pykspa | fab208d4fde711f95e4da7fdfe3d7855f866bd2f367570aac74320952291faa1

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	cdmpr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	cdmpr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe

Pykspa
Pykspa is a worm spreads via Skype uses DGA and it's written in C++.
worm pykspa
Pykspa family
pykspa

UAC bypass 3 TTPs 42 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cdmpr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cdmpr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cdmpr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	cdmpr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cdmpr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	cdmpr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cdmpr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cdmpr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe

Detect Pykspa worm 2 IoCs

worm

resource	yara_rule
behavioral2/files/0x00050000000227cb-4.dat	family_pykspa
behavioral2/files/0x000700000002423d-82.dat	family_pykspa

Adds policy Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zftbizipcl = "zlftgdsfyntityee.exe"	cdmpr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\adotxlr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctsldfzrpjuoeozeovmle.exe"	cdmpr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zftbizipcl = "ndbtklevslvodmwajpfd.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zftbizipcl = "zlftgdsfyntityee.exe"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zftbizipcl = "apmdttlbxpyqemvygla.exe"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\adotxlr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gtodrpftndkamszag.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zftbizipcl = "ctsldfzrpjuoeozeovmle.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\adotxlr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctsldfzrpjuoeozeovmle.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zftbizipcl = "apmdttlbxpyqemvygla.exe"	cdmpr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\adotxlr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndbtklevslvodmwajpfd.exe"	cdmpr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\adotxlr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gtodrpftndkamszag.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\adotxlr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gtodrpftndkamszag.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zftbizipcl = "ctsldfzrpjuoeozeovmle.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\adotxlr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pdzpedujevduhowyfj.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zftbizipcl = "ndbtklevslvodmwajpfd.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zftbizipcl = "zlftgdsfyntityee.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zftbizipcl = "ctsldfzrpjuoeozeovmle.exe"	cdmpr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zftbizipcl = "ndbtklevslvodmwajpfd.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\adotxlr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apmdttlbxpyqemvygla.exe"	cdmpr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\adotxlr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctsldfzrpjuoeozeovmle.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zftbizipcl = "ctsldfzrpjuoeozeovmle.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\adotxlr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gtodrpftndkamszag.exe"	cdmpr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\adotxlr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gtodrpftndkamszag.exe"	cdmpr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\adotxlr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctsldfzrpjuoeozeovmle.exe"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\adotxlr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zlftgdsfyntityee.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zftbizipcl = "ndbtklevslvodmwajpfd.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\adotxlr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apmdttlbxpyqemvygla.exe"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\adotxlr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctsldfzrpjuoeozeovmle.exe"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\adotxlr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zlftgdsfyntityee.exe"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\adotxlr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zlftgdsfyntityee.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\adotxlr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndbtklevslvodmwajpfd.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zftbizipcl = "ndbtklevslvodmwajpfd.exe"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\adotxlr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pdzpedujevduhowyfj.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\adotxlr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pdzpedujevduhowyfj.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zftbizipcl = "ndbtklevslvodmwajpfd.exe"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zftbizipcl = "ctsldfzrpjuoeozeovmle.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\adotxlr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctsldfzrpjuoeozeovmle.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zftbizipcl = "pdzpedujevduhowyfj.exe"	cdmpr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\adotxlr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pdzpedujevduhowyfj.exe"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\adotxlr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zlftgdsfyntityee.exe"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zftbizipcl = "apmdttlbxpyqemvygla.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zftbizipcl = "ctsldfzrpjuoeozeovmle.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zftbizipcl = "gtodrpftndkamszag.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zftbizipcl = "gtodrpftndkamszag.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zftbizipcl = "ctsldfzrpjuoeozeovmle.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\adotxlr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctsldfzrpjuoeozeovmle.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zftbizipcl = "ctsldfzrpjuoeozeovmle.exe"	cdmpr.exe

Blocklisted process makes network request 5 IoCs

flow	pid	Process
56	1368	Process not Found
60	1368	Process not Found
62	1368	Process not Found
65	1368	Process not Found
77	1368	Process not Found

Disables RegEdit via registry modification 6 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cdmpr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cdmpr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cdmpr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cdmpr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	uvfllmhhefp.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	pdzpedujevduhowyfj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	ctsldfzrpjuoeozeovmle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	ndbtklevslvodmwajpfd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	apmdttlbxpyqemvygla.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	gtodrpftndkamszag.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	gtodrpftndkamszag.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	gtodrpftndkamszag.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	zlftgdsfyntityee.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	ndbtklevslvodmwajpfd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	zlftgdsfyntityee.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	apmdttlbxpyqemvygla.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	ndbtklevslvodmwajpfd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	ctsldfzrpjuoeozeovmle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	pdzpedujevduhowyfj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	pdzpedujevduhowyfj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	zlftgdsfyntityee.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	pdzpedujevduhowyfj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	gtodrpftndkamszag.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	ndbtklevslvodmwajpfd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	zlftgdsfyntityee.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	ctsldfzrpjuoeozeovmle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	ctsldfzrpjuoeozeovmle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	ctsldfzrpjuoeozeovmle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	apmdttlbxpyqemvygla.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	gtodrpftndkamszag.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	apmdttlbxpyqemvygla.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	apmdttlbxpyqemvygla.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	pdzpedujevduhowyfj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	ndbtklevslvodmwajpfd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	apmdttlbxpyqemvygla.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	pdzpedujevduhowyfj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	ndbtklevslvodmwajpfd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	ndbtklevslvodmwajpfd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	ctsldfzrpjuoeozeovmle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	pdzpedujevduhowyfj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	gtodrpftndkamszag.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	ndbtklevslvodmwajpfd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	ctsldfzrpjuoeozeovmle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	gtodrpftndkamszag.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	gtodrpftndkamszag.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	zlftgdsfyntityee.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	zlftgdsfyntityee.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	apmdttlbxpyqemvygla.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	apmdttlbxpyqemvygla.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	zlftgdsfyntityee.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	pdzpedujevduhowyfj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	ndbtklevslvodmwajpfd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	gtodrpftndkamszag.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	zlftgdsfyntityee.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	zlftgdsfyntityee.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	apmdttlbxpyqemvygla.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	ctsldfzrpjuoeozeovmle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	gtodrpftndkamszag.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	pdzpedujevduhowyfj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	zlftgdsfyntityee.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	pdzpedujevduhowyfj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	gtodrpftndkamszag.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	apmdttlbxpyqemvygla.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	apmdttlbxpyqemvygla.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	zlftgdsfyntityee.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	zlftgdsfyntityee.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	apmdttlbxpyqemvygla.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	ctsldfzrpjuoeozeovmle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	pdzpedujevduhowyfj.exe

Executes dropped EXE 64 IoCs

pid	Process
6112	uvfllmhhefp.exe
4652	zlftgdsfyntityee.exe
1920	ndbtklevslvodmwajpfd.exe
4872	uvfllmhhefp.exe
4080	apmdttlbxpyqemvygla.exe
2944	apmdttlbxpyqemvygla.exe
2308	gtodrpftndkamszag.exe
4308	uvfllmhhefp.exe
1428	zlftgdsfyntityee.exe
3836	uvfllmhhefp.exe
1532	zlftgdsfyntityee.exe
4264	pdzpedujevduhowyfj.exe
3196	uvfllmhhefp.exe
3764	cdmpr.exe
3740	cdmpr.exe
1756	ndbtklevslvodmwajpfd.exe
1700	ctsldfzrpjuoeozeovmle.exe
3588	gtodrpftndkamszag.exe
5332	zlftgdsfyntityee.exe
6080	ndbtklevslvodmwajpfd.exe
1680	zlftgdsfyntityee.exe
3788	uvfllmhhefp.exe
1248	uvfllmhhefp.exe
5092	ndbtklevslvodmwajpfd.exe
5408	zlftgdsfyntityee.exe
3404	gtodrpftndkamszag.exe
3804	uvfllmhhefp.exe
4788	uvfllmhhefp.exe
4984	ctsldfzrpjuoeozeovmle.exe
1896	pdzpedujevduhowyfj.exe
740	apmdttlbxpyqemvygla.exe
5376	ctsldfzrpjuoeozeovmle.exe
2272	pdzpedujevduhowyfj.exe
3800	uvfllmhhefp.exe
6036	uvfllmhhefp.exe
6016	pdzpedujevduhowyfj.exe
624	uvfllmhhefp.exe
5344	pdzpedujevduhowyfj.exe
2068	apmdttlbxpyqemvygla.exe
5732	uvfllmhhefp.exe
3812	pdzpedujevduhowyfj.exe
2780	uvfllmhhefp.exe
1600	gtodrpftndkamszag.exe
3516	zlftgdsfyntityee.exe
5968	ctsldfzrpjuoeozeovmle.exe
5992	uvfllmhhefp.exe
1680	apmdttlbxpyqemvygla.exe
2676	uvfllmhhefp.exe
3620	pdzpedujevduhowyfj.exe
1124	pdzpedujevduhowyfj.exe
4384	uvfllmhhefp.exe
4584	ctsldfzrpjuoeozeovmle.exe
4848	apmdttlbxpyqemvygla.exe
3952	ndbtklevslvodmwajpfd.exe
6020	uvfllmhhefp.exe
2132	pdzpedujevduhowyfj.exe
1204	ndbtklevslvodmwajpfd.exe
2416	gtodrpftndkamszag.exe
388	uvfllmhhefp.exe
2756	ndbtklevslvodmwajpfd.exe
3652	uvfllmhhefp.exe
2456	ctsldfzrpjuoeozeovmle.exe
3232	pdzpedujevduhowyfj.exe
4732	ndbtklevslvodmwajpfd.exe

Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	cdmpr.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	cdmpr.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	cdmpr.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	cdmpr.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	cdmpr.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	cdmpr.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

defense_evasion persistence privilege_escalation

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ptflqfmr = "ndbtklevslvodmwajpfd.exe"	cdmpr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rzpzibmvkvxi = "ctsldfzrpjuoeozeovmle.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rzpzibmvkvxi = "zlftgdsfyntityee.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\glyflbjpb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zlftgdsfyntityee.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ptflqfmr = "zlftgdsfyntityee.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rzpzibmvkvxi = "ctsldfzrpjuoeozeovmle.exe ."	cdmpr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ptflqfmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pdzpedujevduhowyfj.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rbtfqlyjanrenq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pdzpedujevduhowyfj.exe"	cdmpr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ubqzhzjrfpq = "pdzpedujevduhowyfj.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\glyflbjpb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gtodrpftndkamszag.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\glyflbjpb = "ndbtklevslvodmwajpfd.exe ."	cdmpr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\glyflbjpb = "ctsldfzrpjuoeozeovmle.exe ."	cdmpr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ptflqfmr = "ctsldfzrpjuoeozeovmle.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\glyflbjpb = "apmdttlbxpyqemvygla.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\glyflbjpb = "gtodrpftndkamszag.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rbtfqlyjanrenq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zlftgdsfyntityee.exe"	cdmpr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ubqzhzjrfpq = "zlftgdsfyntityee.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\glyflbjpb = "ctsldfzrpjuoeozeovmle.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rzpzibmvkvxi = "gtodrpftndkamszag.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rbtfqlyjanrenq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pdzpedujevduhowyfj.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ptflqfmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gtodrpftndkamszag.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\glyflbjpb = "apmdttlbxpyqemvygla.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rzpzibmvkvxi = "zlftgdsfyntityee.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ptflqfmr = "ctsldfzrpjuoeozeovmle.exe"	cdmpr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\glyflbjpb = "gtodrpftndkamszag.exe ."	cdmpr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rbtfqlyjanrenq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pdzpedujevduhowyfj.exe"	cdmpr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ubqzhzjrfpq = "pdzpedujevduhowyfj.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qzqblfrbrdgsa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pdzpedujevduhowyfj.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ubqzhzjrfpq = "ctsldfzrpjuoeozeovmle.exe"	cdmpr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\glyflbjpb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apmdttlbxpyqemvygla.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\glyflbjpb = "ndbtklevslvodmwajpfd.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rzpzibmvkvxi = "gtodrpftndkamszag.exe ."	cdmpr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\glyflbjpb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndbtklevslvodmwajpfd.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ptflqfmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctsldfzrpjuoeozeovmle.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\glyflbjpb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pdzpedujevduhowyfj.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ptflqfmr = "ctsldfzrpjuoeozeovmle.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ubqzhzjrfpq = "pdzpedujevduhowyfj.exe"	cdmpr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ubqzhzjrfpq = "ctsldfzrpjuoeozeovmle.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rzpzibmvkvxi = "apmdttlbxpyqemvygla.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ptflqfmr = "ndbtklevslvodmwajpfd.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rzpzibmvkvxi = "ndbtklevslvodmwajpfd.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ubqzhzjrfpq = "zlftgdsfyntityee.exe"	cdmpr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rbtfqlyjanrenq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zlftgdsfyntityee.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\glyflbjpb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pdzpedujevduhowyfj.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rzpzibmvkvxi = "apmdttlbxpyqemvygla.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ptflqfmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zlftgdsfyntityee.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\glyflbjpb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndbtklevslvodmwajpfd.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\glyflbjpb = "pdzpedujevduhowyfj.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ubqzhzjrfpq = "ndbtklevslvodmwajpfd.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rbtfqlyjanrenq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apmdttlbxpyqemvygla.exe"	cdmpr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ptflqfmr = "pdzpedujevduhowyfj.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ubqzhzjrfpq = "gtodrpftndkamszag.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qzqblfrbrdgsa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctsldfzrpjuoeozeovmle.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\glyflbjpb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zlftgdsfyntityee.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ptflqfmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gtodrpftndkamszag.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ptflqfmr = "ndbtklevslvodmwajpfd.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qzqblfrbrdgsa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndbtklevslvodmwajpfd.exe ."	cdmpr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rzpzibmvkvxi = "pdzpedujevduhowyfj.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rzpzibmvkvxi = "apmdttlbxpyqemvygla.exe ."	cdmpr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ptflqfmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pdzpedujevduhowyfj.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ptflqfmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zlftgdsfyntityee.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rbtfqlyjanrenq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndbtklevslvodmwajpfd.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rzpzibmvkvxi = "ndbtklevslvodmwajpfd.exe ."	cdmpr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ptflqfmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gtodrpftndkamszag.exe"	cdmpr.exe

Checks whether UAC is enabled 1 TTPs 64 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cdmpr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cdmpr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cdmpr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cdmpr.exe

Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs

Possible Turn off User Account Control's privilege elevation for standard users.

