pykspa | 9f1ca7fd043142e1a40113229b8764d993123647a3ea9ada7ca338f67325020e

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	jgshfqsitqc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	wakovdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	wakovdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	jgshfqsitqc.exe

Pykspa
Pykspa is a worm spreads via Skype uses DGA and it's written in C++.
worm pykspa
Pykspa family
pykspa

UAC bypass 3 TTPs 13 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jgshfqsitqc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wakovdn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wakovdn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jgshfqsitqc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wakovdn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wakovdn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wakovdn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	jgshfqsitqc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	jgshfqsitqc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	jgshfqsitqc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	wakovdn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	wakovdn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wakovdn.exe

Detect Pykspa worm 2 IoCs

worm

resource	yara_rule
behavioral1/files/0x00040000000272db-4.dat	family_pykspa
behavioral1/files/0x0007000000027f23-83.dat	family_pykspa

Adds policy Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lqbgoxit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\viboevohzhsulfiy.exe"	jgshfqsitqc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	jgshfqsitqc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qymufrftgjp = "wmiyrlhdyjxcwtzscaa.exe"	jgshfqsitqc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wakovdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wakovdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qymufrftgjp = "wmiyrlhdyjxcwtzscaa.exe"	wakovdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lqbgoxit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wmiyrlhdyjxcwtzscaa.exe"	wakovdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	jgshfqsitqc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lqbgoxit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\viboevohzhsulfiy.exe"	jgshfqsitqc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qymufrftgjp = "yqogbxvtqdtawvdykkmec.exe"	wakovdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lqbgoxit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cqkyphbvoxjmezduc.exe"	wakovdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qymufrftgjp = "jaxoidaxtfuavtaufefw.exe"	jgshfqsitqc.exe

Disables RegEdit via registry modification 6 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wakovdn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wakovdn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wakovdn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	jgshfqsitqc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	jgshfqsitqc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wakovdn.exe

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\Control Panel\International\Geo\Nation	cqkyphbvoxjmezduc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\Control Panel\International\Geo\Nation	viboevohzhsulfiy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\Control Panel\International\Geo\Nation	viboevohzhsulfiy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\Control Panel\International\Geo\Nation	wmiyrlhdyjxcwtzscaa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\Control Panel\International\Geo\Nation	viboevohzhsulfiy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\Control Panel\International\Geo\Nation	cqkyphbvoxjmezduc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\Control Panel\International\Geo\Nation	jaxoidaxtfuavtaufefw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\Control Panel\International\Geo\Nation	wmiyrlhdyjxcwtzscaa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\Control Panel\International\Geo\Nation	jgshfqsitqc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\Control Panel\International\Geo\Nation	viboevohzhsulfiy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\Control Panel\International\Geo\Nation	jaxoidaxtfuavtaufefw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\Control Panel\International\Geo\Nation	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\Control Panel\International\Geo\Nation	jaxoidaxtfuavtaufefw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\Control Panel\International\Geo\Nation	yqogbxvtqdtawvdykkmec.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\Control Panel\International\Geo\Nation	wmiyrlhdyjxcwtzscaa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\Control Panel\International\Geo\Nation	cqkyphbvoxjmezduc.exe

Executes dropped EXE 47 IoCs

pid	Process
1596	jgshfqsitqc.exe
1716	jaxoidaxtfuavtaufefw.exe
4468	jaxoidaxtfuavtaufefw.exe
2512	jgshfqsitqc.exe
2736	wmiyrlhdyjxcwtzscaa.exe
3340	yqogbxvtqdtawvdykkmec.exe
1440	yqogbxvtqdtawvdykkmec.exe
3560	jgshfqsitqc.exe
3432	cqkyphbvoxjmezduc.exe
740	wmiyrlhdyjxcwtzscaa.exe
1012	jgshfqsitqc.exe
1680	wmiyrlhdyjxcwtzscaa.exe
4876	jgshfqsitqc.exe
3328	wakovdn.exe
1808	wakovdn.exe
4756	viboevohzhsulfiy.exe
1584	lavkcvqlfpcgzvasby.exe
4488	viboevohzhsulfiy.exe
1272	viboevohzhsulfiy.exe
1124	jgshfqsitqc.exe
240	jgshfqsitqc.exe
3980	yqogbxvtqdtawvdykkmec.exe
2736	wmiyrlhdyjxcwtzscaa.exe
2484	jaxoidaxtfuavtaufefw.exe
3760	viboevohzhsulfiy.exe
3916	yqogbxvtqdtawvdykkmec.exe
1744	lavkcvqlfpcgzvasby.exe
1556	wmiyrlhdyjxcwtzscaa.exe
948	jaxoidaxtfuavtaufefw.exe
4392	jgshfqsitqc.exe
3448	jgshfqsitqc.exe
652	jgshfqsitqc.exe
4936	jgshfqsitqc.exe
1584	wmiyrlhdyjxcwtzscaa.exe
4608	yqogbxvtqdtawvdykkmec.exe
3108	cqkyphbvoxjmezduc.exe
3880	viboevohzhsulfiy.exe
3728	jgshfqsitqc.exe
2824	jgshfqsitqc.exe
3868	yqogbxvtqdtawvdykkmec.exe
1284	cqkyphbvoxjmezduc.exe
2800	jgshfqsitqc.exe
3996	wmiyrlhdyjxcwtzscaa.exe
4296	wmiyrlhdyjxcwtzscaa.exe
1156	wmiyrlhdyjxcwtzscaa.exe
4704	jgshfqsitqc.exe
820	viboevohzhsulfiy.exe

Impair Defenses: Safe Mode Boot 1 TTPs 7 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	wakovdn.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	wakovdn.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend	wakovdn.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	wakovdn.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	wakovdn.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	wakovdn.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	wakovdn.exe

Adds Run key to start application 2 TTPs 30 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

