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\yutldxwsjdwsnhisvjmih.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\yutldxwsjdwsnhisvjmih.exe	myjtkkdhwit.exe
File created	C:\Windows\SysWOW64\yutldxwsjdwsnhisvjmih.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\vmgtgvpgshvmcrns.exe	jqadgl.exe
File opened for modification	C:\Windows\SysWOW64\jectkdbwmfxsmffoqdfa.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\pmmfyttqidxuqlnycrvssl.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\cupdrhcuhxmevlion.exe	jqadgl.exe
File opened for modification	C:\Windows\SysWOW64\vmgtgvpgshvmcrns.exe	jqadgl.exe
File created	C:\Windows\SysWOW64\leapevrkypfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\vmgtgvpgshvmcrns.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\wqndtlicrjaunfemnza.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\jectkdbwmfxsmffoqdfa.exe	jqadgl.exe
File opened for modification	C:\Windows\SysWOW64\yutldxwsjdwsnhisvjmih.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\wqndtlicrjaunfemnza.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\vmgtgvpgshvmcrns.exe	myjtkkdhwit.exe
File created	C:\Windows\SysWOW64\leapevrkypfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\jectkdbwmfxsmffoqdfa.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\jectkdbwmfxsmffoqdfa.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\leapevrkypfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\pmmfyttqidxuqlnycrvssl.exe	jqadgl.exe
File created	C:\Windows\SysWOW64\leapevrkypfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\vmgtgvpgshvmcrns.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\cupdrhcuhxmevlion.exe	myjtkkdhwit.exe
File created	C:\Windows\SysWOW64\leapevrkypfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\leapevrkypfyqhfmmx.exe	myjtkkdhwit.exe
File created	C:\Windows\SysWOW64\wqndtlicrjaunfemnza.exe	myjtkkdhwit.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\marblxoclxiwjvoqlrmarblxoclxiwjvoql.mar	jqadgl.exe
File created	C:\Program Files (x86)\marblxoclxiwjvoqlrmarblxoclxiwjvoql.mar	jqadgl.exe
File opened for modification	C:\Program Files (x86)\dgmlklrusttwyzhyidnqwvuv.ecd	jqadgl.exe
File created	C:\Program Files (x86)\dgmlklrusttwyzhyidnqwvuv.ecd	jqadgl.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\jectkdbwmfxsmffoqdfa.exe	jqadgl.exe
File opened for modification	C:\Windows\wqndtlicrjaunfemnza.exe	jqadgl.exe
File opened for modification	C:\Windows\pmmfyttqidxuqlnycrvssl.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\cupdrhcuhxmevlion.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\yutldxwsjdwsnhisvjmih.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\wqndtlicrjaunfemnza.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\jectkdbwmfxsmffoqdfa.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\yutldxwsjdwsnhisvjmih.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\cupdrhcuhxmevlion.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\yutldxwsjdwsnhisvjmih.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\vmgtgvpgshvmcrns.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\leapevrkypfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\cupdrhcuhxmevlion.exe	myjtkkdhwit.exe
File created	C:\Windows\vmgtgvpgshvmcrns.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\cupdrhcuhxmevlion.exe	myjtkkdhwit.exe
File created	C:\Windows\cupdrhcuhxmevlion.exe	myjtkkdhwit.exe
File created	C:\Windows\dgmlklrusttwyzhyidnqwvuv.ecd	jqadgl.exe
File opened for modification	C:\Windows\wqndtlicrjaunfemnza.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\wqndtlicrjaunfemnza.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\jectkdbwmfxsmffoqdfa.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\wqndtlicrjaunfemnza.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\yutldxwsjdwsnhisvjmih.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\wqndtlicrjaunfemnza.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\jectkdbwmfxsmffoqdfa.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\cupdrhcuhxmevlion.exe	myjtkkdhwit.exe
File created	C:\Windows\leapevrkypfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\leapevrkypfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\yutldxwsjdwsnhisvjmih.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\wqndtlicrjaunfemnza.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\vmgtgvpgshvmcrns.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\leapevrkypfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\yutldxwsjdwsnhisvjmih.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\yutldxwsjdwsnhisvjmih.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\yutldxwsjdwsnhisvjmih.exe	jqadgl.exe
File created	C:\Windows\marblxoclxiwjvoqlrmarblxoclxiwjvoql.mar	jqadgl.exe
File opened for modification	C:\Windows\vmgtgvpgshvmcrns.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\leapevrkypfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\leapevrkypfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\jectkdbwmfxsmffoqdfa.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\vmgtgvpgshvmcrns.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\pmmfyttqidxuqlnycrvssl.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\jectkdbwmfxsmffoqdfa.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\wqndtlicrjaunfemnza.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\jectkdbwmfxsmffoqdfa.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\jectkdbwmfxsmffoqdfa.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\wqndtlicrjaunfemnza.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\jectkdbwmfxsmffoqdfa.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\leapevrkypfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\leapevrkypfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\cupdrhcuhxmevlion.exe	myjtkkdhwit.exe
File created	C:\Windows\cupdrhcuhxmevlion.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\vmgtgvpgshvmcrns.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\yutldxwsjdwsnhisvjmih.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\pmmfyttqidxuqlnycrvssl.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\vmgtgvpgshvmcrns.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\leapevrkypfyqhfmmx.exe	jqadgl.exe
File opened for modification	C:\Windows\wqndtlicrjaunfemnza.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\yutldxwsjdwsnhisvjmih.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\vmgtgvpgshvmcrns.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\wqndtlicrjaunfemnza.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\pmmfyttqidxuqlnycrvssl.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\pmmfyttqidxuqlnycrvssl.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\jectkdbwmfxsmffoqdfa.exe	jqadgl.exe
File opened for modification	C:\Windows\vmgtgvpgshvmcrns.exe	myjtkkdhwit.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cupdrhcuhxmevlion.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cupdrhcuhxmevlion.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	leapevrkypfyqhfmmx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cupdrhcuhxmevlion.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yutldxwsjdwsnhisvjmih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wqndtlicrjaunfemnza.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmgtgvpgshvmcrns.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jectkdbwmfxsmffoqdfa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	leapevrkypfyqhfmmx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmgtgvpgshvmcrns.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cupdrhcuhxmevlion.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jqadgl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yutldxwsjdwsnhisvjmih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cupdrhcuhxmevlion.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wqndtlicrjaunfemnza.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yutldxwsjdwsnhisvjmih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jectkdbwmfxsmffoqdfa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	myjtkkdhwit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wqndtlicrjaunfemnza.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	leapevrkypfyqhfmmx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jectkdbwmfxsmffoqdfa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmgtgvpgshvmcrns.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wqndtlicrjaunfemnza.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jectkdbwmfxsmffoqdfa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cupdrhcuhxmevlion.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	leapevrkypfyqhfmmx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yutldxwsjdwsnhisvjmih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	leapevrkypfyqhfmmx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wqndtlicrjaunfemnza.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cupdrhcuhxmevlion.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	leapevrkypfyqhfmmx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wqndtlicrjaunfemnza.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wqndtlicrjaunfemnza.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cupdrhcuhxmevlion.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cupdrhcuhxmevlion.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wqndtlicrjaunfemnza.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmgtgvpgshvmcrns.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmgtgvpgshvmcrns.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yutldxwsjdwsnhisvjmih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wqndtlicrjaunfemnza.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	leapevrkypfyqhfmmx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wqndtlicrjaunfemnza.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yutldxwsjdwsnhisvjmih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jectkdbwmfxsmffoqdfa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	leapevrkypfyqhfmmx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmgtgvpgshvmcrns.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yutldxwsjdwsnhisvjmih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yutldxwsjdwsnhisvjmih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yutldxwsjdwsnhisvjmih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmgtgvpgshvmcrns.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jectkdbwmfxsmffoqdfa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cupdrhcuhxmevlion.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	leapevrkypfyqhfmmx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yutldxwsjdwsnhisvjmih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmgtgvpgshvmcrns.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmgtgvpgshvmcrns.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	leapevrkypfyqhfmmx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yutldxwsjdwsnhisvjmih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cupdrhcuhxmevlion.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	leapevrkypfyqhfmmx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmgtgvpgshvmcrns.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wqndtlicrjaunfemnza.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cupdrhcuhxmevlion.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4512	JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe
4512	JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe
4512	JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe
4512	JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe
4512	JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe
4512	JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe
4512	JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe
4512	JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe
4512	JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe
4512	JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe
4512	JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe
4512	JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe
4512	JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe
4512	JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe
4512	JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe
4512	JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe
5304	jqadgl.exe
5304	jqadgl.exe
4512	JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe
4512	JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe
4512	JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe
4512	JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe
4512	JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe
4512	JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe
4512	JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe
4512	JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe
4512	JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe
4512	JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe
4512	JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe
4512	JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe
4512	JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe
4512	JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe
4512	JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe
4512	JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe
4512	JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe
4512	JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe
4512	JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe
4512	JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe
4512	JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe
4512	JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe
4512	JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe
4512	JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe
4512	JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe
4512	JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe
4512	JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe
4512	JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe
4512	JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe
4512	JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe
4512	JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe
4512	JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe
4512	JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe
4512	JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe
4512	JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe
4512	JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe
4512	JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe
4512	JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe
5304	jqadgl.exe
5304	jqadgl.exe
4512	JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe
4512	JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe
4512	JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe
4512	JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe
4512	JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe
4512	JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5304	jqadgl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4512 wrote to memory of 2304	4512	JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe	92