Executable Installer File Permissions Weakness

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	cdmpr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	cdmpr.exe

Looks up external IP address via web service 7 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
50	www.whatismyip.ca
24	www.showmyipaddress.com
32	whatismyipaddress.com
38	whatismyip.everdot.org
41	www.whatismyip.ca
43	whatismyip.everdot.org
49	whatismyip.everdot.org

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\autorun.inf	cdmpr.exe
File created	C:\autorun.inf	cdmpr.exe
File opened for modification	F:\autorun.inf	cdmpr.exe
File created	F:\autorun.inf	cdmpr.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\tllfybwpojvqhsekvdvvpi.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\apmdttlbxpyqemvygla.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\gtodrpftndkamszag.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\gtodrpftndkamszag.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\gtodrpftndkamszag.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\pdzpedujevduhowyfj.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\tllfybwpojvqhsekvdvvpi.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\tllfybwpojvqhsekvdvvpi.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\ctsldfzrpjuoeozeovmle.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\gtodrpftndkamszag.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\pdzpedujevduhowyfj.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\zlftgdsfyntityee.exe	cdmpr.exe
File opened for modification	C:\Windows\SysWOW64\ndbtklevslvodmwajpfd.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\tllfybwpojvqhsekvdvvpi.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\tllfybwpojvqhsekvdvvpi.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\zlftgdsfyntityee.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\zlftgdsfyntityee.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\apmdttlbxpyqemvygla.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\ctsldfzrpjuoeozeovmle.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\apmdttlbxpyqemvygla.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\apmdttlbxpyqemvygla.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\apmdttlbxpyqemvygla.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\tllfybwpojvqhsekvdvvpi.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\zlftgdsfyntityee.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\apmdttlbxpyqemvygla.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\dzdbyfebedtsncscrdzdby.ebe	cdmpr.exe
File opened for modification	C:\Windows\SysWOW64\tllfybwpojvqhsekvdvvpi.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\gtodrpftndkamszag.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\ndbtklevslvodmwajpfd.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\apmdttlbxpyqemvygla.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\pdzpedujevduhowyfj.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\apmdttlbxpyqemvygla.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\ndbtklevslvodmwajpfd.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\tllfybwpojvqhsekvdvvpi.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\ndbtklevslvodmwajpfd.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\ndbtklevslvodmwajpfd.exe	cdmpr.exe
File opened for modification	C:\Windows\SysWOW64\tllfybwpojvqhsekvdvvpi.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\pdzpedujevduhowyfj.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\gtodrpftndkamszag.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\pdzpedujevduhowyfj.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\ctsldfzrpjuoeozeovmle.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\ndbtklevslvodmwajpfd.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\zlftgdsfyntityee.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\pdzpedujevduhowyfj.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\gtodrpftndkamszag.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\tllfybwpojvqhsekvdvvpi.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\apmdttlbxpyqemvygla.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\ndbtklevslvodmwajpfd.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\tllfybwpojvqhsekvdvvpi.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\ndbtklevslvodmwajpfd.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\tllfybwpojvqhsekvdvvpi.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\ctsldfzrpjuoeozeovmle.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\pdzpedujevduhowyfj.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\apmdttlbxpyqemvygla.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\gtodrpftndkamszag.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\zlftgdsfyntityee.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\zlftgdsfyntityee.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\ndbtklevslvodmwajpfd.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\gtodrpftndkamszag.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\ctsldfzrpjuoeozeovmle.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\ctsldfzrpjuoeozeovmle.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\gtodrpftndkamszag.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\gtodrpftndkamszag.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\zlftgdsfyntityee.exe	uvfllmhhefp.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\ubqzhzjrfpqagghcczgvemeowkuvfllmh.ela	cdmpr.exe
File created	C:\Program Files (x86)\ubqzhzjrfpqagghcczgvemeowkuvfllmh.ela	cdmpr.exe
File opened for modification	C:\Program Files (x86)\dzdbyfebedtsncscrdzdby.ebe	cdmpr.exe
File created	C:\Program Files (x86)\dzdbyfebedtsncscrdzdby.ebe	cdmpr.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ndbtklevslvodmwajpfd.exe	cdmpr.exe
File opened for modification	C:\Windows\apmdttlbxpyqemvygla.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\ndbtklevslvodmwajpfd.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\tllfybwpojvqhsekvdvvpi.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\gtodrpftndkamszag.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\gtodrpftndkamszag.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\zlftgdsfyntityee.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\ctsldfzrpjuoeozeovmle.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\gtodrpftndkamszag.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\tllfybwpojvqhsekvdvvpi.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\tllfybwpojvqhsekvdvvpi.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\ctsldfzrpjuoeozeovmle.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\pdzpedujevduhowyfj.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\zlftgdsfyntityee.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\ctsldfzrpjuoeozeovmle.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\zlftgdsfyntityee.exe	cdmpr.exe
File opened for modification	C:\Windows\pdzpedujevduhowyfj.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\ndbtklevslvodmwajpfd.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\tllfybwpojvqhsekvdvvpi.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\pdzpedujevduhowyfj.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\gtodrpftndkamszag.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\pdzpedujevduhowyfj.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\apmdttlbxpyqemvygla.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\ctsldfzrpjuoeozeovmle.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\ndbtklevslvodmwajpfd.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\ndbtklevslvodmwajpfd.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\tllfybwpojvqhsekvdvvpi.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\zlftgdsfyntityee.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\gtodrpftndkamszag.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\ctsldfzrpjuoeozeovmle.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\apmdttlbxpyqemvygla.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\ctsldfzrpjuoeozeovmle.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\ndbtklevslvodmwajpfd.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\zlftgdsfyntityee.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\ndbtklevslvodmwajpfd.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\tllfybwpojvqhsekvdvvpi.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\ndbtklevslvodmwajpfd.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\gtodrpftndkamszag.exe	cdmpr.exe
File opened for modification	C:\Windows\tllfybwpojvqhsekvdvvpi.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\zlftgdsfyntityee.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\gtodrpftndkamszag.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\apmdttlbxpyqemvygla.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\zlftgdsfyntityee.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\gtodrpftndkamszag.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\ndbtklevslvodmwajpfd.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\pdzpedujevduhowyfj.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\tllfybwpojvqhsekvdvvpi.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\ctsldfzrpjuoeozeovmle.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\pdzpedujevduhowyfj.exe	cdmpr.exe
File opened for modification	C:\Windows\ctsldfzrpjuoeozeovmle.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\ndbtklevslvodmwajpfd.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\ndbtklevslvodmwajpfd.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\pdzpedujevduhowyfj.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\ndbtklevslvodmwajpfd.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\pdzpedujevduhowyfj.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\tllfybwpojvqhsekvdvvpi.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\zlftgdsfyntityee.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\pdzpedujevduhowyfj.exe	cdmpr.exe
File opened for modification	C:\Windows\apmdttlbxpyqemvygla.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\ndbtklevslvodmwajpfd.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\tllfybwpojvqhsekvdvvpi.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\pdzpedujevduhowyfj.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\apmdttlbxpyqemvygla.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\gtodrpftndkamszag.exe	uvfllmhhefp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gtodrpftndkamszag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ndbtklevslvodmwajpfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zlftgdsfyntityee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apmdttlbxpyqemvygla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zlftgdsfyntityee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ndbtklevslvodmwajpfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zlftgdsfyntityee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gtodrpftndkamszag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctsldfzrpjuoeozeovmle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ndbtklevslvodmwajpfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apmdttlbxpyqemvygla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gtodrpftndkamszag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zlftgdsfyntityee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pdzpedujevduhowyfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctsldfzrpjuoeozeovmle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gtodrpftndkamszag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zlftgdsfyntityee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctsldfzrpjuoeozeovmle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctsldfzrpjuoeozeovmle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctsldfzrpjuoeozeovmle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pdzpedujevduhowyfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ndbtklevslvodmwajpfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctsldfzrpjuoeozeovmle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gtodrpftndkamszag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apmdttlbxpyqemvygla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pdzpedujevduhowyfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ndbtklevslvodmwajpfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ndbtklevslvodmwajpfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pdzpedujevduhowyfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ndbtklevslvodmwajpfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apmdttlbxpyqemvygla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pdzpedujevduhowyfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zlftgdsfyntityee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pdzpedujevduhowyfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apmdttlbxpyqemvygla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctsldfzrpjuoeozeovmle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gtodrpftndkamszag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pdzpedujevduhowyfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pdzpedujevduhowyfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gtodrpftndkamszag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ndbtklevslvodmwajpfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apmdttlbxpyqemvygla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctsldfzrpjuoeozeovmle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pdzpedujevduhowyfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gtodrpftndkamszag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gtodrpftndkamszag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gtodrpftndkamszag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pdzpedujevduhowyfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apmdttlbxpyqemvygla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gtodrpftndkamszag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zlftgdsfyntityee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apmdttlbxpyqemvygla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zlftgdsfyntityee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ndbtklevslvodmwajpfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pdzpedujevduhowyfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apmdttlbxpyqemvygla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apmdttlbxpyqemvygla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apmdttlbxpyqemvygla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apmdttlbxpyqemvygla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apmdttlbxpyqemvygla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pdzpedujevduhowyfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gtodrpftndkamszag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctsldfzrpjuoeozeovmle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctsldfzrpjuoeozeovmle.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3368	JaffaCakes118_8abe43cb15a9dd8d69f77c0c833c6809.exe
3368	JaffaCakes118_8abe43cb15a9dd8d69f77c0c833c6809.exe
3368	JaffaCakes118_8abe43cb15a9dd8d69f77c0c833c6809.exe
3368	JaffaCakes118_8abe43cb15a9dd8d69f77c0c833c6809.exe
3368	JaffaCakes118_8abe43cb15a9dd8d69f77c0c833c6809.exe
3368	JaffaCakes118_8abe43cb15a9dd8d69f77c0c833c6809.exe
3368	JaffaCakes118_8abe43cb15a9dd8d69f77c0c833c6809.exe
3368	JaffaCakes118_8abe43cb15a9dd8d69f77c0c833c6809.exe
3368	JaffaCakes118_8abe43cb15a9dd8d69f77c0c833c6809.exe
3368	JaffaCakes118_8abe43cb15a9dd8d69f77c0c833c6809.exe
3368	JaffaCakes118_8abe43cb15a9dd8d69f77c0c833c6809.exe
3368	JaffaCakes118_8abe43cb15a9dd8d69f77c0c833c6809.exe
3368	JaffaCakes118_8abe43cb15a9dd8d69f77c0c833c6809.exe
3368	JaffaCakes118_8abe43cb15a9dd8d69f77c0c833c6809.exe
3740	cdmpr.exe
3740	cdmpr.exe
3368	JaffaCakes118_8abe43cb15a9dd8d69f77c0c833c6809.exe
3368	JaffaCakes118_8abe43cb15a9dd8d69f77c0c833c6809.exe
3368	JaffaCakes118_8abe43cb15a9dd8d69f77c0c833c6809.exe
3368	JaffaCakes118_8abe43cb15a9dd8d69f77c0c833c6809.exe
3368	JaffaCakes118_8abe43cb15a9dd8d69f77c0c833c6809.exe
3368	JaffaCakes118_8abe43cb15a9dd8d69f77c0c833c6809.exe
3368	JaffaCakes118_8abe43cb15a9dd8d69f77c0c833c6809.exe
3368	JaffaCakes118_8abe43cb15a9dd8d69f77c0c833c6809.exe
3368	JaffaCakes118_8abe43cb15a9dd8d69f77c0c833c6809.exe
3368	JaffaCakes118_8abe43cb15a9dd8d69f77c0c833c6809.exe
3368	JaffaCakes118_8abe43cb15a9dd8d69f77c0c833c6809.exe
3368	JaffaCakes118_8abe43cb15a9dd8d69f77c0c833c6809.exe
3368	JaffaCakes118_8abe43cb15a9dd8d69f77c0c833c6809.exe
3368	JaffaCakes118_8abe43cb15a9dd8d69f77c0c833c6809.exe
3368	JaffaCakes118_8abe43cb15a9dd8d69f77c0c833c6809.exe
3368	JaffaCakes118_8abe43cb15a9dd8d69f77c0c833c6809.exe
3368	JaffaCakes118_8abe43cb15a9dd8d69f77c0c833c6809.exe
3368	JaffaCakes118_8abe43cb15a9dd8d69f77c0c833c6809.exe
3368	JaffaCakes118_8abe43cb15a9dd8d69f77c0c833c6809.exe
3368	JaffaCakes118_8abe43cb15a9dd8d69f77c0c833c6809.exe
3368	JaffaCakes118_8abe43cb15a9dd8d69f77c0c833c6809.exe
3368	JaffaCakes118_8abe43cb15a9dd8d69f77c0c833c6809.exe
3368	JaffaCakes118_8abe43cb15a9dd8d69f77c0c833c6809.exe
3368	JaffaCakes118_8abe43cb15a9dd8d69f77c0c833c6809.exe
3368	JaffaCakes118_8abe43cb15a9dd8d69f77c0c833c6809.exe
3368	JaffaCakes118_8abe43cb15a9dd8d69f77c0c833c6809.exe
3368	JaffaCakes118_8abe43cb15a9dd8d69f77c0c833c6809.exe
3368	JaffaCakes118_8abe43cb15a9dd8d69f77c0c833c6809.exe
3368	JaffaCakes118_8abe43cb15a9dd8d69f77c0c833c6809.exe
3368	JaffaCakes118_8abe43cb15a9dd8d69f77c0c833c6809.exe
3368	JaffaCakes118_8abe43cb15a9dd8d69f77c0c833c6809.exe
3368	JaffaCakes118_8abe43cb15a9dd8d69f77c0c833c6809.exe
3368	JaffaCakes118_8abe43cb15a9dd8d69f77c0c833c6809.exe
3368	JaffaCakes118_8abe43cb15a9dd8d69f77c0c833c6809.exe
3368	JaffaCakes118_8abe43cb15a9dd8d69f77c0c833c6809.exe
3368	JaffaCakes118_8abe43cb15a9dd8d69f77c0c833c6809.exe
3740	cdmpr.exe
3740	cdmpr.exe
3368	JaffaCakes118_8abe43cb15a9dd8d69f77c0c833c6809.exe
3368	JaffaCakes118_8abe43cb15a9dd8d69f77c0c833c6809.exe
3368	JaffaCakes118_8abe43cb15a9dd8d69f77c0c833c6809.exe
3368	JaffaCakes118_8abe43cb15a9dd8d69f77c0c833c6809.exe
3368	JaffaCakes118_8abe43cb15a9dd8d69f77c0c833c6809.exe
3368	JaffaCakes118_8abe43cb15a9dd8d69f77c0c833c6809.exe
3368	JaffaCakes118_8abe43cb15a9dd8d69f77c0c833c6809.exe
3368	JaffaCakes118_8abe43cb15a9dd8d69f77c0c833c6809.exe
3368	JaffaCakes118_8abe43cb15a9dd8d69f77c0c833c6809.exe
3368	JaffaCakes118_8abe43cb15a9dd8d69f77c0c833c6809.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3740	cdmpr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3368 wrote to memory of 6112	3368	JaffaCakes118_8abe43cb15a9dd8d69f77c0c833c6809.exe	87
PID 3368 wrote to memory of 6112	3368	JaffaCakes118_8abe43cb15a9dd8d69f77c0c833c6809.exe	87
PID 3368 wrote to memory of 6112	3368	JaffaCakes118_8abe43cb15a9dd8d69f77c0c833c6809.exe	87
PID 4792 wrote to memory of 4652	4792	cmd.exe	92
PID 4792 wrote to memory of 4652	4792	cmd.exe	92
PID 4792 wrote to memory of 4652	4792	cmd.exe	92
PID 5180 wrote to memory of 1920	5180	cmd.exe	95
PID 5180 wrote to memory of 1920	5180	cmd.exe	95
PID 5180 wrote to memory of 1920	5180	cmd.exe	95
PID 1920 wrote to memory of 4872	1920	ndbtklevslvodmwajpfd.exe	97
PID 1920 wrote to memory of 4872	1920	ndbtklevslvodmwajpfd.exe	97
PID 1920 wrote to memory of 4872	1920	ndbtklevslvodmwajpfd.exe	97
PID 4836 wrote to memory of 4080	4836	cmd.exe	101
PID 4836 wrote to memory of 4080	4836	cmd.exe	101
PID 4836 wrote to memory of 4080	4836	cmd.exe	101
PID 4076 wrote to memory of 2944	4076	cmd.exe	104
PID 4076 wrote to memory of 2944	4076	cmd.exe	104
PID 4076 wrote to memory of 2944	4076	cmd.exe	104
PID 4944 wrote to memory of 2308	4944	cmd.exe	105
PID 4944 wrote to memory of 2308	4944	cmd.exe	105
PID 4944 wrote to memory of 2308	4944	cmd.exe	105
PID 2944 wrote to memory of 4308	2944	apmdttlbxpyqemvygla.exe	108
PID 2944 wrote to memory of 4308	2944	apmdttlbxpyqemvygla.exe	108
PID 2944 wrote to memory of 4308	2944	apmdttlbxpyqemvygla.exe	108
PID 5080 wrote to memory of 1428	5080	cmd.exe	109
PID 5080 wrote to memory of 1428	5080	cmd.exe	109
PID 5080 wrote to memory of 1428	5080	cmd.exe	109
PID 1428 wrote to memory of 3836	1428	zlftgdsfyntityee.exe	111
PID 1428 wrote to memory of 3836	1428	zlftgdsfyntityee.exe	111
PID 1428 wrote to memory of 3836	1428	zlftgdsfyntityee.exe	111
PID 1208 wrote to memory of 1532	1208	cmd.exe	115
PID 1208 wrote to memory of 1532	1208	cmd.exe	115
PID 1208 wrote to memory of 1532	1208	cmd.exe	115
PID 1016 wrote to memory of 4264	1016	cmd.exe	118
PID 1016 wrote to memory of 4264	1016	cmd.exe	118
PID 1016 wrote to memory of 4264	1016	cmd.exe	118
PID 4264 wrote to memory of 3196	4264	pdzpedujevduhowyfj.exe	120
PID 4264 wrote to memory of 3196	4264	pdzpedujevduhowyfj.exe	120
PID 4264 wrote to memory of 3196	4264	pdzpedujevduhowyfj.exe	120
PID 6112 wrote to memory of 3764	6112	uvfllmhhefp.exe	121
PID 6112 wrote to memory of 3764	6112	uvfllmhhefp.exe	121
PID 6112 wrote to memory of 3764	6112	uvfllmhhefp.exe	121
PID 6112 wrote to memory of 3740	6112	uvfllmhhefp.exe	122
PID 6112 wrote to memory of 3740	6112	uvfllmhhefp.exe	122
PID 6112 wrote to memory of 3740	6112	uvfllmhhefp.exe	122
PID 2268 wrote to memory of 1756	2268	cmd.exe	133
PID 2268 wrote to memory of 1756	2268	cmd.exe	133
PID 2268 wrote to memory of 1756	2268	cmd.exe	133
PID 6124 wrote to memory of 1700	6124	cmd.exe	135
PID 6124 wrote to memory of 1700	6124	cmd.exe	135
PID 6124 wrote to memory of 1700	6124	cmd.exe	135
PID 1108 wrote to memory of 3588	1108	cmd.exe	137
PID 1108 wrote to memory of 3588	1108	cmd.exe	137
PID 1108 wrote to memory of 3588	1108	cmd.exe	137
PID 5192 wrote to memory of 5332	5192	cmd.exe	140
PID 5192 wrote to memory of 5332	5192	cmd.exe	140
PID 5192 wrote to memory of 5332	5192	cmd.exe	140
PID 1036 wrote to memory of 6080	1036	cmd.exe	143
PID 1036 wrote to memory of 6080	1036	cmd.exe	143
PID 1036 wrote to memory of 6080	1036	cmd.exe	143
PID 5164 wrote to memory of 1680	5164	cmd.exe	199
PID 5164 wrote to memory of 1680	5164	cmd.exe	199
PID 5164 wrote to memory of 1680	5164	cmd.exe	199
PID 3588 wrote to memory of 3788	3588	gtodrpftndkamszag.exe	147

