pykspa | 5b3dc82ddc8865d7d06be428110829154be48e3345b91a663e4e2435a14d8497

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	bgnry.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	bgnry.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe

Pykspa
Pykspa is a worm spreads via Skype uses DGA and it's written in C++.
worm pykspa
Pykspa family
pykspa

UAC bypass 3 TTPs 28 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	bgnry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bgnry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bgnry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bgnry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bgnry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bgnry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	bgnry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bgnry.exe

Detect Pykspa worm 2 IoCs

worm

resource	yara_rule
behavioral2/files/0x000f000000022edf-4.dat	family_pykspa
behavioral2/files/0x000700000002428f-84.dat	family_pykspa

Adds policy Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\owgnxfer = "zsnfatdbpkaunfemnzd.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bgnry = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fwpfypxtfymevlion.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bgnry = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bwtnkfrrhewsnhisvjpkh.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\owgnxfer = "mgcvrlwvkgxsmffoqdic.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bgnry = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ogarldmjwqfyqhfmmx.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bgnry = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mgcvrlwvkgxsmffoqdic.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\owgnxfer = "ogarldmjwqfyqhfmmx.exe"	bgnry.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\owgnxfer = "fwpfypxtfymevlion.exe"	bgnry.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\owgnxfer = "mgcvrlwvkgxsmffoqdic.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bgnry = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fwpfypxtfymevlion.exe"	bgnry.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\owgnxfer = "fwpfypxtfymevlion.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bgnry = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mgcvrlwvkgxsmffoqdic.exe"	bgnry.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bgnry = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsnfatdbpkaunfemnzd.exe"	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bgnry = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yogvndkfqivmcrns.exe"	bgnry.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bgnry = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bwtnkfrrhewsnhisvjpkh.exe"	bgnry.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\owgnxfer = "fwpfypxtfymevlion.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\owgnxfer = "bwtnkfrrhewsnhisvjpkh.exe"	bgnry.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bgnry = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mgcvrlwvkgxsmffoqdic.exe"	bgnry.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bgnry = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsnfatdbpkaunfemnzd.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bgnry = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ogarldmjwqfyqhfmmx.exe"	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bgnry.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bgnry = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ogarldmjwqfyqhfmmx.exe"	bgnry.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bgnry = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ogarldmjwqfyqhfmmx.exe"	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\owgnxfer = "ogarldmjwqfyqhfmmx.exe"	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bgnry.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\owgnxfer = "zsnfatdbpkaunfemnzd.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\owgnxfer = "mgcvrlwvkgxsmffoqdic.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\owgnxfer = "mgcvrlwvkgxsmffoqdic.exe"	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bgnry = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bwtnkfrrhewsnhisvjpkh.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\owgnxfer = "yogvndkfqivmcrns.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bgnry = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bwtnkfrrhewsnhisvjpkh.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\owgnxfer = "mgcvrlwvkgxsmffoqdic.exe"	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\owgnxfer = "zsnfatdbpkaunfemnzd.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bgnry = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yogvndkfqivmcrns.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\owgnxfer = "mgcvrlwvkgxsmffoqdic.exe"	bgnry.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\owgnxfer = "bwtnkfrrhewsnhisvjpkh.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bgnry = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ogarldmjwqfyqhfmmx.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\owgnxfer = "mgcvrlwvkgxsmffoqdic.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bgnry = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsnfatdbpkaunfemnzd.exe"	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bgnry = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ogarldmjwqfyqhfmmx.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bgnry = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsnfatdbpkaunfemnzd.exe"	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\owgnxfer = "bwtnkfrrhewsnhisvjpkh.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\owgnxfer = "ogarldmjwqfyqhfmmx.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bgnry = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fwpfypxtfymevlion.exe"	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\owgnxfer = "zsnfatdbpkaunfemnzd.exe"	bgnry.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bgnry = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yogvndkfqivmcrns.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\owgnxfer = "bwtnkfrrhewsnhisvjpkh.exe"	bgnry.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	myjtkkdhwit.exe

Blocklisted process makes network request 5 IoCs

flow	pid	Process
58	1944	Process not Found
62	1944	Process not Found
82	1944	Process not Found
83	1944	Process not Found
90	1944	Process not Found

Disables RegEdit via registry modification 6 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	bgnry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	bgnry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	bgnry.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	bgnry.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	yogvndkfqivmcrns.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	bwtnkfrrhewsnhisvjpkh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	yogvndkfqivmcrns.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	zsnfatdbpkaunfemnzd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	bwtnkfrrhewsnhisvjpkh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	fwpfypxtfymevlion.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	zsnfatdbpkaunfemnzd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	yogvndkfqivmcrns.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	ogarldmjwqfyqhfmmx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	mgcvrlwvkgxsmffoqdic.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	zsnfatdbpkaunfemnzd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	mgcvrlwvkgxsmffoqdic.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	zsnfatdbpkaunfemnzd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	fwpfypxtfymevlion.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	zsnfatdbpkaunfemnzd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	mgcvrlwvkgxsmffoqdic.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	ogarldmjwqfyqhfmmx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	zsnfatdbpkaunfemnzd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	fwpfypxtfymevlion.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	bwtnkfrrhewsnhisvjpkh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	yogvndkfqivmcrns.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	mgcvrlwvkgxsmffoqdic.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	bwtnkfrrhewsnhisvjpkh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	zsnfatdbpkaunfemnzd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	mgcvrlwvkgxsmffoqdic.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	myjtkkdhwit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	fwpfypxtfymevlion.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	zsnfatdbpkaunfemnzd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	zsnfatdbpkaunfemnzd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	fwpfypxtfymevlion.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	fwpfypxtfymevlion.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	zsnfatdbpkaunfemnzd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	yogvndkfqivmcrns.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	yogvndkfqivmcrns.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	ogarldmjwqfyqhfmmx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	fwpfypxtfymevlion.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	bwtnkfrrhewsnhisvjpkh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	mgcvrlwvkgxsmffoqdic.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	fwpfypxtfymevlion.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	zsnfatdbpkaunfemnzd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	ogarldmjwqfyqhfmmx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	mgcvrlwvkgxsmffoqdic.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	bwtnkfrrhewsnhisvjpkh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	yogvndkfqivmcrns.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	fwpfypxtfymevlion.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	zsnfatdbpkaunfemnzd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	mgcvrlwvkgxsmffoqdic.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	yogvndkfqivmcrns.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	bwtnkfrrhewsnhisvjpkh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	fwpfypxtfymevlion.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	bwtnkfrrhewsnhisvjpkh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	mgcvrlwvkgxsmffoqdic.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	yogvndkfqivmcrns.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	mgcvrlwvkgxsmffoqdic.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	bwtnkfrrhewsnhisvjpkh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	bwtnkfrrhewsnhisvjpkh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	mgcvrlwvkgxsmffoqdic.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	mgcvrlwvkgxsmffoqdic.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	bwtnkfrrhewsnhisvjpkh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	ogarldmjwqfyqhfmmx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	zsnfatdbpkaunfemnzd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	mgcvrlwvkgxsmffoqdic.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	JaffaCakes118_8b11f0269240dac4945006b2e668842a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	ogarldmjwqfyqhfmmx.exe

Executes dropped EXE 64 IoCs

pid	Process
3552	myjtkkdhwit.exe
4696	fwpfypxtfymevlion.exe
1396	fwpfypxtfymevlion.exe
4820	myjtkkdhwit.exe
4892	zsnfatdbpkaunfemnzd.exe
2768	mgcvrlwvkgxsmffoqdic.exe
3292	yogvndkfqivmcrns.exe
3308	myjtkkdhwit.exe
5336	bwtnkfrrhewsnhisvjpkh.exe
4148	myjtkkdhwit.exe
1400	ogarldmjwqfyqhfmmx.exe
1076	zsnfatdbpkaunfemnzd.exe
4036	myjtkkdhwit.exe
1968	bgnry.exe
2604	bgnry.exe
5960	ogarldmjwqfyqhfmmx.exe
2024	mgcvrlwvkgxsmffoqdic.exe
5032	zsnfatdbpkaunfemnzd.exe
3572	fwpfypxtfymevlion.exe
4336	myjtkkdhwit.exe
1000	myjtkkdhwit.exe
3380	zsnfatdbpkaunfemnzd.exe
4220	yogvndkfqivmcrns.exe
1228	yogvndkfqivmcrns.exe
4688	zsnfatdbpkaunfemnzd.exe
4532	bwtnkfrrhewsnhisvjpkh.exe
4508	zsnfatdbpkaunfemnzd.exe
4560	mgcvrlwvkgxsmffoqdic.exe
4912	yogvndkfqivmcrns.exe
5372	myjtkkdhwit.exe
3600	myjtkkdhwit.exe
5020	myjtkkdhwit.exe
2016	myjtkkdhwit.exe
868	ogarldmjwqfyqhfmmx.exe
5560	fwpfypxtfymevlion.exe
5256	myjtkkdhwit.exe
5944	myjtkkdhwit.exe
1840	mgcvrlwvkgxsmffoqdic.exe
2272	bwtnkfrrhewsnhisvjpkh.exe
424	ogarldmjwqfyqhfmmx.exe
5660	zsnfatdbpkaunfemnzd.exe
3060	myjtkkdhwit.exe
1112	zsnfatdbpkaunfemnzd.exe
1124	ogarldmjwqfyqhfmmx.exe
3004	yogvndkfqivmcrns.exe
2864	myjtkkdhwit.exe
1956	zsnfatdbpkaunfemnzd.exe
4972	myjtkkdhwit.exe
4336	ogarldmjwqfyqhfmmx.exe
2300	yogvndkfqivmcrns.exe
616	myjtkkdhwit.exe
1448	mgcvrlwvkgxsmffoqdic.exe
4564	mgcvrlwvkgxsmffoqdic.exe
1036	ogarldmjwqfyqhfmmx.exe
3428	mgcvrlwvkgxsmffoqdic.exe
4856	ogarldmjwqfyqhfmmx.exe
5020	myjtkkdhwit.exe
5256	yogvndkfqivmcrns.exe
2472	ogarldmjwqfyqhfmmx.exe
4892	mgcvrlwvkgxsmffoqdic.exe
5560	myjtkkdhwit.exe
4812	fwpfypxtfymevlion.exe
5576	myjtkkdhwit.exe
5660	zsnfatdbpkaunfemnzd.exe

Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	bgnry.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	bgnry.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	bgnry.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	bgnry.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	bgnry.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	bgnry.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

defense_evasion persistence privilege_escalation

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fozhsbbpt = "fwpfypxtfymevlion.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zgpvelj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsnfatdbpkaunfemnzd.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\terbozbrxks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yogvndkfqivmcrns.exe ."	bgnry.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zgpvelj = "ogarldmjwqfyqhfmmx.exe ."	bgnry.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fozhsbbpt = "ogarldmjwqfyqhfmmx.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yiudpzapug = "ogarldmjwqfyqhfmmx.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msafnt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsnfatdbpkaunfemnzd.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zgpvelj = "yogvndkfqivmcrns.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\terbozbrxks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bwtnkfrrhewsnhisvjpkh.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yiudpzapug = "mgcvrlwvkgxsmffoqdic.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qcqbpbevcqzm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bwtnkfrrhewsnhisvjpkh.exe"	bgnry.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zgpvelj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yogvndkfqivmcrns.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msafnt = "fwpfypxtfymevlion.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msafnt = "ogarldmjwqfyqhfmmx.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qcqbpbevcqzm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bwtnkfrrhewsnhisvjpkh.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yiudpzapug = "ogarldmjwqfyqhfmmx.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zgpvelj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yogvndkfqivmcrns.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yiudpzapug = "fwpfypxtfymevlion.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yiudpzapug = "fwpfypxtfymevlion.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zgpvelj = "bwtnkfrrhewsnhisvjpkh.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zgpvelj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ogarldmjwqfyqhfmmx.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msafnt = "fwpfypxtfymevlion.exe"	bgnry.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yiudpzapug = "zsnfatdbpkaunfemnzd.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yiudpzapug = "mgcvrlwvkgxsmffoqdic.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msafnt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ogarldmjwqfyqhfmmx.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msafnt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mgcvrlwvkgxsmffoqdic.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msafnt = "ogarldmjwqfyqhfmmx.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qcqbpbevcqzm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yogvndkfqivmcrns.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zgpvelj = "bwtnkfrrhewsnhisvjpkh.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msafnt = "zsnfatdbpkaunfemnzd.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zgpvelj = "mgcvrlwvkgxsmffoqdic.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zgpvelj = "zsnfatdbpkaunfemnzd.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yiudpzapug = "bwtnkfrrhewsnhisvjpkh.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msafnt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bwtnkfrrhewsnhisvjpkh.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zgpvelj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsnfatdbpkaunfemnzd.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msafnt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mgcvrlwvkgxsmffoqdic.exe"	bgnry.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zgpvelj = "yogvndkfqivmcrns.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msafnt = "mgcvrlwvkgxsmffoqdic.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yiudpzapug = "ogarldmjwqfyqhfmmx.exe ."	bgnry.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yiudpzapug = "yogvndkfqivmcrns.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msafnt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsnfatdbpkaunfemnzd.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zgpvelj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mgcvrlwvkgxsmffoqdic.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\terbozbrxks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bwtnkfrrhewsnhisvjpkh.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zgpvelj = "zsnfatdbpkaunfemnzd.exe ."	bgnry.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msafnt = "mgcvrlwvkgxsmffoqdic.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yiudpzapug = "yogvndkfqivmcrns.exe ."	bgnry.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msafnt = "bwtnkfrrhewsnhisvjpkh.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zgpvelj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ogarldmjwqfyqhfmmx.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msafnt = "fwpfypxtfymevlion.exe"	bgnry.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fozhsbbpt = "fwpfypxtfymevlion.exe"	bgnry.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qcqbpbevcqzm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fwpfypxtfymevlion.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fozhsbbpt = "bwtnkfrrhewsnhisvjpkh.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fozhsbbpt = "ogarldmjwqfyqhfmmx.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msafnt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ogarldmjwqfyqhfmmx.exe"	bgnry.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fozhsbbpt = "mgcvrlwvkgxsmffoqdic.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zgpvelj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ogarldmjwqfyqhfmmx.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\terbozbrxks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsnfatdbpkaunfemnzd.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msafnt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bwtnkfrrhewsnhisvjpkh.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\terbozbrxks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ogarldmjwqfyqhfmmx.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msafnt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ogarldmjwqfyqhfmmx.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\terbozbrxks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fwpfypxtfymevlion.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yiudpzapug = "bwtnkfrrhewsnhisvjpkh.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msafnt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yogvndkfqivmcrns.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msafnt = "ogarldmjwqfyqhfmmx.exe"	myjtkkdhwit.exe

Checks whether UAC is enabled 1 TTPs 38 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bgnry.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bgnry.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bgnry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bgnry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe

Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs

Possible Turn off User Account Control's privilege elevation for standard users.