defense_evasion persistence privilege_escalation

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nypaodulbhqqfx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cqkyphbvoxjmezduc.exe ."	jgshfqsitqc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ciuajtfrc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wmiyrlhdyjxcwtzscaa.exe"	jgshfqsitqc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vcpwgrerdf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\viboevohzhsulfiy.exe ."	wakovdn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mwmwjxndsxfes = "yqogbxvtqdtawvdykkmec.exe ."	jgshfqsitqc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nypaodulbhqqfx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jaxoidaxtfuavtaufefw.exe ."	wakovdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ciuajtfrc = "yqogbxvtqdtawvdykkmec.exe"	jgshfqsitqc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qcugvldvmtdeunp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wmiyrlhdyjxcwtzscaa.exe"	jgshfqsitqc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ciuajtfrc = "viboevohzhsulfiy.exe"	wakovdn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vcpwgrerdf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wmiyrlhdyjxcwtzscaa.exe ."	jgshfqsitqc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mwmwjxndsxfes = "viboevohzhsulfiy.exe ."	wakovdn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ciuajtfrc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wmiyrlhdyjxcwtzscaa.exe"	wakovdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ciuajtfrc = "jaxoidaxtfuavtaufefw.exe"	jgshfqsitqc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vcpwgrerdf = "jaxoidaxtfuavtaufefw.exe ."	jgshfqsitqc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qcugvldvmtdeunp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yqogbxvtqdtawvdykkmec.exe"	jgshfqsitqc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vcpwgrerdf = "viboevohzhsulfiy.exe ."	wakovdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vcpwgrerdf = "viboevohzhsulfiy.exe ."	wakovdn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nwlugtixlpwu = "yqogbxvtqdtawvdykkmec.exe"	wakovdn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nwlugtixlpwu = "wmiyrlhdyjxcwtzscaa.exe"	wakovdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qcugvldvmtdeunp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lavkcvqlfpcgzvasby.exe"	wakovdn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mwmwjxndsxfes = "wmiyrlhdyjxcwtzscaa.exe ."	jgshfqsitqc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vcpwgrerdf = "cqkyphbvoxjmezduc.exe ."	jgshfqsitqc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nwlugtixlpwu = "wmiyrlhdyjxcwtzscaa.exe"	jgshfqsitqc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nypaodulbhqqfx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\viboevohzhsulfiy.exe ."	jgshfqsitqc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nwlugtixlpwu = "wmiyrlhdyjxcwtzscaa.exe"	jgshfqsitqc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mwmwjxndsxfes = "jaxoidaxtfuavtaufefw.exe ."	wakovdn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vcpwgrerdf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cqkyphbvoxjmezduc.exe ."	wakovdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ciuajtfrc = "lavkcvqlfpcgzvasby.exe"	wakovdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qcugvldvmtdeunp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yqogbxvtqdtawvdykkmec.exe"	wakovdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nypaodulbhqqfx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wmiyrlhdyjxcwtzscaa.exe ."	wakovdn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ciuajtfrc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yqogbxvtqdtawvdykkmec.exe"	wakovdn.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jgshfqsitqc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jgshfqsitqc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wakovdn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jgshfqsitqc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wakovdn.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wakovdn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wakovdn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jgshfqsitqc.exe

Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs

Possible Turn off User Account Control's privilege elevation for standard users.

Executable Installer File Permissions Weakness

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	jgshfqsitqc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	wakovdn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	wakovdn.exe

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	whatismyip.everdot.org
15	www.showmyipaddress.com
22	whatismyipaddress.com
32	whatismyip.everdot.org
37	www.whatismyip.ca
39	whatismyip.everdot.org

Drops file in System32 directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\jaxoidaxtfuavtaufefw.exe	jgshfqsitqc.exe
File opened for modification	C:\Windows\SysWOW64\lavkcvqlfpcgzvasby.exe	jgshfqsitqc.exe
File opened for modification	C:\Windows\SysWOW64\pihawtsrpduczziersvong.exe	jgshfqsitqc.exe
File opened for modification	C:\Windows\SysWOW64\cqkyphbvoxjmezduc.exe	wakovdn.exe
File opened for modification	C:\Windows\SysWOW64\wmiyrlhdyjxcwtzscaa.exe	wakovdn.exe
File opened for modification	C:\Windows\SysWOW64\jaxoidaxtfuavtaufefw.exe	wakovdn.exe
File opened for modification	C:\Windows\SysWOW64\pihawtsrpduczziersvong.exe	wakovdn.exe
File opened for modification	C:\Windows\SysWOW64\pihawtsrpduczziersvong.exe	jgshfqsitqc.exe
File opened for modification	C:\Windows\SysWOW64\cqkyphbvoxjmezduc.exe	jgshfqsitqc.exe
File opened for modification	C:\Windows\SysWOW64\jaxoidaxtfuavtaufefw.exe	wakovdn.exe
File opened for modification	C:\Windows\SysWOW64\nwlugtixlpwuhxwilcvetcobqftxecpfeq.kdm	wakovdn.exe
File created	C:\Windows\SysWOW64\nwlugtixlpwuhxwilcvetcobqftxecpfeq.kdm	wakovdn.exe
File opened for modification	C:\Windows\SysWOW64\yqogbxvtqdtawvdykkmec.exe	jgshfqsitqc.exe
File opened for modification	C:\Windows\SysWOW64\viboevohzhsulfiy.exe	wakovdn.exe
File created	C:\Windows\SysWOW64\aycabdhlohdqsxlmeksqust.zdg	wakovdn.exe
File opened for modification	C:\Windows\SysWOW64\yqogbxvtqdtawvdykkmec.exe	jgshfqsitqc.exe
File opened for modification	C:\Windows\SysWOW64\wmiyrlhdyjxcwtzscaa.exe	jgshfqsitqc.exe
File opened for modification	C:\Windows\SysWOW64\wmiyrlhdyjxcwtzscaa.exe	wakovdn.exe
File opened for modification	C:\Windows\SysWOW64\pihawtsrpduczziersvong.exe	wakovdn.exe
File opened for modification	C:\Windows\SysWOW64\aycabdhlohdqsxlmeksqust.zdg	wakovdn.exe
File opened for modification	C:\Windows\SysWOW64\wmiyrlhdyjxcwtzscaa.exe	jgshfqsitqc.exe
File opened for modification	C:\Windows\SysWOW64\lavkcvqlfpcgzvasby.exe	jgshfqsitqc.exe
File opened for modification	C:\Windows\SysWOW64\viboevohzhsulfiy.exe	jgshfqsitqc.exe
File opened for modification	C:\Windows\SysWOW64\jaxoidaxtfuavtaufefw.exe	jgshfqsitqc.exe
File opened for modification	C:\Windows\SysWOW64\yqogbxvtqdtawvdykkmec.exe	wakovdn.exe
File opened for modification	C:\Windows\SysWOW64\lavkcvqlfpcgzvasby.exe	wakovdn.exe
File opened for modification	C:\Windows\SysWOW64\viboevohzhsulfiy.exe	wakovdn.exe
File opened for modification	C:\Windows\SysWOW64\lavkcvqlfpcgzvasby.exe	wakovdn.exe
File opened for modification	C:\Windows\SysWOW64\viboevohzhsulfiy.exe	jgshfqsitqc.exe
File opened for modification	C:\Windows\SysWOW64\cqkyphbvoxjmezduc.exe	jgshfqsitqc.exe
File opened for modification	C:\Windows\SysWOW64\yqogbxvtqdtawvdykkmec.exe	wakovdn.exe
File opened for modification	C:\Windows\SysWOW64\cqkyphbvoxjmezduc.exe	wakovdn.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\nwlugtixlpwuhxwilcvetcobqftxecpfeq.kdm	wakovdn.exe
File opened for modification	C:\Program Files (x86)\aycabdhlohdqsxlmeksqust.zdg	wakovdn.exe
File created	C:\Program Files (x86)\aycabdhlohdqsxlmeksqust.zdg	wakovdn.exe
File opened for modification	C:\Program Files (x86)\nwlugtixlpwuhxwilcvetcobqftxecpfeq.kdm	wakovdn.exe