PID 4512 wrote to memory of 2304	4512	JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe	92
PID 4512 wrote to memory of 2304	4512	JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe	92
PID 4912 wrote to memory of 4948	4912	cmd.exe	95
PID 4912 wrote to memory of 4948	4912	cmd.exe	95
PID 4912 wrote to memory of 4948	4912	cmd.exe	95
PID 4932 wrote to memory of 5772	4932	cmd.exe	98
PID 4932 wrote to memory of 5772	4932	cmd.exe	98
PID 4932 wrote to memory of 5772	4932	cmd.exe	98
PID 5772 wrote to memory of 5980	5772	leapevrkypfyqhfmmx.exe	101
PID 5772 wrote to memory of 5980	5772	leapevrkypfyqhfmmx.exe	101
PID 5772 wrote to memory of 5980	5772	leapevrkypfyqhfmmx.exe	101
PID 4592 wrote to memory of 4456	4592	cmd.exe	102
PID 4592 wrote to memory of 4456	4592	cmd.exe	102
PID 4592 wrote to memory of 4456	4592	cmd.exe	102
PID 1248 wrote to memory of 920	1248	cmd.exe	107
PID 1248 wrote to memory of 920	1248	cmd.exe	107
PID 1248 wrote to memory of 920	1248	cmd.exe	107
PID 3336 wrote to memory of 1380	3336	cmd.exe	110
PID 3336 wrote to memory of 1380	3336	cmd.exe	110
PID 3336 wrote to memory of 1380	3336	cmd.exe	110
PID 920 wrote to memory of 2536	920	cupdrhcuhxmevlion.exe	111
PID 920 wrote to memory of 2536	920	cupdrhcuhxmevlion.exe	111
PID 920 wrote to memory of 2536	920	cupdrhcuhxmevlion.exe	111
PID 1692 wrote to memory of 1712	1692	cmd.exe	112
PID 1692 wrote to memory of 1712	1692	cmd.exe	112
PID 1692 wrote to memory of 1712	1692	cmd.exe	112
PID 1712 wrote to memory of 2476	1712	cupdrhcuhxmevlion.exe	114
PID 1712 wrote to memory of 2476	1712	cupdrhcuhxmevlion.exe	114
PID 1712 wrote to memory of 2476	1712	cupdrhcuhxmevlion.exe	114
PID 1172 wrote to memory of 2260	1172	cmd.exe	118
PID 1172 wrote to memory of 2260	1172	cmd.exe	118
PID 1172 wrote to memory of 2260	1172	cmd.exe	118
PID 5148 wrote to memory of 876	5148	cmd.exe	119
PID 5148 wrote to memory of 876	5148	cmd.exe	119
PID 5148 wrote to memory of 876	5148	cmd.exe	119
PID 876 wrote to memory of 5092	876	cupdrhcuhxmevlion.exe	120
PID 876 wrote to memory of 5092	876	cupdrhcuhxmevlion.exe	120
PID 876 wrote to memory of 5092	876	cupdrhcuhxmevlion.exe	120
PID 2304 wrote to memory of 5304	2304	myjtkkdhwit.exe	121
PID 2304 wrote to memory of 5304	2304	myjtkkdhwit.exe	121
PID 2304 wrote to memory of 5304	2304	myjtkkdhwit.exe	121
PID 2304 wrote to memory of 4144	2304	myjtkkdhwit.exe	122
PID 2304 wrote to memory of 4144	2304	myjtkkdhwit.exe	122
PID 2304 wrote to memory of 4144	2304	myjtkkdhwit.exe	122
PID 5844 wrote to memory of 3216	5844	cmd.exe	127
PID 5844 wrote to memory of 3216	5844	cmd.exe	127
PID 5844 wrote to memory of 3216	5844	cmd.exe	127
PID 2384 wrote to memory of 2948	2384	cmd.exe	208
PID 2384 wrote to memory of 2948	2384	cmd.exe	208
PID 2384 wrote to memory of 2948	2384	cmd.exe	208
PID 2092 wrote to memory of 5532	2092	cmd.exe	133
PID 2092 wrote to memory of 5532	2092	cmd.exe	133
PID 2092 wrote to memory of 5532	2092	cmd.exe	133
PID 2152 wrote to memory of 2748	2152	cmd.exe	138
PID 2152 wrote to memory of 2748	2152	cmd.exe	138
PID 2152 wrote to memory of 2748	2152	cmd.exe	138
PID 1940 wrote to memory of 2528	1940	cmd.exe	141
PID 1940 wrote to memory of 2528	1940	cmd.exe	141
PID 1940 wrote to memory of 2528	1940	cmd.exe	141
PID 5532 wrote to memory of 3148	5532	wqndtlicrjaunfemnza.exe	142
PID 5532 wrote to memory of 3148	5532	wqndtlicrjaunfemnza.exe	142
PID 5532 wrote to memory of 3148	5532	wqndtlicrjaunfemnza.exe	142
PID 4536 wrote to memory of 4064	4536	cmd.exe	149

System policy modification 1 TTPs 64 IoCs

defense_evasion

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	jqadgl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	jqadgl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	jqadgl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	jqadgl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	jqadgl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	jqadgl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	jqadgl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	jqadgl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	jqadgl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	jqadgl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	jqadgl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	jqadgl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	jqadgl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	jqadgl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	jqadgl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	jqadgl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jqadgl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	jqadgl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	jqadgl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	jqadgl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	jqadgl.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4512
- C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
  "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_8a37689689c2c8072ce71dc9eaee9278.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Hijack Execution Flow: Executable Installer File Permissions Weakness
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2304
- - C:\Users\Admin\AppData\Local\Temp\jqadgl.exe
    "C:\Users\Admin\AppData\Local\Temp\jqadgl.exe" "-C:\Users\Admin\AppData\Local\Temp\vmgtgvpgshvmcrns.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:5304
- - C:\Users\Admin\AppData\Local\Temp\jqadgl.exe
    "C:\Users\Admin\AppData\Local\Temp\jqadgl.exe" "-C:\Users\Admin\AppData\Local\Temp\vmgtgvpgshvmcrns.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jectkdbwmfxsmffoqdfa.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4912
- C:\Windows\jectkdbwmfxsmffoqdfa.exe
  jectkdbwmfxsmffoqdfa.exe
  2⤵
  - Executes dropped EXE
  PID:4948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c leapevrkypfyqhfmmx.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:4932
- C:\Windows\leapevrkypfyqhfmmx.exe
  leapevrkypfyqhfmmx.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5772
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\leapevrkypfyqhfmmx.exe*."
    3⤵
    - Executes dropped EXE
    PID:5980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vmgtgvpgshvmcrns.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4592
- C:\Windows\vmgtgvpgshvmcrns.exe
  vmgtgvpgshvmcrns.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cupdrhcuhxmevlion.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:1248
- C:\Windows\cupdrhcuhxmevlion.exe
  cupdrhcuhxmevlion.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:920
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\cupdrhcuhxmevlion.exe*."
    3⤵
    - Executes dropped EXE
    PID:2536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3336
- C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
  2⤵
  - Executes dropped EXE
  PID:1380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\cupdrhcuhxmevlion.exe*."
    3⤵
    - Executes dropped EXE
    PID:2476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1172
- C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe
  C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:5148
- C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:876
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\cupdrhcuhxmevlion.exe*."
    3⤵
    - Executes dropped EXE
    PID:5092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vmgtgvpgshvmcrns.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5844
- C:\Windows\vmgtgvpgshvmcrns.exe
  vmgtgvpgshvmcrns.exe
  2⤵
  - Executes dropped EXE
  PID:3216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vmgtgvpgshvmcrns.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\vmgtgvpgshvmcrns.exe
  vmgtgvpgshvmcrns.exe
  2⤵
  - Executes dropped EXE
  PID:2948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqndtlicrjaunfemnza.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Windows\wqndtlicrjaunfemnza.exe
  wqndtlicrjaunfemnza.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5532
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\wqndtlicrjaunfemnza.exe*."
    3⤵
    - Executes dropped EXE
    PID:3148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqndtlicrjaunfemnza.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Windows\wqndtlicrjaunfemnza.exe
  wqndtlicrjaunfemnza.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2748
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\wqndtlicrjaunfemnza.exe*."
    3⤵
    - Executes dropped EXE
    PID:2184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vmgtgvpgshvmcrns.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Windows\vmgtgvpgshvmcrns.exe
  vmgtgvpgshvmcrns.exe
  2⤵
  - Executes dropped EXE
  PID:2528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yutldxwsjdwsnhisvjmih.exe
1⤵
PID:2500
- C:\Windows\yutldxwsjdwsnhisvjmih.exe
  yutldxwsjdwsnhisvjmih.exe
  2⤵
  - Executes dropped EXE
  PID:4304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c leapevrkypfyqhfmmx.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:4536
- C:\Windows\leapevrkypfyqhfmmx.exe
  leapevrkypfyqhfmmx.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4064
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\leapevrkypfyqhfmmx.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:6128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yutldxwsjdwsnhisvjmih.exe .
1⤵
PID:4040
- C:\Windows\yutldxwsjdwsnhisvjmih.exe
  yutldxwsjdwsnhisvjmih.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:1648
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\yutldxwsjdwsnhisvjmih.exe*."
    3⤵
    - Executes dropped EXE
    PID:4812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe
1⤵
PID:1480
- C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
1⤵
PID:4528
- C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe .
1⤵
PID:3276
- C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe
  C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2056
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\jectkdbwmfxsmffoqdfa.exe*."
    3⤵
    - Executes dropped EXE
    PID:4940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe .
1⤵
PID:3476
- C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe
  C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4928
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\wqndtlicrjaunfemnza.exe*."
    3⤵
    - Executes dropped EXE
    PID:1980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe
1⤵
PID:5600
- C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe
  C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe
  2⤵
  - Executes dropped EXE
  PID:5772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe
1⤵
PID:4700
- C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe
  2⤵
  - Executes dropped EXE
  PID:2428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vmgtgvpgshvmcrns.exe .
1⤵
PID:4712
- C:\Users\Admin\AppData\Local\Temp\vmgtgvpgshvmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\vmgtgvpgshvmcrns.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5060
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\vmgtgvpgshvmcrns.exe*."
    3⤵
    - Executes dropped EXE
    PID:396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vmgtgvpgshvmcrns.exe .
1⤵
PID:1500
- C:\Users\Admin\AppData\Local\Temp\vmgtgvpgshvmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\vmgtgvpgshvmcrns.exe .
  2⤵
  - Executes dropped EXE
  PID:556
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\vmgtgvpgshvmcrns.exe*."
    3⤵
    - Executes dropped EXE
    PID:2556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqndtlicrjaunfemnza.exe
1⤵
PID:3344
- C:\Windows\wqndtlicrjaunfemnza.exe
  wqndtlicrjaunfemnza.exe
  2⤵
  - Executes dropped EXE
  PID:3680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqndtlicrjaunfemnza.exe .
1⤵
PID:2892
- C:\Windows\wqndtlicrjaunfemnza.exe
  wqndtlicrjaunfemnza.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:1460
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\wqndtlicrjaunfemnza.exe*."
    3⤵
    - Executes dropped EXE
    PID:5496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yutldxwsjdwsnhisvjmih.exe
1⤵
PID:1272
- C:\Windows\yutldxwsjdwsnhisvjmih.exe
  yutldxwsjdwsnhisvjmih.exe
  2⤵
  - Executes dropped EXE
  PID:3320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yutldxwsjdwsnhisvjmih.exe .
1⤵
PID:5672
- C:\Windows\yutldxwsjdwsnhisvjmih.exe
  yutldxwsjdwsnhisvjmih.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5640
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\yutldxwsjdwsnhisvjmih.exe*."
    3⤵
    - Executes dropped EXE
    PID:3260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe
1⤵
PID:1476
- C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe
  2⤵
  - Executes dropped EXE
  PID:4996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe .
1⤵
PID:5148
- C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe
  C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3460
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\wqndtlicrjaunfemnza.exe*."
    3⤵
    - Executes dropped EXE
    PID:1428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
1⤵
PID:6004
- C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
  2⤵
  - Executes dropped EXE
  PID:2408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe .
1⤵
PID:5740
- C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe .
  2⤵
  - Executes dropped EXE
  PID:1360
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\leapevrkypfyqhfmmx.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yutldxwsjdwsnhisvjmih.exe
1⤵
PID:5476
- C:\Windows\yutldxwsjdwsnhisvjmih.exe
  yutldxwsjdwsnhisvjmih.exe
  2⤵
  - Executes dropped EXE
  PID:2148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vmgtgvpgshvmcrns.exe .
1⤵
PID:2184
- C:\Windows\vmgtgvpgshvmcrns.exe
  vmgtgvpgshvmcrns.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3288
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\vmgtgvpgshvmcrns.exe*."
    3⤵
    - Executes dropped EXE
    PID:5188

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:4304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c leapevrkypfyqhfmmx.exe
1⤵
PID:3652
- C:\Windows\leapevrkypfyqhfmmx.exe
  leapevrkypfyqhfmmx.exe
  2⤵
  - Executes dropped EXE
  PID:1524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqndtlicrjaunfemnza.exe
1⤵
PID:5984
- C:\Windows\wqndtlicrjaunfemnza.exe
  wqndtlicrjaunfemnza.exe
  2⤵
  - Executes dropped EXE
  PID:2740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqndtlicrjaunfemnza.exe
1⤵
PID:1492
- C:\Windows\wqndtlicrjaunfemnza.exe
  wqndtlicrjaunfemnza.exe
  2⤵
  - Executes dropped EXE
  PID:5352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jectkdbwmfxsmffoqdfa.exe .
1⤵
PID:4200
- C:\Windows\jectkdbwmfxsmffoqdfa.exe
  jectkdbwmfxsmffoqdfa.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4400
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\jectkdbwmfxsmffoqdfa.exe*."
    3⤵
    - Executes dropped EXE
    PID:2856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqndtlicrjaunfemnza.exe .
1⤵
PID:4720
- C:\Windows\wqndtlicrjaunfemnza.exe
  wqndtlicrjaunfemnza.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1648
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\wqndtlicrjaunfemnza.exe*."