System policy modification 1 TTPs 64 IoCs

defense_evasion

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cdmpr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	cdmpr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cdmpr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	cdmpr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	cdmpr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cdmpr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cdmpr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cdmpr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	cdmpr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cdmpr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	cdmpr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	cdmpr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cdmpr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	cdmpr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	cdmpr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cdmpr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	cdmpr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uvfllmhhefp.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8abe43cb15a9dd8d69f77c0c833c6809.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8abe43cb15a9dd8d69f77c0c833c6809.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3368
- C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
  "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_8abe43cb15a9dd8d69f77c0c833c6809.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Hijack Execution Flow: Executable Installer File Permissions Weakness
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:6112
- - C:\Users\Admin\AppData\Local\Temp\cdmpr.exe
    "C:\Users\Admin\AppData\Local\Temp\cdmpr.exe" "-C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3764
- - C:\Users\Admin\AppData\Local\Temp\cdmpr.exe
    "C:\Users\Admin\AppData\Local\Temp\cdmpr.exe" "-C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:3740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlftgdsfyntityee.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4792
- C:\Windows\zlftgdsfyntityee.exe
  zlftgdsfyntityee.exe
  2⤵
  - Executes dropped EXE
  PID:4652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ndbtklevslvodmwajpfd.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:5180
- C:\Windows\ndbtklevslvodmwajpfd.exe
  ndbtklevslvodmwajpfd.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1920
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\ndbtklevslvodmwajpfd.exe*."
    3⤵
    - Executes dropped EXE
    PID:4872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apmdttlbxpyqemvygla.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4836
- C:\Windows\apmdttlbxpyqemvygla.exe
  apmdttlbxpyqemvygla.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apmdttlbxpyqemvygla.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:4076
- C:\Windows\apmdttlbxpyqemvygla.exe
  apmdttlbxpyqemvygla.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\apmdttlbxpyqemvygla.exe*."
    3⤵
    - Executes dropped EXE
    PID:4308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4944
- C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe
  C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe
  2⤵
  - Executes dropped EXE
  PID:2308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:5080
- C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe
  C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1428
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\zlftgdsfyntityee.exe*."
    3⤵
    - Executes dropped EXE
    PID:3836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe
  C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe
  2⤵
  - Executes dropped EXE
  PID:1532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:1016
- C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
  C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4264
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\pdzpedujevduhowyfj.exe*."
    3⤵
    - Executes dropped EXE
    PID:3196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctsldfzrpjuoeozeovmle.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:6124
- C:\Windows\ctsldfzrpjuoeozeovmle.exe
  ctsldfzrpjuoeozeovmle.exe
  2⤵
  - Executes dropped EXE
  PID:1700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gtodrpftndkamszag.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:1108
- C:\Windows\gtodrpftndkamszag.exe
  gtodrpftndkamszag.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3588
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\gtodrpftndkamszag.exe*."
    3⤵
    - Executes dropped EXE
    PID:3788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ndbtklevslvodmwajpfd.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Windows\ndbtklevslvodmwajpfd.exe
  ndbtklevslvodmwajpfd.exe
  2⤵
  - Executes dropped EXE
  PID:1756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ndbtklevslvodmwajpfd.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:1036
- C:\Windows\ndbtklevslvodmwajpfd.exe
  ndbtklevslvodmwajpfd.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:6080
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\ndbtklevslvodmwajpfd.exe*."
    3⤵
    - Executes dropped EXE
    PID:1248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlftgdsfyntityee.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5192
- C:\Windows\zlftgdsfyntityee.exe
  zlftgdsfyntityee.exe
  2⤵
  - Executes dropped EXE
  PID:5332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5164
- C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe
  C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe
  2⤵
  - Executes dropped EXE
  PID:1680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe .
1⤵
PID:4512
- C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
  C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:5092
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\ndbtklevslvodmwajpfd.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlftgdsfyntityee.exe .
1⤵
PID:3760
- C:\Windows\zlftgdsfyntityee.exe
  zlftgdsfyntityee.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5408
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\zlftgdsfyntityee.exe*."
    3⤵
    - Executes dropped EXE
    PID:4788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gtodrpftndkamszag.exe
1⤵
PID:2088
- C:\Windows\gtodrpftndkamszag.exe
  gtodrpftndkamszag.exe
  2⤵
  - Executes dropped EXE
  PID:3404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apmdttlbxpyqemvygla.exe
1⤵
PID:2756
- C:\Users\Admin\AppData\Local\Temp\apmdttlbxpyqemvygla.exe
  C:\Users\Admin\AppData\Local\Temp\apmdttlbxpyqemvygla.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctsldfzrpjuoeozeovmle.exe .
1⤵
PID:4496
- C:\Windows\ctsldfzrpjuoeozeovmle.exe
  ctsldfzrpjuoeozeovmle.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4984
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\ctsldfzrpjuoeozeovmle.exe*."
    3⤵
    - Executes dropped EXE
    PID:3800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe .
1⤵
PID:4732
- C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe
  C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe .
  2⤵
  - Executes dropped EXE
  PID:5376
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\ctsldfzrpjuoeozeovmle.exe*."
    3⤵
    - Executes dropped EXE
    PID:6036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
1⤵
PID:4816
- C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
  C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
  2⤵
  - Executes dropped EXE
  PID:1896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe .
1⤵
PID:4080
- C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
  C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2272
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\pdzpedujevduhowyfj.exe*."
    3⤵
    - Executes dropped EXE
    PID:624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
1⤵
PID:4516
- C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
  C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
  2⤵
  - Executes dropped EXE
  PID:6016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe .
1⤵
PID:3604
- C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
  C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5344
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\pdzpedujevduhowyfj.exe*."
    3⤵
    - Executes dropped EXE
    PID:5732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apmdttlbxpyqemvygla.exe
1⤵
PID:1208
- C:\Windows\apmdttlbxpyqemvygla.exe
  apmdttlbxpyqemvygla.exe
  2⤵
  - Executes dropped EXE
  PID:2068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdzpedujevduhowyfj.exe .
1⤵
PID:3644
- C:\Windows\pdzpedujevduhowyfj.exe
  pdzpedujevduhowyfj.exe .
  2⤵
  - Executes dropped EXE
  PID:3812
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\pdzpedujevduhowyfj.exe*."
    3⤵
    - Executes dropped EXE
    PID:2780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gtodrpftndkamszag.exe
1⤵
PID:5064
- C:\Windows\gtodrpftndkamszag.exe
  gtodrpftndkamszag.exe
  2⤵
  - Executes dropped EXE
  PID:1600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlftgdsfyntityee.exe .
1⤵
PID:1384
- C:\Windows\zlftgdsfyntityee.exe
  zlftgdsfyntityee.exe .
  2⤵
  - Executes dropped EXE
  PID:3516
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\zlftgdsfyntityee.exe*."
    3⤵
    - Executes dropped EXE
    PID:5992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe
1⤵
PID:3400
- C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe
  C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe
  2⤵
  - Executes dropped EXE
  PID:5968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apmdttlbxpyqemvygla.exe .
1⤵
PID:3640
- C:\Users\Admin\AppData\Local\Temp\apmdttlbxpyqemvygla.exe
  C:\Users\Admin\AppData\Local\Temp\apmdttlbxpyqemvygla.exe .
  2⤵
  - Executes dropped EXE
  PID:1680
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\apmdttlbxpyqemvygla.exe*."
    3⤵
    - Executes dropped EXE
    PID:2676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
1⤵
PID:4340
- C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
  C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
  2⤵
  - Executes dropped EXE
  PID:3620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe .
1⤵
PID:4124
- C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
  C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe .
  2⤵
  - Executes dropped EXE
  PID:1124
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\pdzpedujevduhowyfj.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctsldfzrpjuoeozeovmle.exe
1⤵
PID:1740
- C:\Windows\ctsldfzrpjuoeozeovmle.exe
  ctsldfzrpjuoeozeovmle.exe
  2⤵
  - Executes dropped EXE
  PID:4584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apmdttlbxpyqemvygla.exe .
1⤵
PID:4128
- C:\Windows\apmdttlbxpyqemvygla.exe
  apmdttlbxpyqemvygla.exe .
  2⤵
  - Executes dropped EXE
  PID:4848
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\apmdttlbxpyqemvygla.exe*."
    3⤵
    - Executes dropped EXE
    PID:6020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ndbtklevslvodmwajpfd.exe
1⤵
PID:2500
- C:\Windows\ndbtklevslvodmwajpfd.exe
  ndbtklevslvodmwajpfd.exe
  2⤵
  - Executes dropped EXE
  PID:3952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdzpedujevduhowyfj.exe
1⤵
PID:4980
- C:\Windows\pdzpedujevduhowyfj.exe
  pdzpedujevduhowyfj.exe
  2⤵
  - Executes dropped EXE
  PID:2132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ndbtklevslvodmwajpfd.exe .
1⤵
PID:4536
- C:\Windows\ndbtklevslvodmwajpfd.exe
  ndbtklevslvodmwajpfd.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1204
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\ndbtklevslvodmwajpfd.exe*."
    3⤵
    - Executes dropped EXE
    PID:388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gtodrpftndkamszag.exe .
1⤵
PID:5980
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1896
- C:\Windows\gtodrpftndkamszag.exe
  gtodrpftndkamszag.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2416
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\gtodrpftndkamszag.exe*."
    3⤵
    - Executes dropped EXE
    PID:3652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
1⤵
PID:4912
- C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
  C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
  2⤵
  - Executes dropped EXE
  PID:2756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdzpedujevduhowyfj.exe
1⤵
PID:3128
- C:\Windows\pdzpedujevduhowyfj.exe
  pdzpedujevduhowyfj.exe
  2⤵
  - Executes dropped EXE
  PID:3232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe .
1⤵
PID:4900
- C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe
  C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2456
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\ctsldfzrpjuoeozeovmle.exe*."
    3⤵
    PID:4560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ndbtklevslvodmwajpfd.exe
1⤵
PID:2720
- C:\Windows\ndbtklevslvodmwajpfd.exe
  ndbtklevslvodmwajpfd.exe
  2⤵
  - Executes dropped EXE
  PID:4732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gtodrpftndkamszag.exe .
1⤵
PID:2920
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2272
- C:\Windows\gtodrpftndkamszag.exe
  gtodrpftndkamszag.exe .
  2⤵
  - Checks computer location settings
  PID:2308
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\gtodrpftndkamszag.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe
1⤵
PID:1392
- C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe
  C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe
  2⤵
  PID:3112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ndbtklevslvodmwajpfd.exe .
1⤵
PID:4648
- C:\Windows\ndbtklevslvodmwajpfd.exe
  ndbtklevslvodmwajpfd.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5492
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\ndbtklevslvodmwajpfd.exe*."
    3⤵
    PID:1588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
1⤵
PID:5232
- C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
  C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
  2⤵
  PID:3172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe .
1⤵
PID:4396
- C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe
  C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe .
  2⤵
  PID:5200
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\zlftgdsfyntityee.exe*."
    3⤵
    PID:5108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apmdttlbxpyqemvygla.exe .
1⤵
PID:3532
- C:\Users\Admin\AppData\Local\Temp\apmdttlbxpyqemvygla.exe
  C:\Users\Admin\AppData\Local\Temp\apmdttlbxpyqemvygla.exe .
  2⤵
  PID:1376
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\apmdttlbxpyqemvygla.exe*."
    3⤵
    PID:3620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apmdttlbxpyqemvygla.exe
1⤵
PID:2076
- C:\Windows\apmdttlbxpyqemvygla.exe
  apmdttlbxpyqemvygla.exe
  2⤵
  PID:3588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ndbtklevslvodmwajpfd.exe .
1⤵
PID:5064
- C:\Windows\ndbtklevslvodmwajpfd.exe
  ndbtklevslvodmwajpfd.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1540
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\ndbtklevslvodmwajpfd.exe*."
    3⤵
    PID:4208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
1⤵
PID:5212
- C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
  C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
  2⤵
  PID:6080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
1⤵
PID:4452
- C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
  C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
  2⤵
  PID:1092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apmdttlbxpyqemvygla.exe .
1⤵
PID:5332
- C:\Users\Admin\AppData\Local\Temp\apmdttlbxpyqemvygla.exe
  C:\Users\Admin\AppData\Local\Temp\apmdttlbxpyqemvygla.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4124
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\apmdttlbxpyqemvygla.exe*."
    3⤵
    PID:1252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe .
1⤵
PID:4864
- C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
  C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe .
  2⤵
  - Checks computer location settings
  PID:5808
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\pdzpedujevduhowyfj.exe*."
    3⤵
    PID:4592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gtodrpftndkamszag.exe
1⤵
PID:5964
- C:\Windows\gtodrpftndkamszag.exe
  gtodrpftndkamszag.exe
  2⤵
  PID:3056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe
1⤵
PID:5768