Drops file in Windows directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\wmiyrlhdyjxcwtzscaa.exe	jgshfqsitqc.exe
File opened for modification	C:\Windows\yqogbxvtqdtawvdykkmec.exe	jgshfqsitqc.exe
File opened for modification	C:\Windows\jaxoidaxtfuavtaufefw.exe	wakovdn.exe
File opened for modification	C:\Windows\lavkcvqlfpcgzvasby.exe	wakovdn.exe
File opened for modification	C:\Windows\lavkcvqlfpcgzvasby.exe	wakovdn.exe
File created	C:\Windows\aycabdhlohdqsxlmeksqust.zdg	wakovdn.exe
File created	C:\Windows\nwlugtixlpwuhxwilcvetcobqftxecpfeq.kdm	wakovdn.exe
File opened for modification	C:\Windows\wmiyrlhdyjxcwtzscaa.exe	jgshfqsitqc.exe
File opened for modification	C:\Windows\yqogbxvtqdtawvdykkmec.exe	jgshfqsitqc.exe
File opened for modification	C:\Windows\pihawtsrpduczziersvong.exe	jgshfqsitqc.exe
File opened for modification	C:\Windows\pihawtsrpduczziersvong.exe	jgshfqsitqc.exe
File opened for modification	C:\Windows\viboevohzhsulfiy.exe	wakovdn.exe
File opened for modification	C:\Windows\viboevohzhsulfiy.exe	wakovdn.exe
File opened for modification	C:\Windows\yqogbxvtqdtawvdykkmec.exe	wakovdn.exe
File opened for modification	C:\Windows\viboevohzhsulfiy.exe	jgshfqsitqc.exe
File opened for modification	C:\Windows\jaxoidaxtfuavtaufefw.exe	jgshfqsitqc.exe
File opened for modification	C:\Windows\yqogbxvtqdtawvdykkmec.exe	wakovdn.exe
File opened for modification	C:\Windows\pihawtsrpduczziersvong.exe	wakovdn.exe
File opened for modification	C:\Windows\cqkyphbvoxjmezduc.exe	wakovdn.exe
File opened for modification	C:\Windows\wmiyrlhdyjxcwtzscaa.exe	wakovdn.exe
File opened for modification	C:\Windows\cqkyphbvoxjmezduc.exe	wakovdn.exe
File opened for modification	C:\Windows\lavkcvqlfpcgzvasby.exe	jgshfqsitqc.exe
File opened for modification	C:\Windows\lavkcvqlfpcgzvasby.exe	jgshfqsitqc.exe
File opened for modification	C:\Windows\pihawtsrpduczziersvong.exe	wakovdn.exe
File opened for modification	C:\Windows\wmiyrlhdyjxcwtzscaa.exe	wakovdn.exe
File opened for modification	C:\Windows\cqkyphbvoxjmezduc.exe	jgshfqsitqc.exe
File opened for modification	C:\Windows\aycabdhlohdqsxlmeksqust.zdg	wakovdn.exe
File opened for modification	C:\Windows\nwlugtixlpwuhxwilcvetcobqftxecpfeq.kdm	wakovdn.exe
File opened for modification	C:\Windows\jaxoidaxtfuavtaufefw.exe	jgshfqsitqc.exe
File opened for modification	C:\Windows\jaxoidaxtfuavtaufefw.exe	wakovdn.exe
File opened for modification	C:\Windows\viboevohzhsulfiy.exe	jgshfqsitqc.exe
File opened for modification	C:\Windows\cqkyphbvoxjmezduc.exe	jgshfqsitqc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	viboevohzhsulfiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cqkyphbvoxjmezduc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cqkyphbvoxjmezduc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaxoidaxtfuavtaufefw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiyrlhdyjxcwtzscaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wakovdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaxoidaxtfuavtaufefw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiyrlhdyjxcwtzscaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	viboevohzhsulfiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lavkcvqlfpcgzvasby.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	viboevohzhsulfiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	viboevohzhsulfiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaxoidaxtfuavtaufefw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaxoidaxtfuavtaufefw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yqogbxvtqdtawvdykkmec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yqogbxvtqdtawvdykkmec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiyrlhdyjxcwtzscaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	viboevohzhsulfiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lavkcvqlfpcgzvasby.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	viboevohzhsulfiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jgshfqsitqc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cqkyphbvoxjmezduc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiyrlhdyjxcwtzscaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiyrlhdyjxcwtzscaa.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2564	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
2564	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
2564	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
2564	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
2564	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
2564	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
2564	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
2564	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
2564	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
2564	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
2564	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
2564	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
2564	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
2564	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
2564	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
2564	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3328	wakovdn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2564 wrote to memory of 1596	2564	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe	82
PID 2564 wrote to memory of 1596	2564	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe	82
PID 2564 wrote to memory of 1596	2564	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe	82
PID 4160 wrote to memory of 1716	4160	cmd.exe	85
PID 4160 wrote to memory of 1716	4160	cmd.exe	85
PID 4160 wrote to memory of 1716	4160	cmd.exe	85
PID 3012 wrote to memory of 4468	3012	cmd.exe	88
PID 3012 wrote to memory of 4468	3012	cmd.exe	88
PID 3012 wrote to memory of 4468	3012	cmd.exe	88
PID 4468 wrote to memory of 2512	4468	jaxoidaxtfuavtaufefw.exe	91
PID 4468 wrote to memory of 2512	4468	jaxoidaxtfuavtaufefw.exe	91
PID 4468 wrote to memory of 2512	4468	jaxoidaxtfuavtaufefw.exe	91
PID 216 wrote to memory of 2736	216	cmd.exe	144
PID 216 wrote to memory of 2736	216	cmd.exe	144
PID 216 wrote to memory of 2736	216	cmd.exe	144
PID 2656 wrote to memory of 3340	2656	cmd.exe	97
PID 2656 wrote to memory of 3340	2656	cmd.exe	97
PID 2656 wrote to memory of 3340	2656	cmd.exe	97
PID 1320 wrote to memory of 1440	1320	cmd.exe	102
PID 1320 wrote to memory of 1440	1320	cmd.exe	102
PID 1320 wrote to memory of 1440	1320	cmd.exe	102
PID 3340 wrote to memory of 3560	3340	yqogbxvtqdtawvdykkmec.exe	103
PID 3340 wrote to memory of 3560	3340	yqogbxvtqdtawvdykkmec.exe	103
PID 3340 wrote to memory of 3560	3340	yqogbxvtqdtawvdykkmec.exe	103
PID 3320 wrote to memory of 3432	3320	cmd.exe	104
PID 3320 wrote to memory of 3432	3320	cmd.exe	104
PID 3320 wrote to memory of 3432	3320	cmd.exe	104
PID 4492 wrote to memory of 740	4492	cmd.exe	109
PID 4492 wrote to memory of 740	4492	cmd.exe	109
PID 4492 wrote to memory of 740	4492	cmd.exe	109
PID 3432 wrote to memory of 1012	3432	cqkyphbvoxjmezduc.exe	159
PID 3432 wrote to memory of 1012	3432	cqkyphbvoxjmezduc.exe	159
PID 3432 wrote to memory of 1012	3432	cqkyphbvoxjmezduc.exe	159
PID 3040 wrote to memory of 1680	3040	cmd.exe	111
PID 3040 wrote to memory of 1680	3040	cmd.exe	111
PID 3040 wrote to memory of 1680	3040	cmd.exe	111
PID 1680 wrote to memory of 4876	1680	wmiyrlhdyjxcwtzscaa.exe	275
PID 1680 wrote to memory of 4876	1680	wmiyrlhdyjxcwtzscaa.exe	275
PID 1680 wrote to memory of 4876	1680	wmiyrlhdyjxcwtzscaa.exe	275
PID 1596 wrote to memory of 3328	1596	jgshfqsitqc.exe	115
PID 1596 wrote to memory of 3328	1596	jgshfqsitqc.exe	115
PID 1596 wrote to memory of 3328	1596	jgshfqsitqc.exe	115
PID 1596 wrote to memory of 1808	1596	jgshfqsitqc.exe	116
PID 1596 wrote to memory of 1808	1596	jgshfqsitqc.exe	116
PID 1596 wrote to memory of 1808	1596	jgshfqsitqc.exe	116
PID 4016 wrote to memory of 4756	4016	cmd.exe	121
PID 4016 wrote to memory of 4756	4016	cmd.exe	121
PID 4016 wrote to memory of 4756	4016	cmd.exe	121
PID 1104 wrote to memory of 1584	1104	cmd.exe	268
PID 1104 wrote to memory of 1584	1104	cmd.exe	268
PID 1104 wrote to memory of 1584	1104	cmd.exe	268
PID 4664 wrote to memory of 4488	4664	cmd.exe	295
PID 4664 wrote to memory of 4488	4664	cmd.exe	295
PID 4664 wrote to memory of 4488	4664	cmd.exe	295
PID 3288 wrote to memory of 1272	3288	cmd.exe	128
PID 3288 wrote to memory of 1272	3288	cmd.exe	128
PID 3288 wrote to memory of 1272	3288	cmd.exe	128
PID 1272 wrote to memory of 1124	1272	viboevohzhsulfiy.exe	178
PID 1272 wrote to memory of 1124	1272	viboevohzhsulfiy.exe	178
PID 1272 wrote to memory of 1124	1272	viboevohzhsulfiy.exe	178
PID 4488 wrote to memory of 240	4488	viboevohzhsulfiy.exe	321
PID 4488 wrote to memory of 240	4488	viboevohzhsulfiy.exe	321
PID 4488 wrote to memory of 240	4488	viboevohzhsulfiy.exe	321
PID 4828 wrote to memory of 3980	4828	cmd.exe	241