    3⤵
    - Executes dropped EXE
    PID:4612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vmgtgvpgshvmcrns.exe .
1⤵
PID:2396
- C:\Windows\vmgtgvpgshvmcrns.exe
  vmgtgvpgshvmcrns.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:740
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\vmgtgvpgshvmcrns.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vmgtgvpgshvmcrns.exe
1⤵
PID:1636
- C:\Users\Admin\AppData\Local\Temp\vmgtgvpgshvmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\vmgtgvpgshvmcrns.exe
  2⤵
  - Executes dropped EXE
  PID:4968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c leapevrkypfyqhfmmx.exe
1⤵
PID:4680
- C:\Windows\leapevrkypfyqhfmmx.exe
  leapevrkypfyqhfmmx.exe
  2⤵
  PID:5380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe .
1⤵
PID:4736
- C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4656
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\cupdrhcuhxmevlion.exe*."
    3⤵
    PID:4628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c leapevrkypfyqhfmmx.exe
1⤵
PID:5700
- C:\Windows\leapevrkypfyqhfmmx.exe
  leapevrkypfyqhfmmx.exe
  2⤵
  PID:4036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vmgtgvpgshvmcrns.exe .
1⤵
PID:4536
- C:\Windows\vmgtgvpgshvmcrns.exe
  vmgtgvpgshvmcrns.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1308
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\vmgtgvpgshvmcrns.exe*."
    3⤵
    PID:3180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jectkdbwmfxsmffoqdfa.exe .
1⤵
PID:4040
- C:\Windows\jectkdbwmfxsmffoqdfa.exe
  jectkdbwmfxsmffoqdfa.exe .
  2⤵
  PID:3320
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\jectkdbwmfxsmffoqdfa.exe*."
    3⤵
    PID:2376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
1⤵
PID:1960
- C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
  2⤵
  PID:2616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe
1⤵
PID:2672
- C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe
  2⤵
  PID:4316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe .
1⤵
PID:1592
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4928
- C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5340
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\yutldxwsjdwsnhisvjmih.exe*."
    3⤵
    PID:5920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe
1⤵
PID:4924
- C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe
  2⤵
  PID:5108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe .
1⤵
PID:8
- C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe .
  2⤵
  - Checks computer location settings
  PID:1424
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\yutldxwsjdwsnhisvjmih.exe*."
    3⤵
    PID:2744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe .
1⤵
PID:944
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2556
- C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5672
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\yutldxwsjdwsnhisvjmih.exe*."
    3⤵
    PID:5812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
1⤵
PID:4944
- C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  2⤵
  PID:5640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
1⤵
PID:5228
- C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  2⤵
  PID:5192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe .
1⤵
PID:3720
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5496
- C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe
  C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe .
  2⤵
  PID:6128
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\wqndtlicrjaunfemnza.exe*."
    3⤵
    PID:4668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vmgtgvpgshvmcrns.exe .
1⤵
PID:5664
- C:\Users\Admin\AppData\Local\Temp\vmgtgvpgshvmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\vmgtgvpgshvmcrns.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2540
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\vmgtgvpgshvmcrns.exe*."
    3⤵
    PID:4312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yutldxwsjdwsnhisvjmih.exe
1⤵
PID:1192
- C:\Windows\yutldxwsjdwsnhisvjmih.exe
  yutldxwsjdwsnhisvjmih.exe
  2⤵
  PID:5816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jectkdbwmfxsmffoqdfa.exe .
1⤵
PID:6140
- C:\Windows\jectkdbwmfxsmffoqdfa.exe
  jectkdbwmfxsmffoqdfa.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:780
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\jectkdbwmfxsmffoqdfa.exe*."
    3⤵
    PID:3776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c leapevrkypfyqhfmmx.exe
1⤵
PID:5828
- C:\Windows\leapevrkypfyqhfmmx.exe
  leapevrkypfyqhfmmx.exe
  2⤵
  PID:388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqndtlicrjaunfemnza.exe .
1⤵
PID:6048
- C:\Windows\wqndtlicrjaunfemnza.exe
  wqndtlicrjaunfemnza.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:6024
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\wqndtlicrjaunfemnza.exe*."
    3⤵
    PID:5384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe
1⤵
PID:2320
- C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe
  C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe
  2⤵
  PID:1064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vmgtgvpgshvmcrns.exe .
1⤵
PID:4688
- C:\Users\Admin\AppData\Local\Temp\vmgtgvpgshvmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\vmgtgvpgshvmcrns.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1980
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\vmgtgvpgshvmcrns.exe*."
    3⤵
    PID:3044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe
1⤵
PID:1636
- C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe
  C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe
  2⤵
  PID:5140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe .
1⤵
PID:1832
- C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4256
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\leapevrkypfyqhfmmx.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cupdrhcuhxmevlion.exe
1⤵
PID:2852
- C:\Windows\cupdrhcuhxmevlion.exe
  cupdrhcuhxmevlion.exe
  2⤵
  PID:4520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqndtlicrjaunfemnza.exe .
1⤵
PID:1132
- C:\Windows\wqndtlicrjaunfemnza.exe
  wqndtlicrjaunfemnza.exe .
  2⤵
  - Checks computer location settings
  PID:5980
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\wqndtlicrjaunfemnza.exe*."
    3⤵
    PID:5568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yutldxwsjdwsnhisvjmih.exe
1⤵
PID:2032
- C:\Windows\yutldxwsjdwsnhisvjmih.exe
  yutldxwsjdwsnhisvjmih.exe
  2⤵
  PID:5428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yutldxwsjdwsnhisvjmih.exe .
1⤵
PID:1680
- C:\Windows\yutldxwsjdwsnhisvjmih.exe
  yutldxwsjdwsnhisvjmih.exe .
  2⤵
  - Checks computer location settings
  PID:3948
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\yutldxwsjdwsnhisvjmih.exe*."
    3⤵
    PID:4544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
1⤵
PID:2644
- C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  2⤵
  PID:4348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe .
1⤵
PID:3216
- C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe
  C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4944
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\jectkdbwmfxsmffoqdfa.exe*."
    3⤵
    PID:1500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe
1⤵
PID:6068
- C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe
  C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe
  2⤵
  PID:4536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe .
1⤵
PID:5840
- C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe .
  2⤵
  - Checks computer location settings
  PID:1956
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\leapevrkypfyqhfmmx.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1556

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:3680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqndtlicrjaunfemnza.exe
1⤵
PID:5200
- C:\Windows\wqndtlicrjaunfemnza.exe
  wqndtlicrjaunfemnza.exe
  2⤵
  PID:1420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vmgtgvpgshvmcrns.exe .
1⤵
PID:5872
- C:\Windows\vmgtgvpgshvmcrns.exe
  vmgtgvpgshvmcrns.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2188
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\vmgtgvpgshvmcrns.exe*."
    3⤵
    PID:5444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqndtlicrjaunfemnza.exe
1⤵
PID:2892
- C:\Windows\wqndtlicrjaunfemnza.exe
  wqndtlicrjaunfemnza.exe
  2⤵
  PID:4316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cupdrhcuhxmevlion.exe .
1⤵
PID:3304
- C:\Windows\cupdrhcuhxmevlion.exe
  cupdrhcuhxmevlion.exe .
  2⤵
  PID:4744
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\cupdrhcuhxmevlion.exe*."
    3⤵
    PID:5968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
1⤵
PID:6052
- C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  2⤵
  PID:5896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe .
1⤵
PID:2612
- C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5720
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\leapevrkypfyqhfmmx.exe*."
    3⤵
    PID:3376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
1⤵
PID:3116
- C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  2⤵
  PID:1064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe .
1⤵
PID:3524
- C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe .
  2⤵
  PID:5932
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\leapevrkypfyqhfmmx.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cupdrhcuhxmevlion.exe
1⤵
PID:3476
- C:\Windows\cupdrhcuhxmevlion.exe
  cupdrhcuhxmevlion.exe
  2⤵
  PID:2604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yutldxwsjdwsnhisvjmih.exe .
1⤵
PID:1584
- C:\Windows\yutldxwsjdwsnhisvjmih.exe
  yutldxwsjdwsnhisvjmih.exe .
  2⤵
  - Checks computer location settings
  PID:4580
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\yutldxwsjdwsnhisvjmih.exe*."
    3⤵
    PID:5028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c leapevrkypfyqhfmmx.exe
1⤵
PID:3968
- C:\Windows\leapevrkypfyqhfmmx.exe
  leapevrkypfyqhfmmx.exe
  2⤵
  PID:2328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vmgtgvpgshvmcrns.exe .
1⤵
PID:4720
- C:\Windows\vmgtgvpgshvmcrns.exe
  vmgtgvpgshvmcrns.exe .
  2⤵
  - Checks computer location settings
  PID:2580
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\vmgtgvpgshvmcrns.exe*."
    3⤵
    PID:5980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
1⤵
PID:5432
- C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  2⤵
  PID:5148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe .
1⤵
PID:4044
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4628
- C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe
  C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe .
  2⤵
  - Checks computer location settings
  PID:2208
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\wqndtlicrjaunfemnza.exe*."
    3⤵
    PID:2484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
1⤵
PID:1136
- C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  2⤵
  PID:3336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe .
1⤵
PID:4348
- C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe
  C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5104
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\jectkdbwmfxsmffoqdfa.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqndtlicrjaunfemnza.exe
1⤵
PID:2996
- C:\Windows\wqndtlicrjaunfemnza.exe
  wqndtlicrjaunfemnza.exe
  2⤵
  PID:5672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cupdrhcuhxmevlion.exe .
1⤵
PID:1472
- C:\Windows\cupdrhcuhxmevlion.exe
  cupdrhcuhxmevlion.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4976
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\cupdrhcuhxmevlion.exe*."
    3⤵
    PID:4760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vmgtgvpgshvmcrns.exe
1⤵
PID:2220
- C:\Windows\vmgtgvpgshvmcrns.exe
  vmgtgvpgshvmcrns.exe
  2⤵
  PID:1052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c leapevrkypfyqhfmmx.exe .
1⤵
PID:3148
- C:\Windows\leapevrkypfyqhfmmx.exe
  leapevrkypfyqhfmmx.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3724
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\leapevrkypfyqhfmmx.exe*."
    3⤵
    PID:1908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe
1⤵
PID:2576
- C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe
  C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe
  2⤵
  PID:4340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vmgtgvpgshvmcrns.exe .
1⤵
PID:3676
- C:\Users\Admin\AppData\Local\Temp\vmgtgvpgshvmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\vmgtgvpgshvmcrns.exe .
  2⤵
  PID:5476
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\vmgtgvpgshvmcrns.exe*."
    3⤵
    PID:3756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
1⤵
PID:5448
- C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  2⤵
  PID:692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe .
1⤵
PID:840
- C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4936
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\leapevrkypfyqhfmmx.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yutldxwsjdwsnhisvjmih.exe
1⤵
PID:2348
- C:\Windows\yutldxwsjdwsnhisvjmih.exe
  yutldxwsjdwsnhisvjmih.exe
  2⤵
  PID:5472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c leapevrkypfyqhfmmx.exe .
1⤵
PID:4908
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:388
- C:\Windows\leapevrkypfyqhfmmx.exe
  leapevrkypfyqhfmmx.exe .
  2⤵
  PID:4696
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\leapevrkypfyqhfmmx.exe*."
    3⤵
    PID:5384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c leapevrkypfyqhfmmx.exe
1⤵
PID:2428
- C:\Windows\leapevrkypfyqhfmmx.exe
  leapevrkypfyqhfmmx.exe
  2⤵
  PID:2976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yutldxwsjdwsnhisvjmih.exe .
1⤵
PID:4032
- C:\Windows\yutldxwsjdwsnhisvjmih.exe
  yutldxwsjdwsnhisvjmih.exe .