Executable Installer File Permissions Weakness

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	bgnry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	bgnry.exe

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
26	whatismyipaddress.com
29	www.showmyipaddress.com
35	www.whatismyip.ca
40	whatismyip.everdot.org
46	whatismyip.everdot.org
54	whatismyip.everdot.org

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\bwtnkfrrhewsnhisvjpkh.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\bwtnkfrrhewsnhisvjpkh.exe	bgnry.exe
File opened for modification	C:\Windows\SysWOW64\zsnfatdbpkaunfemnzd.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\bwtnkfrrhewsnhisvjpkh.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\bwtnkfrrhewsnhisvjpkh.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\bwtnkfrrhewsnhisvjpkh.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\mgcvrlwvkgxsmffoqdic.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\ogarldmjwqfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\yogvndkfqivmcrns.exe	bgnry.exe
File opened for modification	C:\Windows\SysWOW64\somhfbopgexuqlnycryusn.exe	bgnry.exe
File opened for modification	C:\Windows\SysWOW64\yogvndkfqivmcrns.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\mgcvrlwvkgxsmffoqdic.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\bwtnkfrrhewsnhisvjpkh.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\qcqbpbevcqzmyjbcwbykyjxjmdkyhugrjk.jgs	bgnry.exe
File opened for modification	C:\Windows\SysWOW64\ogarldmjwqfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\fwpfypxtfymevlion.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\bwtnkfrrhewsnhisvjpkh.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\bwtnkfrrhewsnhisvjpkh.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\somhfbopgexuqlnycryusn.exe	myjtkkdhwit.exe
File created	C:\Windows\SysWOW64\dehhkldjfigijjqgpjvwzzc.vbx	bgnry.exe
File opened for modification	C:\Windows\SysWOW64\zsnfatdbpkaunfemnzd.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\somhfbopgexuqlnycryusn.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\yogvndkfqivmcrns.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\bwtnkfrrhewsnhisvjpkh.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\yogvndkfqivmcrns.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\bwtnkfrrhewsnhisvjpkh.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\fwpfypxtfymevlion.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\mgcvrlwvkgxsmffoqdic.exe	bgnry.exe
File opened for modification	C:\Windows\SysWOW64\yogvndkfqivmcrns.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\ogarldmjwqfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\zsnfatdbpkaunfemnzd.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\zsnfatdbpkaunfemnzd.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\ogarldmjwqfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\zsnfatdbpkaunfemnzd.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\ogarldmjwqfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\ogarldmjwqfyqhfmmx.exe	bgnry.exe
File opened for modification	C:\Windows\SysWOW64\fwpfypxtfymevlion.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\bwtnkfrrhewsnhisvjpkh.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\yogvndkfqivmcrns.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\mgcvrlwvkgxsmffoqdic.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\fwpfypxtfymevlion.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\zsnfatdbpkaunfemnzd.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\fwpfypxtfymevlion.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\mgcvrlwvkgxsmffoqdic.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\fwpfypxtfymevlion.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\ogarldmjwqfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\yogvndkfqivmcrns.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\zsnfatdbpkaunfemnzd.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\fwpfypxtfymevlion.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\fwpfypxtfymevlion.exe	myjtkkdhwit.exe
File created	C:\Windows\SysWOW64\qcqbpbevcqzmyjbcwbykyjxjmdkyhugrjk.jgs	bgnry.exe
File opened for modification	C:\Windows\SysWOW64\bwtnkfrrhewsnhisvjpkh.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\ogarldmjwqfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\mgcvrlwvkgxsmffoqdic.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\yogvndkfqivmcrns.exe	bgnry.exe
File opened for modification	C:\Windows\SysWOW64\zsnfatdbpkaunfemnzd.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\somhfbopgexuqlnycryusn.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\mgcvrlwvkgxsmffoqdic.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\yogvndkfqivmcrns.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\zsnfatdbpkaunfemnzd.exe	bgnry.exe
File opened for modification	C:\Windows\SysWOW64\mgcvrlwvkgxsmffoqdic.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\yogvndkfqivmcrns.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\yogvndkfqivmcrns.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\fwpfypxtfymevlion.exe	myjtkkdhwit.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\dehhkldjfigijjqgpjvwzzc.vbx	bgnry.exe
File created	C:\Program Files (x86)\dehhkldjfigijjqgpjvwzzc.vbx	bgnry.exe
File opened for modification	C:\Program Files (x86)\qcqbpbevcqzmyjbcwbykyjxjmdkyhugrjk.jgs	bgnry.exe
File created	C:\Program Files (x86)\qcqbpbevcqzmyjbcwbykyjxjmdkyhugrjk.jgs	bgnry.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\somhfbopgexuqlnycryusn.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\mgcvrlwvkgxsmffoqdic.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\zsnfatdbpkaunfemnzd.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\mgcvrlwvkgxsmffoqdic.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\bwtnkfrrhewsnhisvjpkh.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\zsnfatdbpkaunfemnzd.exe	myjtkkdhwit.exe
File created	C:\Windows\qcqbpbevcqzmyjbcwbykyjxjmdkyhugrjk.jgs	bgnry.exe
File opened for modification	C:\Windows\yogvndkfqivmcrns.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\ogarldmjwqfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\somhfbopgexuqlnycryusn.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\mgcvrlwvkgxsmffoqdic.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\yogvndkfqivmcrns.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\mgcvrlwvkgxsmffoqdic.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\bwtnkfrrhewsnhisvjpkh.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\somhfbopgexuqlnycryusn.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\fwpfypxtfymevlion.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\bwtnkfrrhewsnhisvjpkh.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\fwpfypxtfymevlion.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\zsnfatdbpkaunfemnzd.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\somhfbopgexuqlnycryusn.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\bwtnkfrrhewsnhisvjpkh.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\yogvndkfqivmcrns.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\fwpfypxtfymevlion.exe	bgnry.exe
File opened for modification	C:\Windows\fwpfypxtfymevlion.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\zsnfatdbpkaunfemnzd.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\mgcvrlwvkgxsmffoqdic.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\fwpfypxtfymevlion.exe	bgnry.exe
File opened for modification	C:\Windows\fwpfypxtfymevlion.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\mgcvrlwvkgxsmffoqdic.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\ogarldmjwqfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\ogarldmjwqfyqhfmmx.exe	bgnry.exe
File opened for modification	C:\Windows\fwpfypxtfymevlion.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\ogarldmjwqfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\yogvndkfqivmcrns.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\somhfbopgexuqlnycryusn.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\zsnfatdbpkaunfemnzd.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\bwtnkfrrhewsnhisvjpkh.exe	bgnry.exe
File created	C:\Windows\dehhkldjfigijjqgpjvwzzc.vbx	bgnry.exe
File opened for modification	C:\Windows\ogarldmjwqfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\mgcvrlwvkgxsmffoqdic.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\ogarldmjwqfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\yogvndkfqivmcrns.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\somhfbopgexuqlnycryusn.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\yogvndkfqivmcrns.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\fwpfypxtfymevlion.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\ogarldmjwqfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\somhfbopgexuqlnycryusn.exe	bgnry.exe
File opened for modification	C:\Windows\bwtnkfrrhewsnhisvjpkh.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\yogvndkfqivmcrns.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\ogarldmjwqfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\ogarldmjwqfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\bwtnkfrrhewsnhisvjpkh.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\mgcvrlwvkgxsmffoqdic.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\zsnfatdbpkaunfemnzd.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\mgcvrlwvkgxsmffoqdic.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\zsnfatdbpkaunfemnzd.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\mgcvrlwvkgxsmffoqdic.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\dehhkldjfigijjqgpjvwzzc.vbx	bgnry.exe
File opened for modification	C:\Windows\ogarldmjwqfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\yogvndkfqivmcrns.exe	bgnry.exe
File opened for modification	C:\Windows\fwpfypxtfymevlion.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\ogarldmjwqfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\fwpfypxtfymevlion.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\bwtnkfrrhewsnhisvjpkh.exe	myjtkkdhwit.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ogarldmjwqfyqhfmmx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fwpfypxtfymevlion.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zsnfatdbpkaunfemnzd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bwtnkfrrhewsnhisvjpkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zsnfatdbpkaunfemnzd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mgcvrlwvkgxsmffoqdic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yogvndkfqivmcrns.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yogvndkfqivmcrns.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zsnfatdbpkaunfemnzd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bwtnkfrrhewsnhisvjpkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mgcvrlwvkgxsmffoqdic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fwpfypxtfymevlion.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yogvndkfqivmcrns.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8b11f0269240dac4945006b2e668842a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mgcvrlwvkgxsmffoqdic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mgcvrlwvkgxsmffoqdic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bwtnkfrrhewsnhisvjpkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bwtnkfrrhewsnhisvjpkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zsnfatdbpkaunfemnzd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zsnfatdbpkaunfemnzd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zsnfatdbpkaunfemnzd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zsnfatdbpkaunfemnzd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bwtnkfrrhewsnhisvjpkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yogvndkfqivmcrns.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yogvndkfqivmcrns.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yogvndkfqivmcrns.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yogvndkfqivmcrns.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zsnfatdbpkaunfemnzd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zsnfatdbpkaunfemnzd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fwpfypxtfymevlion.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ogarldmjwqfyqhfmmx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zsnfatdbpkaunfemnzd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yogvndkfqivmcrns.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bwtnkfrrhewsnhisvjpkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mgcvrlwvkgxsmffoqdic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zsnfatdbpkaunfemnzd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zsnfatdbpkaunfemnzd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ogarldmjwqfyqhfmmx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ogarldmjwqfyqhfmmx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bwtnkfrrhewsnhisvjpkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mgcvrlwvkgxsmffoqdic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fwpfypxtfymevlion.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mgcvrlwvkgxsmffoqdic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zsnfatdbpkaunfemnzd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yogvndkfqivmcrns.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mgcvrlwvkgxsmffoqdic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fwpfypxtfymevlion.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bwtnkfrrhewsnhisvjpkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mgcvrlwvkgxsmffoqdic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ogarldmjwqfyqhfmmx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zsnfatdbpkaunfemnzd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zsnfatdbpkaunfemnzd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ogarldmjwqfyqhfmmx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zsnfatdbpkaunfemnzd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bwtnkfrrhewsnhisvjpkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yogvndkfqivmcrns.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bwtnkfrrhewsnhisvjpkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bwtnkfrrhewsnhisvjpkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ogarldmjwqfyqhfmmx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	myjtkkdhwit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fwpfypxtfymevlion.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zsnfatdbpkaunfemnzd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fwpfypxtfymevlion.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bwtnkfrrhewsnhisvjpkh.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2416	JaffaCakes118_8b11f0269240dac4945006b2e668842a.exe
2416	JaffaCakes118_8b11f0269240dac4945006b2e668842a.exe
2416	JaffaCakes118_8b11f0269240dac4945006b2e668842a.exe
2416	JaffaCakes118_8b11f0269240dac4945006b2e668842a.exe
2416	JaffaCakes118_8b11f0269240dac4945006b2e668842a.exe
2416	JaffaCakes118_8b11f0269240dac4945006b2e668842a.exe
2416	JaffaCakes118_8b11f0269240dac4945006b2e668842a.exe
2416	JaffaCakes118_8b11f0269240dac4945006b2e668842a.exe
2416	JaffaCakes118_8b11f0269240dac4945006b2e668842a.exe
2416	JaffaCakes118_8b11f0269240dac4945006b2e668842a.exe
2416	JaffaCakes118_8b11f0269240dac4945006b2e668842a.exe
2416	JaffaCakes118_8b11f0269240dac4945006b2e668842a.exe
2416	JaffaCakes118_8b11f0269240dac4945006b2e668842a.exe
2416	JaffaCakes118_8b11f0269240dac4945006b2e668842a.exe
2416	JaffaCakes118_8b11f0269240dac4945006b2e668842a.exe
2416	JaffaCakes118_8b11f0269240dac4945006b2e668842a.exe
1968	bgnry.exe
1968	bgnry.exe
2416	JaffaCakes118_8b11f0269240dac4945006b2e668842a.exe
2416	JaffaCakes118_8b11f0269240dac4945006b2e668842a.exe
2416	JaffaCakes118_8b11f0269240dac4945006b2e668842a.exe
2416	JaffaCakes118_8b11f0269240dac4945006b2e668842a.exe
2416	JaffaCakes118_8b11f0269240dac4945006b2e668842a.exe
2416	JaffaCakes118_8b11f0269240dac4945006b2e668842a.exe
2416	JaffaCakes118_8b11f0269240dac4945006b2e668842a.exe
2416	JaffaCakes118_8b11f0269240dac4945006b2e668842a.exe
2416	JaffaCakes118_8b11f0269240dac4945006b2e668842a.exe
2416	JaffaCakes118_8b11f0269240dac4945006b2e668842a.exe
2416	JaffaCakes118_8b11f0269240dac4945006b2e668842a.exe
2416	JaffaCakes118_8b11f0269240dac4945006b2e668842a.exe
2416	JaffaCakes118_8b11f0269240dac4945006b2e668842a.exe
2416	JaffaCakes118_8b11f0269240dac4945006b2e668842a.exe
2416	JaffaCakes118_8b11f0269240dac4945006b2e668842a.exe
2416	JaffaCakes118_8b11f0269240dac4945006b2e668842a.exe
2416	JaffaCakes118_8b11f0269240dac4945006b2e668842a.exe
2416	JaffaCakes118_8b11f0269240dac4945006b2e668842a.exe
2416	JaffaCakes118_8b11f0269240dac4945006b2e668842a.exe
2416	JaffaCakes118_8b11f0269240dac4945006b2e668842a.exe
2416	JaffaCakes118_8b11f0269240dac4945006b2e668842a.exe
2416	JaffaCakes118_8b11f0269240dac4945006b2e668842a.exe
2416	JaffaCakes118_8b11f0269240dac4945006b2e668842a.exe
2416	JaffaCakes118_8b11f0269240dac4945006b2e668842a.exe
2416	JaffaCakes118_8b11f0269240dac4945006b2e668842a.exe
2416	JaffaCakes118_8b11f0269240dac4945006b2e668842a.exe
2416	JaffaCakes118_8b11f0269240dac4945006b2e668842a.exe
2416	JaffaCakes118_8b11f0269240dac4945006b2e668842a.exe
2416	JaffaCakes118_8b11f0269240dac4945006b2e668842a.exe
2416	JaffaCakes118_8b11f0269240dac4945006b2e668842a.exe
2416	JaffaCakes118_8b11f0269240dac4945006b2e668842a.exe
2416	JaffaCakes118_8b11f0269240dac4945006b2e668842a.exe
2416	JaffaCakes118_8b11f0269240dac4945006b2e668842a.exe
2416	JaffaCakes118_8b11f0269240dac4945006b2e668842a.exe
2416	JaffaCakes118_8b11f0269240dac4945006b2e668842a.exe
2416	JaffaCakes118_8b11f0269240dac4945006b2e668842a.exe
1968	bgnry.exe
1968	bgnry.exe
2416	JaffaCakes118_8b11f0269240dac4945006b2e668842a.exe
2416	JaffaCakes118_8b11f0269240dac4945006b2e668842a.exe
2416	JaffaCakes118_8b11f0269240dac4945006b2e668842a.exe
2416	JaffaCakes118_8b11f0269240dac4945006b2e668842a.exe
2416	JaffaCakes118_8b11f0269240dac4945006b2e668842a.exe
2416	JaffaCakes118_8b11f0269240dac4945006b2e668842a.exe
2416	JaffaCakes118_8b11f0269240dac4945006b2e668842a.exe
2416	JaffaCakes118_8b11f0269240dac4945006b2e668842a.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1968	bgnry.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 3552	2416	JaffaCakes118_8b11f0269240dac4945006b2e668842a.exe	88
PID 2416 wrote to memory of 3552	2416	JaffaCakes118_8b11f0269240dac4945006b2e668842a.exe	88
PID 2416 wrote to memory of 3552	2416	JaffaCakes118_8b11f0269240dac4945006b2e668842a.exe	88
PID 4664 wrote to memory of 4696	4664	cmd.exe	93
PID 4664 wrote to memory of 4696	4664	cmd.exe	93
PID 4664 wrote to memory of 4696	4664	cmd.exe	93
PID 3832 wrote to memory of 1396	3832	cmd.exe	96
PID 3832 wrote to memory of 1396	3832	cmd.exe	96
PID 3832 wrote to memory of 1396	3832	cmd.exe	96
PID 1396 wrote to memory of 4820	1396	fwpfypxtfymevlion.exe	99
PID 1396 wrote to memory of 4820	1396	fwpfypxtfymevlion.exe	99
PID 1396 wrote to memory of 4820	1396	fwpfypxtfymevlion.exe	99
PID 4720 wrote to memory of 4892	4720	cmd.exe	102
PID 4720 wrote to memory of 4892	4720	cmd.exe	102
PID 4720 wrote to memory of 4892	4720	cmd.exe	102
PID 5364 wrote to memory of 2768	5364	cmd.exe	105
PID 5364 wrote to memory of 2768	5364	cmd.exe	105
PID 5364 wrote to memory of 2768	5364	cmd.exe	105
PID 6000 wrote to memory of 3292	6000	cmd.exe	108
PID 6000 wrote to memory of 3292	6000	cmd.exe	108
PID 6000 wrote to memory of 3292	6000	cmd.exe	108
PID 2768 wrote to memory of 3308	2768	mgcvrlwvkgxsmffoqdic.exe	109
PID 2768 wrote to memory of 3308	2768	mgcvrlwvkgxsmffoqdic.exe	109
PID 2768 wrote to memory of 3308	2768	mgcvrlwvkgxsmffoqdic.exe	109
PID 2868 wrote to memory of 5336	2868	cmd.exe	110
PID 2868 wrote to memory of 5336	2868	cmd.exe	110
PID 2868 wrote to memory of 5336	2868	cmd.exe	110
PID 5336 wrote to memory of 4148	5336	bwtnkfrrhewsnhisvjpkh.exe	114
PID 5336 wrote to memory of 4148	5336	bwtnkfrrhewsnhisvjpkh.exe	114
PID 5336 wrote to memory of 4148	5336	bwtnkfrrhewsnhisvjpkh.exe	114
PID 1876 wrote to memory of 1400	1876	cmd.exe	117
PID 1876 wrote to memory of 1400	1876	cmd.exe	117
PID 1876 wrote to memory of 1400	1876	cmd.exe	117
PID 744 wrote to memory of 1076	744	cmd.exe	119
PID 744 wrote to memory of 1076	744	cmd.exe	119
PID 744 wrote to memory of 1076	744	cmd.exe	119
PID 1076 wrote to memory of 4036	1076	zsnfatdbpkaunfemnzd.exe	259
PID 1076 wrote to memory of 4036	1076	zsnfatdbpkaunfemnzd.exe	259
PID 1076 wrote to memory of 4036	1076	zsnfatdbpkaunfemnzd.exe	259
PID 3552 wrote to memory of 1968	3552	myjtkkdhwit.exe	121
PID 3552 wrote to memory of 1968	3552	myjtkkdhwit.exe	121
PID 3552 wrote to memory of 1968	3552	myjtkkdhwit.exe	121
PID 3552 wrote to memory of 2604	3552	myjtkkdhwit.exe	122
PID 3552 wrote to memory of 2604	3552	myjtkkdhwit.exe	122
PID 3552 wrote to memory of 2604	3552	myjtkkdhwit.exe	122
PID 2864 wrote to memory of 5960	2864	cmd.exe	127
PID 2864 wrote to memory of 5960	2864	cmd.exe	127
PID 2864 wrote to memory of 5960	2864	cmd.exe	127
PID 1912 wrote to memory of 2024	1912	cmd.exe	128
PID 1912 wrote to memory of 2024	1912	cmd.exe	128
PID 1912 wrote to memory of 2024	1912	cmd.exe	128
PID 5428 wrote to memory of 5032	5428	cmd.exe	133
PID 5428 wrote to memory of 5032	5428	cmd.exe	133
PID 5428 wrote to memory of 5032	5428	cmd.exe	133
PID 5824 wrote to memory of 3572	5824	cmd.exe	134
PID 5824 wrote to memory of 3572	5824	cmd.exe	134
PID 5824 wrote to memory of 3572	5824	cmd.exe	134
PID 3572 wrote to memory of 4336	3572	fwpfypxtfymevlion.exe	281
PID 3572 wrote to memory of 4336	3572	fwpfypxtfymevlion.exe	281
PID 3572 wrote to memory of 4336	3572	fwpfypxtfymevlion.exe	281
PID 5032 wrote to memory of 1000	5032	zsnfatdbpkaunfemnzd.exe	149
PID 5032 wrote to memory of 1000	5032	zsnfatdbpkaunfemnzd.exe	149
PID 5032 wrote to memory of 1000	5032	zsnfatdbpkaunfemnzd.exe	149
PID 5584 wrote to memory of 3380	5584	cmd.exe	154