- C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe
  C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe
  2⤵
  PID:6108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ndbtklevslvodmwajpfd.exe .
1⤵
PID:3180
- C:\Windows\ndbtklevslvodmwajpfd.exe
  ndbtklevslvodmwajpfd.exe .
  2⤵
  PID:2532
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\ndbtklevslvodmwajpfd.exe*."
    3⤵
    PID:5516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe .
1⤵
PID:5000
- C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe
  C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe .
  2⤵
  PID:2988
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\zlftgdsfyntityee.exe*."
    3⤵
    PID:2960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ndbtklevslvodmwajpfd.exe
1⤵
PID:4512
- C:\Windows\ndbtklevslvodmwajpfd.exe
  ndbtklevslvodmwajpfd.exe
  2⤵
  PID:3940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctsldfzrpjuoeozeovmle.exe .
1⤵
PID:5524
- C:\Windows\ctsldfzrpjuoeozeovmle.exe
  ctsldfzrpjuoeozeovmle.exe .
  2⤵
  PID:3408
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\ctsldfzrpjuoeozeovmle.exe*."
    3⤵
    PID:4076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apmdttlbxpyqemvygla.exe
1⤵
PID:5320
- C:\Users\Admin\AppData\Local\Temp\apmdttlbxpyqemvygla.exe
  C:\Users\Admin\AppData\Local\Temp\apmdttlbxpyqemvygla.exe
  2⤵
  PID:4816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe .
1⤵
PID:4852
- C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
  C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe .
  2⤵
  PID:3508
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\pdzpedujevduhowyfj.exe*."
    3⤵
    PID:2072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
1⤵
PID:4984
- C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
  C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
  2⤵
  PID:5576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe .
1⤵
PID:4056
- C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe
  C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe .
  2⤵
  - Checks computer location settings
  PID:5820
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\zlftgdsfyntityee.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdzpedujevduhowyfj.exe
1⤵
PID:5744
- C:\Windows\pdzpedujevduhowyfj.exe
  pdzpedujevduhowyfj.exe
  2⤵
  PID:5132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gtodrpftndkamszag.exe .
1⤵
PID:2656
- C:\Windows\gtodrpftndkamszag.exe
  gtodrpftndkamszag.exe .
  2⤵
  PID:5492
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\gtodrpftndkamszag.exe*."
    3⤵
    PID:2364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlftgdsfyntityee.exe
1⤵
PID:2920
- C:\Windows\zlftgdsfyntityee.exe
  zlftgdsfyntityee.exe
  2⤵
  PID:1980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdzpedujevduhowyfj.exe .
1⤵
PID:2768
- C:\Windows\pdzpedujevduhowyfj.exe
  pdzpedujevduhowyfj.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5432
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\pdzpedujevduhowyfj.exe*."
    3⤵
    PID:3620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apmdttlbxpyqemvygla.exe
1⤵
PID:2808
- C:\Users\Admin\AppData\Local\Temp\apmdttlbxpyqemvygla.exe
  C:\Users\Admin\AppData\Local\Temp\apmdttlbxpyqemvygla.exe
  2⤵
  PID:6072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe .
1⤵
PID:5108
- C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
  C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5512
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\ndbtklevslvodmwajpfd.exe*."
    3⤵
    PID:5404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe
1⤵
PID:2368
- C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe
  C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe
  2⤵
  PID:1612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe .
1⤵
PID:2780
- C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe
  C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4188
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\gtodrpftndkamszag.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctsldfzrpjuoeozeovmle.exe
1⤵
PID:1384
- C:\Windows\ctsldfzrpjuoeozeovmle.exe
  ctsldfzrpjuoeozeovmle.exe
  2⤵
  PID:5096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlftgdsfyntityee.exe .
1⤵
PID:5508
- C:\Windows\zlftgdsfyntityee.exe
  zlftgdsfyntityee.exe .
  2⤵
  PID:6124
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\zlftgdsfyntityee.exe*."
    3⤵
    PID:724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctsldfzrpjuoeozeovmle.exe
1⤵
PID:4432
- C:\Windows\ctsldfzrpjuoeozeovmle.exe
  ctsldfzrpjuoeozeovmle.exe
  2⤵
  PID:5964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apmdttlbxpyqemvygla.exe .
1⤵
PID:4884
- C:\Windows\apmdttlbxpyqemvygla.exe
  apmdttlbxpyqemvygla.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4392
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\apmdttlbxpyqemvygla.exe*."
    3⤵
    PID:4532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
1⤵
PID:5332
- C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
  C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
  2⤵
  PID:4180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe .
1⤵
PID:3512
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4848
- C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe
  C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:216
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\ctsldfzrpjuoeozeovmle.exe*."
    3⤵
    PID:5156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apmdttlbxpyqemvygla.exe
1⤵
PID:4604
- C:\Users\Admin\AppData\Local\Temp\apmdttlbxpyqemvygla.exe
  C:\Users\Admin\AppData\Local\Temp\apmdttlbxpyqemvygla.exe
  2⤵
  PID:5140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe .
1⤵
PID:1040
- C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe
  C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe .
  2⤵
  - Checks computer location settings
  PID:4512
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\zlftgdsfyntityee.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - System policy modification
    PID:4488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apmdttlbxpyqemvygla.exe
1⤵
PID:4912
- C:\Windows\apmdttlbxpyqemvygla.exe
  apmdttlbxpyqemvygla.exe
  2⤵
  PID:4924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apmdttlbxpyqemvygla.exe .
1⤵
PID:5440
- C:\Windows\apmdttlbxpyqemvygla.exe
  apmdttlbxpyqemvygla.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:752
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\apmdttlbxpyqemvygla.exe*."
    3⤵
    PID:1400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctsldfzrpjuoeozeovmle.exe
1⤵
PID:876
- C:\Windows\ctsldfzrpjuoeozeovmle.exe
  ctsldfzrpjuoeozeovmle.exe
  2⤵
  PID:5116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctsldfzrpjuoeozeovmle.exe .
1⤵
PID:4644
- C:\Windows\ctsldfzrpjuoeozeovmle.exe
  ctsldfzrpjuoeozeovmle.exe .
  2⤵
  PID:2284
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\ctsldfzrpjuoeozeovmle.exe*."
    3⤵
    PID:2820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
1⤵
PID:4708
- C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
  C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
  2⤵
  PID:2456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apmdttlbxpyqemvygla.exe .
1⤵
PID:4056
- C:\Users\Admin\AppData\Local\Temp\apmdttlbxpyqemvygla.exe
  C:\Users\Admin\AppData\Local\Temp\apmdttlbxpyqemvygla.exe .
  2⤵
  - Checks computer location settings
  PID:3196
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\apmdttlbxpyqemvygla.exe*."
    3⤵
    PID:1704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe
1⤵
PID:4824
- C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe
  C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe
  2⤵
  PID:4108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe .
1⤵
PID:3608
- C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
  C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe .
  2⤵
  - Checks computer location settings
  PID:3604
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\pdzpedujevduhowyfj.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdzpedujevduhowyfj.exe
1⤵
PID:6072
- C:\Windows\pdzpedujevduhowyfj.exe
  pdzpedujevduhowyfj.exe
  2⤵
  PID:3516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gtodrpftndkamszag.exe .
1⤵
PID:2496
- C:\Windows\gtodrpftndkamszag.exe
  gtodrpftndkamszag.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3176
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\gtodrpftndkamszag.exe*."
    3⤵
    PID:4396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdzpedujevduhowyfj.exe
1⤵
PID:5620
- C:\Windows\pdzpedujevduhowyfj.exe
  pdzpedujevduhowyfj.exe
  2⤵
  PID:4880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlftgdsfyntityee.exe .
1⤵
PID:4044
- C:\Windows\zlftgdsfyntityee.exe
  zlftgdsfyntityee.exe .
  2⤵
  PID:5304
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\zlftgdsfyntityee.exe*."
    3⤵
    PID:1540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
1⤵
PID:3784
- C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
  C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
  2⤵
  PID:4540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe .
1⤵
PID:464
- C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
  C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe .
  2⤵
  PID:3504
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\ndbtklevslvodmwajpfd.exe*."
    3⤵
    PID:5096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
1⤵
PID:4104
- C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
  C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
  2⤵
  PID:5092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe .
1⤵
PID:1552
- C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
  C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5792
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\ndbtklevslvodmwajpfd.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - System policy modification
    PID:1248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlftgdsfyntityee.exe
1⤵
PID:2880
- C:\Windows\zlftgdsfyntityee.exe
  zlftgdsfyntityee.exe
  2⤵
  PID:4932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlftgdsfyntityee.exe .
1⤵
PID:2848
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4392
- C:\Windows\zlftgdsfyntityee.exe
  zlftgdsfyntityee.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2000
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\zlftgdsfyntityee.exe*."
    3⤵
    PID:6136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gtodrpftndkamszag.exe
1⤵
PID:1916
- C:\Windows\gtodrpftndkamszag.exe
  gtodrpftndkamszag.exe
  2⤵
  PID:2960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctsldfzrpjuoeozeovmle.exe .
1⤵
PID:3952
- C:\Windows\ctsldfzrpjuoeozeovmle.exe
  ctsldfzrpjuoeozeovmle.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1204
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\ctsldfzrpjuoeozeovmle.exe*."
    3⤵
    PID:4936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
1⤵
PID:512
- C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
  C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
  2⤵
  PID:3568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe .
1⤵
PID:3760
- C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe
  C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe .
  2⤵
  - Checks computer location settings
  PID:5368
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\zlftgdsfyntityee.exe*."
    3⤵
    PID:5928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe
1⤵
PID:4620
- C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe
  C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe
  2⤵
  PID:1532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe .
1⤵
PID:3780
- C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe
  C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe .
  2⤵
  PID:4976
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\zlftgdsfyntityee.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    PID:5576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apmdttlbxpyqemvygla.exe
1⤵
PID:2448
- C:\Windows\apmdttlbxpyqemvygla.exe
  apmdttlbxpyqemvygla.exe
  2⤵
  PID:4820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ndbtklevslvodmwajpfd.exe
1⤵
PID:5424
- C:\Windows\ndbtklevslvodmwajpfd.exe
  ndbtklevslvodmwajpfd.exe
  2⤵
  PID:4696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apmdttlbxpyqemvygla.exe .
1⤵
PID:1696
- C:\Windows\apmdttlbxpyqemvygla.exe
  apmdttlbxpyqemvygla.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4560
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\apmdttlbxpyqemvygla.exe*."
    3⤵
    PID:4444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctsldfzrpjuoeozeovmle.exe .
1⤵
PID:1704
- C:\Windows\ctsldfzrpjuoeozeovmle.exe
  ctsldfzrpjuoeozeovmle.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4632
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\ctsldfzrpjuoeozeovmle.exe*."
    3⤵
    PID:5280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apmdttlbxpyqemvygla.exe
1⤵
PID:4836
- C:\Windows\apmdttlbxpyqemvygla.exe
  apmdttlbxpyqemvygla.exe
  2⤵
  PID:5700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apmdttlbxpyqemvygla.exe .
1⤵
PID:1016
- C:\Windows\apmdttlbxpyqemvygla.exe
  apmdttlbxpyqemvygla.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1388
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\apmdttlbxpyqemvygla.exe*."
    3⤵
    PID:6132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apmdttlbxpyqemvygla.exe
1⤵
PID:5552
- C:\Windows\apmdttlbxpyqemvygla.exe
  apmdttlbxpyqemvygla.exe
  2⤵
  PID:5404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlftgdsfyntityee.exe .
1⤵
PID:2936
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3176
- C:\Windows\zlftgdsfyntityee.exe
  zlftgdsfyntityee.exe .
  2⤵
  - Checks computer location settings
  PID:3056
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\zlftgdsfyntityee.exe*."
    3⤵
    PID:5716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe
1⤵
PID:3744
- C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe
  C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe
  2⤵
  PID:4532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctsldfzrpjuoeozeovmle.exe
1⤵
PID:4332
- C:\Windows\ctsldfzrpjuoeozeovmle.exe
  ctsldfzrpjuoeozeovmle.exe
  2⤵
  PID:6064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
1⤵
PID:1292
- C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
  C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
  2⤵
  PID:5976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apmdttlbxpyqemvygla.exe .
1⤵
PID:5124
- C:\Users\Admin\AppData\Local\Temp\apmdttlbxpyqemvygla.exe
  C:\Users\Admin\AppData\Local\Temp\apmdttlbxpyqemvygla.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2584
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\apmdttlbxpyqemvygla.exe*."
    3⤵
    PID:4544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe .
1⤵
PID:1128
- C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe
  C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5808
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\gtodrpftndkamszag.exe*."
    3⤵
    PID:5332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gtodrpftndkamszag.exe .
1⤵
PID:3728
- C:\Windows\gtodrpftndkamszag.exe
  gtodrpftndkamszag.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1980
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\gtodrpftndkamszag.exe*."
    3⤵
    PID:3328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
1⤵
PID:5792
- C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
  C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
  2⤵
  PID:4304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ndbtklevslvodmwajpfd.exe
1⤵
PID:4184
- C:\Windows\ndbtklevslvodmwajpfd.exe
  ndbtklevslvodmwajpfd.exe
  2⤵
  PID:4956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe .
1⤵
PID:5244
- C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe
  C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4940
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\ctsldfzrpjuoeozeovmle.exe*."
    3⤵
    PID:4920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ndbtklevslvodmwajpfd.exe .
1⤵
PID:2880
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2988
- C:\Windows\ndbtklevslvodmwajpfd.exe
  ndbtklevslvodmwajpfd.exe .
  2⤵
  PID:3920
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\ndbtklevslvodmwajpfd.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe
1⤵
PID:4896
- C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe
  C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe
  2⤵
  PID:4004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
1⤵
PID:1044
- C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
  C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
  2⤵
  PID:2828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe .
1⤵
PID:5048
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3084
- C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe
  C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe .
  2⤵
  PID:4796
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\zlftgdsfyntityee.exe*."
    3⤵
    PID:3212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe .
1⤵
PID:3264
- C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
  C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe .
  2⤵
  - Checks computer location settings
  PID:2072
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\pdzpedujevduhowyfj.exe*."
    3⤵
    PID:4576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe
1⤵
PID:3952
- C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe
  C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe
  2⤵
  PID:1428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apmdttlbxpyqemvygla.exe .
1⤵
PID:3836
- C:\Users\Admin\AppData\Local\Temp\apmdttlbxpyqemvygla.exe
  C:\Users\Admin\AppData\Local\Temp\apmdttlbxpyqemvygla.exe .
  2⤵
  - Checks computer location settings
  PID:3112
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\apmdttlbxpyqemvygla.exe*."
    3⤵
    PID:1964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apmdttlbxpyqemvygla.exe
1⤵
PID:5820
- C:\Windows\apmdttlbxpyqemvygla.exe
  apmdttlbxpyqemvygla.exe
  2⤵
  PID:1920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlftgdsfyntityee.exe .
1⤵
PID:5748
- C:\Windows\zlftgdsfyntityee.exe
  zlftgdsfyntityee.exe .
  2⤵
  PID:4444
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\zlftgdsfyntityee.exe*."
    3⤵
    PID:5940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gtodrpftndkamszag.exe
1⤵
PID:3196
- C:\Windows\gtodrpftndkamszag.exe
  gtodrpftndkamszag.exe
  2⤵
  PID:5968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlftgdsfyntityee.exe .
1⤵
PID:2636
- C:\Windows\zlftgdsfyntityee.exe
  zlftgdsfyntityee.exe .
  2⤵
  PID:4376
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\zlftgdsfyntityee.exe*."
    3⤵
    PID:1756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
1⤵
PID:3048
- C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
  C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
  2⤵
  PID:3000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe .
1⤵
PID:6072
- C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe
  C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe .
  2⤵
  PID:452
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\gtodrpftndkamszag.exe*."
    3⤵
    PID:5044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe
1⤵
PID:464
- C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe
  C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe
  2⤵
  PID:1856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe .
1⤵
PID:4480
- C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
  C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe .
  2⤵
  PID:5348
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\pdzpedujevduhowyfj.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlftgdsfyntityee.exe
1⤵
PID:1528
- C:\Windows\zlftgdsfyntityee.exe
  zlftgdsfyntityee.exe
  2⤵
  PID:3928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlftgdsfyntityee.exe .
1⤵
PID:4544
- C:\Windows\zlftgdsfyntityee.exe
  zlftgdsfyntityee.exe .
  2⤵
  PID:2928
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\zlftgdsfyntityee.exe*."
    3⤵
    PID:4216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apmdttlbxpyqemvygla.exe
1⤵
PID:3752
- C:\Windows\apmdttlbxpyqemvygla.exe
  apmdttlbxpyqemvygla.exe
  2⤵
  PID:5436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apmdttlbxpyqemvygla.exe .
1⤵
PID:5536
- C:\Windows\apmdttlbxpyqemvygla.exe
  apmdttlbxpyqemvygla.exe .
  2⤵
  PID:5956
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\apmdttlbxpyqemvygla.exe*."
    3⤵
    PID:5704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
1⤵
PID:2368
- C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
  C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
  2⤵
  PID:1984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe .
1⤵
PID:3700
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5964
- C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe
  C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe .
  2⤵
  PID:388
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\gtodrpftndkamszag.exe*."
    3⤵
    PID:4004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe
1⤵
PID:4896
- C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe
  C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe
  2⤵
  PID:5392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe .
1⤵
PID:4944
- C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
  C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe .
  2⤵
  PID:4940
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\ndbtklevslvodmwajpfd.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ndbtklevslvodmwajpfd.exe
1⤵
PID:4516
- C:\Windows\ndbtklevslvodmwajpfd.exe
  ndbtklevslvodmwajpfd.exe
  2⤵
  PID:2112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdzpedujevduhowyfj.exe .
1⤵
PID:700
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4936
- C:\Windows\pdzpedujevduhowyfj.exe
  pdzpedujevduhowyfj.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4412
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\pdzpedujevduhowyfj.exe*."
    3⤵
    PID:3524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlftgdsfyntityee.exe
1⤵
PID:1896
- C:\Windows\zlftgdsfyntityee.exe
  zlftgdsfyntityee.exe
  2⤵
  PID:3376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ndbtklevslvodmwajpfd.exe .
1⤵
PID:2944
- C:\Windows\ndbtklevslvodmwajpfd.exe
  ndbtklevslvodmwajpfd.exe .
  2⤵
  PID:2132
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\ndbtklevslvodmwajpfd.exe*."
    3⤵
    PID:224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
1⤵
PID:5048
- C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
  C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
  2⤵
  PID:5224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apmdttlbxpyqemvygla.exe .
1⤵
PID:1816
- C:\Users\Admin\AppData\Local\Temp\apmdttlbxpyqemvygla.exe
  C:\Users\Admin\AppData\Local\Temp\apmdttlbxpyqemvygla.exe .
  2⤵
  - Checks computer location settings
  PID:4360
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\apmdttlbxpyqemvygla.exe*."
    3⤵
    PID:748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe
1⤵
PID:5232
- C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe
  C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe
  2⤵
  PID:1704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe .
1⤵
PID:2808
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4108
- C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe
  C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5904
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\ctsldfzrpjuoeozeovmle.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlftgdsfyntityee.exe
1⤵
PID:3636
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5304
- C:\Windows\zlftgdsfyntityee.exe
  zlftgdsfyntityee.exe
  2⤵
  PID:1292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apmdttlbxpyqemvygla.exe .
1⤵
PID:1244
- C:\Windows\apmdttlbxpyqemvygla.exe
  apmdttlbxpyqemvygla.exe .
  2⤵
  - Checks computer location settings
  PID:3968
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\apmdttlbxpyqemvygla.exe*."
    3⤵
    PID:5476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlftgdsfyntityee.exe
1⤵
PID:2920
- C:\Windows\zlftgdsfyntityee.exe
  zlftgdsfyntityee.exe
  2⤵
  PID:1996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlftgdsfyntityee.exe .
1⤵
PID:3928
- C:\Windows\zlftgdsfyntityee.exe
  zlftgdsfyntityee.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:6040
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\zlftgdsfyntityee.exe*."
    3⤵
    PID:4344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe
1⤵
PID:3088
- C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe
  C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe
  2⤵
  PID:5124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apmdttlbxpyqemvygla.exe .
1⤵
PID:4544
- C:\Users\Admin\AppData\Local\Temp\apmdttlbxpyqemvygla.exe
  C:\Users\Admin\AppData\Local\Temp\apmdttlbxpyqemvygla.exe .
  2⤵
  PID:1980
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\apmdttlbxpyqemvygla.exe*."
    3⤵
    PID:4788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
1⤵
PID:2708
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1612
- C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
  C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
  2⤵
  PID:4452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe .
1⤵
PID:3324
- C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe
  C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe .
  2⤵
  - Checks computer location settings
  PID:5660
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\zlftgdsfyntityee.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctsldfzrpjuoeozeovmle.exe
1⤵
PID:4572
- C:\Windows\ctsldfzrpjuoeozeovmle.exe
  ctsldfzrpjuoeozeovmle.exe
  2⤵
  PID:4104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlftgdsfyntityee.exe .
1⤵
PID:5984
- C:\Windows\zlftgdsfyntityee.exe
  zlftgdsfyntityee.exe .
  2⤵
  PID:4800
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\zlftgdsfyntityee.exe*."
    3⤵
    PID:3940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ndbtklevslvodmwajpfd.exe
1⤵
PID:2072
- C:\Windows\ndbtklevslvodmwajpfd.exe
  ndbtklevslvodmwajpfd.exe
  2⤵
  PID:4576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ndbtklevslvodmwajpfd.exe .
1⤵
PID:3264
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4532
- C:\Windows\ndbtklevslvodmwajpfd.exe
  ndbtklevslvodmwajpfd.exe .
  2⤵
  PID:3524
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\ndbtklevslvodmwajpfd.exe*."
    3⤵
    PID:4704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe
1⤵
PID:2100
- C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe
  C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe
  2⤵
  PID:5316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe .
1⤵
PID:1428
- C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe
  C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe .
  2⤵
  PID:5224
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\ctsldfzrpjuoeozeovmle.exe*."
    3⤵
    PID:512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
1⤵
PID:5132
- C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
  C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
  2⤵
  PID:2396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe .
1⤵
PID:4892
- C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe
  C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe .
  2⤵
  PID:2068
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\gtodrpftndkamszag.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdzpedujevduhowyfj.exe
1⤵
PID:5748
- C:\Windows\pdzpedujevduhowyfj.exe
  pdzpedujevduhowyfj.exe
  2⤵
  PID:5020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctsldfzrpjuoeozeovmle.exe .
1⤵
PID:3772
- C:\Windows\ctsldfzrpjuoeozeovmle.exe
  ctsldfzrpjuoeozeovmle.exe .
  2⤵
  PID:3568
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\ctsldfzrpjuoeozeovmle.exe*."
    3⤵
    PID:5512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctsldfzrpjuoeozeovmle.exe
1⤵
PID:4044
- C:\Windows\ctsldfzrpjuoeozeovmle.exe
  ctsldfzrpjuoeozeovmle.exe
  2⤵
  PID:2808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctsldfzrpjuoeozeovmle.exe .
1⤵
PID:3128
- C:\Windows\ctsldfzrpjuoeozeovmle.exe
  ctsldfzrpjuoeozeovmle.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2380
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\ctsldfzrpjuoeozeovmle.exe*."
    3⤵
    PID:464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe
1⤵
PID:2140
- C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe
  C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe
  2⤵
  PID:972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe .
1⤵
PID:4196
- C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
  C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5348
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\pdzpedujevduhowyfj.exe*."
    3⤵
    PID:2936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe
1⤵
PID:5880
- C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe
  C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe
  2⤵
  PID:5124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe .
1⤵
PID:2928
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3328
- C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
  C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1832
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\pdzpedujevduhowyfj.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - System policy modification
    PID:1980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ndbtklevslvodmwajpfd.exe
1⤵
PID:4956
- C:\Windows\ndbtklevslvodmwajpfd.exe
  ndbtklevslvodmwajpfd.exe
  2⤵
  PID:764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ndbtklevslvodmwajpfd.exe .
1⤵
PID:3324
- C:\Windows\ndbtklevslvodmwajpfd.exe
  ndbtklevslvodmwajpfd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5312
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\ndbtklevslvodmwajpfd.exe*."
    3⤵
    PID:3760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gtodrpftndkamszag.exe
1⤵
PID:6000
- C:\Windows\gtodrpftndkamszag.exe
  gtodrpftndkamszag.exe
  2⤵
  PID:3156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gtodrpftndkamszag.exe
1⤵
PID:2500
- C:\Windows\gtodrpftndkamszag.exe
  gtodrpftndkamszag.exe
  2⤵
  PID:3800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apmdttlbxpyqemvygla.exe .
1⤵
PID:4036
- C:\Windows\apmdttlbxpyqemvygla.exe
  apmdttlbxpyqemvygla.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5432
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\apmdttlbxpyqemvygla.exe*."
    3⤵
    PID:4656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdzpedujevduhowyfj.exe .
1⤵
PID:5408
- C:\Windows\pdzpedujevduhowyfj.exe
  pdzpedujevduhowyfj.exe .
  2⤵
  - Checks computer location settings
  PID:5444
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\pdzpedujevduhowyfj.exe*."
    3⤵
    PID:1116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe
1⤵
PID:752
- C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe
  C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe
  2⤵
  PID:3728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlftgdsfyntityee.exe
1⤵
PID:5520
- C:\Windows\zlftgdsfyntityee.exe
  zlftgdsfyntityee.exe
  2⤵
  PID:2448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe .
1⤵
PID:512
- C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe
  C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe .
  2⤵
  PID:5228
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\gtodrpftndkamszag.exe*."
    3⤵
    PID:3364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdzpedujevduhowyfj.exe .
1⤵
PID:2396
- C:\Windows\pdzpedujevduhowyfj.exe
  pdzpedujevduhowyfj.exe .
  2⤵
  PID:3196
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\pdzpedujevduhowyfj.exe*."
    3⤵
    PID:2932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ndbtklevslvodmwajpfd.exe
1⤵
PID:4528
- C:\Windows\ndbtklevslvodmwajpfd.exe
  ndbtklevslvodmwajpfd.exe
  2⤵
  PID:4596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
1⤵
PID:1288
- C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
  C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
  2⤵
  PID:5512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe .
1⤵
PID:3092
- C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe
  C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4380
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\gtodrpftndkamszag.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlftgdsfyntityee.exe .
1⤵
PID:1636
- C:\Windows\zlftgdsfyntityee.exe
  zlftgdsfyntityee.exe .
  2⤵
  PID:5584
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\zlftgdsfyntityee.exe*."
    3⤵