  2⤵
  - Checks computer location settings
  PID:4344
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\yutldxwsjdwsnhisvjmih.exe*."
    3⤵
    PID:3188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
1⤵
PID:2272
- C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  2⤵
  PID:4560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe .
1⤵
PID:2544
- C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3008
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\yutldxwsjdwsnhisvjmih.exe*."
    3⤵
    PID:2704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
1⤵
PID:2328
- C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
  2⤵
  PID:1552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe .
1⤵
PID:4404
- C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1476
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\cupdrhcuhxmevlion.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cupdrhcuhxmevlion.exe
1⤵
PID:5980
- C:\Windows\cupdrhcuhxmevlion.exe
  cupdrhcuhxmevlion.exe
  2⤵
  PID:2020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yutldxwsjdwsnhisvjmih.exe
1⤵
PID:5428
- C:\Windows\yutldxwsjdwsnhisvjmih.exe
  yutldxwsjdwsnhisvjmih.exe
  2⤵
  PID:3992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vmgtgvpgshvmcrns.exe
1⤵
PID:1296
- C:\Windows\vmgtgvpgshvmcrns.exe
  vmgtgvpgshvmcrns.exe
  2⤵
  PID:3948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vmgtgvpgshvmcrns.exe .
1⤵
PID:5500
- C:\Windows\vmgtgvpgshvmcrns.exe
  vmgtgvpgshvmcrns.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4788
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\vmgtgvpgshvmcrns.exe*."
    3⤵
    PID:5072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yutldxwsjdwsnhisvjmih.exe .
1⤵
PID:3856
- C:\Windows\yutldxwsjdwsnhisvjmih.exe
  yutldxwsjdwsnhisvjmih.exe .
  2⤵
  PID:5208
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\yutldxwsjdwsnhisvjmih.exe*."
    3⤵
    PID:1496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cupdrhcuhxmevlion.exe .
1⤵
PID:5516
- C:\Windows\cupdrhcuhxmevlion.exe
  cupdrhcuhxmevlion.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1052
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\cupdrhcuhxmevlion.exe*."
    3⤵
    PID:764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jectkdbwmfxsmffoqdfa.exe
1⤵
PID:1480
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5672
- C:\Windows\jectkdbwmfxsmffoqdfa.exe
  jectkdbwmfxsmffoqdfa.exe
  2⤵
  PID:5592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jectkdbwmfxsmffoqdfa.exe .
1⤵
PID:4652
- C:\Windows\jectkdbwmfxsmffoqdfa.exe
  jectkdbwmfxsmffoqdfa.exe .
  2⤵
  - Checks computer location settings
  PID:1632
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\jectkdbwmfxsmffoqdfa.exe*."
    3⤵
    PID:5932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqndtlicrjaunfemnza.exe
1⤵
PID:3460
- C:\Windows\wqndtlicrjaunfemnza.exe
  wqndtlicrjaunfemnza.exe
  2⤵
  PID:1164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c leapevrkypfyqhfmmx.exe
1⤵
PID:2220
- C:\Windows\leapevrkypfyqhfmmx.exe
  leapevrkypfyqhfmmx.exe
  2⤵
  PID:5752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe
1⤵
PID:1400
- C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe
  C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe
  2⤵
  PID:5472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cupdrhcuhxmevlion.exe .
1⤵
PID:4892
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4312
- C:\Windows\cupdrhcuhxmevlion.exe
  cupdrhcuhxmevlion.exe .
  2⤵
  - Checks computer location settings
  PID:4816
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\cupdrhcuhxmevlion.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cupdrhcuhxmevlion.exe .
1⤵
PID:3720
- C:\Windows\cupdrhcuhxmevlion.exe
  cupdrhcuhxmevlion.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1720
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\cupdrhcuhxmevlion.exe*."
    3⤵
    PID:3740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe
1⤵
PID:1380
- C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe
  2⤵
  PID:1348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe .
1⤵
PID:5676
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2540
- C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5384
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\leapevrkypfyqhfmmx.exe*."
    3⤵
    PID:3796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe
  2⤵
  PID:5028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe .
1⤵
PID:4744
- C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe
  C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe .
  2⤵
  PID:4900
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\jectkdbwmfxsmffoqdfa.exe*."
    3⤵
    PID:5564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe .
1⤵
PID:624
- C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2336
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\leapevrkypfyqhfmmx.exe*."
    3⤵
    PID:1304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
1⤵
PID:5860
- C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  2⤵
  PID:2152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
1⤵
PID:3288
- C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
  2⤵
  PID:2544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe .
1⤵
PID:4504
- C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2232
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\leapevrkypfyqhfmmx.exe*."
    3⤵
    PID:2616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
1⤵
PID:4468
- C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  2⤵
  PID:4364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe .
1⤵
PID:1840
- C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe
  C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe .
  2⤵
  - Checks computer location settings
  PID:2724
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\wqndtlicrjaunfemnza.exe*."
    3⤵
    PID:5980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe .
1⤵
PID:5480
- C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe .
  2⤵
  - Checks computer location settings
  PID:4516
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\leapevrkypfyqhfmmx.exe*."
    3⤵
    PID:4272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vmgtgvpgshvmcrns.exe
1⤵
PID:5852
- C:\Windows\vmgtgvpgshvmcrns.exe
  vmgtgvpgshvmcrns.exe
  2⤵
  PID:1264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cupdrhcuhxmevlion.exe .
1⤵
PID:5428
- C:\Windows\cupdrhcuhxmevlion.exe
  cupdrhcuhxmevlion.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1296
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\cupdrhcuhxmevlion.exe*."
    3⤵
    PID:3096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cupdrhcuhxmevlion.exe
1⤵
PID:4976
- C:\Windows\cupdrhcuhxmevlion.exe
  cupdrhcuhxmevlion.exe
  2⤵
  PID:1640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jectkdbwmfxsmffoqdfa.exe .
1⤵
PID:2476
- C:\Windows\jectkdbwmfxsmffoqdfa.exe
  jectkdbwmfxsmffoqdfa.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3676
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\jectkdbwmfxsmffoqdfa.exe*."
    3⤵
    PID:5416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
1⤵
PID:2148
- C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
  2⤵
  PID:5104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe .
1⤵
PID:3212
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2376
- C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe
  C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5664
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\jectkdbwmfxsmffoqdfa.exe*."
    3⤵
    PID:2892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe
1⤵
PID:4592
- C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe
  C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe
  2⤵
  PID:1360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe .
1⤵
PID:1728
- C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5824
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\cupdrhcuhxmevlion.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jectkdbwmfxsmffoqdfa.exe
1⤵
PID:5752
- C:\Windows\jectkdbwmfxsmffoqdfa.exe
  jectkdbwmfxsmffoqdfa.exe
  2⤵
  PID:5492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqndtlicrjaunfemnza.exe .
1⤵
PID:5200
- C:\Windows\wqndtlicrjaunfemnza.exe
  wqndtlicrjaunfemnza.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:6068
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\wqndtlicrjaunfemnza.exe*."
    3⤵
    PID:3044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vmgtgvpgshvmcrns.exe
1⤵
PID:5704
- C:\Windows\vmgtgvpgshvmcrns.exe
  vmgtgvpgshvmcrns.exe
  2⤵
  PID:448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yutldxwsjdwsnhisvjmih.exe .
1⤵
PID:6048
- C:\Windows\yutldxwsjdwsnhisvjmih.exe
  yutldxwsjdwsnhisvjmih.exe .
  2⤵
  - Checks computer location settings
  PID:5292
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\yutldxwsjdwsnhisvjmih.exe*."
    3⤵
    PID:4000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
1⤵
PID:5528
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5380
- C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
  2⤵
  PID:3292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe .
1⤵
PID:2372
- C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe
  C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe .
  2⤵
  - Checks computer location settings
  PID:4324
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\jectkdbwmfxsmffoqdfa.exe*."
    3⤵
    PID:1316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe
1⤵
PID:4732
- C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe
  C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe
  2⤵
  PID:4448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe .
1⤵
PID:2828
- C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe .
  2⤵
  - Checks computer location settings
  PID:1224
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\leapevrkypfyqhfmmx.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - System policy modification
    PID:2772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cupdrhcuhxmevlion.exe
1⤵
PID:1304
- C:\Windows\cupdrhcuhxmevlion.exe
  cupdrhcuhxmevlion.exe
  2⤵
  PID:232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqndtlicrjaunfemnza.exe .
1⤵
PID:1616
- C:\Windows\wqndtlicrjaunfemnza.exe
  wqndtlicrjaunfemnza.exe .
  2⤵
  PID:1524
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\wqndtlicrjaunfemnza.exe*."
    3⤵
    PID:5964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yutldxwsjdwsnhisvjmih.exe
1⤵
PID:452
- C:\Windows\yutldxwsjdwsnhisvjmih.exe
  yutldxwsjdwsnhisvjmih.exe
  2⤵
  PID:1264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yutldxwsjdwsnhisvjmih.exe .
1⤵
PID:1840
- C:\Windows\yutldxwsjdwsnhisvjmih.exe
  yutldxwsjdwsnhisvjmih.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1172
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\yutldxwsjdwsnhisvjmih.exe*."
    3⤵
    PID:3184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe
1⤵
PID:5256
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5640
- C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe
  2⤵
  PID:5792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe .
1⤵
PID:4788
- C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3624
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\cupdrhcuhxmevlion.exe*."
    3⤵
    PID:3768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
1⤵
PID:3868
- C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  2⤵
  PID:3540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe .
1⤵
PID:1120
- C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe
  C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6080
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\wqndtlicrjaunfemnza.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1164

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:4348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c leapevrkypfyqhfmmx.exe
1⤵
PID:4416
- C:\Windows\leapevrkypfyqhfmmx.exe
  leapevrkypfyqhfmmx.exe
  2⤵
  PID:464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqndtlicrjaunfemnza.exe .
1⤵
PID:5516
- C:\Windows\wqndtlicrjaunfemnza.exe
  wqndtlicrjaunfemnza.exe .
  2⤵
  PID:4796
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\wqndtlicrjaunfemnza.exe*."
    3⤵
    PID:3416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cupdrhcuhxmevlion.exe
1⤵
PID:2576
- C:\Windows\cupdrhcuhxmevlion.exe
  cupdrhcuhxmevlion.exe
  2⤵
  PID:5496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vmgtgvpgshvmcrns.exe .
1⤵
PID:4380
- C:\Windows\vmgtgvpgshvmcrns.exe
  vmgtgvpgshvmcrns.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5388
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\vmgtgvpgshvmcrns.exe*."
    3⤵
    PID:4908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe
1⤵
PID:6068
- C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe
  C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe
  2⤵
  PID:5200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe .
1⤵
PID:5384
- C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe .
  2⤵
  PID:6140
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\leapevrkypfyqhfmmx.exe*."
    3⤵
    PID:3160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe
1⤵
PID:944
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4316
- C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe
  2⤵
  PID:2092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe .
1⤵
PID:2580
- C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe
  C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe .
  2⤵
  - Checks computer location settings
  PID:3704
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\wqndtlicrjaunfemnza.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yutldxwsjdwsnhisvjmih.exe
1⤵
PID:4732
- C:\Windows\yutldxwsjdwsnhisvjmih.exe
  yutldxwsjdwsnhisvjmih.exe
  2⤵
  PID:1356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vmgtgvpgshvmcrns.exe .
1⤵
PID:4028
- C:\Windows\vmgtgvpgshvmcrns.exe
  vmgtgvpgshvmcrns.exe .
  2⤵
  PID:4276
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\vmgtgvpgshvmcrns.exe*."
    3⤵
    PID:1304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vmgtgvpgshvmcrns.exe
1⤵
PID:2308
- C:\Windows\vmgtgvpgshvmcrns.exe
  vmgtgvpgshvmcrns.exe
  2⤵
  PID:4756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqndtlicrjaunfemnza.exe .
1⤵
PID:624
- C:\Windows\wqndtlicrjaunfemnza.exe
  wqndtlicrjaunfemnza.exe .
  2⤵
  - Checks computer location settings
  PID:1136
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\wqndtlicrjaunfemnza.exe*."
    3⤵
    PID:5760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe
1⤵
PID:4440
- C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe
  C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe
  2⤵
  PID:3668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe .
1⤵
PID:4544
- C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe
  C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe .
  2⤵
  - Checks computer location settings
  PID:4460
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\jectkdbwmfxsmffoqdfa.exe*."
    3⤵
    PID:396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
1⤵
PID:5448
- C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
  2⤵
  PID:3856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe .
1⤵
PID:6128
- C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe
  C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1428
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\wqndtlicrjaunfemnza.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vmgtgvpgshvmcrns.exe
1⤵
PID:5024
- C:\Windows\vmgtgvpgshvmcrns.exe
  vmgtgvpgshvmcrns.exe
  2⤵
  PID:1648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yutldxwsjdwsnhisvjmih.exe .
1⤵
PID:1052
- C:\Windows\yutldxwsjdwsnhisvjmih.exe
  yutldxwsjdwsnhisvjmih.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5324
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\yutldxwsjdwsnhisvjmih.exe*."
    3⤵
    PID:348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqndtlicrjaunfemnza.exe
1⤵
PID:3592
- C:\Windows\wqndtlicrjaunfemnza.exe
  wqndtlicrjaunfemnza.exe
  2⤵
  PID:1472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yutldxwsjdwsnhisvjmih.exe .
1⤵
PID:4568
- C:\Windows\yutldxwsjdwsnhisvjmih.exe
  yutldxwsjdwsnhisvjmih.exe .
  2⤵
  PID:3076
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\yutldxwsjdwsnhisvjmih.exe*."
    3⤵
    PID:2400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
1⤵
PID:5976
- C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
  2⤵
  PID:5388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe .
1⤵
PID:4816
- C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe .
  2⤵
  PID:2884
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\cupdrhcuhxmevlion.exe*."
    3⤵
    PID:2260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe
1⤵
PID:1204
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5384
- C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe
  2⤵
  PID:2740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe .
1⤵
PID:1908
- C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5196
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\yutldxwsjdwsnhisvjmih.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yutldxwsjdwsnhisvjmih.exe
1⤵
PID:5780
- C:\Windows\yutldxwsjdwsnhisvjmih.exe
  yutldxwsjdwsnhisvjmih.exe
  2⤵
  PID:2372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vmgtgvpgshvmcrns.exe
1⤵
PID:4464
- C:\Windows\vmgtgvpgshvmcrns.exe
  vmgtgvpgshvmcrns.exe
  2⤵
  PID:1356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cupdrhcuhxmevlion.exe .
1⤵
PID:2052
- C:\Windows\cupdrhcuhxmevlion.exe
  cupdrhcuhxmevlion.exe .
  2⤵
  PID:232
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\cupdrhcuhxmevlion.exe*."
    3⤵
    PID:5060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yutldxwsjdwsnhisvjmih.exe .
1⤵
PID:2336
- C:\Windows\yutldxwsjdwsnhisvjmih.exe
  yutldxwsjdwsnhisvjmih.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4472
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\yutldxwsjdwsnhisvjmih.exe*."
    3⤵
    PID:5480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jectkdbwmfxsmffoqdfa.exe
1⤵
PID:4444
- C:\Windows\jectkdbwmfxsmffoqdfa.exe
  jectkdbwmfxsmffoqdfa.exe
  2⤵
  PID:708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c leapevrkypfyqhfmmx.exe
1⤵
PID:5168
- C:\Windows\leapevrkypfyqhfmmx.exe
  leapevrkypfyqhfmmx.exe
  2⤵
  PID:3608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jectkdbwmfxsmffoqdfa.exe
1⤵
PID:4580
- C:\Windows\jectkdbwmfxsmffoqdfa.exe
  jectkdbwmfxsmffoqdfa.exe
  2⤵
  PID:1120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cupdrhcuhxmevlion.exe .
1⤵
PID:3116
- C:\Windows\cupdrhcuhxmevlion.exe
  cupdrhcuhxmevlion.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:764
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\cupdrhcuhxmevlion.exe*."
    3⤵
    PID:3592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqndtlicrjaunfemnza.exe .
1⤵
PID:5428
- C:\Windows\wqndtlicrjaunfemnza.exe
  wqndtlicrjaunfemnza.exe .
  2⤵
  PID:5356
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\wqndtlicrjaunfemnza.exe*."
    3⤵
    PID:1720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe
1⤵
PID:2844
- C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe
  C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe
  2⤵
  PID:6128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqndtlicrjaunfemnza.exe .
1⤵
PID:4300
- C:\Windows\wqndtlicrjaunfemnza.exe
  wqndtlicrjaunfemnza.exe .
  2⤵
  - Checks computer location settings
  PID:2236
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\wqndtlicrjaunfemnza.exe*."
    3⤵
    PID:1388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
1⤵
PID:5760
- C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  2⤵
  PID:1448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vmgtgvpgshvmcrns.exe .
1⤵
PID:2184
- C:\Users\Admin\AppData\Local\Temp\vmgtgvpgshvmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\vmgtgvpgshvmcrns.exe .
  2⤵
  - Checks computer location settings
  PID:5532
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\vmgtgvpgshvmcrns.exe*."
    3⤵
    PID:4516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe .
1⤵
PID:2484
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4544
- C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe .
  2⤵
  PID:4152
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\yutldxwsjdwsnhisvjmih.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cupdrhcuhxmevlion.exe
1⤵
PID:5984
- C:\Windows\cupdrhcuhxmevlion.exe
  cupdrhcuhxmevlion.exe
  2⤵
  PID:5344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqndtlicrjaunfemnza.exe .
1⤵
PID:1088
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5920
- C:\Windows\wqndtlicrjaunfemnza.exe
  wqndtlicrjaunfemnza.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:6140
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\wqndtlicrjaunfemnza.exe*."
    3⤵
    PID:2580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
1⤵
PID:5052
- C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  2⤵
  PID:2852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
1⤵
PID:4708
- C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  2⤵
  PID:5108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe
1⤵
PID:2808
- C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe
  C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe
  2⤵
  PID:4324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe .
1⤵
PID:60
- C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe
  C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe .
  2⤵
  PID:4448
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\jectkdbwmfxsmffoqdfa.exe*."
    3⤵
    PID:1840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe .
1⤵
PID:3080
- C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe .
  2⤵
  PID:4656
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\leapevrkypfyqhfmmx.exe*."
    3⤵
    PID:5876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe .
1⤵
PID:5248
- C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5212
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\yutldxwsjdwsnhisvjmih.exe*."
    3⤵
    PID:548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vmgtgvpgshvmcrns.exe
1⤵
PID:1816
- C:\Users\Admin\AppData\Local\Temp\vmgtgvpgshvmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\vmgtgvpgshvmcrns.exe
  2⤵
  PID:5188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe .
1⤵
PID:3188
- C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5404
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\leapevrkypfyqhfmmx.exe*."
    3⤵
    PID:5652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yutldxwsjdwsnhisvjmih.exe
1⤵
PID:4444
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5444
- C:\Windows\yutldxwsjdwsnhisvjmih.exe
  yutldxwsjdwsnhisvjmih.exe
  2⤵
  PID:3608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqndtlicrjaunfemnza.exe .
1⤵
PID:412
- C:\Windows\wqndtlicrjaunfemnza.exe
  wqndtlicrjaunfemnza.exe .
  2⤵
  - Checks computer location settings
  PID:3620
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\wqndtlicrjaunfemnza.exe*."
    3⤵
    PID:5560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vmgtgvpgshvmcrns.exe
1⤵
PID:1844
- C:\Windows\vmgtgvpgshvmcrns.exe
  vmgtgvpgshvmcrns.exe
  2⤵
  PID:1744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqndtlicrjaunfemnza.exe .
1⤵
PID:5664
- C:\Windows\wqndtlicrjaunfemnza.exe
  wqndtlicrjaunfemnza.exe .
  2⤵
  PID:2336
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\wqndtlicrjaunfemnza.exe*."
    3⤵
    PID:1932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
1⤵
PID:2876
- C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
  2⤵
  PID:348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe .
1⤵
PID:1792
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:6128
- C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6032
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\cupdrhcuhxmevlion.exe*."
    3⤵
    PID:4492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe
1⤵
PID:2844
- C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe
  C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe
  2⤵
  PID:3592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe .
1⤵
PID:4360
- C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe .
  2⤵
  PID:4288
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\yutldxwsjdwsnhisvjmih.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cupdrhcuhxmevlion.exe
1⤵
PID:1380
- C:\Windows\cupdrhcuhxmevlion.exe
  cupdrhcuhxmevlion.exe
  2⤵
  PID:736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yutldxwsjdwsnhisvjmih.exe .
1⤵
PID:3860
- C:\Windows\yutldxwsjdwsnhisvjmih.exe
  yutldxwsjdwsnhisvjmih.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5216
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\yutldxwsjdwsnhisvjmih.exe*."
    3⤵
    PID:3160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqndtlicrjaunfemnza.exe
1⤵
PID:1712
- C:\Windows\wqndtlicrjaunfemnza.exe
  wqndtlicrjaunfemnza.exe
  2⤵
  PID:2372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c leapevrkypfyqhfmmx.exe .
1⤵
PID:3488
- C:\Windows\leapevrkypfyqhfmmx.exe
  leapevrkypfyqhfmmx.exe .
  2⤵
  PID:2808
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\leapevrkypfyqhfmmx.exe*."
    3⤵
    PID:5324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe
1⤵
PID:5388
- C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe
  2⤵
  PID:2232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe .
1⤵
PID:464
- C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe
  C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4704
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\wqndtlicrjaunfemnza.exe*."
    3⤵
    PID:2164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
1⤵
PID:5200
- C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
  2⤵
  PID:4392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe .
1⤵
PID:2976
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5816
- C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe .
  2⤵
  PID:5864
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\yutldxwsjdwsnhisvjmih.exe*."
    3⤵
    PID:5920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c leapevrkypfyqhfmmx.exe
1⤵
PID:2988
- C:\Windows\leapevrkypfyqhfmmx.exe
  leapevrkypfyqhfmmx.exe
  2⤵
  PID:1840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yutldxwsjdwsnhisvjmih.exe .
1⤵
PID:1356
- C:\Windows\yutldxwsjdwsnhisvjmih.exe
  yutldxwsjdwsnhisvjmih.exe .
  2⤵
  PID:2188
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\yutldxwsjdwsnhisvjmih.exe*."
    3⤵
    PID:2772

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:1348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jectkdbwmfxsmffoqdfa.exe
1⤵
PID:5808
- C:\Windows\jectkdbwmfxsmffoqdfa.exe
  jectkdbwmfxsmffoqdfa.exe
  2⤵
  PID:4284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vmgtgvpgshvmcrns.exe .
1⤵
PID:5508
- C:\Windows\vmgtgvpgshvmcrns.exe
  vmgtgvpgshvmcrns.exe .
  2⤵
  PID:396
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\vmgtgvpgshvmcrns.exe*."
    3⤵
    PID:1132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe
1⤵
PID:1308
- C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe
  2⤵
  PID:5800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe .
1⤵
PID:5676
- C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe .
  2⤵
  PID:2540
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\cupdrhcuhxmevlion.exe*."
    3⤵
    PID:4160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe
1⤵
PID:5420
- C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe
  C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe
  2⤵
  PID:4580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe .
1⤵
PID:1240
- C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe
  C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe .
  2⤵
  PID:4208
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\jectkdbwmfxsmffoqdfa.exe*."
    3⤵
    PID:3232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yutldxwsjdwsnhisvjmih.exe
1⤵
PID:5956
- C:\Windows\yutldxwsjdwsnhisvjmih.exe
  yutldxwsjdwsnhisvjmih.exe
  2⤵
  PID:2376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cupdrhcuhxmevlion.exe .
1⤵
PID:2036
- C:\Windows\cupdrhcuhxmevlion.exe
  cupdrhcuhxmevlion.exe .
  2⤵
  PID:1056
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\cupdrhcuhxmevlion.exe*."
    3⤵
    PID:2996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vmgtgvpgshvmcrns.exe
1⤵
PID:1956
- C:\Windows\vmgtgvpgshvmcrns.exe
  vmgtgvpgshvmcrns.exe
  2⤵
  PID:2544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yutldxwsjdwsnhisvjmih.exe .
1⤵
PID:1360
- C:\Windows\yutldxwsjdwsnhisvjmih.exe
  yutldxwsjdwsnhisvjmih.exe .
  2⤵
  PID:4152
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\yutldxwsjdwsnhisvjmih.exe*."
    3⤵
    PID:5192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe
1⤵
PID:4812
- C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe
  2⤵
  PID:740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe .
1⤵
PID:5988
- C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe .
  2⤵
  PID:5980
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\yutldxwsjdwsnhisvjmih.exe*."
    3⤵
    PID:2328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
1⤵
PID:3228
- C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  2⤵
  PID:2580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe .
1⤵
PID:2144
- C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe .
  2⤵
  PID:548
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\cupdrhcuhxmevlion.exe*."
    3⤵
    PID:3344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cupdrhcuhxmevlion.exe
1⤵
PID:6080
- C:\Windows\cupdrhcuhxmevlion.exe
  cupdrhcuhxmevlion.exe
  2⤵
  PID:1948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yutldxwsjdwsnhisvjmih.exe .
1⤵
PID:5700
- C:\Windows\yutldxwsjdwsnhisvjmih.exe
  yutldxwsjdwsnhisvjmih.exe .
  2⤵
  PID:5792
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\yutldxwsjdwsnhisvjmih.exe*."
    3⤵
    PID:5592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jectkdbwmfxsmffoqdfa.exe
1⤵
PID:6096
- C:\Windows\jectkdbwmfxsmffoqdfa.exe
  jectkdbwmfxsmffoqdfa.exe
  2⤵
  PID:4540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqndtlicrjaunfemnza.exe .
1⤵
PID:5816
- C:\Windows\wqndtlicrjaunfemnza.exe
  wqndtlicrjaunfemnza.exe .
  2⤵
  PID:1840
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\wqndtlicrjaunfemnza.exe*."
    3⤵
    PID:3676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vmgtgvpgshvmcrns.exe
1⤵
PID:4344
- C:\Users\Admin\AppData\Local\Temp\vmgtgvpgshvmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\vmgtgvpgshvmcrns.exe
  2⤵
  PID:684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe .
1⤵
PID:3280
- C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe .
  2⤵
  PID:2812
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\cupdrhcuhxmevlion.exe*."
    3⤵
    PID:2920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe
1⤵
PID:5028
- C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe
  C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe
  2⤵
  PID:1296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe .
1⤵
PID:4936
- C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe
  C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe .
  2⤵
  PID:2208
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\jectkdbwmfxsmffoqdfa.exe*."
    3⤵
    PID:5048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yutldxwsjdwsnhisvjmih.exe
1⤵
PID:5152
- C:\Windows\yutldxwsjdwsnhisvjmih.exe
  yutldxwsjdwsnhisvjmih.exe
  2⤵
  PID:2336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jectkdbwmfxsmffoqdfa.exe .
1⤵
PID:920
- C:\Windows\jectkdbwmfxsmffoqdfa.exe
  jectkdbwmfxsmffoqdfa.exe .
  2⤵
  PID:3212
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\jectkdbwmfxsmffoqdfa.exe*."
    3⤵
    PID:5664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqndtlicrjaunfemnza.exe
1⤵
PID:3300
- C:\Windows\wqndtlicrjaunfemnza.exe
  wqndtlicrjaunfemnza.exe
  2⤵
  PID:5920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vmgtgvpgshvmcrns.exe .
1⤵
PID:3624
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3540
- C:\Windows\vmgtgvpgshvmcrns.exe
  vmgtgvpgshvmcrns.exe .
  2⤵
  PID:932
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\vmgtgvpgshvmcrns.exe*."
    3⤵
    PID:4108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vmgtgvpgshvmcrns.exe
1⤵
PID:6032
- C:\Users\Admin\AppData\Local\Temp\vmgtgvpgshvmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\vmgtgvpgshvmcrns.exe
  2⤵
  PID:5984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe .
1⤵
PID:6000
- C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe .
  2⤵
  PID:5344
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\cupdrhcuhxmevlion.exe*."
    3⤵
    PID:5956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
1⤵
PID:5492
- C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  2⤵
  PID:3172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe .
1⤵
PID:2996
- C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe
  C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe .
  2⤵
  PID:4976
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\jectkdbwmfxsmffoqdfa.exe*."
    3⤵
    PID:4652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vmgtgvpgshvmcrns.exe
1⤵
PID:976
- C:\Windows\vmgtgvpgshvmcrns.exe
  vmgtgvpgshvmcrns.exe
  2⤵
  PID:5616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vmgtgvpgshvmcrns.exe
1⤵
PID:1956
- C:\Windows\vmgtgvpgshvmcrns.exe
  vmgtgvpgshvmcrns.exe
  2⤵
  PID:2856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cupdrhcuhxmevlion.exe .
1⤵
PID:2260
- C:\Windows\cupdrhcuhxmevlion.exe
  cupdrhcuhxmevlion.exe .
  2⤵
  PID:4732
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\cupdrhcuhxmevlion.exe*."
    3⤵
    PID:3852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cupdrhcuhxmevlion.exe .
1⤵
PID:4892
- C:\Windows\cupdrhcuhxmevlion.exe
  cupdrhcuhxmevlion.exe .
  2⤵
  PID:2092
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\cupdrhcuhxmevlion.exe*."
    3⤵
    PID:5468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqndtlicrjaunfemnza.exe
1⤵
PID:1352
- C:\Windows\wqndtlicrjaunfemnza.exe
  wqndtlicrjaunfemnza.exe
  2⤵
  PID:2976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cupdrhcuhxmevlion.exe .
1⤵
PID:4744
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2484
- C:\Windows\cupdrhcuhxmevlion.exe
  cupdrhcuhxmevlion.exe .
  2⤵
  PID:5876
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\cupdrhcuhxmevlion.exe*."
    3⤵
    PID:4716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yutldxwsjdwsnhisvjmih.exe
1⤵
PID:4312
- C:\Windows\yutldxwsjdwsnhisvjmih.exe
  yutldxwsjdwsnhisvjmih.exe
  2⤵
  PID:1052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe
1⤵
PID:3776
- C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe
  C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe
  2⤵
  PID:3080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c leapevrkypfyqhfmmx.exe .
1⤵
PID:4400
- C:\Windows\leapevrkypfyqhfmmx.exe
  leapevrkypfyqhfmmx.exe .
  2⤵
  PID:4664
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\leapevrkypfyqhfmmx.exe*."
    3⤵
    PID:4948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe .
1⤵
PID:1948
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4000
- C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe
  C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe .
  2⤵
  PID:5504
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\jectkdbwmfxsmffoqdfa.exe*."
    3⤵
    PID:2876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yutldxwsjdwsnhisvjmih.exe
1⤵
PID:5780
- C:\Windows\yutldxwsjdwsnhisvjmih.exe
  yutldxwsjdwsnhisvjmih.exe
  2⤵
  PID:5168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe
1⤵
PID:6080
- C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe
  C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe
  2⤵
  PID:5452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe .
1⤵
PID:4248
- C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe
  C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe .
  2⤵
  PID:4500
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\jectkdbwmfxsmffoqdfa.exe*."
    3⤵
    PID:5508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cupdrhcuhxmevlion.exe .
1⤵
PID:2704
- C:\Windows\cupdrhcuhxmevlion.exe
  cupdrhcuhxmevlion.exe .
  2⤵
  PID:2024
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\cupdrhcuhxmevlion.exe*."
    3⤵
    PID:1888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
1⤵
PID:3676
- C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
  2⤵
  PID:4592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe .
1⤵
PID:3944
- C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe .
  2⤵
  PID:1556
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\leapevrkypfyqhfmmx.exe*."
    3⤵
    PID:2900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c leapevrkypfyqhfmmx.exe
1⤵
PID:3304
- C:\Windows\leapevrkypfyqhfmmx.exe
  leapevrkypfyqhfmmx.exe
  2⤵
  PID:3736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe
1⤵
PID:1636
- C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe
  2⤵
  PID:2660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vmgtgvpgshvmcrns.exe .
1⤵
PID:5480
- C:\Windows\vmgtgvpgshvmcrns.exe
  vmgtgvpgshvmcrns.exe .
  2⤵
  PID:4940
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\vmgtgvpgshvmcrns.exe*."
    3⤵
    PID:1504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe .
1⤵
PID:3464
- C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe
  C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe .
  2⤵
  PID:4288
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\jectkdbwmfxsmffoqdfa.exe*."
    3⤵
    PID:1684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe
1⤵
PID:3848
- C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe
  C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe
  2⤵
  PID:4996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe .
1⤵
PID:3212
- C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe .
  2⤵
  PID:3184
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\leapevrkypfyqhfmmx.exe*."
    3⤵
    PID:1164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe
1⤵
PID:3076
- C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe
  C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe
  2⤵
  PID:2180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe .
1⤵
PID:3116
- C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe .
  2⤵
  PID:2852
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\yutldxwsjdwsnhisvjmih.exe*."
    3⤵
    PID:1640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yutldxwsjdwsnhisvjmih.exe
1⤵
PID:4596
- C:\Windows\yutldxwsjdwsnhisvjmih.exe
  yutldxwsjdwsnhisvjmih.exe
  2⤵
  PID:6068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yutldxwsjdwsnhisvjmih.exe .
1⤵
PID:3048
- C:\Windows\yutldxwsjdwsnhisvjmih.exe
  yutldxwsjdwsnhisvjmih.exe .
  2⤵
  PID:4336
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\yutldxwsjdwsnhisvjmih.exe*."
    3⤵
    PID:4784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vmgtgvpgshvmcrns.exe
1⤵
PID:2260
- C:\Windows\vmgtgvpgshvmcrns.exe
  vmgtgvpgshvmcrns.exe
  2⤵
  PID:536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jectkdbwmfxsmffoqdfa.exe .
1⤵
PID:4192
- C:\Windows\jectkdbwmfxsmffoqdfa.exe
  jectkdbwmfxsmffoqdfa.exe .
  2⤵
  PID:5448
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\jectkdbwmfxsmffoqdfa.exe*."
    3⤵
    PID:5172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vmgtgvpgshvmcrns.exe
1⤵
PID:872
- C:\Users\Admin\AppData\Local\Temp\vmgtgvpgshvmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\vmgtgvpgshvmcrns.exe
  2⤵
  PID:3096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe .
1⤵
PID:4696
- C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe
  C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe .
  2⤵
  PID:3344
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\wqndtlicrjaunfemnza.exe*."
    3⤵
    PID:2164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
1⤵
PID:4668
- C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  2⤵
  PID:3240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe .
1⤵
PID:4200
- C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe .
  2⤵
  PID:3856
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\leapevrkypfyqhfmmx.exe*."
    3⤵
    PID:2948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jectkdbwmfxsmffoqdfa.exe
1⤵
PID:5140
- C:\Windows\jectkdbwmfxsmffoqdfa.exe
  jectkdbwmfxsmffoqdfa.exe
  2⤵
  PID:1564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jectkdbwmfxsmffoqdfa.exe .