System policy modification 1 TTPs 64 IoCs

defense_evasion

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	bgnry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bgnry.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	bgnry.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	bgnry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bgnry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	bgnry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	bgnry.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bgnry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	bgnry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	bgnry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bgnry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bgnry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	bgnry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	bgnry.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	bgnry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bgnry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	bgnry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	bgnry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	bgnry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bgnry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	bgnry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	bgnry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	bgnry.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8b11f0269240dac4945006b2e668842a.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8b11f0269240dac4945006b2e668842a.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
  "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_8b11f0269240dac4945006b2e668842a.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Hijack Execution Flow: Executable Installer File Permissions Weakness
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3552
- - C:\Users\Admin\AppData\Local\Temp\bgnry.exe
    "C:\Users\Admin\AppData\Local\Temp\bgnry.exe" "-C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:1968
- - C:\Users\Admin\AppData\Local\Temp\bgnry.exe
    "C:\Users\Admin\AppData\Local\Temp\bgnry.exe" "-C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwpfypxtfymevlion.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4664
- C:\Windows\fwpfypxtfymevlion.exe
  fwpfypxtfymevlion.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwpfypxtfymevlion.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:3832
- C:\Windows\fwpfypxtfymevlion.exe
  fwpfypxtfymevlion.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1396
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\fwpfypxtfymevlion.exe*."
    3⤵
    - Executes dropped EXE
    PID:4820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsnfatdbpkaunfemnzd.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4720
- C:\Windows\zsnfatdbpkaunfemnzd.exe
  zsnfatdbpkaunfemnzd.exe
  2⤵
  - Executes dropped EXE
  PID:4892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgcvrlwvkgxsmffoqdic.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:5364
- C:\Windows\mgcvrlwvkgxsmffoqdic.exe
  mgcvrlwvkgxsmffoqdic.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\mgcvrlwvkgxsmffoqdic.exe*."
    3⤵
    - Executes dropped EXE
    PID:3308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:6000
- C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
  2⤵
  - Executes dropped EXE
  PID:3292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe
  C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5336
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\bwtnkfrrhewsnhisvjpkh.exe*."
    3⤵
    - Executes dropped EXE
    PID:4148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:744
- C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe
  C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1076
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\zsnfatdbpkaunfemnzd.exe*."
    3⤵
    - Executes dropped EXE
    PID:4036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogarldmjwqfyqhfmmx.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Windows\ogarldmjwqfyqhfmmx.exe
  ogarldmjwqfyqhfmmx.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgcvrlwvkgxsmffoqdic.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Windows\mgcvrlwvkgxsmffoqdic.exe
  mgcvrlwvkgxsmffoqdic.exe
  2⤵
  - Executes dropped EXE
  PID:2024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwpfypxtfymevlion.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:5824
- C:\Windows\fwpfypxtfymevlion.exe
  fwpfypxtfymevlion.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3572
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\fwpfypxtfymevlion.exe*."
    3⤵
    - Executes dropped EXE
    PID:4336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsnfatdbpkaunfemnzd.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:5428
- C:\Windows\zsnfatdbpkaunfemnzd.exe
  zsnfatdbpkaunfemnzd.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5032
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\zsnfatdbpkaunfemnzd.exe*."
    3⤵
    - Executes dropped EXE
    PID:1000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yogvndkfqivmcrns.exe
1⤵
PID:2712
- C:\Windows\yogvndkfqivmcrns.exe
  yogvndkfqivmcrns.exe
  2⤵
  - Executes dropped EXE
  PID:4220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsnfatdbpkaunfemnzd.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5584
- C:\Windows\zsnfatdbpkaunfemnzd.exe
  zsnfatdbpkaunfemnzd.exe
  2⤵
  - Executes dropped EXE
  PID:3380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsnfatdbpkaunfemnzd.exe .
1⤵
PID:4392
- C:\Windows\zsnfatdbpkaunfemnzd.exe
  zsnfatdbpkaunfemnzd.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4688
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\zsnfatdbpkaunfemnzd.exe*."
    3⤵
    - Executes dropped EXE
    PID:3600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsnfatdbpkaunfemnzd.exe .
1⤵
PID:4420
- C:\Windows\zsnfatdbpkaunfemnzd.exe
  zsnfatdbpkaunfemnzd.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4508
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\zsnfatdbpkaunfemnzd.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe
1⤵
PID:408
- C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe
  C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe
  2⤵
  - Executes dropped EXE
  PID:4532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
1⤵
PID:4908
- C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
  2⤵
  - Executes dropped EXE
  PID:1228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgcvrlwvkgxsmffoqdic.exe .
1⤵
PID:4008
- C:\Users\Admin\AppData\Local\Temp\mgcvrlwvkgxsmffoqdic.exe
  C:\Users\Admin\AppData\Local\Temp\mgcvrlwvkgxsmffoqdic.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4560
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\mgcvrlwvkgxsmffoqdic.exe*."
    3⤵
    - Executes dropped EXE
    PID:5020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe .
1⤵
PID:5320
- C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe .
  2⤵
  - Executes dropped EXE
  PID:4912
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\yogvndkfqivmcrns.exe*."
    3⤵
    - Executes dropped EXE
    PID:2016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgcvrlwvkgxsmffoqdic.exe
1⤵
PID:4808
- C:\Users\Admin\AppData\Local\Temp\mgcvrlwvkgxsmffoqdic.exe
  C:\Users\Admin\AppData\Local\Temp\mgcvrlwvkgxsmffoqdic.exe
  2⤵
  - Executes dropped EXE
  PID:1840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe
1⤵
PID:4800
- C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe
  C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe
  2⤵
  - Executes dropped EXE
  PID:2272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe .
1⤵
PID:3676
- C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:868
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\ogarldmjwqfyqhfmmx.exe*."
    3⤵
    - Executes dropped EXE
    PID:5256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe .
1⤵
PID:3228
- C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe
  C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5560
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\fwpfypxtfymevlion.exe*."
    3⤵
    - Executes dropped EXE
    PID:5944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogarldmjwqfyqhfmmx.exe
1⤵
PID:3644
- C:\Windows\ogarldmjwqfyqhfmmx.exe
  ogarldmjwqfyqhfmmx.exe
  2⤵
  - Executes dropped EXE
  PID:424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsnfatdbpkaunfemnzd.exe .
1⤵
PID:1408
- C:\Windows\zsnfatdbpkaunfemnzd.exe
  zsnfatdbpkaunfemnzd.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5660
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\zsnfatdbpkaunfemnzd.exe*."
    3⤵
    - Executes dropped EXE
    PID:3060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsnfatdbpkaunfemnzd.exe
1⤵
PID:2500
- C:\Windows\zsnfatdbpkaunfemnzd.exe
  zsnfatdbpkaunfemnzd.exe
  2⤵
  - Executes dropped EXE
  PID:1112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogarldmjwqfyqhfmmx.exe .
1⤵
PID:2476
- C:\Windows\ogarldmjwqfyqhfmmx.exe
  ogarldmjwqfyqhfmmx.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:1124
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\ogarldmjwqfyqhfmmx.exe*."
    3⤵
    - Executes dropped EXE
    PID:2864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
1⤵
PID:5284
- C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
  2⤵
  - Executes dropped EXE
  PID:3004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe .
1⤵
PID:5920
- C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe
  C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1956
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\zsnfatdbpkaunfemnzd.exe*."
    3⤵
    - Executes dropped EXE
    PID:4972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
1⤵
PID:5664
- C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
  2⤵
  - Executes dropped EXE
  PID:4336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe .
1⤵
PID:5300
- C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2300
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\yogvndkfqivmcrns.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgcvrlwvkgxsmffoqdic.exe
1⤵
PID:1228
- C:\Windows\mgcvrlwvkgxsmffoqdic.exe
  mgcvrlwvkgxsmffoqdic.exe
  2⤵
  - Executes dropped EXE
  PID:1448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgcvrlwvkgxsmffoqdic.exe
1⤵
PID:4672
- C:\Windows\mgcvrlwvkgxsmffoqdic.exe
  mgcvrlwvkgxsmffoqdic.exe
  2⤵
  - Executes dropped EXE
  PID:4564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogarldmjwqfyqhfmmx.exe .
1⤵
PID:5596
- C:\Windows\ogarldmjwqfyqhfmmx.exe
  ogarldmjwqfyqhfmmx.exe .
  2⤵
  - Executes dropped EXE
  PID:1036
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\ogarldmjwqfyqhfmmx.exe*."
    3⤵
    - Executes dropped EXE
    PID:5020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgcvrlwvkgxsmffoqdic.exe
1⤵
PID:5704
- C:\Windows\mgcvrlwvkgxsmffoqdic.exe
  mgcvrlwvkgxsmffoqdic.exe
  2⤵
  - Executes dropped EXE
  PID:3428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogarldmjwqfyqhfmmx.exe .
1⤵
PID:2484
- C:\Windows\ogarldmjwqfyqhfmmx.exe
  ogarldmjwqfyqhfmmx.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4856
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\ogarldmjwqfyqhfmmx.exe*."
    3⤵
    - Executes dropped EXE
    PID:5560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yogvndkfqivmcrns.exe
1⤵
PID:2768
- C:\Windows\yogvndkfqivmcrns.exe
  yogvndkfqivmcrns.exe
  2⤵
  - Executes dropped EXE
  PID:5256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogarldmjwqfyqhfmmx.exe .
1⤵
PID:3192
- C:\Windows\ogarldmjwqfyqhfmmx.exe
  ogarldmjwqfyqhfmmx.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2472
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\ogarldmjwqfyqhfmmx.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgcvrlwvkgxsmffoqdic.exe .
1⤵
PID:5340
- C:\Windows\mgcvrlwvkgxsmffoqdic.exe
  mgcvrlwvkgxsmffoqdic.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4892
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\mgcvrlwvkgxsmffoqdic.exe*."
    3⤵
    PID:3060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe
1⤵
PID:2016
- C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe
  C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe
  2⤵
  - Executes dropped EXE
  PID:4812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsnfatdbpkaunfemnzd.exe
1⤵
PID:5556
- C:\Windows\zsnfatdbpkaunfemnzd.exe
  zsnfatdbpkaunfemnzd.exe
  2⤵
  - Executes dropped EXE
  PID:5660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwpfypxtfymevlion.exe
1⤵
PID:4516
- C:\Windows\fwpfypxtfymevlion.exe
  fwpfypxtfymevlion.exe
  2⤵
  PID:372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgcvrlwvkgxsmffoqdic.exe .
1⤵
PID:3100
- C:\Users\Admin\AppData\Local\Temp\mgcvrlwvkgxsmffoqdic.exe
  C:\Users\Admin\AppData\Local\Temp\mgcvrlwvkgxsmffoqdic.exe .
  2⤵
  PID:5836
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\mgcvrlwvkgxsmffoqdic.exe*."
    3⤵
    PID:4336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwtnkfrrhewsnhisvjpkh.exe .
1⤵
PID:1400
- C:\Windows\bwtnkfrrhewsnhisvjpkh.exe
  bwtnkfrrhewsnhisvjpkh.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4004
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\bwtnkfrrhewsnhisvjpkh.exe*."
    3⤵
    PID:4756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsnfatdbpkaunfemnzd.exe .
1⤵
PID:5268
- C:\Windows\zsnfatdbpkaunfemnzd.exe
  zsnfatdbpkaunfemnzd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4464
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\zsnfatdbpkaunfemnzd.exe*."
    3⤵
    PID:4788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe
1⤵
PID:1632
- C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe
  C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe
  2⤵
  PID:5284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe
1⤵
PID:4760
- C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe
  C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe
  2⤵
  PID:5444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe .
1⤵
PID:4596
- C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe
  C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe .
  2⤵
  - Checks computer location settings
  PID:1512
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\fwpfypxtfymevlion.exe*."
    3⤵
    PID:5504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe .
1⤵
PID:2996
- C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe
  C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3952
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\fwpfypxtfymevlion.exe*."
    3⤵
    PID:4532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
1⤵
PID:4452
- C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
  2⤵
  PID:1792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe .
1⤵
PID:4036
- C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe .
  2⤵
  PID:4972
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\yogvndkfqivmcrns.exe*."
    3⤵
    PID:4492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
1⤵
PID:5036
- C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
  2⤵
  PID:5180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgcvrlwvkgxsmffoqdic.exe
1⤵
PID:2252
- C:\Users\Admin\AppData\Local\Temp\mgcvrlwvkgxsmffoqdic.exe
  C:\Users\Admin\AppData\Local\Temp\mgcvrlwvkgxsmffoqdic.exe
  2⤵
  PID:4520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe .
1⤵
PID:1640
- C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe
  C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe .
  2⤵
  PID:1732
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\fwpfypxtfymevlion.exe*."
    3⤵
    PID:6024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe .
1⤵
PID:4348
- C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe
  C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1368
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\bwtnkfrrhewsnhisvjpkh.exe*."
    3⤵
    PID:2712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yogvndkfqivmcrns.exe
1⤵
PID:2568
- C:\Windows\yogvndkfqivmcrns.exe
  yogvndkfqivmcrns.exe
  2⤵
  PID:3580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yogvndkfqivmcrns.exe .
1⤵
PID:4072
- C:\Windows\yogvndkfqivmcrns.exe
  yogvndkfqivmcrns.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5468
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\yogvndkfqivmcrns.exe*."
    3⤵
    PID:3016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsnfatdbpkaunfemnzd.exe
1⤵
PID:1036
- C:\Windows\zsnfatdbpkaunfemnzd.exe
  zsnfatdbpkaunfemnzd.exe
  2⤵
  PID:1212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwtnkfrrhewsnhisvjpkh.exe .
1⤵
PID:5696
- C:\Windows\bwtnkfrrhewsnhisvjpkh.exe
  bwtnkfrrhewsnhisvjpkh.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1264
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\bwtnkfrrhewsnhisvjpkh.exe*."
    3⤵
    PID:1964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgcvrlwvkgxsmffoqdic.exe
1⤵
PID:3744
- C:\Users\Admin\AppData\Local\Temp\mgcvrlwvkgxsmffoqdic.exe
  C:\Users\Admin\AppData\Local\Temp\mgcvrlwvkgxsmffoqdic.exe
  2⤵
  PID:4864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe .
1⤵
PID:2164
- C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe
  C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2968
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\zsnfatdbpkaunfemnzd.exe*."
    3⤵
    PID:4772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
1⤵
PID:1408
- C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
  2⤵
  PID:5964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgcvrlwvkgxsmffoqdic.exe .
1⤵
PID:3852
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1124
- C:\Users\Admin\AppData\Local\Temp\mgcvrlwvkgxsmffoqdic.exe
  C:\Users\Admin\AppData\Local\Temp\mgcvrlwvkgxsmffoqdic.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:8
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\mgcvrlwvkgxsmffoqdic.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgcvrlwvkgxsmffoqdic.exe
1⤵
PID:5244
- C:\Windows\mgcvrlwvkgxsmffoqdic.exe
  mgcvrlwvkgxsmffoqdic.exe
  2⤵
  PID:5436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwtnkfrrhewsnhisvjpkh.exe .
1⤵
PID:1792
- C:\Windows\bwtnkfrrhewsnhisvjpkh.exe
  bwtnkfrrhewsnhisvjpkh.exe .
  2⤵
  - Checks computer location settings
  PID:4888
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\bwtnkfrrhewsnhisvjpkh.exe*."
    3⤵
    PID:2452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogarldmjwqfyqhfmmx.exe
1⤵
PID:212
- C:\Windows\ogarldmjwqfyqhfmmx.exe
  ogarldmjwqfyqhfmmx.exe
  2⤵
  PID:2888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgcvrlwvkgxsmffoqdic.exe .
1⤵
PID:4576
- C:\Windows\mgcvrlwvkgxsmffoqdic.exe
  mgcvrlwvkgxsmffoqdic.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4488
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\mgcvrlwvkgxsmffoqdic.exe*."
    3⤵
    PID:4956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgcvrlwvkgxsmffoqdic.exe
1⤵
PID:4580
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1448
- C:\Users\Admin\AppData\Local\Temp\mgcvrlwvkgxsmffoqdic.exe
  C:\Users\Admin\AppData\Local\Temp\mgcvrlwvkgxsmffoqdic.exe
  2⤵
  PID:5664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe .
1⤵
PID:5976
- C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe
  C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4540
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\bwtnkfrrhewsnhisvjpkh.exe*."
    3⤵
    PID:5980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgcvrlwvkgxsmffoqdic.exe
1⤵
PID:2328
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4972
- C:\Users\Admin\AppData\Local\Temp\mgcvrlwvkgxsmffoqdic.exe
  C:\Users\Admin\AppData\Local\Temp\mgcvrlwvkgxsmffoqdic.exe
  2⤵
  PID:868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe .
1⤵
PID:2692
- C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5504
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\yogvndkfqivmcrns.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwpfypxtfymevlion.exe
1⤵
PID:2208
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1228
- C:\Windows\fwpfypxtfymevlion.exe
  fwpfypxtfymevlion.exe
  2⤵