    PID:4880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe
1⤵
PID:516
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:6132
- C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe
  C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe
  2⤵
  PID:5440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe .
1⤵
PID:3640
- C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
  C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe .
  2⤵
  PID:452
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\ndbtklevslvodmwajpfd.exe*."
    3⤵
    PID:724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctsldfzrpjuoeozeovmle.exe
1⤵
PID:2664
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:464
- C:\Windows\ctsldfzrpjuoeozeovmle.exe
  ctsldfzrpjuoeozeovmle.exe
  2⤵
  PID:5436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe
1⤵
PID:5188
- C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe
  C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe
  2⤵
  PID:3468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlftgdsfyntityee.exe .
1⤵
PID:2252
- C:\Windows\zlftgdsfyntityee.exe
  zlftgdsfyntityee.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1408
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\zlftgdsfyntityee.exe*."
    3⤵
    PID:4728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe .
1⤵
PID:8
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5092
- C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe
  C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe .
  2⤵
  PID:5260
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\gtodrpftndkamszag.exe*."
    3⤵
    PID:4884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe
1⤵
PID:1124
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5808
- C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe
  C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe
  2⤵
  PID:3408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe .
1⤵
PID:4584
- C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
  C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe .
  2⤵
  - Checks computer location settings
  PID:764
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\ndbtklevslvodmwajpfd.exe*."
    3⤵
    PID:1816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gtodrpftndkamszag.exe
1⤵
PID:4848
- C:\Windows\gtodrpftndkamszag.exe
  gtodrpftndkamszag.exe
  2⤵
  PID:5032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe
1⤵
PID:1904
- C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe
  C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe
  2⤵
  PID:5528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe .
1⤵
PID:4612
- C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe
  C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe .
  2⤵
  PID:3012
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\zlftgdsfyntityee.exe*."
    3⤵
    PID:4072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apmdttlbxpyqemvygla.exe .
1⤵
PID:1688
- C:\Windows\apmdttlbxpyqemvygla.exe
  apmdttlbxpyqemvygla.exe .
  2⤵
  PID:2500
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\apmdttlbxpyqemvygla.exe*."
    3⤵
    PID:2020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apmdttlbxpyqemvygla.exe
1⤵
PID:4760
- C:\Windows\apmdttlbxpyqemvygla.exe
  apmdttlbxpyqemvygla.exe
  2⤵
  PID:5784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlftgdsfyntityee.exe .
1⤵
PID:4576
- C:\Windows\zlftgdsfyntityee.exe
  zlftgdsfyntityee.exe .
  2⤵
  PID:1248
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\zlftgdsfyntityee.exe*."
    3⤵
    PID:3744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe
1⤵
PID:5444
- C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe
  C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe
  2⤵
  PID:3084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe .
1⤵
PID:5836
- C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe
  C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2132
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\gtodrpftndkamszag.exe*."
    3⤵
    PID:3776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe
1⤵
PID:2068
- C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe
  C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe
  2⤵
  PID:5232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe .
1⤵
PID:1388
- C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
  C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe .
  2⤵
  - Checks computer location settings
  PID:4056
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\ndbtklevslvodmwajpfd.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ndbtklevslvodmwajpfd.exe
1⤵
PID:5440
- C:\Windows\ndbtklevslvodmwajpfd.exe
  ndbtklevslvodmwajpfd.exe
  2⤵
  PID:1096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apmdttlbxpyqemvygla.exe .
1⤵
PID:4776
- C:\Windows\apmdttlbxpyqemvygla.exe
  apmdttlbxpyqemvygla.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5396
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\apmdttlbxpyqemvygla.exe*."
    3⤵
    PID:4084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlftgdsfyntityee.exe
1⤵
PID:1368
- C:\Windows\zlftgdsfyntityee.exe
  zlftgdsfyntityee.exe
  2⤵
  PID:3388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apmdttlbxpyqemvygla.exe .
1⤵
PID:1528
- C:\Windows\apmdttlbxpyqemvygla.exe
  apmdttlbxpyqemvygla.exe .
  2⤵
  PID:5544
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\apmdttlbxpyqemvygla.exe*."
    3⤵
    PID:1680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe
1⤵
PID:4188
- C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe
  C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe
  2⤵
  PID:3636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe .
1⤵
PID:2092
- C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
  C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe .
  2⤵
  PID:624
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\pdzpedujevduhowyfj.exe*."
    3⤵
    PID:1360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe
1⤵
PID:5716
- C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe
  C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe
  2⤵
  PID:2532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe .
1⤵
PID:2920
- C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe
  C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5260
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\zlftgdsfyntityee.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctsldfzrpjuoeozeovmle.exe
1⤵
PID:5164
- C:\Windows\ctsldfzrpjuoeozeovmle.exe
  ctsldfzrpjuoeozeovmle.exe
  2⤵
  PID:1140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ndbtklevslvodmwajpfd.exe .
1⤵
PID:4932
- C:\Windows\ndbtklevslvodmwajpfd.exe
  ndbtklevslvodmwajpfd.exe .
  2⤵
  PID:5976
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\ndbtklevslvodmwajpfd.exe*."
    3⤵
    PID:4652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlftgdsfyntityee.exe
1⤵
PID:404
- C:\Windows\zlftgdsfyntityee.exe
  zlftgdsfyntityee.exe
  2⤵
  PID:4568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlftgdsfyntityee.exe .
1⤵
PID:2088
- C:\Windows\zlftgdsfyntityee.exe
  zlftgdsfyntityee.exe .
  2⤵
  PID:3168
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\zlftgdsfyntityee.exe*."
    3⤵
    PID:2500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe
1⤵
PID:4800
- C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe
  C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe
  2⤵
  PID:3376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe .
1⤵
PID:4924
- C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe
  C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe .
  2⤵
  PID:752
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\ctsldfzrpjuoeozeovmle.exe*."
    3⤵
    PID:3084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
1⤵
PID:4360
- C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
  C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
  2⤵
  PID:3120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe .
1⤵
PID:5368
- C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe
  C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1376
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\gtodrpftndkamszag.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlftgdsfyntityee.exe
1⤵
PID:2636
- C:\Windows\zlftgdsfyntityee.exe
  zlftgdsfyntityee.exe
  2⤵
  PID:4696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdzpedujevduhowyfj.exe .
1⤵
PID:5148
- C:\Windows\pdzpedujevduhowyfj.exe
  pdzpedujevduhowyfj.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5504
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\pdzpedujevduhowyfj.exe*."
    3⤵
    PID:5900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ndbtklevslvodmwajpfd.exe
1⤵
PID:4604
- C:\Windows\ndbtklevslvodmwajpfd.exe
  ndbtklevslvodmwajpfd.exe
  2⤵
  PID:5600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdzpedujevduhowyfj.exe .
1⤵
PID:2988
- C:\Windows\pdzpedujevduhowyfj.exe
  pdzpedujevduhowyfj.exe .
  2⤵
  PID:3388
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\pdzpedujevduhowyfj.exe*."
    3⤵
    PID:3468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
1⤵
PID:4776
- C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
  C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
  2⤵
  PID:5584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe .
1⤵
PID:4632
- C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe
  C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4180
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\zlftgdsfyntityee.exe*."
    3⤵
    PID:3532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe
1⤵
PID:3464
- C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe
  C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe
  2⤵
  PID:6072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe .
1⤵
PID:3644
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:972
- C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
  C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe .
  2⤵
  PID:5320
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\pdzpedujevduhowyfj.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlftgdsfyntityee.exe
1⤵
PID:4536
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4884
- C:\Windows\zlftgdsfyntityee.exe
  zlftgdsfyntityee.exe
  2⤵
  PID:5332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdzpedujevduhowyfj.exe .
1⤵
PID:5348
- C:\Windows\pdzpedujevduhowyfj.exe
  pdzpedujevduhowyfj.exe .
  2⤵
  PID:4080
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\pdzpedujevduhowyfj.exe*."
    3⤵
    PID:3232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ndbtklevslvodmwajpfd.exe
1⤵
PID:3784
- C:\Windows\ndbtklevslvodmwajpfd.exe
  ndbtklevslvodmwajpfd.exe
  2⤵
  PID:2780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdzpedujevduhowyfj.exe .
1⤵
PID:2076
- C:\Windows\pdzpedujevduhowyfj.exe
  pdzpedujevduhowyfj.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2268
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\pdzpedujevduhowyfj.exe*."
    3⤵
    PID:628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
1⤵
PID:6040
- C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
  C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
  2⤵
  PID:4608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe .
1⤵
PID:3284
- C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
  C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:216
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\ndbtklevslvodmwajpfd.exe*."
    3⤵
    PID:3728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe
1⤵
PID:4984
- C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe
  C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe
  2⤵
  PID:4800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe .
1⤵
PID:5948
- C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe
  C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe .
  2⤵
  - Checks computer location settings
  PID:5768
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\gtodrpftndkamszag.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - System policy modification
    PID:2880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlftgdsfyntityee.exe
1⤵
PID:1116
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4532
- C:\Windows\zlftgdsfyntityee.exe
  zlftgdsfyntityee.exe
  2⤵
  PID:4908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlftgdsfyntityee.exe .
1⤵
PID:3084
- C:\Windows\zlftgdsfyntityee.exe
  zlftgdsfyntityee.exe .
  2⤵
  PID:4184
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\zlftgdsfyntityee.exe*."
    3⤵
    PID:3792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdzpedujevduhowyfj.exe
1⤵
PID:2364
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4360
- C:\Windows\pdzpedujevduhowyfj.exe
  pdzpedujevduhowyfj.exe
  2⤵
  PID:3492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdzpedujevduhowyfj.exe .
1⤵
PID:1376
- C:\Windows\pdzpedujevduhowyfj.exe
  pdzpedujevduhowyfj.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5408
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\pdzpedujevduhowyfj.exe*."
    3⤵
    PID:5404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
1⤵
PID:5368
- C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
  C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
  2⤵
  PID:704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apmdttlbxpyqemvygla.exe .
1⤵
PID:1044
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3112
- C:\Users\Admin\AppData\Local\Temp\apmdttlbxpyqemvygla.exe
  C:\Users\Admin\AppData\Local\Temp\apmdttlbxpyqemvygla.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5612
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\apmdttlbxpyqemvygla.exe*."
    3⤵
    PID:4644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
1⤵
PID:5040
- C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
  C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
  2⤵
  PID:4084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe .
1⤵
PID:5132
- C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe
  C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:532
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\gtodrpftndkamszag.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:6116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gtodrpftndkamszag.exe
1⤵
PID:2936
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4304
- C:\Windows\gtodrpftndkamszag.exe
  gtodrpftndkamszag.exe
  2⤵
  PID:6064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gtodrpftndkamszag.exe .
1⤵
PID:4128
- C:\Windows\gtodrpftndkamszag.exe
  gtodrpftndkamszag.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3092
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\gtodrpftndkamszag.exe*."
    3⤵
    PID:1636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdzpedujevduhowyfj.exe
1⤵
PID:4632
- C:\Windows\pdzpedujevduhowyfj.exe
  pdzpedujevduhowyfj.exe
  2⤵
  PID:4384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlftgdsfyntityee.exe .
1⤵
PID:384
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5232
- C:\Windows\zlftgdsfyntityee.exe
  zlftgdsfyntityee.exe .
  2⤵
  - Checks computer location settings
  PID:4588
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\zlftgdsfyntityee.exe*."
    3⤵
    PID:1760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlftgdsfyntityee.exe
1⤵
PID:1996
- C:\Windows\zlftgdsfyntityee.exe
  zlftgdsfyntityee.exe
  2⤵
  PID:3264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe
1⤵
PID:4852
- C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe
  C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe
  2⤵
  PID:5536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe .
1⤵
PID:2968
- C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
  C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe .
  2⤵
  PID:5760
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\pdzpedujevduhowyfj.exe*."
    3⤵
    PID:3220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdzpedujevduhowyfj.exe .
1⤵
PID:5204
- C:\Windows\pdzpedujevduhowyfj.exe
  pdzpedujevduhowyfj.exe .
  2⤵
  PID:4664
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\pdzpedujevduhowyfj.exe*."
    3⤵
    PID:4932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe
1⤵
PID:2000
- C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe
  C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe
  2⤵
  PID:1580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctsldfzrpjuoeozeovmle.exe
1⤵
PID:4708