1⤵
PID:4500
- C:\Windows\jectkdbwmfxsmffoqdfa.exe
  jectkdbwmfxsmffoqdfa.exe .
  2⤵
  PID:3292
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\jectkdbwmfxsmffoqdfa.exe*."
    3⤵
    PID:4028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yutldxwsjdwsnhisvjmih.exe
1⤵
PID:3136
- C:\Windows\yutldxwsjdwsnhisvjmih.exe
  yutldxwsjdwsnhisvjmih.exe
  2⤵
  PID:4908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c leapevrkypfyqhfmmx.exe .
1⤵
PID:3676
- C:\Windows\leapevrkypfyqhfmmx.exe
  leapevrkypfyqhfmmx.exe .
  2⤵
  PID:1064
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\leapevrkypfyqhfmmx.exe*."
    3⤵
    PID:2672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vmgtgvpgshvmcrns.exe
1⤵
PID:2660
- C:\Users\Admin\AppData\Local\Temp\vmgtgvpgshvmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\vmgtgvpgshvmcrns.exe
  2⤵
  PID:4540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe .
1⤵
PID:5072
- C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe
  C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe .
  2⤵
  PID:4792
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\jectkdbwmfxsmffoqdfa.exe*."
    3⤵
    PID:2376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
1⤵
PID:5872
- C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
  2⤵
  PID:4460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe .
1⤵
PID:1748
- C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe .
  2⤵
  PID:4652
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\leapevrkypfyqhfmmx.exe*."
    3⤵
    PID:5752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqndtlicrjaunfemnza.exe
1⤵
PID:2812
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3184
- C:\Windows\wqndtlicrjaunfemnza.exe
  wqndtlicrjaunfemnza.exe
  2⤵
  PID:1840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vmgtgvpgshvmcrns.exe .
1⤵
PID:5416
- C:\Windows\vmgtgvpgshvmcrns.exe
  vmgtgvpgshvmcrns.exe .
  2⤵
  PID:2224
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\vmgtgvpgshvmcrns.exe*."
    3⤵
    PID:3772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yutldxwsjdwsnhisvjmih.exe
1⤵
PID:3944
- C:\Windows\yutldxwsjdwsnhisvjmih.exe
  yutldxwsjdwsnhisvjmih.exe
  2⤵
  PID:1384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c leapevrkypfyqhfmmx.exe .
1⤵
PID:1684
- C:\Windows\leapevrkypfyqhfmmx.exe
  leapevrkypfyqhfmmx.exe .
  2⤵
  PID:3140
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\leapevrkypfyqhfmmx.exe*."
    3⤵
    PID:1640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe
1⤵
PID:4492
- C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe
  C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe
  2⤵
  PID:5676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe .
1⤵
PID:4756
- C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe
  C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe .
  2⤵
  PID:5492
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\wqndtlicrjaunfemnza.exe*."
    3⤵
    PID:6068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe
1⤵
PID:5188
- C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe
  2⤵
  PID:1060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe .
1⤵
PID:6112
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2328
- C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe
  C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe .
  2⤵
  PID:5264
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\wqndtlicrjaunfemnza.exe*."
    3⤵
    PID:536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c leapevrkypfyqhfmmx.exe
1⤵
PID:2372
- C:\Windows\leapevrkypfyqhfmmx.exe
  leapevrkypfyqhfmmx.exe
  2⤵
  PID:4340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqndtlicrjaunfemnza.exe .
1⤵
PID:4456
- C:\Windows\wqndtlicrjaunfemnza.exe
  wqndtlicrjaunfemnza.exe .
  2⤵
  PID:5432
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\wqndtlicrjaunfemnza.exe*."
    3⤵
    PID:3320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cupdrhcuhxmevlion.exe
1⤵
PID:5452
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5028
- C:\Windows\cupdrhcuhxmevlion.exe
  cupdrhcuhxmevlion.exe
  2⤵
  PID:3240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vmgtgvpgshvmcrns.exe .
1⤵
PID:2576
- C:\Windows\vmgtgvpgshvmcrns.exe
  vmgtgvpgshvmcrns.exe .
  2⤵
  PID:3688
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\vmgtgvpgshvmcrns.exe*."
    3⤵
    PID:4544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
1⤵
PID:2900
- C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  2⤵
  PID:2272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe .
1⤵
PID:4200
- C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe .
  2⤵
  PID:1428
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\cupdrhcuhxmevlion.exe*."
    3⤵
    PID:1728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
1⤵
PID:5932
- C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  2⤵
  PID:3604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vmgtgvpgshvmcrns.exe .
1⤵
PID:4416
- C:\Users\Admin\AppData\Local\Temp\vmgtgvpgshvmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\vmgtgvpgshvmcrns.exe .
  2⤵
  PID:4588
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\vmgtgvpgshvmcrns.exe*."
    3⤵
    PID:3624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jectkdbwmfxsmffoqdfa.exe
1⤵
PID:4676
- C:\Windows\jectkdbwmfxsmffoqdfa.exe
  jectkdbwmfxsmffoqdfa.exe
  2⤵
  PID:3752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jectkdbwmfxsmffoqdfa.exe .
1⤵
PID:3620
- C:\Windows\jectkdbwmfxsmffoqdfa.exe
  jectkdbwmfxsmffoqdfa.exe .
  2⤵
  PID:4764
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\jectkdbwmfxsmffoqdfa.exe*."
    3⤵
    PID:2556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c leapevrkypfyqhfmmx.exe
1⤵
PID:5840
- C:\Windows\leapevrkypfyqhfmmx.exe
  leapevrkypfyqhfmmx.exe
  2⤵
  PID:2024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c leapevrkypfyqhfmmx.exe .
1⤵
PID:4460
- C:\Windows\leapevrkypfyqhfmmx.exe
  leapevrkypfyqhfmmx.exe .
  2⤵
  PID:5808
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\leapevrkypfyqhfmmx.exe*."
    3⤵
    PID:3704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe
1⤵
PID:1504
- C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe
  C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe
  2⤵
  PID:2920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe .
1⤵
PID:624
- C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe .
  2⤵
  PID:764
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\cupdrhcuhxmevlion.exe*."
    3⤵
    PID:2704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe
1⤵
PID:1644
- C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe
  C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe
  2⤵
  PID:4624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vmgtgvpgshvmcrns.exe .
1⤵
PID:2052
- C:\Users\Admin\AppData\Local\Temp\vmgtgvpgshvmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\vmgtgvpgshvmcrns.exe .
  2⤵
  PID:5108
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\vmgtgvpgshvmcrns.exe*."
    3⤵
    PID:740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cupdrhcuhxmevlion.exe
1⤵
PID:4812
- C:\Windows\cupdrhcuhxmevlion.exe
  cupdrhcuhxmevlion.exe
  2⤵
  PID:3440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cupdrhcuhxmevlion.exe .
1⤵
PID:1692
- C:\Windows\cupdrhcuhxmevlion.exe
  cupdrhcuhxmevlion.exe .
  2⤵
  PID:6128
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\cupdrhcuhxmevlion.exe*."
    3⤵
    PID:4600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vmgtgvpgshvmcrns.exe
1⤵
PID:1956
- C:\Windows\vmgtgvpgshvmcrns.exe
  vmgtgvpgshvmcrns.exe
  2⤵
  PID:1204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vmgtgvpgshvmcrns.exe .
1⤵
PID:2852
- C:\Windows\vmgtgvpgshvmcrns.exe
  vmgtgvpgshvmcrns.exe .
  2⤵
  PID:1712
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\vmgtgvpgshvmcrns.exe*."
    3⤵
    PID:5172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c leapevrkypfyqhfmmx.exe
1⤵
PID:5824
- C:\Windows\leapevrkypfyqhfmmx.exe
  leapevrkypfyqhfmmx.exe
  2⤵
  PID:5264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe
1⤵
PID:3732
- C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe
  2⤵
  PID:4024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe .
1⤵
PID:5388
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1264
- C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe .
  2⤵
  PID:5812
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\yutldxwsjdwsnhisvjmih.exe*."
    3⤵
    PID:4720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yutldxwsjdwsnhisvjmih.exe .
1⤵
PID:2328
- C:\Windows\yutldxwsjdwsnhisvjmih.exe
  yutldxwsjdwsnhisvjmih.exe .
  2⤵
  PID:3320
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\yutldxwsjdwsnhisvjmih.exe*."
    3⤵
    PID:1564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jectkdbwmfxsmffoqdfa.exe
1⤵
PID:5276
- C:\Windows\jectkdbwmfxsmffoqdfa.exe
  jectkdbwmfxsmffoqdfa.exe
  2⤵
  PID:5448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jectkdbwmfxsmffoqdfa.exe .
1⤵
PID:5212
- C:\Windows\jectkdbwmfxsmffoqdfa.exe
  jectkdbwmfxsmffoqdfa.exe .
  2⤵
  PID:4068
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\jectkdbwmfxsmffoqdfa.exe*."
    3⤵
    PID:1208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jectkdbwmfxsmffoqdfa.exe
1⤵
PID:5876
- C:\Windows\jectkdbwmfxsmffoqdfa.exe
  jectkdbwmfxsmffoqdfa.exe
  2⤵
  PID:4276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
1⤵
PID:5028
- C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
  2⤵
  PID:2300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jectkdbwmfxsmffoqdfa.exe .
1⤵
PID:1980
- C:\Windows\jectkdbwmfxsmffoqdfa.exe
  jectkdbwmfxsmffoqdfa.exe .
  2⤵
  PID:2112
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\jectkdbwmfxsmffoqdfa.exe*."
    3⤵
    PID:4536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c leapevrkypfyqhfmmx.exe
1⤵
PID:4312
- C:\Windows\leapevrkypfyqhfmmx.exe
  leapevrkypfyqhfmmx.exe
  2⤵
  PID:5348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe .
1⤵
PID:1304
- C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe
  C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe .
  2⤵
  PID:6016
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\wqndtlicrjaunfemnza.exe*."
    3⤵
    PID:4940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
1⤵
PID:5008
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4816
- C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
  2⤵
  PID:3768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yutldxwsjdwsnhisvjmih.exe .
1⤵
PID:4444
- C:\Windows\yutldxwsjdwsnhisvjmih.exe
  yutldxwsjdwsnhisvjmih.exe .
  2⤵
  PID:5980
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\yutldxwsjdwsnhisvjmih.exe*."
    3⤵
    PID:5416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe .
1⤵
PID:3292
- C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe .
  2⤵
  PID:5604
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\leapevrkypfyqhfmmx.exe*."
    3⤵
    PID:2776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
1⤵
PID:3276
- C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  2⤵
  PID:5808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe .
1⤵
PID:6044
- C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe
  C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe .
  2⤵
  PID:3300
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\jectkdbwmfxsmffoqdfa.exe*."
    3⤵
    PID:920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
1⤵
PID:1008
- C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  2⤵
  PID:1840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vmgtgvpgshvmcrns.exe .
1⤵
PID:1816
- C:\Users\Admin\AppData\Local\Temp\vmgtgvpgshvmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\vmgtgvpgshvmcrns.exe .
  2⤵
  PID:4204
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\vmgtgvpgshvmcrns.exe*."
    3⤵
    PID:5364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
1⤵
PID:3164
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3188
- C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
  2⤵
  PID:708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe .
1⤵
PID:5444
- C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe .
  2⤵
  PID:5152
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\yutldxwsjdwsnhisvjmih.exe*."
    3⤵
    PID:2168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cupdrhcuhxmevlion.exe
1⤵
PID:5820
- C:\Windows\cupdrhcuhxmevlion.exe
  cupdrhcuhxmevlion.exe
  2⤵
  PID:1248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cupdrhcuhxmevlion.exe .