  PID:1020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwtnkfrrhewsnhisvjpkh.exe .
1⤵
PID:2252
- C:\Windows\bwtnkfrrhewsnhisvjpkh.exe
  bwtnkfrrhewsnhisvjpkh.exe .
  2⤵
  - Checks computer location settings
  PID:4804
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\bwtnkfrrhewsnhisvjpkh.exe*."
    3⤵
    PID:5796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsnfatdbpkaunfemnzd.exe
1⤵
PID:1732
- C:\Windows\zsnfatdbpkaunfemnzd.exe
  zsnfatdbpkaunfemnzd.exe
  2⤵
  PID:3420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgcvrlwvkgxsmffoqdic.exe .
1⤵
PID:6024
- C:\Windows\mgcvrlwvkgxsmffoqdic.exe
  mgcvrlwvkgxsmffoqdic.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:800
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\mgcvrlwvkgxsmffoqdic.exe*."
    3⤵
    PID:5152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgcvrlwvkgxsmffoqdic.exe
1⤵
PID:2864
- C:\Users\Admin\AppData\Local\Temp\mgcvrlwvkgxsmffoqdic.exe
  C:\Users\Admin\AppData\Local\Temp\mgcvrlwvkgxsmffoqdic.exe
  2⤵
  PID:5468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe .
1⤵
PID:5464
- C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe
  C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4072
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\bwtnkfrrhewsnhisvjpkh.exe*."
    3⤵
    PID:1248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe
1⤵
PID:5020
- C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe
  C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe
  2⤵
  PID:5048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe .
1⤵
PID:1280
- C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe .
  2⤵
  - Checks computer location settings
  PID:4812
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\yogvndkfqivmcrns.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogarldmjwqfyqhfmmx.exe
1⤵
PID:1132
- C:\Windows\ogarldmjwqfyqhfmmx.exe
  ogarldmjwqfyqhfmmx.exe
  2⤵
  PID:2164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwpfypxtfymevlion.exe .
1⤵
PID:4728
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:372
- C:\Windows\fwpfypxtfymevlion.exe
  fwpfypxtfymevlion.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5688
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\fwpfypxtfymevlion.exe*."
    3⤵
    PID:5028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogarldmjwqfyqhfmmx.exe
1⤵
PID:2072
- C:\Windows\ogarldmjwqfyqhfmmx.exe
  ogarldmjwqfyqhfmmx.exe
  2⤵
  PID:5444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwtnkfrrhewsnhisvjpkh.exe .
1⤵
PID:2836
- C:\Windows\bwtnkfrrhewsnhisvjpkh.exe
  bwtnkfrrhewsnhisvjpkh.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:996
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\bwtnkfrrhewsnhisvjpkh.exe*."
    3⤵
    PID:4976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe
1⤵
PID:6116
- C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe
  C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe
  2⤵
  PID:5060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe .
1⤵
PID:1536
- C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe
  C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:436
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\fwpfypxtfymevlion.exe*."
    3⤵
    PID:5316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
1⤵
PID:4760
- C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
  2⤵
  PID:4004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe .
1⤵
PID:3452
- C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:212
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\yogvndkfqivmcrns.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:6104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsnfatdbpkaunfemnzd.exe
1⤵
PID:4520
- C:\Windows\zsnfatdbpkaunfemnzd.exe
  zsnfatdbpkaunfemnzd.exe
  2⤵
  PID:3456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwpfypxtfymevlion.exe .
1⤵
PID:3488
- C:\Windows\fwpfypxtfymevlion.exe
  fwpfypxtfymevlion.exe .
  2⤵
  PID:5072
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\fwpfypxtfymevlion.exe*."
    3⤵
    PID:1400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgcvrlwvkgxsmffoqdic.exe
1⤵
PID:1148
- C:\Windows\mgcvrlwvkgxsmffoqdic.exe
  mgcvrlwvkgxsmffoqdic.exe
  2⤵
  PID:4012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwpfypxtfymevlion.exe .
1⤵
PID:1528
- C:\Windows\fwpfypxtfymevlion.exe
  fwpfypxtfymevlion.exe .
  2⤵
  - Checks computer location settings
  PID:5448
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\fwpfypxtfymevlion.exe*."
    3⤵
    PID:460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
1⤵
PID:3580
- C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
  2⤵
  PID:4720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe .
1⤵
PID:1016
- C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe
  C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1368
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\zsnfatdbpkaunfemnzd.exe*."
    3⤵
    PID:536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
1⤵
PID:2456
- C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
  2⤵
  PID:5772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe .
1⤵
PID:3428
- C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe
  C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4408
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\bwtnkfrrhewsnhisvjpkh.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgcvrlwvkgxsmffoqdic.exe
1⤵
PID:5560
- C:\Windows\mgcvrlwvkgxsmffoqdic.exe
  mgcvrlwvkgxsmffoqdic.exe
  2⤵
  PID:1072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yogvndkfqivmcrns.exe .
1⤵
PID:5172
- C:\Windows\yogvndkfqivmcrns.exe
  yogvndkfqivmcrns.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1640
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\yogvndkfqivmcrns.exe*."
    3⤵
    PID:4072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwpfypxtfymevlion.exe
1⤵
PID:3208
- C:\Windows\fwpfypxtfymevlion.exe
  fwpfypxtfymevlion.exe
  2⤵
  PID:4524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwtnkfrrhewsnhisvjpkh.exe .
1⤵
PID:5184
- C:\Windows\bwtnkfrrhewsnhisvjpkh.exe
  bwtnkfrrhewsnhisvjpkh.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3032
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\bwtnkfrrhewsnhisvjpkh.exe*."
    3⤵
    PID:1952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgcvrlwvkgxsmffoqdic.exe
1⤵
PID:4864
- C:\Users\Admin\AppData\Local\Temp\mgcvrlwvkgxsmffoqdic.exe
  C:\Users\Admin\AppData\Local\Temp\mgcvrlwvkgxsmffoqdic.exe
  2⤵
  PID:1964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe .
1⤵
PID:4824
- C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe
  C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe .
  2⤵
  - Checks computer location settings
  PID:4892
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\bwtnkfrrhewsnhisvjpkh.exe*."
    3⤵
    PID:2164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe
1⤵
PID:3560
- C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe
  C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe
  2⤵
  PID:4708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe .
1⤵
PID:4264
- C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe
  C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1408
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\zsnfatdbpkaunfemnzd.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsnfatdbpkaunfemnzd.exe
1⤵
PID:5684
- C:\Windows\zsnfatdbpkaunfemnzd.exe
  zsnfatdbpkaunfemnzd.exe
  2⤵
  PID:4652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsnfatdbpkaunfemnzd.exe
1⤵
PID:5340
- C:\Windows\zsnfatdbpkaunfemnzd.exe
  zsnfatdbpkaunfemnzd.exe
  2⤵
  PID:4552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgcvrlwvkgxsmffoqdic.exe .
1⤵
PID:1948
- C:\Windows\mgcvrlwvkgxsmffoqdic.exe
  mgcvrlwvkgxsmffoqdic.exe .
  2⤵
  PID:4624
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\mgcvrlwvkgxsmffoqdic.exe*."
    3⤵
    PID:4616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgcvrlwvkgxsmffoqdic.exe .
1⤵
PID:2496
- C:\Windows\mgcvrlwvkgxsmffoqdic.exe
  mgcvrlwvkgxsmffoqdic.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:6092
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\mgcvrlwvkgxsmffoqdic.exe*."
    3⤵
    PID:3264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwpfypxtfymevlion.exe
1⤵
PID:1536
- C:\Windows\fwpfypxtfymevlion.exe
  fwpfypxtfymevlion.exe
  2⤵
  PID:4452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwpfypxtfymevlion.exe
1⤵
PID:5332
- C:\Windows\fwpfypxtfymevlion.exe
  fwpfypxtfymevlion.exe
  2⤵
  PID:5672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogarldmjwqfyqhfmmx.exe
1⤵
PID:4784
- C:\Windows\ogarldmjwqfyqhfmmx.exe
  ogarldmjwqfyqhfmmx.exe
  2⤵
  PID:5448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogarldmjwqfyqhfmmx.exe .
1⤵
PID:5944
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1956
- C:\Windows\ogarldmjwqfyqhfmmx.exe
  ogarldmjwqfyqhfmmx.exe .
  2⤵
  PID:3004
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\ogarldmjwqfyqhfmmx.exe*."
    3⤵
    PID:5172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yogvndkfqivmcrns.exe .
1⤵
PID:3676
- C:\Windows\yogvndkfqivmcrns.exe
  yogvndkfqivmcrns.exe .
  2⤵
  - Checks computer location settings
  PID:1876
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\yogvndkfqivmcrns.exe*."
    3⤵
    PID:2116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yogvndkfqivmcrns.exe .
1⤵
PID:3100
- C:\Windows\yogvndkfqivmcrns.exe
  yogvndkfqivmcrns.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3428
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\yogvndkfqivmcrns.exe*."
    3⤵
    PID:2484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
1⤵
PID:3548
- C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
  2⤵
  PID:4584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe
1⤵
PID:4684
- C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe
  C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe
  2⤵
  PID:532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe .
1⤵
PID:4012
- C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe
  C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4052
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\zsnfatdbpkaunfemnzd.exe*."
    3⤵
    PID:4644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgcvrlwvkgxsmffoqdic.exe .
1⤵
PID:1584
- C:\Users\Admin\AppData\Local\Temp\mgcvrlwvkgxsmffoqdic.exe
  C:\Users\Admin\AppData\Local\Temp\mgcvrlwvkgxsmffoqdic.exe .
  2⤵
  - Checks computer location settings
  PID:2240
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\mgcvrlwvkgxsmffoqdic.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwpfypxtfymevlion.exe
1⤵
PID:5632
- C:\Windows\fwpfypxtfymevlion.exe
  fwpfypxtfymevlion.exe
  2⤵
  PID:4664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwtnkfrrhewsnhisvjpkh.exe .
1⤵
PID:5556
- C:\Windows\bwtnkfrrhewsnhisvjpkh.exe
  bwtnkfrrhewsnhisvjpkh.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4704
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\bwtnkfrrhewsnhisvjpkh.exe*."
    3⤵
    PID:2844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
1⤵
PID:3680
- C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
  2⤵
  PID:392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe
1⤵
PID:5808
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5796
- C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe
  C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe
  2⤵
  PID:4908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe
1⤵
PID:3644
- C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe
  C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe
  2⤵
  PID:2768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe .
1⤵
PID:5016
- C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe
  C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2056
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\bwtnkfrrhewsnhisvjpkh.exe*."
    3⤵
    PID:5932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe .
1⤵
PID:2252
- C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe
  C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe .
  2⤵
  - Checks computer location settings
  PID:1916
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\fwpfypxtfymevlion.exe*."
    3⤵
    PID:5028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgcvrlwvkgxsmffoqdic.exe .
1⤵
PID:4408
- C:\Users\Admin\AppData\Local\Temp\mgcvrlwvkgxsmffoqdic.exe
  C:\Users\Admin\AppData\Local\Temp\mgcvrlwvkgxsmffoqdic.exe .
  2⤵
  - Checks computer location settings
  PID:5692
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\mgcvrlwvkgxsmffoqdic.exe*."
    3⤵
    PID:5732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
1⤵
PID:384
- C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
  2⤵
  PID:5604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe .
1⤵
PID:4980
- C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4636
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\ogarldmjwqfyqhfmmx.exe*."
    3⤵
    PID:2992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwtnkfrrhewsnhisvjpkh.exe
1⤵
PID:4544
- C:\Windows\bwtnkfrrhewsnhisvjpkh.exe
  bwtnkfrrhewsnhisvjpkh.exe
  2⤵
  PID:4440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgcvrlwvkgxsmffoqdic.exe .
1⤵
PID:4392
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1792
- C:\Windows\mgcvrlwvkgxsmffoqdic.exe
  mgcvrlwvkgxsmffoqdic.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3480
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\mgcvrlwvkgxsmffoqdic.exe*."
    3⤵
    PID:460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsnfatdbpkaunfemnzd.exe
1⤵
PID:4452
- C:\Windows\zsnfatdbpkaunfemnzd.exe
  zsnfatdbpkaunfemnzd.exe
  2⤵
  PID:4528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yogvndkfqivmcrns.exe .
1⤵
PID:5564
- C:\Windows\yogvndkfqivmcrns.exe
  yogvndkfqivmcrns.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1536
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\yogvndkfqivmcrns.exe*."
    3⤵
    PID:4460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe
1⤵
PID:4744
- C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe
  C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe
  2⤵
  PID:4424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe .
1⤵
PID:5504
- C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe
  C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4784
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\zsnfatdbpkaunfemnzd.exe*."
    3⤵
    PID:3016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
1⤵
PID:5568
- C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
  2⤵
  PID:1768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe .
1⤵
PID:5896
- C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe
  C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5308
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\zsnfatdbpkaunfemnzd.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogarldmjwqfyqhfmmx.exe
1⤵
PID:3228
- C:\Windows\ogarldmjwqfyqhfmmx.exe
  ogarldmjwqfyqhfmmx.exe
  2⤵
  PID:4844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsnfatdbpkaunfemnzd.exe .
1⤵
PID:2328
- C:\Windows\zsnfatdbpkaunfemnzd.exe
  zsnfatdbpkaunfemnzd.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5260
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\zsnfatdbpkaunfemnzd.exe*."
    3⤵
    PID:3676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgcvrlwvkgxsmffoqdic.exe
1⤵
PID:2964
- C:\Windows\mgcvrlwvkgxsmffoqdic.exe
  mgcvrlwvkgxsmffoqdic.exe
  2⤵
  PID:5836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwtnkfrrhewsnhisvjpkh.exe .
1⤵
PID:3452
- C:\Windows\bwtnkfrrhewsnhisvjpkh.exe
  bwtnkfrrhewsnhisvjpkh.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3504
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\bwtnkfrrhewsnhisvjpkh.exe*."
    3⤵
    PID:5480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
1⤵
PID:5760
- C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
  2⤵
  PID:4748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe .
1⤵
PID:864
- C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe
  C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3188
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\zsnfatdbpkaunfemnzd.exe*."
    3⤵
    PID:5648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
1⤵
PID:384
- C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
  2⤵
  PID:4860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe .
1⤵
PID:1884
- C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe
  C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3832
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\bwtnkfrrhewsnhisvjpkh.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - System policy modification
    PID:1732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwpfypxtfymevlion.exe
1⤵
PID:5016
- C:\Windows\fwpfypxtfymevlion.exe
  fwpfypxtfymevlion.exe
  2⤵
  PID:4388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgcvrlwvkgxsmffoqdic.exe .
1⤵
PID:4980
- C:\Windows\mgcvrlwvkgxsmffoqdic.exe
  mgcvrlwvkgxsmffoqdic.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3524
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\mgcvrlwvkgxsmffoqdic.exe*."
    3⤵
    PID:5312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yogvndkfqivmcrns.exe
1⤵
PID:5044
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4488
- C:\Windows\yogvndkfqivmcrns.exe
  yogvndkfqivmcrns.exe
  2⤵
  PID:2180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogarldmjwqfyqhfmmx.exe .
1⤵
PID:4976
- C:\Windows\ogarldmjwqfyqhfmmx.exe
  ogarldmjwqfyqhfmmx.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4448
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\ogarldmjwqfyqhfmmx.exe*."
    3⤵
    PID:2000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe
1⤵
PID:3940
- C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe
  C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe
  2⤵
  PID:2372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe .
1⤵
PID:1464
- C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe .
  2⤵
  PID:2936
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\ogarldmjwqfyqhfmmx.exe*."
    3⤵
    PID:4540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
1⤵
PID:4220
- C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
  2⤵
  PID:2404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgcvrlwvkgxsmffoqdic.exe .
1⤵
PID:1368
- C:\Users\Admin\AppData\Local\Temp\mgcvrlwvkgxsmffoqdic.exe
  C:\Users\Admin\AppData\Local\Temp\mgcvrlwvkgxsmffoqdic.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5700
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\mgcvrlwvkgxsmffoqdic.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:6100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yogvndkfqivmcrns.exe
1⤵
PID:3988
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3016
- C:\Windows\yogvndkfqivmcrns.exe
  yogvndkfqivmcrns.exe
  2⤵
  PID:1768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgcvrlwvkgxsmffoqdic.exe .
1⤵
PID:2476
- C:\Windows\mgcvrlwvkgxsmffoqdic.exe
  mgcvrlwvkgxsmffoqdic.exe .
  2⤵
  - Checks computer location settings
  PID:3004
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\mgcvrlwvkgxsmffoqdic.exe*."
    3⤵
    PID:2268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogarldmjwqfyqhfmmx.exe
1⤵
PID:5308
- C:\Windows\ogarldmjwqfyqhfmmx.exe
  ogarldmjwqfyqhfmmx.exe
  2⤵
  PID:3428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwpfypxtfymevlion.exe .
1⤵
PID:3544
- C:\Windows\fwpfypxtfymevlion.exe
  fwpfypxtfymevlion.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5704
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\fwpfypxtfymevlion.exe*."
    3⤵
    PID:5836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe
1⤵
PID:536
- C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe
  C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe
  2⤵
  PID:2364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe .
1⤵
PID:4140
- C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe
  C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe .
  2⤵
  - Checks computer location settings
  PID:3684
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\zsnfatdbpkaunfemnzd.exe*."
    3⤵
    PID:8