- C:\Windows\ctsldfzrpjuoeozeovmle.exe
  ctsldfzrpjuoeozeovmle.exe
  2⤵
  PID:5976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gtodrpftndkamszag.exe
1⤵
PID:4344
- C:\Windows\gtodrpftndkamszag.exe
  gtodrpftndkamszag.exe
  2⤵
  PID:3376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe .
1⤵
PID:5212
- C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
  C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4236
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\pdzpedujevduhowyfj.exe*."
    3⤵
    PID:3212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctsldfzrpjuoeozeovmle.exe .
1⤵
PID:3016
- C:\Windows\ctsldfzrpjuoeozeovmle.exe
  ctsldfzrpjuoeozeovmle.exe .
  2⤵
  PID:3728
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\ctsldfzrpjuoeozeovmle.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apmdttlbxpyqemvygla.exe
1⤵
PID:3980
- C:\Users\Admin\AppData\Local\Temp\apmdttlbxpyqemvygla.exe
  C:\Users\Admin\AppData\Local\Temp\apmdttlbxpyqemvygla.exe
  2⤵
  PID:4004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctsldfzrpjuoeozeovmle.exe .
1⤵
PID:4740
- C:\Windows\ctsldfzrpjuoeozeovmle.exe
  ctsldfzrpjuoeozeovmle.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4668
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\ctsldfzrpjuoeozeovmle.exe*."
    3⤵
    PID:5980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe .
1⤵
PID:2020
- C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
  C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe .
  2⤵
  PID:4412
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\pdzpedujevduhowyfj.exe*."
    3⤵
    PID:6016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gtodrpftndkamszag.exe
1⤵
PID:6000
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4908
- C:\Windows\gtodrpftndkamszag.exe
  gtodrpftndkamszag.exe
  2⤵
  PID:4176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlftgdsfyntityee.exe .
1⤵
PID:4968
- C:\Windows\zlftgdsfyntityee.exe
  zlftgdsfyntityee.exe .
  2⤵
  - Checks computer location settings
  PID:4352
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\zlftgdsfyntityee.exe*."
    3⤵
    PID:4500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apmdttlbxpyqemvygla.exe
1⤵
PID:4184
- C:\Users\Admin\AppData\Local\Temp\apmdttlbxpyqemvygla.exe
  C:\Users\Admin\AppData\Local\Temp\apmdttlbxpyqemvygla.exe
  2⤵
  PID:1920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe .
1⤵
PID:5748
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3940
- C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
  C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3056
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\ndbtklevslvodmwajpfd.exe*."
    3⤵
    PID:5600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
1⤵
PID:5620
- C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
  C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
  2⤵
  PID:5900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe .
1⤵
PID:740
- C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe
  C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4792
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\zlftgdsfyntityee.exe*."
    3⤵
    PID:4044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdzpedujevduhowyfj.exe
1⤵
PID:2608
- C:\Windows\pdzpedujevduhowyfj.exe
  pdzpedujevduhowyfj.exe
  2⤵
  PID:5044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ndbtklevslvodmwajpfd.exe .
1⤵
PID:3572
- C:\Windows\ndbtklevslvodmwajpfd.exe
  ndbtklevslvodmwajpfd.exe .
  2⤵
  PID:2988
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\ndbtklevslvodmwajpfd.exe*."
    3⤵
    PID:724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
1⤵
PID:1368
- C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
  C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
  2⤵
  PID:1988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe .
1⤵
PID:1468
- C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
  C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe .
  2⤵
  PID:4384
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\pdzpedujevduhowyfj.exe*."
    3⤵
    PID:5536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctsldfzrpjuoeozeovmle.exe
1⤵
PID:3092
- C:\Windows\ctsldfzrpjuoeozeovmle.exe
  ctsldfzrpjuoeozeovmle.exe
  2⤵
  PID:396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlftgdsfyntityee.exe .
1⤵
PID:5080
- C:\Windows\zlftgdsfyntityee.exe
  zlftgdsfyntityee.exe .
  2⤵
  - Checks computer location settings
  PID:1408
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\zlftgdsfyntityee.exe*."
    3⤵
    PID:5648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
1⤵
PID:5492
- C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
  C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
  2⤵
  PID:224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe .
1⤵
PID:3232
- C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe
  C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4584
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\gtodrpftndkamszag.exe*."
    3⤵
    PID:2928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
1⤵
PID:2416
- C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
  C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
  2⤵
  PID:2780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe .
1⤵
PID:4664
- C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
  C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6124
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\ndbtklevslvodmwajpfd.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gtodrpftndkamszag.exe
1⤵
PID:1520
- C:\Windows\gtodrpftndkamszag.exe
  gtodrpftndkamszag.exe
  2⤵
  PID:3496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdzpedujevduhowyfj.exe .
1⤵
PID:5032
- C:\Windows\pdzpedujevduhowyfj.exe
  pdzpedujevduhowyfj.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2072
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\pdzpedujevduhowyfj.exe*."
    3⤵
    PID:4800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gtodrpftndkamszag.exe
1⤵
PID:5660
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4004
- C:\Windows\gtodrpftndkamszag.exe
  gtodrpftndkamszag.exe
  2⤵
  PID:5656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctsldfzrpjuoeozeovmle.exe .
1⤵
PID:4944
- C:\Windows\ctsldfzrpjuoeozeovmle.exe
  ctsldfzrpjuoeozeovmle.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3552
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\ctsldfzrpjuoeozeovmle.exe*."
    3⤵
    PID:4576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
1⤵
PID:2740
- C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
  C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
  2⤵
  PID:4668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe .
1⤵
PID:4480
- C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe
  C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe .
  2⤵
  - Checks computer location settings
  PID:4592
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\gtodrpftndkamszag.exe*."
    3⤵
    PID:5116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe
1⤵
PID:3788
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5956
- C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe
  C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe
  2⤵
  PID:4740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe .
1⤵
PID:4640
- C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe
  C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe .
  2⤵
  PID:4688
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\zlftgdsfyntityee.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gtodrpftndkamszag.exe
1⤵
PID:3400
- C:\Windows\gtodrpftndkamszag.exe
  gtodrpftndkamszag.exe
  2⤵
  PID:3516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctsldfzrpjuoeozeovmle.exe .
1⤵
PID:5396
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5044
- C:\Windows\ctsldfzrpjuoeozeovmle.exe
  ctsldfzrpjuoeozeovmle.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3648
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\ctsldfzrpjuoeozeovmle.exe*."
    3⤵
    PID:1756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gtodrpftndkamszag.exe
1⤵
PID:2768
- C:\Windows\gtodrpftndkamszag.exe
  gtodrpftndkamszag.exe
  2⤵
  PID:5148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctsldfzrpjuoeozeovmle.exe .
1⤵
PID:4560
- C:\Windows\ctsldfzrpjuoeozeovmle.exe
  ctsldfzrpjuoeozeovmle.exe .
  2⤵
  - Checks computer location settings
  PID:2336
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\ctsldfzrpjuoeozeovmle.exe*."
    3⤵
    PID:4108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe
1⤵
PID:704
- C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe
  C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe
  2⤵
  PID:4304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe .
1⤵
PID:4216
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1856
- C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe
  C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe .
  2⤵
  PID:5992
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\zlftgdsfyntityee.exe*."
    3⤵
    PID:5436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe
1⤵
PID:3672
- C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe
  C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe
  2⤵
  PID:4636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe .
1⤵
PID:556
- C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe
  C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe .
  2⤵
  - Checks computer location settings
  PID:5192
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\gtodrpftndkamszag.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - System policy modification
    PID:4196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apmdttlbxpyqemvygla.exe
1⤵
PID:1832
- C:\Windows\apmdttlbxpyqemvygla.exe
  apmdttlbxpyqemvygla.exe
  2⤵
  PID:3628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlftgdsfyntityee.exe .
1⤵
PID:1760
- C:\Windows\zlftgdsfyntityee.exe
  zlftgdsfyntityee.exe .
  2⤵
  - Checks computer location settings
  PID:2528
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\zlftgdsfyntityee.exe*."
    3⤵
    PID:5348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apmdttlbxpyqemvygla.exe
1⤵
PID:5164
- C:\Windows\apmdttlbxpyqemvygla.exe
  apmdttlbxpyqemvygla.exe
  2⤵
  PID:5432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdzpedujevduhowyfj.exe .
1⤵
PID:384
- C:\Windows\pdzpedujevduhowyfj.exe
  pdzpedujevduhowyfj.exe .
  2⤵
  - Checks computer location settings
  PID:3896
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\pdzpedujevduhowyfj.exe*."
    3⤵
    PID:5180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe
1⤵
PID:2780
- C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe
  C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe
  2⤵
  PID:4572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe .
1⤵
PID:6124
- C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
  C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe .
  2⤵
  - Checks computer location settings
  PID:4276
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\pdzpedujevduhowyfj.exe*."
    3⤵
    PID:4104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe
1⤵
PID:3496
- C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe
  C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe
  2⤵
  PID:6040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe .
1⤵
PID:5392
- C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
  C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe .
  2⤵
  PID:4848
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\pdzpedujevduhowyfj.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apmdttlbxpyqemvygla.exe
1⤵
PID:3552
- C:\Windows\apmdttlbxpyqemvygla.exe
  apmdttlbxpyqemvygla.exe
  2⤵
  PID:1916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdzpedujevduhowyfj.exe .
1⤵
PID:5480
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4656
- C:\Windows\pdzpedujevduhowyfj.exe
  pdzpedujevduhowyfj.exe .
  2⤵
  - Checks computer location settings
  PID:4960
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\pdzpedujevduhowyfj.exe*."
    3⤵
    PID:5208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apmdttlbxpyqemvygla.exe
1⤵
PID:2944
- C:\Windows\apmdttlbxpyqemvygla.exe
  apmdttlbxpyqemvygla.exe
  2⤵
  PID:2940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gtodrpftndkamszag.exe .
1⤵
PID:4724
- C:\Windows\gtodrpftndkamszag.exe
  gtodrpftndkamszag.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1248
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\gtodrpftndkamszag.exe*."
    3⤵
    PID:2132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
1⤵
PID:5696
- C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
  C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
  2⤵
  PID:4952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe .
1⤵
PID:512
- C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe
  C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe .
  2⤵
  PID:2380
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\ctsldfzrpjuoeozeovmle.exe*."
    3⤵
    PID:3084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
1⤵
PID:6132
- C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
  C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
  2⤵
  PID:4084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apmdttlbxpyqemvygla.exe .
1⤵
PID:372
- C:\Users\Admin\AppData\Local\Temp\apmdttlbxpyqemvygla.exe
  C:\Users\Admin\AppData\Local\Temp\apmdttlbxpyqemvygla.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1924
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\apmdttlbxpyqemvygla.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gtodrpftndkamszag.exe
1⤵
PID:1696
- C:\Windows\gtodrpftndkamszag.exe
  gtodrpftndkamszag.exe
  2⤵
  PID:516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apmdttlbxpyqemvygla.exe .
1⤵
PID:5732
- C:\Windows\apmdttlbxpyqemvygla.exe
  apmdttlbxpyqemvygla.exe .
  2⤵
  - Checks computer location settings
  PID:5040
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\apmdttlbxpyqemvygla.exe*."
    3⤵
    PID:3672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apmdttlbxpyqemvygla.exe
1⤵
PID:5412
- C:\Windows\apmdttlbxpyqemvygla.exe
  apmdttlbxpyqemvygla.exe
  2⤵
  PID:6000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gtodrpftndkamszag.exe .
1⤵
PID:2616
- C:\Windows\gtodrpftndkamszag.exe
  gtodrpftndkamszag.exe .
  2⤵
  - Checks computer location settings
  PID:1712
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\gtodrpftndkamszag.exe*."
    3⤵
    PID:1516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe
1⤵
PID:2808
- C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe
  C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe
  2⤵
  PID:3184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe .
1⤵
PID:3532
- C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe
  C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe .
  2⤵
  - Checks computer location settings
  PID:224
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\ctsldfzrpjuoeozeovmle.exe*."
    3⤵
    PID:5640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
1⤵
PID:2100
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3220
- C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
  C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
  2⤵
  PID:5472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe .
1⤵
PID:5432
- C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
  C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe .
  2⤵
  PID:452
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\ndbtklevslvodmwajpfd.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gtodrpftndkamszag.exe
1⤵
PID:5124
- C:\Windows\gtodrpftndkamszag.exe
  gtodrpftndkamszag.exe
  2⤵
  PID:2828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apmdttlbxpyqemvygla.exe .
1⤵
PID:4536
- C:\Windows\apmdttlbxpyqemvygla.exe
  apmdttlbxpyqemvygla.exe .
  2⤵
  PID:5204
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\apmdttlbxpyqemvygla.exe*."
    3⤵
    PID:5300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlftgdsfyntityee.exe
1⤵
PID:5844
- C:\Windows\zlftgdsfyntityee.exe
  zlftgdsfyntityee.exe
  2⤵
  PID:6124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apmdttlbxpyqemvygla.exe
1⤵
PID:3156
- C:\Windows\apmdttlbxpyqemvygla.exe
  apmdttlbxpyqemvygla.exe
  2⤵
  PID:4376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gtodrpftndkamszag.exe .
1⤵
PID:4704
- C:\Windows\gtodrpftndkamszag.exe