System policy modification 1 TTPs 34 IoCs

defense_evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	jgshfqsitqc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	jgshfqsitqc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wakovdn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	jgshfqsitqc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wakovdn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	jgshfqsitqc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wakovdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	jgshfqsitqc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wakovdn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wakovdn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wakovdn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	wakovdn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	wakovdn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	jgshfqsitqc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	jgshfqsitqc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	jgshfqsitqc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	wakovdn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	wakovdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	jgshfqsitqc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	wakovdn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	wakovdn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jgshfqsitqc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	jgshfqsitqc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wakovdn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wakovdn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	wakovdn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wakovdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	jgshfqsitqc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	wakovdn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	wakovdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wakovdn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	jgshfqsitqc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jgshfqsitqc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	wakovdn.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe
  "C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Hijack Execution Flow: Executable Installer File Permissions Weakness
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1596
- - C:\Users\Admin\AppData\Local\Temp\wakovdn.exe
    "C:\Users\Admin\AppData\Local\Temp\wakovdn.exe" "-C:\Users\Admin\AppData\Local\Temp\viboevohzhsulfiy.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:3328
- - C:\Users\Admin\AppData\Local\Temp\wakovdn.exe
    "C:\Users\Admin\AppData\Local\Temp\wakovdn.exe" "-C:\Users\Admin\AppData\Local\Temp\viboevohzhsulfiy.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jaxoidaxtfuavtaufefw.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4160
- C:\Windows\jaxoidaxtfuavtaufefw.exe
  jaxoidaxtfuavtaufefw.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jaxoidaxtfuavtaufefw.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\jaxoidaxtfuavtaufefw.exe
  jaxoidaxtfuavtaufefw.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4468
- - C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe
    "C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe" "c:\windows\jaxoidaxtfuavtaufefw.exe*."
    3⤵
    - Executes dropped EXE
    PID:2512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmiyrlhdyjxcwtzscaa.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:216
- C:\Windows\wmiyrlhdyjxcwtzscaa.exe
  wmiyrlhdyjxcwtzscaa.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqogbxvtqdtawvdykkmec.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Windows\yqogbxvtqdtawvdykkmec.exe
  yqogbxvtqdtawvdykkmec.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3340
- - C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe
    "C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe" "c:\windows\yqogbxvtqdtawvdykkmec.exe*."
    3⤵
    - Executes dropped EXE
    PID:3560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqogbxvtqdtawvdykkmec.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Users\Admin\AppData\Local\Temp\yqogbxvtqdtawvdykkmec.exe
  C:\Users\Admin\AppData\Local\Temp\yqogbxvtqdtawvdykkmec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cqkyphbvoxjmezduc.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:3320
- C:\Users\Admin\AppData\Local\Temp\cqkyphbvoxjmezduc.exe
  C:\Users\Admin\AppData\Local\Temp\cqkyphbvoxjmezduc.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3432
- - C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe
    "C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe" "c:\users\admin\appdata\local\temp\cqkyphbvoxjmezduc.exe*."
    3⤵
    - Executes dropped EXE
    PID:1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wmiyrlhdyjxcwtzscaa.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4492
- C:\Users\Admin\AppData\Local\Temp\wmiyrlhdyjxcwtzscaa.exe
  C:\Users\Admin\AppData\Local\Temp\wmiyrlhdyjxcwtzscaa.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wmiyrlhdyjxcwtzscaa.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Users\Admin\AppData\Local\Temp\wmiyrlhdyjxcwtzscaa.exe
  C:\Users\Admin\AppData\Local\Temp\wmiyrlhdyjxcwtzscaa.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe
    "C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe" "c:\users\admin\appdata\local\temp\wmiyrlhdyjxcwtzscaa.exe*."
    3⤵
    - Executes dropped EXE
    PID:4876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c viboevohzhsulfiy.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4016
- C:\Windows\viboevohzhsulfiy.exe
  viboevohzhsulfiy.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c lavkcvqlfpcgzvasby.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Windows\lavkcvqlfpcgzvasby.exe
  lavkcvqlfpcgzvasby.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c viboevohzhsulfiy.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:4664
- C:\Windows\viboevohzhsulfiy.exe
  viboevohzhsulfiy.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4488
- - C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe
    "C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe" "c:\windows\viboevohzhsulfiy.exe*."
    3⤵
    - Executes dropped EXE
    PID:240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c viboevohzhsulfiy.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:3288
- C:\Windows\viboevohzhsulfiy.exe
  viboevohzhsulfiy.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1272
- - C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe
    "C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe" "c:\windows\viboevohzhsulfiy.exe*."