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe
1⤵
PID:4692
- C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe
  C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe
  2⤵
  PID:1952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe .
1⤵
PID:3308
- C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe .
  2⤵
  - Checks computer location settings
  PID:3184
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\ogarldmjwqfyqhfmmx.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - System policy modification
    PID:4264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogarldmjwqfyqhfmmx.exe
1⤵
PID:5028
- C:\Windows\ogarldmjwqfyqhfmmx.exe
  ogarldmjwqfyqhfmmx.exe
  2⤵
  PID:5456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yogvndkfqivmcrns.exe .
1⤵
PID:2932
- C:\Windows\yogvndkfqivmcrns.exe
  yogvndkfqivmcrns.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3616
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\yogvndkfqivmcrns.exe*."
    3⤵
    PID:5932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwtnkfrrhewsnhisvjpkh.exe
1⤵
PID:928
- C:\Windows\bwtnkfrrhewsnhisvjpkh.exe
  bwtnkfrrhewsnhisvjpkh.exe
  2⤵
  PID:3192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgcvrlwvkgxsmffoqdic.exe .
1⤵
PID:5764
- C:\Windows\mgcvrlwvkgxsmffoqdic.exe
  mgcvrlwvkgxsmffoqdic.exe .
  2⤵
  - Checks computer location settings
  PID:912
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\mgcvrlwvkgxsmffoqdic.exe*."
    3⤵
    PID:1692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe
1⤵
PID:5576
- C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe
  C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe
  2⤵
  PID:4684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe .
1⤵
PID:4536
- C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe
  C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe .
  2⤵
  PID:6060
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\bwtnkfrrhewsnhisvjpkh.exe*."
    3⤵
    PID:5020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe
1⤵
PID:2372
- C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe
  C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe
  2⤵
  PID:4568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe .
1⤵
PID:4052
- C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe
  C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4572
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\zsnfatdbpkaunfemnzd.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogarldmjwqfyqhfmmx.exe
1⤵
PID:5920
- C:\Windows\ogarldmjwqfyqhfmmx.exe
  ogarldmjwqfyqhfmmx.exe
  2⤵
  PID:4596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwtnkfrrhewsnhisvjpkh.exe .
1⤵
PID:800
- C:\Windows\bwtnkfrrhewsnhisvjpkh.exe
  bwtnkfrrhewsnhisvjpkh.exe .
  2⤵
  PID:5980
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\bwtnkfrrhewsnhisvjpkh.exe*."
    3⤵
    PID:5192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogarldmjwqfyqhfmmx.exe
1⤵
PID:2988
- C:\Windows\ogarldmjwqfyqhfmmx.exe
  ogarldmjwqfyqhfmmx.exe
  2⤵
  PID:5960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgcvrlwvkgxsmffoqdic.exe .
1⤵
PID:908
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4756
- C:\Windows\mgcvrlwvkgxsmffoqdic.exe
  mgcvrlwvkgxsmffoqdic.exe .
  2⤵
  - Checks computer location settings
  PID:3420
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\mgcvrlwvkgxsmffoqdic.exe*."
    3⤵
    PID:3376