  gtodrpftndkamszag.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5792
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\gtodrpftndkamszag.exe*."
    3⤵
    PID:2940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdzpedujevduhowyfj.exe .
1⤵
PID:3804
- C:\Windows\pdzpedujevduhowyfj.exe
  pdzpedujevduhowyfj.exe .
  2⤵
  PID:5656
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\pdzpedujevduhowyfj.exe*."
    3⤵
    PID:2068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apmdttlbxpyqemvygla.exe
1⤵
PID:4132
- C:\Users\Admin\AppData\Local\Temp\apmdttlbxpyqemvygla.exe
  C:\Users\Admin\AppData\Local\Temp\apmdttlbxpyqemvygla.exe
  2⤵
  PID:1968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ndbtklevslvodmwajpfd.exe
1⤵
PID:2284
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5316
- C:\Windows\ndbtklevslvodmwajpfd.exe
  ndbtklevslvodmwajpfd.exe
  2⤵
  PID:752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe .
1⤵
PID:5360
- C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe
  C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5980
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\ctsldfzrpjuoeozeovmle.exe*."
    3⤵
    PID:2256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apmdttlbxpyqemvygla.exe .
1⤵
PID:5784
- C:\Windows\apmdttlbxpyqemvygla.exe
  apmdttlbxpyqemvygla.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4724
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\apmdttlbxpyqemvygla.exe*."
    3⤵
    PID:1092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdzpedujevduhowyfj.exe
1⤵
PID:4652
- C:\Windows\pdzpedujevduhowyfj.exe
  pdzpedujevduhowyfj.exe
  2⤵
  PID:5104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe
1⤵
PID:3168
- C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe
  C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe
  2⤵
  PID:2864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdzpedujevduhowyfj.exe .
1⤵
PID:4952
- C:\Windows\pdzpedujevduhowyfj.exe
  pdzpedujevduhowyfj.exe .
  2⤵
  PID:5096
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\pdzpedujevduhowyfj.exe*."
    3⤵
    PID:4216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe .
1⤵
PID:5620
- C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe
  C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe .
  2⤵
  PID:4668
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\gtodrpftndkamszag.exe*."
    3⤵
    PID:5436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
1⤵
PID:4944
- C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
  C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
  2⤵
  PID:5504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe .
1⤵
PID:5228
- C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe
  C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe .
  2⤵
  PID:1540
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\gtodrpftndkamszag.exe*."
    3⤵
    PID:3968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apmdttlbxpyqemvygla.exe
1⤵
PID:5044
- C:\Windows\apmdttlbxpyqemvygla.exe
  apmdttlbxpyqemvygla.exe
  2⤵
  PID:4604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ndbtklevslvodmwajpfd.exe .
1⤵
PID:632
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1376
- C:\Windows\ndbtklevslvodmwajpfd.exe
  ndbtklevslvodmwajpfd.exe .
  2⤵
  PID:1712
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\ndbtklevslvodmwajpfd.exe*."
    3⤵
    PID:540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe
1⤵
PID:4968
- C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe
  C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe
  2⤵
  PID:2468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
1⤵
PID:740
- C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
  C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
  2⤵
  PID:624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe .
1⤵
PID:3928
- C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe
  C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe .
  2⤵
  PID:4324
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\zlftgdsfyntityee.exe*."
    3⤵
    PID:2968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe .
1⤵
PID:5840
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1988
- C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe
  C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe .
  2⤵
  PID:1136
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\zlftgdsfyntityee.exe*."
    3⤵
    PID:5948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gtodrpftndkamszag.exe
1⤵
PID:5960
- C:\Windows\gtodrpftndkamszag.exe
  gtodrpftndkamszag.exe
  2⤵
  PID:3588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apmdttlbxpyqemvygla.exe
1⤵
PID:2616
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5904
- C:\Users\Admin\AppData\Local\Temp\apmdttlbxpyqemvygla.exe
  C:\Users\Admin\AppData\Local\Temp\apmdttlbxpyqemvygla.exe
  2⤵
  PID:5432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe .
1⤵
PID:4756
- C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe
  C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe .
  2⤵
  PID:2780
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\ctsldfzrpjuoeozeovmle.exe*."
    3⤵
    PID:4276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apmdttlbxpyqemvygla.exe .
1⤵
PID:3644
- C:\Windows\apmdttlbxpyqemvygla.exe
  apmdttlbxpyqemvygla.exe .
  2⤵
  PID:5180
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\apmdttlbxpyqemvygla.exe*."
    3⤵
    PID:3512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gtodrpftndkamszag.exe
1⤵
PID:1904
- C:\Windows\gtodrpftndkamszag.exe
  gtodrpftndkamszag.exe
  2⤵
  PID:5204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctsldfzrpjuoeozeovmle.exe .
1⤵
PID:1836
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:764
- C:\Windows\ctsldfzrpjuoeozeovmle.exe
  ctsldfzrpjuoeozeovmle.exe .
  2⤵
  PID:404
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\ctsldfzrpjuoeozeovmle.exe*."
    3⤵
    PID:1740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe
1⤵
PID:4536
- C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe
  C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe
  2⤵
  PID:532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe .
1⤵
PID:4612
- C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe
  C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe .
  2⤵
  PID:4236
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\gtodrpftndkamszag.exe*."
    3⤵
    PID:1628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
1⤵
PID:5576
- C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
  C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
  2⤵
  PID:5212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apmdttlbxpyqemvygla.exe .
1⤵
PID:4760
- C:\Users\Admin\AppData\Local\Temp\apmdttlbxpyqemvygla.exe
  C:\Users\Admin\AppData\Local\Temp\apmdttlbxpyqemvygla.exe .
  2⤵
  PID:5696
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\apmdttlbxpyqemvygla.exe*."
    3⤵
    PID:4496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlftgdsfyntityee.exe
1⤵
PID:4360
- C:\Windows\zlftgdsfyntityee.exe
  zlftgdsfyntityee.exe
  2⤵
  PID:1584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gtodrpftndkamszag.exe .
1⤵
PID:4452
- C:\Windows\gtodrpftndkamszag.exe
  gtodrpftndkamszag.exe .
  2⤵
  PID:1248
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\gtodrpftndkamszag.exe*."
    3⤵
    PID:5636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ndbtklevslvodmwajpfd.exe
1⤵
PID:2256
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4500
- C:\Windows\ndbtklevslvodmwajpfd.exe
  ndbtklevslvodmwajpfd.exe
  2⤵
  PID:5504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gtodrpftndkamszag.exe .
1⤵
PID:1308
- C:\Windows\gtodrpftndkamszag.exe
  gtodrpftndkamszag.exe .
  2⤵
  PID:5408
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\gtodrpftndkamszag.exe*."
    3⤵
    PID:2284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
1⤵
PID:3564
- C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
  C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
  2⤵
  PID:2164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe .
1⤵
PID:1044
- C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe
  C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe .
  2⤵
  PID:1680
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\ctsldfzrpjuoeozeovmle.exe*."
    3⤵
    PID:4120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe
1⤵
PID:3672
- C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe
  C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe
  2⤵
  PID:4976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe .
1⤵
PID:5900
- C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
  C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe .
  2⤵
  PID:1704
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\ndbtklevslvodmwajpfd.exe*."
    3⤵
    PID:3508
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe"
      4⤵
      PID:4752
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe"
      4⤵
      PID:5688
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe"
      4⤵
      PID:1768
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe"
      4⤵
      PID:1540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cvhzsmaxlyubrdjqr.exe
1⤵
PID:5584
- C:\Windows\cvhzsmaxlyubrdjqr.exe
  cvhzsmaxlyubrdjqr.exe
  2⤵
  PID:4180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cvhzsmaxlyubrdjqr.exe .
1⤵
PID:1540
- C:\Windows\cvhzsmaxlyubrdjqr.exe
  cvhzsmaxlyubrdjqr.exe .
  2⤵
  PID:4304
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\cvhzsmaxlyubrdjqr.exe*."
    3⤵
    PID:3312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jfuplizzqgfpixgqudfb.exe
1⤵
PID:5544
- C:\Windows\jfuplizzqgfpixgqudfb.exe
  jfuplizzqgfpixgqudfb.exe
  2⤵
  PID:4316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yvlhecuvneepjzjuzjmjz.exe .
1⤵
PID:5648
- C:\Windows\yvlhecuvneepjzjuzjmjz.exe
  yvlhecuvneepjzjuzjmjz.exe .
  2⤵
  PID:2496
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\yvlhecuvneepjzjuzjmjz.exe*."
    3⤵
    PID:5396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfslfapncqnvmzgoqx.exe
1⤵
PID:928
- C:\Users\Admin\AppData\Local\Temp\lfslfapncqnvmzgoqx.exe
  C:\Users\Admin\AppData\Local\Temp\lfslfapncqnvmzgoqx.exe
  2⤵
  PID:5332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cvhzsmaxlyubrdjqr.exe .
1⤵
PID:5432
- C:\Users\Admin\AppData\Local\Temp\cvhzsmaxlyubrdjqr.exe
  C:\Users\Admin\AppData\Local\Temp\cvhzsmaxlyubrdjqr.exe .
  2⤵
  PID:5404
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\cvhzsmaxlyubrdjqr.exe*."
    3⤵
    PID:2304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdzpedujevduhowyfj.exe
1⤵
PID:4624
- C:\Windows\pdzpedujevduhowyfj.exe
  pdzpedujevduhowyfj.exe
  2⤵
  PID:4608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wrfzuqgfvkirjxforza.exe
1⤵
PID:1908
- C:\Users\Admin\AppData\Local\Temp\wrfzuqgfvkirjxforza.exe
  C:\Users\Admin\AppData\Local\Temp\wrfzuqgfvkirjxforza.exe
  2⤵
  PID:3232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlftgdsfyntityee.exe .
1⤵
PID:6124
- C:\Windows\zlftgdsfyntityee.exe
  zlftgdsfyntityee.exe .
  2⤵
  PID:876
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\zlftgdsfyntityee.exe*."
    3⤵
    PID:4984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfslfapncqnvmzgoqx.exe .
1⤵
PID:4328
- C:\Users\Admin\AppData\Local\Temp\lfslfapncqnvmzgoqx.exe
  C:\Users\Admin\AppData\Local\Temp\lfslfapncqnvmzgoqx.exe .
  2⤵
  PID:4104
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\lfslfapncqnvmzgoqx.exe*."
    3⤵
    PID:532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ndbtklevslvodmwajpfd.exe
1⤵
PID:5440
- C:\Windows\ndbtklevslvodmwajpfd.exe
  ndbtklevslvodmwajpfd.exe
  2⤵
  PID:4708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apmdttlbxpyqemvygla.exe .
1⤵
PID:1688
- C:\Windows\apmdttlbxpyqemvygla.exe
  apmdttlbxpyqemvygla.exe .
  2⤵
  PID:1536
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\apmdttlbxpyqemvygla.exe*."
    3⤵
    PID:2944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe
1⤵
PID:5520
- C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe
  C:\Users\Admin\AppData\Local\Temp\gtodrpftndkamszag.exe
  2⤵
  PID:4568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe .
1⤵
PID:3888
- C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe
  C:\Users\Admin\AppData\Local\Temp\pdzpedujevduhowyfj.exe .
  2⤵
  PID:3620
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\pdzpedujevduhowyfj.exe*."
    3⤵
    PID:2072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
1⤵
PID:5576
- C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
  C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
  2⤵
  PID:5104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe .
1⤵
PID:4940
- C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe
  C:\Users\Admin\AppData\Local\Temp\ndbtklevslvodmwajpfd.exe .
  2⤵
  PID:5316
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\ndbtklevslvodmwajpfd.exe*."
    3⤵
    PID:4012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdzpedujevduhowyfj.exe
1⤵
PID:2880
- C:\Windows\pdzpedujevduhowyfj.exe
  pdzpedujevduhowyfj.exe
  2⤵
  PID:3772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlftgdsfyntityee.exe .
1⤵
PID:5824
- C:\Windows\zlftgdsfyntityee.exe
  zlftgdsfyntityee.exe .
  2⤵
  PID:1588
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\zlftgdsfyntityee.exe*."
    3⤵
    PID:1392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ndbtklevslvodmwajpfd.exe
1⤵
PID:2256
- C:\Windows\ndbtklevslvodmwajpfd.exe
  ndbtklevslvodmwajpfd.exe
  2⤵
  PID:5368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdzpedujevduhowyfj.exe .
1⤵
PID:5408
- C:\Windows\pdzpedujevduhowyfj.exe
  pdzpedujevduhowyfj.exe .
  2⤵
  PID:2768
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\pdzpedujevduhowyfj.exe*."
    3⤵
    PID:3172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apmdttlbxpyqemvygla.exe
1⤵
PID:3264
- C:\Users\Admin\AppData\Local\Temp\apmdttlbxpyqemvygla.exe
  C:\Users\Admin\AppData\Local\Temp\apmdttlbxpyqemvygla.exe
  2⤵
  PID:1552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe .
1⤵
PID:2336
- C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe
  C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe .
  2⤵
  PID:3040
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\ctsldfzrpjuoeozeovmle.exe*."
    3⤵
    PID:3768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c lfslfapncqnvmzgoqx.exe
1⤵
PID:4548
- C:\Windows\lfslfapncqnvmzgoqx.exe
  lfslfapncqnvmzgoqx.exe
  2⤵
  PID:836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe
1⤵
PID:3460
- C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe
  C:\Users\Admin\AppData\Local\Temp\ctsldfzrpjuoeozeovmle.exe
  2⤵
  PID:5148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe .
1⤵
PID:624
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5260
- C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe
  C:\Users\Admin\AppData\Local\Temp\zlftgdsfyntityee.exe .
  2⤵
  PID:5556
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\zlftgdsfyntityee.exe*."
    3⤵
    PID:5584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wrfzuqgfvkirjxforza.exe .
1⤵
PID:5068
- C:\Windows\wrfzuqgfvkirjxforza.exe
  wrfzuqgfvkirjxforza.exe .
  2⤵
  PID:5080
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\wrfzuqgfvkirjxforza.exe*."
    3⤵
    PID:4968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jfuplizzqgfpixgqudfb.exe
1⤵
PID:3092
- C:\Windows\jfuplizzqgfpixgqudfb.exe
  jfuplizzqgfpixgqudfb.exe
  2⤵
  PID:4560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c lfslfapncqnvmzgoqx.exe .
1⤵
PID:5156
- C:\Windows\lfslfapncqnvmzgoqx.exe
  lfslfapncqnvmzgoqx.exe .
  2⤵
  PID:2140
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\lfslfapncqnvmzgoqx.exe*."
    3⤵
    PID:4436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfslfapncqnvmzgoqx.exe
1⤵
PID:4264
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4792
- C:\Users\Admin\AppData\Local\Temp\lfslfapncqnvmzgoqx.exe
  C:\Users\Admin\AppData\Local\Temp\lfslfapncqnvmzgoqx.exe
  2⤵
  PID:5092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jfuplizzqgfpixgqudfb.exe .
1⤵
PID:4404
- C:\Users\Admin\AppData\Local\Temp\jfuplizzqgfpixgqudfb.exe
  C:\Users\Admin\AppData\Local\Temp\jfuplizzqgfpixgqudfb.exe .
  2⤵
  PID:5904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apmdttlbxpyqemvygla.exe
1⤵
PID:5184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Safe Mode Boot

T1562.009

Modify Registry