    3⤵
    - Executes dropped EXE
    PID:1124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqogbxvtqdtawvdykkmec.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4828
- C:\Windows\yqogbxvtqdtawvdykkmec.exe
  yqogbxvtqdtawvdykkmec.exe
  2⤵
  - Executes dropped EXE
  PID:3980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmiyrlhdyjxcwtzscaa.exe
1⤵
PID:4832
- C:\Windows\wmiyrlhdyjxcwtzscaa.exe
  wmiyrlhdyjxcwtzscaa.exe
  2⤵
  - Executes dropped EXE
  PID:2736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jaxoidaxtfuavtaufefw.exe .
1⤵
PID:1120
- C:\Windows\jaxoidaxtfuavtaufefw.exe
  jaxoidaxtfuavtaufefw.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2484
- - C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe
    "C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe" "c:\windows\jaxoidaxtfuavtaufefw.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c viboevohzhsulfiy.exe .
1⤵
PID:1052
- C:\Windows\viboevohzhsulfiy.exe
  viboevohzhsulfiy.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3760
- - C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe
    "C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe" "c:\windows\viboevohzhsulfiy.exe*."
    3⤵
    - Executes dropped EXE
    PID:3448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lavkcvqlfpcgzvasby.exe
1⤵
PID:1476
- C:\Users\Admin\AppData\Local\Temp\lavkcvqlfpcgzvasby.exe
  C:\Users\Admin\AppData\Local\Temp\lavkcvqlfpcgzvasby.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqogbxvtqdtawvdykkmec.exe
1⤵
PID:2400
- C:\Users\Admin\AppData\Local\Temp\yqogbxvtqdtawvdykkmec.exe
  C:\Users\Admin\AppData\Local\Temp\yqogbxvtqdtawvdykkmec.exe
  2⤵
  - Executes dropped EXE
  PID:3916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wmiyrlhdyjxcwtzscaa.exe .
1⤵
PID:2100
- C:\Users\Admin\AppData\Local\Temp\wmiyrlhdyjxcwtzscaa.exe
  C:\Users\Admin\AppData\Local\Temp\wmiyrlhdyjxcwtzscaa.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1556
- - C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe
    "C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe" "c:\users\admin\appdata\local\temp\wmiyrlhdyjxcwtzscaa.exe*."
    3⤵
    - Executes dropped EXE
    PID:652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jaxoidaxtfuavtaufefw.exe .
1⤵
PID:2988
- C:\Users\Admin\AppData\Local\Temp\jaxoidaxtfuavtaufefw.exe
  C:\Users\Admin\AppData\Local\Temp\jaxoidaxtfuavtaufefw.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:948
- - C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe
    "C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe" "c:\users\admin\appdata\local\temp\jaxoidaxtfuavtaufefw.exe*."
    3⤵
    - Executes dropped EXE
    PID:4936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqogbxvtqdtawvdykkmec.exe
1⤵
PID:4384
- C:\Users\Admin\AppData\Local\Temp\yqogbxvtqdtawvdykkmec.exe
  C:\Users\Admin\AppData\Local\Temp\yqogbxvtqdtawvdykkmec.exe
  2⤵
  - Executes dropped EXE
  PID:4608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wmiyrlhdyjxcwtzscaa.exe
1⤵
PID:3808
- C:\Users\Admin\AppData\Local\Temp\wmiyrlhdyjxcwtzscaa.exe
  C:\Users\Admin\AppData\Local\Temp\wmiyrlhdyjxcwtzscaa.exe
  2⤵
  - Executes dropped EXE
  PID:1584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cqkyphbvoxjmezduc.exe .
1⤵
PID:1012
- C:\Users\Admin\AppData\Local\Temp\cqkyphbvoxjmezduc.exe
  C:\Users\Admin\AppData\Local\Temp\cqkyphbvoxjmezduc.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3108
- - C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe
    "C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe" "c:\users\admin\appdata\local\temp\cqkyphbvoxjmezduc.exe*."
    3⤵
    - Executes dropped EXE
    PID:3728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\viboevohzhsulfiy.exe .
1⤵
PID:4400
- C:\Users\Admin\AppData\Local\Temp\viboevohzhsulfiy.exe
  C:\Users\Admin\AppData\Local\Temp\viboevohzhsulfiy.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3880
- - C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe
    "C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe" "c:\users\admin\appdata\local\temp\viboevohzhsulfiy.exe*."
    3⤵
    - Executes dropped EXE
    PID:2824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqogbxvtqdtawvdykkmec.exe
1⤵
PID:3112
- C:\Windows\yqogbxvtqdtawvdykkmec.exe
  yqogbxvtqdtawvdykkmec.exe
  2⤵
  - Executes dropped EXE
  PID:3868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cqkyphbvoxjmezduc.exe .
1⤵
PID:4784
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1124
- C:\Windows\cqkyphbvoxjmezduc.exe
  cqkyphbvoxjmezduc.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1284
- - C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe
    "C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe" "c:\windows\cqkyphbvoxjmezduc.exe*."
    3⤵
    - Executes dropped EXE
    PID:2800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmiyrlhdyjxcwtzscaa.exe
1⤵
PID:4556
- C:\Windows\wmiyrlhdyjxcwtzscaa.exe
  wmiyrlhdyjxcwtzscaa.exe
  2⤵
  - Executes dropped EXE
  PID:3996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmiyrlhdyjxcwtzscaa.exe .
1⤵
PID:3016
- C:\Windows\wmiyrlhdyjxcwtzscaa.exe
  wmiyrlhdyjxcwtzscaa.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4296
- - C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe
    "C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe" "c:\windows\wmiyrlhdyjxcwtzscaa.exe*."
    3⤵
    - Executes dropped EXE
    PID:4704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wmiyrlhdyjxcwtzscaa.exe
1⤵
PID:3436
- C:\Users\Admin\AppData\Local\Temp\wmiyrlhdyjxcwtzscaa.exe
  C:\Users\Admin\AppData\Local\Temp\wmiyrlhdyjxcwtzscaa.exe
  2⤵
  - Executes dropped EXE
  PID:1156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\viboevohzhsulfiy.exe .
1⤵
PID:2000
- C:\Users\Admin\AppData\Local\Temp\viboevohzhsulfiy.exe
  C:\Users\Admin\AppData\Local\Temp\viboevohzhsulfiy.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:820
- - C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe
    "C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe" "c:\users\admin\appdata\local\temp\viboevohzhsulfiy.exe*."
    3⤵
    PID:2360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wmiyrlhdyjxcwtzscaa.exe
1⤵
PID:3452
- C:\Users\Admin\AppData\Local\Temp\wmiyrlhdyjxcwtzscaa.exe
  C:\Users\Admin\AppData\Local\Temp\wmiyrlhdyjxcwtzscaa.exe
  2⤵
  PID:3964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\viboevohzhsulfiy.exe .
1⤵
PID:4900
- C:\Users\Admin\AppData\Local\Temp\viboevohzhsulfiy.exe
  C:\Users\Admin\AppData\Local\Temp\viboevohzhsulfiy.exe .
  2⤵
  PID:556
- - C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe
    "C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe" "c:\users\admin\appdata\local\temp\viboevohzhsulfiy.exe*."
    3⤵
    PID:2788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c viboevohzhsulfiy.exe
1⤵
PID:1000
- C:\Windows\viboevohzhsulfiy.exe
  viboevohzhsulfiy.exe
  2⤵
  PID:3468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c lavkcvqlfpcgzvasby.exe
1⤵
PID:1052
- C:\Windows\lavkcvqlfpcgzvasby.exe
  lavkcvqlfpcgzvasby.exe
  2⤵
  PID:1584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jaxoidaxtfuavtaufefw.exe
1⤵
PID:2152
- C:\Windows\jaxoidaxtfuavtaufefw.exe
  jaxoidaxtfuavtaufefw.exe
  2⤵
  PID:5044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jaxoidaxtfuavtaufefw.exe .
1⤵
PID:4668
- C:\Windows\jaxoidaxtfuavtaufefw.exe
  jaxoidaxtfuavtaufefw.exe .
  2⤵
  PID:2236
- - C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe
    "C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe" "c:\windows\jaxoidaxtfuavtaufefw.exe*."
    3⤵
    PID:1456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c lavkcvqlfpcgzvasby.exe .
1⤵
PID:3256
- C:\Windows\lavkcvqlfpcgzvasby.exe
  lavkcvqlfpcgzvasby.exe .
  2⤵
  PID:1736
- - C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe
    "C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe" "c:\windows\lavkcvqlfpcgzvasby.exe*."
    3⤵
    PID:3708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmiyrlhdyjxcwtzscaa.exe .
1⤵
PID:4812
- C:\Windows\wmiyrlhdyjxcwtzscaa.exe
  wmiyrlhdyjxcwtzscaa.exe .
  2⤵
  PID:1812
- - C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe
    "C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe" "c:\windows\wmiyrlhdyjxcwtzscaa.exe*."
    3⤵
    PID:3484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c viboevohzhsulfiy.exe
1⤵
PID:4068
- C:\Windows\viboevohzhsulfiy.exe
  viboevohzhsulfiy.exe
  2⤵
  PID:3388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmiyrlhdyjxcwtzscaa.exe .
1⤵
PID:1104
- C:\Windows\wmiyrlhdyjxcwtzscaa.exe
  wmiyrlhdyjxcwtzscaa.exe .
  2⤵
  PID:4660
- - C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe
    "C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe" "c:\windows\wmiyrlhdyjxcwtzscaa.exe*."
    3⤵
    PID:2712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqogbxvtqdtawvdykkmec.exe
1⤵
PID:5008
- C:\Windows\yqogbxvtqdtawvdykkmec.exe
  yqogbxvtqdtawvdykkmec.exe
  2⤵
  PID:1748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c viboevohzhsulfiy.exe
1⤵
PID:2824
- C:\Windows\viboevohzhsulfiy.exe
  viboevohzhsulfiy.exe
  2⤵
  PID:3284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lavkcvqlfpcgzvasby.exe
1⤵
PID:4512
- C:\Users\Admin\AppData\Local\Temp\lavkcvqlfpcgzvasby.exe
  C:\Users\Admin\AppData\Local\Temp\lavkcvqlfpcgzvasby.exe
  2⤵
  PID:820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmiyrlhdyjxcwtzscaa.exe .
1⤵
PID:2184
- C:\Windows\wmiyrlhdyjxcwtzscaa.exe
  wmiyrlhdyjxcwtzscaa.exe .
  2⤵
  PID:4856
- - C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe
    "C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe" "c:\windows\wmiyrlhdyjxcwtzscaa.exe*."
    3⤵
    PID:1584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqogbxvtqdtawvdykkmec.exe .
1⤵
PID:344
- C:\Windows\yqogbxvtqdtawvdykkmec.exe
  yqogbxvtqdtawvdykkmec.exe .
  2⤵
  PID:1712
- - C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe
    "C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe" "c:\windows\yqogbxvtqdtawvdykkmec.exe*."
    3⤵
    PID:4936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqogbxvtqdtawvdykkmec.exe .
1⤵
PID:3984
- C:\Users\Admin\AppData\Local\Temp\yqogbxvtqdtawvdykkmec.exe
  C:\Users\Admin\AppData\Local\Temp\yqogbxvtqdtawvdykkmec.exe .
  2⤵
  PID:1084
- - C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe
    "C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe" "c:\users\admin\appdata\local\temp\yqogbxvtqdtawvdykkmec.exe*."
    3⤵
    PID:4876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wmiyrlhdyjxcwtzscaa.exe
1⤵
PID:2736
- C:\Users\Admin\AppData\Local\Temp\wmiyrlhdyjxcwtzscaa.exe
  C:\Users\Admin\AppData\Local\Temp\wmiyrlhdyjxcwtzscaa.exe
  2⤵
  PID:3728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cqkyphbvoxjmezduc.exe
1⤵
PID:2280
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3980
- C:\Users\Admin\AppData\Local\Temp\cqkyphbvoxjmezduc.exe
  C:\Users\Admin\AppData\Local\Temp\cqkyphbvoxjmezduc.exe
  2⤵
  PID:1832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lavkcvqlfpcgzvasby.exe .
1⤵
PID:3428
- C:\Users\Admin\AppData\Local\Temp\lavkcvqlfpcgzvasby.exe
  C:\Users\Admin\AppData\Local\Temp\lavkcvqlfpcgzvasby.exe .
  2⤵
  PID:676
- - C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe
    "C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe" "c:\users\admin\appdata\local\temp\lavkcvqlfpcgzvasby.exe*."
    3⤵
    PID:1768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lavkcvqlfpcgzvasby.exe .
1⤵
PID:2400
- C:\Users\Admin\AppData\Local\Temp\lavkcvqlfpcgzvasby.exe
  C:\Users\Admin\AppData\Local\Temp\lavkcvqlfpcgzvasby.exe .
  2⤵
  PID:1948
- - C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe
    "C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe" "c:\users\admin\appdata\local\temp\lavkcvqlfpcgzvasby.exe*."
    3⤵
    PID:1088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jaxoidaxtfuavtaufefw.exe
1⤵
PID:2424
- C:\Users\Admin\AppData\Local\Temp\jaxoidaxtfuavtaufefw.exe
  C:\Users\Admin\AppData\Local\Temp\jaxoidaxtfuavtaufefw.exe
  2⤵
  PID:3908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lavkcvqlfpcgzvasby.exe .
1⤵
PID:892
- C:\Users\Admin\AppData\Local\Temp\lavkcvqlfpcgzvasby.exe
  C:\Users\Admin\AppData\Local\Temp\lavkcvqlfpcgzvasby.exe .
  2⤵
  PID:1812
- - C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe
    "C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe" "c:\users\admin\appdata\local\temp\lavkcvqlfpcgzvasby.exe*."
    3⤵
    PID:4068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cqkyphbvoxjmezduc.exe
1⤵
PID:2724
- C:\Users\Admin\AppData\Local\Temp\cqkyphbvoxjmezduc.exe
  C:\Users\Admin\AppData\Local\Temp\cqkyphbvoxjmezduc.exe
  2⤵
  PID:2420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jaxoidaxtfuavtaufefw.exe
1⤵
PID:4392
- C:\Users\Admin\AppData\Local\Temp\jaxoidaxtfuavtaufefw.exe
  C:\Users\Admin\AppData\Local\Temp\jaxoidaxtfuavtaufefw.exe
  2⤵
  PID:1516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wmiyrlhdyjxcwtzscaa.exe .
1⤵
PID:4900
- C:\Users\Admin\AppData\Local\Temp\wmiyrlhdyjxcwtzscaa.exe
  C:\Users\Admin\AppData\Local\Temp\wmiyrlhdyjxcwtzscaa.exe .
  2⤵
  PID:3268
- - C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe
    "C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe" "c:\users\admin\appdata\local\temp\wmiyrlhdyjxcwtzscaa.exe*."