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:5772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe
1⤵
PID:3104
- C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe
  C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe
  2⤵
  PID:3428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe .
1⤵
PID:2676
- C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1212
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\yogvndkfqivmcrns.exe*."
    3⤵
    PID:2484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
1⤵
PID:5632
- C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
  2⤵
  PID:5600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe .
1⤵
PID:5836
- C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe .
  2⤵
  - Checks computer location settings
  PID:5264
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\ogarldmjwqfyqhfmmx.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwpfypxtfymevlion.exe
1⤵
PID:5432
- C:\Windows\fwpfypxtfymevlion.exe
  fwpfypxtfymevlion.exe
  2⤵
  PID:5596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwpfypxtfymevlion.exe
1⤵
PID:4412
- C:\Windows\fwpfypxtfymevlion.exe
  fwpfypxtfymevlion.exe
  2⤵
  PID:5732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgcvrlwvkgxsmffoqdic.exe .
1⤵
PID:2628
- C:\Windows\mgcvrlwvkgxsmffoqdic.exe
  mgcvrlwvkgxsmffoqdic.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:448
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\mgcvrlwvkgxsmffoqdic.exe*."
    3⤵
    PID:2380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yogvndkfqivmcrns.exe .
1⤵
PID:4796
- C:\Windows\yogvndkfqivmcrns.exe
  yogvndkfqivmcrns.exe .
  2⤵
  - Checks computer location settings
  PID:3616
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\yogvndkfqivmcrns.exe*."
    3⤵
    PID:4440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogarldmjwqfyqhfmmx.exe
1⤵
PID:3980
- C:\Windows\ogarldmjwqfyqhfmmx.exe
  ogarldmjwqfyqhfmmx.exe
  2⤵
  PID:3140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwtnkfrrhewsnhisvjpkh.exe
1⤵
PID:5256
- C:\Windows\bwtnkfrrhewsnhisvjpkh.exe
  bwtnkfrrhewsnhisvjpkh.exe
  2⤵
  PID:4492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yogvndkfqivmcrns.exe .
1⤵
PID:864
- C:\Windows\yogvndkfqivmcrns.exe
  yogvndkfqivmcrns.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4516
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\yogvndkfqivmcrns.exe*."
    3⤵
    PID:4452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgcvrlwvkgxsmffoqdic.exe
1⤵
PID:2644
- C:\Windows\mgcvrlwvkgxsmffoqdic.exe
  mgcvrlwvkgxsmffoqdic.exe
  2⤵
  PID:2772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe
1⤵
PID:2072
- C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe
  C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe
  2⤵
  PID:2988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsnfatdbpkaunfemnzd.exe .
1⤵
PID:3692
- C:\Windows\zsnfatdbpkaunfemnzd.exe
  zsnfatdbpkaunfemnzd.exe .
  2⤵
  PID:4336
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\zsnfatdbpkaunfemnzd.exe*."
    3⤵
    PID:6024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yogvndkfqivmcrns.exe .
1⤵
PID:4636
- C:\Windows\yogvndkfqivmcrns.exe
  yogvndkfqivmcrns.exe .
  2⤵
  - Checks computer location settings
  PID:3428
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\yogvndkfqivmcrns.exe*."
    3⤵
    PID:5664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe .
1⤵
PID:1408
- C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2484
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\yogvndkfqivmcrns.exe*."
    3⤵
    PID:1112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe
1⤵
PID:3540
- C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe
  C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe
  2⤵
  PID:4460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgcvrlwvkgxsmffoqdic.exe .
1⤵
PID:5020
- C:\Users\Admin\AppData\Local\Temp\mgcvrlwvkgxsmffoqdic.exe
  C:\Users\Admin\AppData\Local\Temp\mgcvrlwvkgxsmffoqdic.exe .
  2⤵
  PID:3284
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\mgcvrlwvkgxsmffoqdic.exe*."
    3⤵
    PID:5264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogarldmjwqfyqhfmmx.exe
1⤵
PID:1612
- C:\Windows\ogarldmjwqfyqhfmmx.exe
  ogarldmjwqfyqhfmmx.exe
  2⤵
  PID:4528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsnfatdbpkaunfemnzd.exe .
1⤵
PID:2704
- C:\Windows\zsnfatdbpkaunfemnzd.exe
  zsnfatdbpkaunfemnzd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2204
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\zsnfatdbpkaunfemnzd.exe*."
    3⤵
    PID:5608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
1⤵
PID:804
- C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
  2⤵
  PID:5896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe
1⤵
PID:4760
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3480
- C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe
  C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe
  2⤵
  PID:3620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe .
1⤵
PID:5072
- C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe
  C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe .
  2⤵
  PID:1792
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\fwpfypxtfymevlion.exe*."
    3⤵
    PID:4016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
1⤵
PID:1140
- C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
  2⤵
  PID:5220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe .
1⤵
PID:5356
- C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe
  C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe .
  2⤵
  PID:4540
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\zsnfatdbpkaunfemnzd.exe*."
    3⤵
    PID:5640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe .
1⤵
PID:5564
- C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe .
  2⤵
  PID:5008
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\ogarldmjwqfyqhfmmx.exe*."
    3⤵
    PID:4028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe
1⤵
PID:3004
- C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe
  C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe
  2⤵
  PID:5864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgcvrlwvkgxsmffoqdic.exe .
1⤵
PID:2232
- C:\Users\Admin\AppData\Local\Temp\mgcvrlwvkgxsmffoqdic.exe
  C:\Users\Admin\AppData\Local\Temp\mgcvrlwvkgxsmffoqdic.exe .
  2⤵
  PID:4892
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\mgcvrlwvkgxsmffoqdic.exe*."
    3⤵
    PID:4888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwtnkfrrhewsnhisvjpkh.exe
1⤵
PID:3688
- C:\Windows\bwtnkfrrhewsnhisvjpkh.exe
  bwtnkfrrhewsnhisvjpkh.exe
  2⤵
  PID:3412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgcvrlwvkgxsmffoqdic.exe .
1⤵
PID:6096
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1916
- C:\Windows\mgcvrlwvkgxsmffoqdic.exe
  mgcvrlwvkgxsmffoqdic.exe .
  2⤵
  PID:3980
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\mgcvrlwvkgxsmffoqdic.exe*."
    3⤵
    PID:2164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsnfatdbpkaunfemnzd.exe
1⤵
PID:460
- C:\Windows\zsnfatdbpkaunfemnzd.exe
  zsnfatdbpkaunfemnzd.exe
  2⤵
  PID:5248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwtnkfrrhewsnhisvjpkh.exe .
1⤵
PID:2772
- C:\Windows\bwtnkfrrhewsnhisvjpkh.exe
  bwtnkfrrhewsnhisvjpkh.exe .
  2⤵
  PID:1264
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\bwtnkfrrhewsnhisvjpkh.exe*."
    3⤵
    PID:4516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgcvrlwvkgxsmffoqdic.exe
1⤵
PID:5116
- C:\Users\Admin\AppData\Local\Temp\mgcvrlwvkgxsmffoqdic.exe
  C:\Users\Admin\AppData\Local\Temp\mgcvrlwvkgxsmffoqdic.exe
  2⤵
  PID:5384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe .
1⤵
PID:5444
- C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe
  C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe .
  2⤵
  PID:4400
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\bwtnkfrrhewsnhisvjpkh.exe*."
    3⤵
    PID:3228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe
1⤵
PID:668
- C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe
  C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe
  2⤵
  PID:556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe .
1⤵
PID:4728
- C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe .
  2⤵
  PID:5896
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\ogarldmjwqfyqhfmmx.exe*."
    3⤵
    PID:852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yogvndkfqivmcrns.exe
1⤵
PID:1956
- C:\Windows\yogvndkfqivmcrns.exe
  yogvndkfqivmcrns.exe
  2⤵
  PID:2292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwtnkfrrhewsnhisvjpkh.exe .
1⤵
PID:4784
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5692
- C:\Windows\bwtnkfrrhewsnhisvjpkh.exe
  bwtnkfrrhewsnhisvjpkh.exe .
  2⤵
  PID:5292
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\bwtnkfrrhewsnhisvjpkh.exe*."
    3⤵
    PID:4804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwpfypxtfymevlion.exe
1⤵
PID:4004
- C:\Windows\fwpfypxtfymevlion.exe
  fwpfypxtfymevlion.exe
  2⤵
  PID:3828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwpfypxtfymevlion.exe .
1⤵
PID:1112
- C:\Windows\fwpfypxtfymevlion.exe
  fwpfypxtfymevlion.exe .
  2⤵
  PID:5732
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\fwpfypxtfymevlion.exe*."
    3⤵
    PID:3636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
1⤵
PID:2084
- C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
  2⤵
  PID:2952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe .
1⤵
PID:4820
- C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe .
  2⤵
  PID:4504
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\ogarldmjwqfyqhfmmx.exe*."
    3⤵
    PID:3456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
1⤵
PID:2268
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3420
- C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
  2⤵
  PID:5356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe .
1⤵
PID:5564
- C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe
  C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe .
  2⤵
  PID:5072
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\zsnfatdbpkaunfemnzd.exe*."
    3⤵
    PID:3164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yogvndkfqivmcrns.exe
1⤵
PID:448
- C:\Windows\yogvndkfqivmcrns.exe
  yogvndkfqivmcrns.exe
  2⤵
  PID:908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwtnkfrrhewsnhisvjpkh.exe .
1⤵
PID:2868
- C:\Windows\bwtnkfrrhewsnhisvjpkh.exe
  bwtnkfrrhewsnhisvjpkh.exe .
  2⤵
  PID:4736
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\bwtnkfrrhewsnhisvjpkh.exe*."
    3⤵
    PID:3412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogarldmjwqfyqhfmmx.exe
1⤵
PID:5240
- C:\Windows\ogarldmjwqfyqhfmmx.exe
  ogarldmjwqfyqhfmmx.exe
  2⤵
  PID:3652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogarldmjwqfyqhfmmx.exe .
1⤵
PID:5028
- C:\Windows\ogarldmjwqfyqhfmmx.exe
  ogarldmjwqfyqhfmmx.exe .
  2⤵
  PID:4076
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\ogarldmjwqfyqhfmmx.exe*."
    3⤵
    PID:548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
1⤵
PID:1132
- C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
  2⤵
  PID:5492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe .
1⤵
PID:460
- C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe
  C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe .
  2⤵
  PID:5584
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\fwpfypxtfymevlion.exe*."
    3⤵
    PID:6116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
1⤵
PID:5568
- C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
  2⤵
  PID:4912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe .
1⤵
PID:4516
- C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe .
  2⤵
  PID:1776
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\ogarldmjwqfyqhfmmx.exe*."
    3⤵
    PID:5776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogarldmjwqfyqhfmmx.exe
1⤵
PID:5176
- C:\Windows\ogarldmjwqfyqhfmmx.exe
  ogarldmjwqfyqhfmmx.exe
  2⤵
  PID:3692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yogvndkfqivmcrns.exe .
1⤵
PID:5284
- C:\Windows\yogvndkfqivmcrns.exe
  yogvndkfqivmcrns.exe .
  2⤵
  PID:5280
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\yogvndkfqivmcrns.exe*."
    3⤵
    PID:1840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwpfypxtfymevlion.exe
1⤵
PID:4756
- C:\Windows\fwpfypxtfymevlion.exe
  fwpfypxtfymevlion.exe
  2⤵
  PID:3544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgcvrlwvkgxsmffoqdic.exe .
1⤵
PID:4836
- C:\Windows\mgcvrlwvkgxsmffoqdic.exe
  mgcvrlwvkgxsmffoqdic.exe .
  2⤵
  PID:1960
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\mgcvrlwvkgxsmffoqdic.exe*."
    3⤵
    PID:2204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgcvrlwvkgxsmffoqdic.exe
1⤵
PID:3160
- C:\Users\Admin\AppData\Local\Temp\mgcvrlwvkgxsmffoqdic.exe
  C:\Users\Admin\AppData\Local\Temp\mgcvrlwvkgxsmffoqdic.exe
  2⤵
  PID:4792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe .
1⤵
PID:3992
- C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe
  C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe .
  2⤵
  PID:4720
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\bwtnkfrrhewsnhisvjpkh.exe*."
    3⤵
    PID:4632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
1⤵
PID:5336
- C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
  2⤵
  PID:5556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe .
1⤵
PID:3952
- C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe
  C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe .
  2⤵
  PID:6080
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\zsnfatdbpkaunfemnzd.exe*."
    3⤵
    PID:3488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwpfypxtfymevlion.exe
1⤵
PID:2112
- C:\Windows\fwpfypxtfymevlion.exe
  fwpfypxtfymevlion.exe
  2⤵
  PID:2616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwtnkfrrhewsnhisvjpkh.exe .
1⤵
PID:1004
- C:\Windows\bwtnkfrrhewsnhisvjpkh.exe
  bwtnkfrrhewsnhisvjpkh.exe .
  2⤵
  PID:4404
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\bwtnkfrrhewsnhisvjpkh.exe*."
    3⤵
    PID:2648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yogvndkfqivmcrns.exe
1⤵
PID:5944
- C:\Windows\yogvndkfqivmcrns.exe
  yogvndkfqivmcrns.exe
  2⤵
  PID:2932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsnfatdbpkaunfemnzd.exe .
1⤵
PID:852
- C:\Windows\zsnfatdbpkaunfemnzd.exe
  zsnfatdbpkaunfemnzd.exe .
  2⤵
  PID:5344
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\zsnfatdbpkaunfemnzd.exe*."
    3⤵
    PID:4888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe
1⤵
PID:5360
- C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe
  C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe
  2⤵
  PID:2960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe .
1⤵
PID:4876
- C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe .
  2⤵
  PID:3096
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\ogarldmjwqfyqhfmmx.exe*."
    3⤵
    PID:4584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
1⤵
PID:4840
- C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
  2⤵
  PID:2324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe .
1⤵
PID:4968
- C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe .
  2⤵
  PID:3008
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\yogvndkfqivmcrns.exe*."
    3⤵
    PID:5848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwpfypxtfymevlion.exe
1⤵
PID:1596
- C:\Windows\fwpfypxtfymevlion.exe
  fwpfypxtfymevlion.exe
  2⤵
  PID:4796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwtnkfrrhewsnhisvjpkh.exe .
1⤵
PID:1132
- C:\Windows\bwtnkfrrhewsnhisvjpkh.exe
  bwtnkfrrhewsnhisvjpkh.exe .
  2⤵
  PID:5032
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\bwtnkfrrhewsnhisvjpkh.exe*."
    3⤵
    PID:4748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsnfatdbpkaunfemnzd.exe
1⤵
PID:5676
- C:\Windows\zsnfatdbpkaunfemnzd.exe
  zsnfatdbpkaunfemnzd.exe
  2⤵
  PID:756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwtnkfrrhewsnhisvjpkh.exe .
1⤵
PID:1020
- C:\Windows\bwtnkfrrhewsnhisvjpkh.exe
  bwtnkfrrhewsnhisvjpkh.exe .
  2⤵
  PID:2056
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\bwtnkfrrhewsnhisvjpkh.exe*."
    3⤵
    PID:2600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe
1⤵
PID:4544
- C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe
  C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe
  2⤵
  PID:4960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe .
1⤵
PID:4220
- C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe
  C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe .
  2⤵
  PID:8
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\bwtnkfrrhewsnhisvjpkh.exe*."
    3⤵
    PID:4420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwpfypxtfymevlion.exe
1⤵
PID:3540
- C:\Windows\fwpfypxtfymevlion.exe
  fwpfypxtfymevlion.exe
  2⤵
  PID:5808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe
1⤵
PID:5896
- C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe
  C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe
  2⤵
  PID:4756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe .
1⤵
PID:5664
- C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe .
  2⤵
  PID:536
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\ogarldmjwqfyqhfmmx.exe*."
    3⤵
    PID:4508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogarldmjwqfyqhfmmx.exe
1⤵
PID:4464
- C:\Windows\ogarldmjwqfyqhfmmx.exe
  ogarldmjwqfyqhfmmx.exe
  2⤵
  PID:4148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwtnkfrrhewsnhisvjpkh.exe .
1⤵
PID:2208
- C:\Windows\bwtnkfrrhewsnhisvjpkh.exe
  bwtnkfrrhewsnhisvjpkh.exe .
  2⤵
  PID:4872