1⤵
PID:3772
- C:\Windows\cupdrhcuhxmevlion.exe
  cupdrhcuhxmevlion.exe .
  2⤵
  PID:4032
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\cupdrhcuhxmevlion.exe*."
    3⤵
    PID:1204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jectkdbwmfxsmffoqdfa.exe
1⤵
PID:1172
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4936
- C:\Windows\jectkdbwmfxsmffoqdfa.exe
  jectkdbwmfxsmffoqdfa.exe
  2⤵
  PID:4492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cupdrhcuhxmevlion.exe .
1⤵
PID:5492
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:6068
- C:\Windows\cupdrhcuhxmevlion.exe
  cupdrhcuhxmevlion.exe .
  2⤵
  PID:3588
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\cupdrhcuhxmevlion.exe*."
    3⤵
    PID:5788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe
1⤵
PID:932
- C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe
  2⤵
  PID:2528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe .
1⤵
PID:5264
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2260
- C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe
  C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe .
  2⤵
  PID:5024
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\wqndtlicrjaunfemnza.exe*."
    3⤵
    PID:4760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
1⤵
PID:5172
- C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
  2⤵
  PID:4596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe .
1⤵
PID:2852
- C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe .
  2⤵
  PID:1132
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\cupdrhcuhxmevlion.exe*."
    3⤵
    PID:3416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c leapevrkypfyqhfmmx.exe
1⤵
PID:872
- C:\Windows\leapevrkypfyqhfmmx.exe
  leapevrkypfyqhfmmx.exe
  2⤵
  PID:4720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yutldxwsjdwsnhisvjmih.exe .
1⤵
PID:5472
- C:\Windows\yutldxwsjdwsnhisvjmih.exe
  yutldxwsjdwsnhisvjmih.exe .
  2⤵
  PID:4708
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\yutldxwsjdwsnhisvjmih.exe*."
    3⤵
    PID:1472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jectkdbwmfxsmffoqdfa.exe
1⤵
PID:3740
- C:\Windows\jectkdbwmfxsmffoqdfa.exe
  jectkdbwmfxsmffoqdfa.exe
  2⤵
  PID:2660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vmgtgvpgshvmcrns.exe .
1⤵
PID:4480
- C:\Windows\vmgtgvpgshvmcrns.exe
  vmgtgvpgshvmcrns.exe .
  2⤵
  PID:4260
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\vmgtgvpgshvmcrns.exe*."
    3⤵
    PID:1380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
1⤵
PID:6032
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5476
- C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  2⤵
  PID:2772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe .
1⤵
PID:3344
- C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe .
  2⤵
  PID:5964
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\yutldxwsjdwsnhisvjmih.exe*."
    3⤵
    PID:1948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
1⤵
PID:2944
- C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  2⤵
  PID:752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe .
1⤵
PID:3312
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3008
- C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe .
  2⤵
  PID:3276
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\cupdrhcuhxmevlion.exe*."
    3⤵
    PID:4764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c leapevrkypfyqhfmmx.exe
1⤵
PID:692
- C:\Windows\leapevrkypfyqhfmmx.exe
  leapevrkypfyqhfmmx.exe
  2⤵
  PID:5616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqndtlicrjaunfemnza.exe .
1⤵
PID:980
- C:\Windows\wqndtlicrjaunfemnza.exe
  wqndtlicrjaunfemnza.exe .
  2⤵
  PID:4224
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\wqndtlicrjaunfemnza.exe*."
    3⤵
    PID:1856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c leapevrkypfyqhfmmx.exe
1⤵
PID:4200
- C:\Windows\leapevrkypfyqhfmmx.exe
  leapevrkypfyqhfmmx.exe
  2⤵
  PID:1316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqndtlicrjaunfemnza.exe .
1⤵
PID:4364
- C:\Windows\wqndtlicrjaunfemnza.exe
  wqndtlicrjaunfemnza.exe .
  2⤵
  PID:3352
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\wqndtlicrjaunfemnza.exe*."
    3⤵
    PID:5920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe
1⤵
PID:1384
- C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe
  C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe
  2⤵
  PID:976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe .
1⤵
PID:4204
- C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe
  C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe .
  2⤵
  PID:2672
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\wqndtlicrjaunfemnza.exe*."
    3⤵
    PID:2024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
1⤵
PID:3524
- C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
  2⤵
  PID:1832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe .
1⤵
PID:4256
- C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\leapevrkypfyqhfmmx.exe .
  2⤵
  PID:5752
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\leapevrkypfyqhfmmx.exe*."
    3⤵
    PID:4832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cupdrhcuhxmevlion.exe
1⤵
PID:4024
- C:\Windows\cupdrhcuhxmevlion.exe
  cupdrhcuhxmevlion.exe
  2⤵
  PID:3852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jectkdbwmfxsmffoqdfa.exe .
1⤵
PID:5408
- C:\Windows\jectkdbwmfxsmffoqdfa.exe
  jectkdbwmfxsmffoqdfa.exe .
  2⤵
  PID:1552
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\jectkdbwmfxsmffoqdfa.exe*."
    3⤵
    PID:2272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c leapevrkypfyqhfmmx.exe
1⤵
PID:1400
- C:\Windows\leapevrkypfyqhfmmx.exe
  leapevrkypfyqhfmmx.exe
  2⤵
  PID:1688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jectkdbwmfxsmffoqdfa.exe .
1⤵
PID:5704
- C:\Windows\jectkdbwmfxsmffoqdfa.exe
  jectkdbwmfxsmffoqdfa.exe .
  2⤵
  PID:4088
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\jectkdbwmfxsmffoqdfa.exe*."
    3⤵
    PID:4672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vmgtgvpgshvmcrns.exe
1⤵
PID:5208
- C:\Users\Admin\AppData\Local\Temp\vmgtgvpgshvmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\vmgtgvpgshvmcrns.exe
  2⤵
  PID:5172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe .
1⤵
PID:2436
- C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe
  C:\Users\Admin\AppData\Local\Temp\wqndtlicrjaunfemnza.exe .
  2⤵
  PID:4728
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\wqndtlicrjaunfemnza.exe*."
    3⤵
    PID:1564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
1⤵
PID:4840
- C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
  2⤵
  PID:5512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe .
1⤵
PID:1476
- C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe .
  2⤵
  PID:2328
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\yutldxwsjdwsnhisvjmih.exe*."
    3⤵
    PID:2872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jectkdbwmfxsmffoqdfa.exe
1⤵
PID:2300
- C:\Windows\jectkdbwmfxsmffoqdfa.exe
  jectkdbwmfxsmffoqdfa.exe
  2⤵
  PID:2036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jectkdbwmfxsmffoqdfa.exe .
1⤵
PID:4044
- C:\Windows\jectkdbwmfxsmffoqdfa.exe
  jectkdbwmfxsmffoqdfa.exe .
  2⤵
  PID:5660
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\jectkdbwmfxsmffoqdfa.exe*."
    3⤵
    PID:3740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jectkdbwmfxsmffoqdfa.exe
1⤵
PID:5500
- C:\Windows\jectkdbwmfxsmffoqdfa.exe
  jectkdbwmfxsmffoqdfa.exe
  2⤵
  PID:5860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cupdrhcuhxmevlion.exe .
1⤵
PID:5092
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5964
- C:\Windows\cupdrhcuhxmevlion.exe
  cupdrhcuhxmevlion.exe .
  2⤵
  PID:3344
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\cupdrhcuhxmevlion.exe*."
    3⤵
    PID:5352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
1⤵
PID:4312
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5028
- C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  2⤵
  PID:4716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe .
1⤵
PID:2348
- C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe .
  2⤵
  PID:4536
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\yutldxwsjdwsnhisvjmih.exe*."
    3⤵
    PID:3572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vmgtgvpgshvmcrns.exe
1⤵
PID:4932
- C:\Users\Admin\AppData\Local\Temp\vmgtgvpgshvmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\vmgtgvpgshvmcrns.exe
  2⤵
  PID:764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe .
1⤵
PID:3848
- C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe .
  2⤵
  PID:4160
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\cupdrhcuhxmevlion.exe*."
    3⤵
    PID:3620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yutldxwsjdwsnhisvjmih.exe
1⤵
PID:4560
- C:\Windows\yutldxwsjdwsnhisvjmih.exe
  yutldxwsjdwsnhisvjmih.exe
  2⤵
  PID:6096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cupdrhcuhxmevlion.exe .
1⤵
PID:4440
- C:\Windows\cupdrhcuhxmevlion.exe
  cupdrhcuhxmevlion.exe .
  2⤵
  PID:1496
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\cupdrhcuhxmevlion.exe*."
    3⤵
    PID:4676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cupdrhcuhxmevlion.exe
1⤵
PID:5820
- C:\Windows\cupdrhcuhxmevlion.exe
  cupdrhcuhxmevlion.exe
  2⤵
  PID:1448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yutldxwsjdwsnhisvjmih.exe .
1⤵
PID:4732
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5072
- C:\Windows\yutldxwsjdwsnhisvjmih.exe
  yutldxwsjdwsnhisvjmih.exe .
  2⤵
  PID:5192
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\yutldxwsjdwsnhisvjmih.exe*."
    3⤵
    PID:2876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
1⤵
PID:2024
- C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  2⤵
  PID:4764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe .
1⤵
PID:6088
- C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe .
  2⤵
  PID:6000
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\cupdrhcuhxmevlion.exe*."
    3⤵
    PID:3972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
1⤵
PID:5940
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1648
- C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  2⤵
  PID:932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe .
1⤵
PID:5968
- C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe
  C:\Users\Admin\AppData\Local\Temp\yutldxwsjdwsnhisvjmih.exe .
  2⤵
  PID:1484
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\yutldxwsjdwsnhisvjmih.exe*."
    3⤵
    PID:5248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vmgtgvpgshvmcrns.exe
1⤵
PID:2272
- C:\Windows\vmgtgvpgshvmcrns.exe
  vmgtgvpgshvmcrns.exe
  2⤵
  PID:3044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqndtlicrjaunfemnza.exe
1⤵
PID:4152
- C:\Windows\wqndtlicrjaunfemnza.exe
  wqndtlicrjaunfemnza.exe
  2⤵
  PID:1208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c leapevrkypfyqhfmmx.exe .
1⤵
PID:3720
- C:\Windows\leapevrkypfyqhfmmx.exe
  leapevrkypfyqhfmmx.exe .
  2⤵
  PID:5824
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\leapevrkypfyqhfmmx.exe*."
    3⤵
    PID:4728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yutldxwsjdwsnhisvjmih.exe .
1⤵
PID:684
- C:\Windows\yutldxwsjdwsnhisvjmih.exe
  yutldxwsjdwsnhisvjmih.exe .
  2⤵
  PID:1132
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\yutldxwsjdwsnhisvjmih.exe*."
    3⤵
    PID:4420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c leapevrkypfyqhfmmx.exe
1⤵
PID:3856
- C:\Windows\leapevrkypfyqhfmmx.exe
  leapevrkypfyqhfmmx.exe
  2⤵
  PID:4344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yutldxwsjdwsnhisvjmih.exe
1⤵
PID:2680
- C:\Windows\yutldxwsjdwsnhisvjmih.exe
  yutldxwsjdwsnhisvjmih.exe
  2⤵
  PID:2328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cupdrhcuhxmevlion.exe .
1⤵
PID:5452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cupdrhcuhxmevlion.exe
1⤵
PID:1428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cupdrhcuhxmevlion.exe .
1⤵
PID:4424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cupdrhcuhxmevlion.exe
1⤵
PID:4196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c leapevrkypfyqhfmmx.exe .
1⤵
PID:5472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jectkdbwmfxsmffoqdfa.exe .
1⤵
PID:1612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Safe Mode Boot

T1562.009

Modify Registry