    3⤵
    PID:4320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\viboevohzhsulfiy.exe .
1⤵
PID:4600
- C:\Users\Admin\AppData\Local\Temp\viboevohzhsulfiy.exe
  C:\Users\Admin\AppData\Local\Temp\viboevohzhsulfiy.exe .
  2⤵
  PID:2276
- - C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe
    "C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe" "c:\users\admin\appdata\local\temp\viboevohzhsulfiy.exe*."
    3⤵
    PID:2640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmiyrlhdyjxcwtzscaa.exe
1⤵
PID:1404
- C:\Windows\wmiyrlhdyjxcwtzscaa.exe
  wmiyrlhdyjxcwtzscaa.exe
  2⤵
  PID:556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmiyrlhdyjxcwtzscaa.exe .
1⤵
PID:2480
- C:\Windows\wmiyrlhdyjxcwtzscaa.exe
  wmiyrlhdyjxcwtzscaa.exe .
  2⤵
  PID:2824
- - C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe
    "C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe" "c:\windows\wmiyrlhdyjxcwtzscaa.exe*."
    3⤵
    PID:1928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqogbxvtqdtawvdykkmec.exe
1⤵
PID:3252
- C:\Windows\yqogbxvtqdtawvdykkmec.exe
  yqogbxvtqdtawvdykkmec.exe
  2⤵
  PID:1592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cqkyphbvoxjmezduc.exe .
1⤵
PID:4488
- C:\Windows\cqkyphbvoxjmezduc.exe
  cqkyphbvoxjmezduc.exe .
  2⤵
  PID:5044
- - C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe
    "C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe" "c:\windows\cqkyphbvoxjmezduc.exe*."
    3⤵
    PID:1560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\viboevohzhsulfiy.exe
1⤵
PID:4800
- C:\Users\Admin\AppData\Local\Temp\viboevohzhsulfiy.exe
  C:\Users\Admin\AppData\Local\Temp\viboevohzhsulfiy.exe
  2⤵
  PID:2076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lavkcvqlfpcgzvasby.exe .
1⤵
PID:3440
- C:\Users\Admin\AppData\Local\Temp\lavkcvqlfpcgzvasby.exe
  C:\Users\Admin\AppData\Local\Temp\lavkcvqlfpcgzvasby.exe .
  2⤵
  PID:4964
- - C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe
    "C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe" "c:\users\admin\appdata\local\temp\lavkcvqlfpcgzvasby.exe*."
    3⤵
    PID:4704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wmiyrlhdyjxcwtzscaa.exe
1⤵
PID:3120
- C:\Users\Admin\AppData\Local\Temp\wmiyrlhdyjxcwtzscaa.exe
  C:\Users\Admin\AppData\Local\Temp\wmiyrlhdyjxcwtzscaa.exe
  2⤵
  PID:3916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wmiyrlhdyjxcwtzscaa.exe .
1⤵
PID:448
- C:\Users\Admin\AppData\Local\Temp\wmiyrlhdyjxcwtzscaa.exe
  C:\Users\Admin\AppData\Local\Temp\wmiyrlhdyjxcwtzscaa.exe .
  2⤵
  PID:3808
- - C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe
    "C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe" "c:\users\admin\appdata\local\temp\wmiyrlhdyjxcwtzscaa.exe*."
    3⤵
    PID:4556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c viboevohzhsulfiy.exe
1⤵
PID:948
- C:\Windows\viboevohzhsulfiy.exe
  viboevohzhsulfiy.exe
  2⤵
  PID:4816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jaxoidaxtfuavtaufefw.exe .
1⤵
PID:4176
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:240
- C:\Windows\jaxoidaxtfuavtaufefw.exe
  jaxoidaxtfuavtaufefw.exe .
  2⤵
  PID:568
- - C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe
    "C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe" "c:\windows\jaxoidaxtfuavtaufefw.exe*."
    3⤵
    PID:556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cqkyphbvoxjmezduc.exe
1⤵
PID:540
- C:\Windows\cqkyphbvoxjmezduc.exe
  cqkyphbvoxjmezduc.exe
  2⤵
  PID:4460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqogbxvtqdtawvdykkmec.exe .
1⤵
PID:3284
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4392
- C:\Windows\yqogbxvtqdtawvdykkmec.exe
  yqogbxvtqdtawvdykkmec.exe .
  2⤵
  PID:4204
- - C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe
    "C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe" "c:\windows\yqogbxvtqdtawvdykkmec.exe*."
    3⤵
    PID:4604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wmiyrlhdyjxcwtzscaa.exe
1⤵
PID:4804
- C:\Users\Admin\AppData\Local\Temp\wmiyrlhdyjxcwtzscaa.exe
  C:\Users\Admin\AppData\Local\Temp\wmiyrlhdyjxcwtzscaa.exe
  2⤵
  PID:1404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jaxoidaxtfuavtaufefw.exe .
1⤵
PID:4548
- C:\Users\Admin\AppData\Local\Temp\jaxoidaxtfuavtaufefw.exe
  C:\Users\Admin\AppData\Local\Temp\jaxoidaxtfuavtaufefw.exe .
  2⤵
  PID:3256
- - C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe
    "C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe" "c:\users\admin\appdata\local\temp\jaxoidaxtfuavtaufefw.exe*."
    3⤵
    PID:1988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cqkyphbvoxjmezduc.exe
1⤵
PID:3608
- C:\Users\Admin\AppData\Local\Temp\cqkyphbvoxjmezduc.exe
  C:\Users\Admin\AppData\Local\Temp\cqkyphbvoxjmezduc.exe
  2⤵
  PID:1056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqogbxvtqdtawvdykkmec.exe .
1⤵
PID:1508
- C:\Users\Admin\AppData\Local\Temp\yqogbxvtqdtawvdykkmec.exe
  C:\Users\Admin\AppData\Local\Temp\yqogbxvtqdtawvdykkmec.exe .
  2⤵
  PID:5008
- - C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe
    "C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe" "c:\users\admin\appdata\local\temp\yqogbxvtqdtawvdykkmec.exe*."
    3⤵
    PID:4424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cqkyphbvoxjmezduc.exe
1⤵
PID:4532
- C:\Windows\cqkyphbvoxjmezduc.exe
  cqkyphbvoxjmezduc.exe
  2⤵
  PID:4800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmiyrlhdyjxcwtzscaa.exe .
1⤵
PID:1604
- C:\Windows\wmiyrlhdyjxcwtzscaa.exe
  wmiyrlhdyjxcwtzscaa.exe .
  2⤵
  PID:3128
- - C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe
    "C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe" "c:\windows\wmiyrlhdyjxcwtzscaa.exe*."
    3⤵
    PID:2876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jaxoidaxtfuavtaufefw.exe
1⤵
PID:2404
- C:\Windows\jaxoidaxtfuavtaufefw.exe
  jaxoidaxtfuavtaufefw.exe
  2⤵
  PID:2384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqogbxvtqdtawvdykkmec.exe .
1⤵
PID:3272
- C:\Windows\yqogbxvtqdtawvdykkmec.exe
  yqogbxvtqdtawvdykkmec.exe .
  2⤵
  PID:3844
- - C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe
    "C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe" "c:\windows\yqogbxvtqdtawvdykkmec.exe*."
    3⤵
    PID:2928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cqkyphbvoxjmezduc.exe
1⤵
PID:3120
- C:\Users\Admin\AppData\Local\Temp\cqkyphbvoxjmezduc.exe
  C:\Users\Admin\AppData\Local\Temp\cqkyphbvoxjmezduc.exe
  2⤵
  PID:4920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jaxoidaxtfuavtaufefw.exe .
1⤵
PID:2464
- C:\Users\Admin\AppData\Local\Temp\jaxoidaxtfuavtaufefw.exe
  C:\Users\Admin\AppData\Local\Temp\jaxoidaxtfuavtaufefw.exe .