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\bwtnkfrrhewsnhisvjpkh.exe*."
    3⤵
    PID:2704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgcvrlwvkgxsmffoqdic.exe .
1⤵
PID:3104
- C:\Windows\mgcvrlwvkgxsmffoqdic.exe
  mgcvrlwvkgxsmffoqdic.exe .
  2⤵
  PID:1036
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\mgcvrlwvkgxsmffoqdic.exe*."
    3⤵
    PID:3704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yogvndkfqivmcrns.exe
1⤵
PID:4012
- C:\Windows\yogvndkfqivmcrns.exe
  yogvndkfqivmcrns.exe
  2⤵
  PID:3952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yogvndkfqivmcrns.exe .
1⤵
PID:4008
- C:\Windows\yogvndkfqivmcrns.exe
  yogvndkfqivmcrns.exe .
  2⤵
  PID:2492
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\yogvndkfqivmcrns.exe*."
    3⤵
    PID:4968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwtnkfrrhewsnhisvjpkh.exe
1⤵
PID:4708
- C:\Windows\bwtnkfrrhewsnhisvjpkh.exe
  bwtnkfrrhewsnhisvjpkh.exe
  2⤵
  PID:3564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe
1⤵
PID:5596
- C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe
  C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe
  2⤵
  PID:4840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwtnkfrrhewsnhisvjpkh.exe .
1⤵
PID:4540
- C:\Windows\bwtnkfrrhewsnhisvjpkh.exe
  bwtnkfrrhewsnhisvjpkh.exe .
  2⤵
  PID:5684
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\bwtnkfrrhewsnhisvjpkh.exe*."
    3⤵
    PID:4132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe .
1⤵
PID:2404
- C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe
  C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe .
  2⤵
  PID:2232
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\fwpfypxtfymevlion.exe*."
    3⤵
    PID:3616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe
1⤵
PID:6104
- C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe
  C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe
  2⤵
  PID:4988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe .
1⤵
PID:4552
- C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe
  C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe .
  2⤵
  PID:400
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\bwtnkfrrhewsnhisvjpkh.exe*."
    3⤵
    PID:4748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgcvrlwvkgxsmffoqdic.exe
1⤵
PID:5356
- C:\Windows\mgcvrlwvkgxsmffoqdic.exe
  mgcvrlwvkgxsmffoqdic.exe
  2⤵
  PID:4572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgcvrlwvkgxsmffoqdic.exe
1⤵
PID:4676
- C:\Users\Admin\AppData\Local\Temp\mgcvrlwvkgxsmffoqdic.exe
  C:\Users\Admin\AppData\Local\Temp\mgcvrlwvkgxsmffoqdic.exe
  2⤵
  PID:464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe .
1⤵
PID:1440
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3004
- C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe
  C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe .
  2⤵
  PID:5544
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\zsnfatdbpkaunfemnzd.exe*."
    3⤵
    PID:5464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwtnkfrrhewsnhisvjpkh.exe .
1⤵
PID:1140
- C:\Windows\bwtnkfrrhewsnhisvjpkh.exe
  bwtnkfrrhewsnhisvjpkh.exe .
  2⤵
  PID:5244
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\bwtnkfrrhewsnhisvjpkh.exe*."
    3⤵
    PID:5260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
1⤵
PID:3020
- C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
  2⤵
  PID:1776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe .
1⤵
PID:5500
- C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe
  C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe .
  2⤵
  PID:5444
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\bwtnkfrrhewsnhisvjpkh.exe*."
    3⤵
    PID:3204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogarldmjwqfyqhfmmx.exe
1⤵
PID:4860
- C:\Windows\ogarldmjwqfyqhfmmx.exe
  ogarldmjwqfyqhfmmx.exe
  2⤵
  PID:4696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwtnkfrrhewsnhisvjpkh.exe .
1⤵
PID:5352
- C:\Windows\bwtnkfrrhewsnhisvjpkh.exe
  bwtnkfrrhewsnhisvjpkh.exe .
  2⤵
  PID:5180
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\bwtnkfrrhewsnhisvjpkh.exe*."
    3⤵
    PID:5848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe
1⤵
PID:6024
- C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe
  C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe
  2⤵
  PID:4416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe .
1⤵
PID:5044
- C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe
  C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe .
  2⤵
  PID:8
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\bwtnkfrrhewsnhisvjpkh.exe*."
    3⤵
    PID:5600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
1⤵
PID:2408
- C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
  2⤵
  PID:3540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe .
1⤵
PID:5188
- C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe
  C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe .
  2⤵
  PID:3644
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\zsnfatdbpkaunfemnzd.exe*."
    3⤵
    PID:5764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogarldmjwqfyqhfmmx.exe
1⤵
PID:5672
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4720
- C:\Windows\ogarldmjwqfyqhfmmx.exe
  ogarldmjwqfyqhfmmx.exe
  2⤵
  PID:2704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgcvrlwvkgxsmffoqdic.exe .
1⤵
PID:6000
- C:\Windows\mgcvrlwvkgxsmffoqdic.exe
  mgcvrlwvkgxsmffoqdic.exe .
  2⤵
  PID:3748
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\mgcvrlwvkgxsmffoqdic.exe*."
    3⤵
    PID:4660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwpfypxtfymevlion.exe
1⤵
PID:3184
- C:\Windows\fwpfypxtfymevlion.exe
  fwpfypxtfymevlion.exe
  2⤵
  PID:5588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogarldmjwqfyqhfmmx.exe .
1⤵
PID:928
- C:\Windows\ogarldmjwqfyqhfmmx.exe
  ogarldmjwqfyqhfmmx.exe .
  2⤵
  PID:3532
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\ogarldmjwqfyqhfmmx.exe*."
    3⤵
    PID:3000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
1⤵
PID:4036
- C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
  2⤵
  PID:3472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe .
1⤵
PID:4592
- C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe
  C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe .
  2⤵
  PID:4708
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\bwtnkfrrhewsnhisvjpkh.exe*."
    3⤵
    PID:3208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
1⤵
PID:4868
- C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
  2⤵
  PID:3040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe .
1⤵
PID:408
- C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe
  C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe .
  2⤵
  PID:548
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\bwtnkfrrhewsnhisvjpkh.exe*."
    3⤵
    PID:4016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwtnkfrrhewsnhisvjpkh.exe
1⤵
PID:3308
- C:\Windows\bwtnkfrrhewsnhisvjpkh.exe
  bwtnkfrrhewsnhisvjpkh.exe
  2⤵
  PID:1032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsnfatdbpkaunfemnzd.exe .
1⤵
PID:3924
- C:\Windows\zsnfatdbpkaunfemnzd.exe
  zsnfatdbpkaunfemnzd.exe .
  2⤵
  PID:5340
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\zsnfatdbpkaunfemnzd.exe*."
    3⤵
    PID:5436
  - - C:\Users\Admin\AppData\Local\Temp\uhjtegr.exe
      "C:\Users\Admin\AppData\Local\Temp\uhjtegr.exe" "-C:\Users\Admin\AppData\Local\Temp\tpatnysgyivmcrns.exe"
      4⤵
      PID:756
  - - C:\Users\Admin\AppData\Local\Temp\uhjtegr.exe
      "C:\Users\Admin\AppData\Local\Temp\uhjtegr.exe" "-C:\Users\Admin\AppData\Local\Temp\tpatnysgyivmcrns.exe"
      4⤵
      PID:2500
  - - C:\Users\Admin\AppData\Local\Temp\uhjtegr.exe
      "C:\Users\Admin\AppData\Local\Temp\uhjtegr.exe" "-C:\Users\Admin\AppData\Local\Temp\tpatnysgyivmcrns.exe"
      4⤵
      PID:536
  - - C:\Users\Admin\AppData\Local\Temp\uhjtegr.exe
      "C:\Users\Admin\AppData\Local\Temp\uhjtegr.exe" "-C:\Users\Admin\AppData\Local\Temp\tpatnysgyivmcrns.exe"
      4⤵
      PID:3580
  - - C:\Users\Admin\AppData\Local\Temp\uhjtegr.exe
      "C:\Users\Admin\AppData\Local\Temp\uhjtegr.exe" "-C:\Users\Admin\AppData\Local\Temp\tpatnysgyivmcrns.exe"
      4⤵
      PID:912
  - - C:\Users\Admin\AppData\Local\Temp\uhjtegr.exe
      "C:\Users\Admin\AppData\Local\Temp\uhjtegr.exe" "-C:\Users\Admin\AppData\Local\Temp\tpatnysgyivmcrns.exe"
      4⤵
      PID:4976
  - - C:\Users\Admin\AppData\Local\Temp\uhjtegr.exe
      "C:\Users\Admin\AppData\Local\Temp\uhjtegr.exe" "-C:\Users\Admin\AppData\Local\Temp\tpatnysgyivmcrns.exe"
      4⤵
      PID:5704
  - - C:\Users\Admin\AppData\Local\Temp\uhjtegr.exe
      "C:\Users\Admin\AppData\Local\Temp\uhjtegr.exe" "-C:\Users\Admin\AppData\Local\Temp\tpatnysgyivmcrns.exe"
      4⤵
      PID:3600
  - - C:\Users\Admin\AppData\Local\Temp\uhjtegr.exe
      "C:\Users\Admin\AppData\Local\Temp\uhjtegr.exe" "-C:\Users\Admin\AppData\Local\Temp\tpatnysgyivmcrns.exe"
      4⤵
      PID:1596
  - - C:\Users\Admin\AppData\Local\Temp\uhjtegr.exe
      "C:\Users\Admin\AppData\Local\Temp\uhjtegr.exe" "-C:\Users\Admin\AppData\Local\Temp\tpatnysgyivmcrns.exe"
      4⤵
      PID:5028
  - - C:\Users\Admin\AppData\Local\Temp\uhjtegr.exe
      "C:\Users\Admin\AppData\Local\Temp\uhjtegr.exe" "-C:\Users\Admin\AppData\Local\Temp\tpatnysgyivmcrns.exe"
      4⤵
      PID:5732
  - - C:\Users\Admin\AppData\Local\Temp\uhjtegr.exe
      "C:\Users\Admin\AppData\Local\Temp\uhjtegr.exe" "-C:\Users\Admin\AppData\Local\Temp\tpatnysgyivmcrns.exe"
      4⤵
      PID:3924
  - - C:\Users\Admin\AppData\Local\Temp\uhjtegr.exe
      "C:\Users\Admin\AppData\Local\Temp\uhjtegr.exe" "-C:\Users\Admin\AppData\Local\Temp\tpatnysgyivmcrns.exe"
      4⤵
      PID:4448
  - - C:\Users\Admin\AppData\Local\Temp\uhjtegr.exe
      "C:\Users\Admin\AppData\Local\Temp\uhjtegr.exe" "-C:\Users\Admin\AppData\Local\Temp\tpatnysgyivmcrns.exe"
      4⤵
      PID:3676
  - - C:\Users\Admin\AppData\Local\Temp\uhjtegr.exe
      "C:\Users\Admin\AppData\Local\Temp\uhjtegr.exe" "-C:\Users\Admin\AppData\Local\Temp\tpatnysgyivmcrns.exe"
      4⤵
      PID:4500
  - - C:\Users\Admin\AppData\Local\Temp\uhjtegr.exe
      "C:\Users\Admin\AppData\Local\Temp\uhjtegr.exe" "-C:\Users\Admin\AppData\Local\Temp\tpatnysgyivmcrns.exe"
      4⤵
      PID:1840
  - - C:\Users\Admin\AppData\Local\Temp\uhjtegr.exe
      "C:\Users\Admin\AppData\Local\Temp\uhjtegr.exe" "-C:\Users\Admin\AppData\Local\Temp\tpatnysgyivmcrns.exe"
      4⤵
      PID:3244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogarldmjwqfyqhfmmx.exe
1⤵
PID:2772
- C:\Windows\ogarldmjwqfyqhfmmx.exe
  ogarldmjwqfyqhfmmx.exe
  2⤵
  PID:5356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwpfypxtfymevlion.exe .
1⤵
PID:4960
- C:\Windows\fwpfypxtfymevlion.exe
  fwpfypxtfymevlion.exe .
  2⤵
  PID:4608
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\fwpfypxtfymevlion.exe*."
    3⤵
    PID:4532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
1⤵
PID:4808
- C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
  2⤵
  PID:5568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe .
1⤵
PID:1612
- C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe
  C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe .
  2⤵
  PID:2868
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\bwtnkfrrhewsnhisvjpkh.exe*."
    3⤵
    PID:1188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uthdaolcxkaunfemnzy.exe
1⤵
PID:1596
- C:\Windows\uthdaolcxkaunfemnzy.exe
  uthdaolcxkaunfemnzy.exe
  2⤵
  PID:2056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgcvrlwvkgxsmffoqdic.exe
1⤵
PID:5464
- C:\Users\Admin\AppData\Local\Temp\mgcvrlwvkgxsmffoqdic.exe
  C:\Users\Admin\AppData\Local\Temp\mgcvrlwvkgxsmffoqdic.exe
  2⤵
  PID:4832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c axjdykfunymevlion.exe .
1⤵
PID:4516
- C:\Windows\axjdykfunymevlion.exe
  axjdykfunymevlion.exe .
  2⤵
  PID:3620
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\axjdykfunymevlion.exe*."
    3⤵
    PID:5512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe .
1⤵
PID:996
- C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe
  C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe .
  2⤵
  PID:5448
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\fwpfypxtfymevlion.exe*."
    3⤵
    PID:4252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hhwtrgewsgxsmffoqddd.exe
1⤵
PID:5372
- C:\Windows\hhwtrgewsgxsmffoqddd.exe
  hhwtrgewsgxsmffoqddd.exe
  2⤵
  PID:4292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jhuplyukeqfyqhfmmx.exe .
1⤵
PID:5268
- C:\Windows\jhuplyukeqfyqhfmmx.exe
  jhuplyukeqfyqhfmmx.exe .
  2⤵
  PID:3540
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\jhuplyukeqfyqhfmmx.exe*."
    3⤵
    PID:5640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnlkazspewsnhisvjklb.exe
1⤵
PID:3832
- C:\Users\Admin\AppData\Local\Temp\wxnlkazspewsnhisvjklb.exe
  C:\Users\Admin\AppData\Local\Temp\wxnlkazspewsnhisvjklb.exe
  2⤵
  PID:4756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwtrgewsgxsmffoqddd.exe .
1⤵
PID:3228
- C:\Users\Admin\AppData\Local\Temp\hhwtrgewsgxsmffoqddd.exe
  C:\Users\Admin\AppData\Local\Temp\hhwtrgewsgxsmffoqddd.exe .
  2⤵
  PID:5188
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\hhwtrgewsgxsmffoqddd.exe*."
    3⤵
    PID:4844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogarldmjwqfyqhfmmx.exe
1⤵
PID:4636
- C:\Windows\ogarldmjwqfyqhfmmx.exe
  ogarldmjwqfyqhfmmx.exe
  2⤵
  PID:5284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwtrgewsgxsmffoqddd.exe
1⤵
PID:3544
- C:\Users\Admin\AppData\Local\Temp\hhwtrgewsgxsmffoqddd.exe
  C:\Users\Admin\AppData\Local\Temp\hhwtrgewsgxsmffoqddd.exe
  2⤵
  PID:4140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwtrgewsgxsmffoqddd.exe .
1⤵
PID:4692
- C:\Users\Admin\AppData\Local\Temp\hhwtrgewsgxsmffoqddd.exe
  C:\Users\Admin\AppData\Local\Temp\hhwtrgewsgxsmffoqddd.exe .
  2⤵
  PID:760
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\hhwtrgewsgxsmffoqddd.exe*."
    3⤵
    PID:5792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogarldmjwqfyqhfmmx.exe .
1⤵
PID:3940
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1876
- C:\Windows\ogarldmjwqfyqhfmmx.exe
  ogarldmjwqfyqhfmmx.exe .
  2⤵
  PID:2952
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\ogarldmjwqfyqhfmmx.exe*."
    3⤵
    PID:4232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yogvndkfqivmcrns.exe
1⤵
PID:4892
- C:\Windows\yogvndkfqivmcrns.exe
  yogvndkfqivmcrns.exe
  2⤵
  PID:4572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogarldmjwqfyqhfmmx.exe .
1⤵
PID:5632
- C:\Windows\ogarldmjwqfyqhfmmx.exe
  ogarldmjwqfyqhfmmx.exe .
  2⤵
  PID:1096
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\ogarldmjwqfyqhfmmx.exe*."
    3⤵
    PID:5256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
1⤵
PID:3008
- C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
  2⤵
  PID:532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe .
1⤵
PID:3524
- C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe
  C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe .
  2⤵
  PID:5012
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\zsnfatdbpkaunfemnzd.exe*."
    3⤵
    PID:3308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe
1⤵
PID:4704
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3616
- C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe
  C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe
  2⤵
  PID:4640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe .
1⤵
PID:4008
- C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe
  C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe .
  2⤵
  PID:5288
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\fwpfypxtfymevlion.exe*."
    3⤵
    PID:224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgcvrlwvkgxsmffoqdic.exe
1⤵
PID:2128
- C:\Windows\mgcvrlwvkgxsmffoqdic.exe
  mgcvrlwvkgxsmffoqdic.exe
  2⤵
  PID:4408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yogvndkfqivmcrns.exe .
1⤵
PID:5360
- C:\Windows\yogvndkfqivmcrns.exe
  yogvndkfqivmcrns.exe .
  2⤵
  PID:5648
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\yogvndkfqivmcrns.exe*."
    3⤵
    PID:3696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsnfatdbpkaunfemnzd.exe
1⤵
PID:3744
- C:\Windows\zsnfatdbpkaunfemnzd.exe
  zsnfatdbpkaunfemnzd.exe
  2⤵
  PID:4552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgcvrlwvkgxsmffoqdic.exe .
1⤵
PID:5936
- C:\Windows\mgcvrlwvkgxsmffoqdic.exe
  mgcvrlwvkgxsmffoqdic.exe .
  2⤵
  PID:1900
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\mgcvrlwvkgxsmffoqdic.exe*."
    3⤵
    PID:4664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
1⤵
PID:6024
- C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
  2⤵
  PID:5808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe .
1⤵
PID:2960
- C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe .
  2⤵
  PID:1292
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\yogvndkfqivmcrns.exe*."
    3⤵
    PID:2000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c axjdykfunymevlion.exe
1⤵
PID:4420
- C:\Windows\axjdykfunymevlion.exe
  axjdykfunymevlion.exe
  2⤵
  PID:2240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
1⤵
PID:5976
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5688
- C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
  2⤵
  PID:5504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgcvrlwvkgxsmffoqdic.exe .
1⤵
PID:3100
- C:\Users\Admin\AppData\Local\Temp\mgcvrlwvkgxsmffoqdic.exe
  C:\Users\Admin\AppData\Local\Temp\mgcvrlwvkgxsmffoqdic.exe .
  2⤵
  PID:5208
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\mgcvrlwvkgxsmffoqdic.exe*."
    3⤵
    PID:1452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uthdaolcxkaunfemnzy.exe .
1⤵
PID:5884
- C:\Windows\uthdaolcxkaunfemnzy.exe
  uthdaolcxkaunfemnzy.exe .
  2⤵
  PID:3684
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\uthdaolcxkaunfemnzy.exe*."
    3⤵
    PID:5352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tpatnysgyivmcrns.exe
1⤵
PID:5308
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1536
- C:\Windows\tpatnysgyivmcrns.exe
  tpatnysgyivmcrns.exe
  2⤵
  PID:4804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hhwtrgewsgxsmffoqddd.exe .
1⤵
PID:3600
- C:\Windows\hhwtrgewsgxsmffoqddd.exe
  hhwtrgewsgxsmffoqddd.exe .
  2⤵
  PID:3680
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\hhwtrgewsgxsmffoqddd.exe*."
    3⤵
    PID:2952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnlkazspewsnhisvjklb.exe
1⤵
PID:4672
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3456
- C:\Users\Admin\AppData\Local\Temp\wxnlkazspewsnhisvjklb.exe
  C:\Users\Admin\AppData\Local\Temp\wxnlkazspewsnhisvjklb.exe
  2⤵
  PID:4524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwtrgewsgxsmffoqddd.exe .
1⤵
PID:5284
- C:\Users\Admin\AppData\Local\Temp\hhwtrgewsgxsmffoqddd.exe
  C:\Users\Admin\AppData\Local\Temp\hhwtrgewsgxsmffoqddd.exe .
  2⤵
  PID:804
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\hhwtrgewsgxsmffoqddd.exe*."
    3⤵
    PID:4868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogarldmjwqfyqhfmmx.exe
1⤵
PID:4956
- C:\Windows\ogarldmjwqfyqhfmmx.exe
  ogarldmjwqfyqhfmmx.exe
  2⤵
  PID:3528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogarldmjwqfyqhfmmx.exe .
1⤵
PID:1768
- C:\Windows\ogarldmjwqfyqhfmmx.exe
  ogarldmjwqfyqhfmmx.exe .
  2⤵
  PID:3996
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\ogarldmjwqfyqhfmmx.exe*."
    3⤵
    PID:1076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uthdaolcxkaunfemnzy.exe
1⤵
PID:3508
- C:\Users\Admin\AppData\Local\Temp\uthdaolcxkaunfemnzy.exe
  C:\Users\Admin\AppData\Local\Temp\uthdaolcxkaunfemnzy.exe
  2⤵
  PID:4988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhuplyukeqfyqhfmmx.exe .
1⤵
PID:1004
- C:\Users\Admin\AppData\Local\Temp\jhuplyukeqfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\jhuplyukeqfyqhfmmx.exe .
  2⤵
  PID:5944
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\jhuplyukeqfyqhfmmx.exe*."
    3⤵
    PID:396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yogvndkfqivmcrns.exe
1⤵
PID:2692
- C:\Windows\yogvndkfqivmcrns.exe
  yogvndkfqivmcrns.exe
  2⤵
  PID:5148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yogvndkfqivmcrns.exe .
1⤵
PID:3040
- C:\Windows\yogvndkfqivmcrns.exe
  yogvndkfqivmcrns.exe .
  2⤵
  PID:756
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\yogvndkfqivmcrns.exe*."
    3⤵
    PID:1112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
1⤵
PID:5760
- C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
  2⤵
  PID:3816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe .
1⤵
PID:2456
- C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe
  C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe .
  2⤵
  PID:1128
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\bwtnkfrrhewsnhisvjpkh.exe*."
    3⤵
    PID:3860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe
1⤵
PID:3136
- C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe
  C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe
  2⤵
  PID:4608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe .
1⤵
PID:1016
- C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe .
  2⤵
  PID:4848
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\yogvndkfqivmcrns.exe*."
    3⤵
    PID:4416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsnfatdbpkaunfemnzd.exe
1⤵
PID:1188
- C:\Windows\zsnfatdbpkaunfemnzd.exe
  zsnfatdbpkaunfemnzd.exe
  2⤵
  PID:5324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yogvndkfqivmcrns.exe .
1⤵
PID:6060
- C:\Windows\yogvndkfqivmcrns.exe
  yogvndkfqivmcrns.exe .
  2⤵
  PID:1900
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\yogvndkfqivmcrns.exe*."
    3⤵
    PID:5848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgcvrlwvkgxsmffoqdic.exe
1⤵
PID:4664
- C:\Windows\mgcvrlwvkgxsmffoqdic.exe
  mgcvrlwvkgxsmffoqdic.exe
  2⤵
  PID:3780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yogvndkfqivmcrns.exe
1⤵
PID:3192
- C:\Windows\yogvndkfqivmcrns.exe
  yogvndkfqivmcrns.exe
  2⤵
  PID:1692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yogvndkfqivmcrns.exe
1⤵
PID:392
- C:\Windows\yogvndkfqivmcrns.exe
  yogvndkfqivmcrns.exe
  2⤵
  PID:436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yogvndkfqivmcrns.exe .
1⤵
PID:2960
- C:\Windows\yogvndkfqivmcrns.exe
  yogvndkfqivmcrns.exe .
  2⤵
  PID:5988
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\yogvndkfqivmcrns.exe*."
    3⤵
    PID:3940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsnfatdbpkaunfemnzd.exe .
1⤵
PID:1376
- C:\Windows\zsnfatdbpkaunfemnzd.exe
  zsnfatdbpkaunfemnzd.exe .
  2⤵
  PID:1632
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\zsnfatdbpkaunfemnzd.exe*."
    3⤵
    PID:5836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwpfypxtfymevlion.exe .
1⤵
PID:996
- C:\Windows\fwpfypxtfymevlion.exe
  fwpfypxtfymevlion.exe .
  2⤵
  PID:4560
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\fwpfypxtfymevlion.exe*."
    3⤵
    PID:1528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe
1⤵
PID:556
- C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe
  C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe
  2⤵
  PID:3952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogarldmjwqfyqhfmmx.exe
1⤵
PID:5208
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5060
- C:\Windows\ogarldmjwqfyqhfmmx.exe
  ogarldmjwqfyqhfmmx.exe
  2⤵
  PID:3636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe .
1⤵
PID:3644
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3684
- C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe
  C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe .
  2⤵
  PID:2964
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\fwpfypxtfymevlion.exe*."
    3⤵
    PID:5768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsnfatdbpkaunfemnzd.exe .
1⤵
PID:2704
- C:\Windows\zsnfatdbpkaunfemnzd.exe
  zsnfatdbpkaunfemnzd.exe .
  2⤵
  PID:5072
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\zsnfatdbpkaunfemnzd.exe*."
    3⤵
    PID:5688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsnfatdbpkaunfemnzd.exe
1⤵
PID:2180
- C:\Windows\zsnfatdbpkaunfemnzd.exe
  zsnfatdbpkaunfemnzd.exe
  2⤵
  PID:5584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe
1⤵
PID:4524
- C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe
  C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe
  2⤵
  PID:852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgcvrlwvkgxsmffoqdic.exe .
1⤵
PID:5672
- C:\Windows\mgcvrlwvkgxsmffoqdic.exe
  mgcvrlwvkgxsmffoqdic.exe .
  2⤵
  PID:1400
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\mgcvrlwvkgxsmffoqdic.exe*."
    3⤵
    PID:4772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe .
1⤵
PID:3284
- C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe
  C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe .
  2⤵
  PID:6104
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\zsnfatdbpkaunfemnzd.exe*."
    3⤵
    PID:1808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
1⤵
PID:4876
- C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
  2⤵
  PID:5356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe
1⤵
PID:1960
- C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe
  C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe
  2⤵
  PID:1244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe .
1⤵
PID:3292
- C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe
  C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe .
  2⤵
  PID:3864
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\fwpfypxtfymevlion.exe*."
    3⤵
    PID:4960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe .
1⤵
PID:5456
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5316
- C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe
  C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe .
  2⤵
  PID:5644
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\bwtnkfrrhewsnhisvjpkh.exe*."
    3⤵
    PID:3164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgcvrlwvkgxsmffoqdic.exe
1⤵
PID:5148
- C:\Users\Admin\AppData\Local\Temp\mgcvrlwvkgxsmffoqdic.exe
  C:\Users\Admin\AppData\Local\Temp\mgcvrlwvkgxsmffoqdic.exe
  2⤵
  PID:1128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgcvrlwvkgxsmffoqdic.exe .
1⤵
PID:3152
- C:\Users\Admin\AppData\Local\Temp\mgcvrlwvkgxsmffoqdic.exe
  C:\Users\Admin\AppData\Local\Temp\mgcvrlwvkgxsmffoqdic.exe .
  2⤵
  PID:4504
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\mgcvrlwvkgxsmffoqdic.exe*."
    3⤵
    PID:5100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
1⤵
PID:4548
- C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
  2⤵
  PID:2772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe .
1⤵
PID:5512
- C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe .
  2⤵
  PID:1112
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\ogarldmjwqfyqhfmmx.exe*."
    3⤵
    PID:3976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwtnkfrrhewsnhisvjpkh.exe
1⤵
PID:4460
- C:\Windows\bwtnkfrrhewsnhisvjpkh.exe
  bwtnkfrrhewsnhisvjpkh.exe
  2⤵
  PID:5116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogarldmjwqfyqhfmmx.exe .
1⤵
PID:4400
- C:\Windows\ogarldmjwqfyqhfmmx.exe
  ogarldmjwqfyqhfmmx.exe .
  2⤵
  PID:5444
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\ogarldmjwqfyqhfmmx.exe*."
    3⤵
    PID:5936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogarldmjwqfyqhfmmx.exe
1⤵
PID:2936
- C:\Windows\ogarldmjwqfyqhfmmx.exe
  ogarldmjwqfyqhfmmx.exe
  2⤵
  PID:5504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yogvndkfqivmcrns.exe .
1⤵
PID:4016
- C:\Windows\yogvndkfqivmcrns.exe
  yogvndkfqivmcrns.exe .
  2⤵
  PID:4020
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\yogvndkfqivmcrns.exe*."
    3⤵
    PID:3740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgcvrlwvkgxsmffoqdic.exe
1⤵
PID:2252
- C:\Users\Admin\AppData\Local\Temp\mgcvrlwvkgxsmffoqdic.exe
  C:\Users\Admin\AppData\Local\Temp\mgcvrlwvkgxsmffoqdic.exe
  2⤵
  PID:4252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe .
1⤵
PID:2240
- C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe
  C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe .
  2⤵
  PID:4664
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\fwpfypxtfymevlion.exe*."
    3⤵
    PID:3544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
1⤵
PID:864
- C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
  2⤵
  PID:2292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe .
1⤵
PID:3412
- C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe
  C:\Users\Admin\AppData\Local\Temp\bwtnkfrrhewsnhisvjpkh.exe .
  2⤵
  PID:5684
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\bwtnkfrrhewsnhisvjpkh.exe*."
    3⤵
    PID:3680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yogvndkfqivmcrns.exe
1⤵
PID:3644
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4012
- C:\Windows\yogvndkfqivmcrns.exe
  yogvndkfqivmcrns.exe
  2⤵
  PID:1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwpfypxtfymevlion.exe .
1⤵
PID:2364
- C:\Windows\fwpfypxtfymevlion.exe
  fwpfypxtfymevlion.exe .
  2⤵
  PID:3860
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\fwpfypxtfymevlion.exe*."
    3⤵
    PID:2272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgcvrlwvkgxsmffoqdic.exe
1⤵
PID:4476
- C:\Windows\mgcvrlwvkgxsmffoqdic.exe
  mgcvrlwvkgxsmffoqdic.exe
  2⤵
  PID:2324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwtnkfrrhewsnhisvjpkh.exe .
1⤵
PID:4636
- C:\Windows\bwtnkfrrhewsnhisvjpkh.exe
  bwtnkfrrhewsnhisvjpkh.exe .
  2⤵
  PID:4508
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\bwtnkfrrhewsnhisvjpkh.exe*."
    3⤵
    PID:112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe
1⤵
PID:4452
- C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe
  C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe
  2⤵
  PID:2024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe .
1⤵
PID:464
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:6092
- C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe
  C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe .
  2⤵
  PID:2488
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\zsnfatdbpkaunfemnzd.exe*."
    3⤵
    PID:460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe
1⤵
PID:1400
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2116
- C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe
  C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe
  2⤵
  PID:2824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe .
1⤵
PID:2340
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4408
- C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe
  C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe .
  2⤵
  PID:4052
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\fwpfypxtfymevlion.exe*."
    3⤵
    PID:3560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwtnkfrrhewsnhisvjpkh.exe
1⤵
PID:3996
- C:\Windows\bwtnkfrrhewsnhisvjpkh.exe
  bwtnkfrrhewsnhisvjpkh.exe
  2⤵
  PID:5516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsnfatdbpkaunfemnzd.exe .
1⤵
PID:5672
- C:\Windows\zsnfatdbpkaunfemnzd.exe
  zsnfatdbpkaunfemnzd.exe .
  2⤵
  PID:5652
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\zsnfatdbpkaunfemnzd.exe*."
    3⤵
    PID:4884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwtnkfrrhewsnhisvjpkh.exe
1⤵
PID:3140
- C:\Windows\bwtnkfrrhewsnhisvjpkh.exe
  bwtnkfrrhewsnhisvjpkh.exe
  2⤵
  PID:4976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yogvndkfqivmcrns.exe .
1⤵
PID:5172
- C:\Windows\yogvndkfqivmcrns.exe
  yogvndkfqivmcrns.exe .
  2⤵
  PID:1632
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\yogvndkfqivmcrns.exe*."
    3⤵
    PID:4420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe
1⤵
PID:2484
- C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe
  C:\Users\Admin\AppData\Local\Temp\fwpfypxtfymevlion.exe
  2⤵
  PID:1476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe .
1⤵
PID:5260
- C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe .
  2⤵
  PID:1264
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\ogarldmjwqfyqhfmmx.exe*."
    3⤵
    PID:1612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
1⤵
PID:3652
- C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
  2⤵
  PID:1132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe .
1⤵
PID:436
- C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe .
  2⤵
  PID:5884
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\ogarldmjwqfyqhfmmx.exe*."
    3⤵
    PID:1140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwpfypxtfymevlion.exe
1⤵
PID:5308
- C:\Windows\fwpfypxtfymevlion.exe
  fwpfypxtfymevlion.exe
  2⤵
  PID:3504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsnfatdbpkaunfemnzd.exe .
1⤵
PID:4736
- C:\Windows\zsnfatdbpkaunfemnzd.exe
  zsnfatdbpkaunfemnzd.exe .
  2⤵
  PID:3188
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\zsnfatdbpkaunfemnzd.exe*."
    3⤵
    PID:5896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yogvndkfqivmcrns.exe
1⤵
PID:1792
- C:\Windows\yogvndkfqivmcrns.exe
  yogvndkfqivmcrns.exe
  2⤵
  PID:5836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwpfypxtfymevlion.exe .
1⤵
PID:208
- C:\Windows\fwpfypxtfymevlion.exe
  fwpfypxtfymevlion.exe .
  2⤵
  PID:1432
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\fwpfypxtfymevlion.exe*."
    3⤵
    PID:4412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
1⤵
PID:4564
- C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\yogvndkfqivmcrns.exe
  2⤵
  PID:616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe .
1⤵
PID:2084
- C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe
  C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe .
  2⤵
  PID:5552
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\zsnfatdbpkaunfemnzd.exe*."
    3⤵
    PID:2964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe
1⤵
PID:4812
- C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe
  C:\Users\Admin\AppData\Local\Temp\zsnfatdbpkaunfemnzd.exe
  2⤵
  PID:5208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe .
1⤵
PID:3428
- C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\ogarldmjwqfyqhfmmx.exe .
  2⤵
  PID:3184
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\ogarldmjwqfyqhfmmx.exe*."
    3⤵
    PID:3924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c axjdykfunymevlion.exe
1⤵
PID:5220
- C:\Windows\axjdykfunymevlion.exe
  axjdykfunymevlion.exe
  2⤵
  PID:5632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogarldmjwqfyqhfmmx.exe
1⤵
PID:4548
- C:\Windows\ogarldmjwqfyqhfmmx.exe
  ogarldmjwqfyqhfmmx.exe
  2⤵
  PID:3716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jhuplyukeqfyqhfmmx.exe .
1⤵
PID:5796
- C:\Windows\jhuplyukeqfyqhfmmx.exe
  jhuplyukeqfyqhfmmx.exe .
  2⤵
  PID:4804
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\jhuplyukeqfyqhfmmx.exe*."
    3⤵
    PID:2824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsnfatdbpkaunfemnzd.exe .
1⤵
PID:5064
- C:\Windows\zsnfatdbpkaunfemnzd.exe
  zsnfatdbpkaunfemnzd.exe .
  2⤵
  PID:4676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jhuplyukeqfyqhfmmx.exe
1⤵
PID:312
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwtnkfrrhewsnhisvjpkh.exe
1⤵
PID:5164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wxnlkazspewsnhisvjklb.exe .
1⤵
PID:3976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Safe Mode Boot

T1562.009

Modify Registry