  2⤵
  PID:1868
- - C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe
    "C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe" "c:\users\admin\appdata\local\temp\jaxoidaxtfuavtaufefw.exe*."
    3⤵
    PID:4336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wmiyrlhdyjxcwtzscaa.exe
1⤵
PID:4924
- C:\Users\Admin\AppData\Local\Temp\wmiyrlhdyjxcwtzscaa.exe
  C:\Users\Admin\AppData\Local\Temp\wmiyrlhdyjxcwtzscaa.exe
  2⤵
  PID:1156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cqkyphbvoxjmezduc.exe .
1⤵
PID:1296
- C:\Users\Admin\AppData\Local\Temp\cqkyphbvoxjmezduc.exe
  C:\Users\Admin\AppData\Local\Temp\cqkyphbvoxjmezduc.exe .
  2⤵
  PID:1744
- - C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe
    "C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe" "c:\users\admin\appdata\local\temp\cqkyphbvoxjmezduc.exe*."
    3⤵
    PID:4616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cqkyphbvoxjmezduc.exe
1⤵
PID:2992
- C:\Windows\cqkyphbvoxjmezduc.exe
  cqkyphbvoxjmezduc.exe
  2⤵
  PID:4672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c viboevohzhsulfiy.exe .
1⤵
PID:4804
- C:\Windows\viboevohzhsulfiy.exe
  viboevohzhsulfiy.exe .
  2⤵
  PID:4604
- - C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe
    "C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe" "c:\windows\viboevohzhsulfiy.exe*."
    3⤵
    PID:3760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqogbxvtqdtawvdykkmec.exe
1⤵
PID:4320
- C:\Windows\yqogbxvtqdtawvdykkmec.exe
  yqogbxvtqdtawvdykkmec.exe
  2⤵
  PID:4744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqogbxvtqdtawvdykkmec.exe .
1⤵
PID:1988
- C:\Windows\yqogbxvtqdtawvdykkmec.exe
  yqogbxvtqdtawvdykkmec.exe .
  2⤵
  PID:4600
- - C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe
    "C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe" "c:\windows\yqogbxvtqdtawvdykkmec.exe*."
    3⤵
    PID:3712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lavkcvqlfpcgzvasby.exe
1⤵
PID:3880
- C:\Users\Admin\AppData\Local\Temp\lavkcvqlfpcgzvasby.exe
  C:\Users\Admin\AppData\Local\Temp\lavkcvqlfpcgzvasby.exe
  2⤵
  PID:2868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqogbxvtqdtawvdykkmec.exe .
1⤵
PID:1584
- C:\Users\Admin\AppData\Local\Temp\yqogbxvtqdtawvdykkmec.exe
  C:\Users\Admin\AppData\Local\Temp\yqogbxvtqdtawvdykkmec.exe .
  2⤵
  PID:2104
- - C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe
    "C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe" "c:\users\admin\appdata\local\temp\yqogbxvtqdtawvdykkmec.exe*."
    3⤵
    PID:3728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqogbxvtqdtawvdykkmec.exe
1⤵
PID:4800
- C:\Users\Admin\AppData\Local\Temp\yqogbxvtqdtawvdykkmec.exe
  C:\Users\Admin\AppData\Local\Temp\yqogbxvtqdtawvdykkmec.exe
  2⤵
  PID:4364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wmiyrlhdyjxcwtzscaa.exe .
1⤵
PID:1628
- C:\Users\Admin\AppData\Local\Temp\wmiyrlhdyjxcwtzscaa.exe
  C:\Users\Admin\AppData\Local\Temp\wmiyrlhdyjxcwtzscaa.exe .
  2⤵
  PID:1112
- - C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe
    "C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe" "c:\users\admin\appdata\local\temp\wmiyrlhdyjxcwtzscaa.exe*."
    3⤵
    PID:4876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c lavkcvqlfpcgzvasby.exe
1⤵
PID:2656
- C:\Windows\lavkcvqlfpcgzvasby.exe
  lavkcvqlfpcgzvasby.exe
  2⤵
  PID:1944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c lavkcvqlfpcgzvasby.exe .
1⤵
PID:3984
- C:\Windows\lavkcvqlfpcgzvasby.exe
  lavkcvqlfpcgzvasby.exe .
  2⤵
  PID:4484
- - C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe
    "C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe" "c:\windows\lavkcvqlfpcgzvasby.exe*."
    3⤵
    PID:3560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmiyrlhdyjxcwtzscaa.exe
1⤵
PID:3964
- C:\Windows\wmiyrlhdyjxcwtzscaa.exe
  wmiyrlhdyjxcwtzscaa.exe
  2⤵
  PID:384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jaxoidaxtfuavtaufefw.exe .
1⤵
PID:4816
- C:\Windows\jaxoidaxtfuavtaufefw.exe
  jaxoidaxtfuavtaufefw.exe .
  2⤵
  PID:4468
- - C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe
    "C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe" "c:\windows\jaxoidaxtfuavtaufefw.exe*."
    3⤵
    PID:1152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqogbxvtqdtawvdykkmec.exe
1⤵
PID:3268
- C:\Users\Admin\AppData\Local\Temp\yqogbxvtqdtawvdykkmec.exe
  C:\Users\Admin\AppData\Local\Temp\yqogbxvtqdtawvdykkmec.exe
  2⤵
  PID:4460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cqkyphbvoxjmezduc.exe .
1⤵
PID:2940
- C:\Users\Admin\AppData\Local\Temp\cqkyphbvoxjmezduc.exe
  C:\Users\Admin\AppData\Local\Temp\cqkyphbvoxjmezduc.exe .
  2⤵
  PID:392
- - C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe
    "C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe" "c:\users\admin\appdata\local\temp\cqkyphbvoxjmezduc.exe*."
    3⤵
    PID:1404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\viboevohzhsulfiy.exe
1⤵
PID:4672
- C:\Users\Admin\AppData\Local\Temp\viboevohzhsulfiy.exe
  C:\Users\Admin\AppData\Local\Temp\viboevohzhsulfiy.exe
  2⤵
  PID:4820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\viboevohzhsulfiy.exe .
1⤵
PID:2352
- C:\Users\Admin\AppData\Local\Temp\viboevohzhsulfiy.exe
  C:\Users\Admin\AppData\Local\Temp\viboevohzhsulfiy.exe .
  2⤵
  PID:1688
- - C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe
    "C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe" "c:\users\admin\appdata\local\temp\viboevohzhsulfiy.exe*."
    3⤵
    PID:3256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c viboevohzhsulfiy.exe
1⤵
PID:2868
- C:\Windows\viboevohzhsulfiy.exe
  viboevohzhsulfiy.exe
  2⤵
  PID:1508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jaxoidaxtfuavtaufefw.exe .
1⤵
PID:1452
- C:\Windows\jaxoidaxtfuavtaufefw.exe
  jaxoidaxtfuavtaufefw.exe .
  2⤵
  PID:2788
- - C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe
    "C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe" "c:\windows\jaxoidaxtfuavtaufefw.exe*."
    3⤵
    PID:676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cqkyphbvoxjmezduc.exe
1⤵
PID:660
- C:\Windows\cqkyphbvoxjmezduc.exe
  cqkyphbvoxjmezduc.exe
  2⤵
  PID:3588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cqkyphbvoxjmezduc.exe .
1⤵
PID:5044
- C:\Windows\cqkyphbvoxjmezduc.exe
  cqkyphbvoxjmezduc.exe .
  2⤵
  PID:756
- - C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe
    "C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe" "c:\windows\cqkyphbvoxjmezduc.exe*."
    3⤵
    PID:3436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wmiyrlhdyjxcwtzscaa.exe
1⤵
PID:2384
- C:\Users\Admin\AppData\Local\Temp\wmiyrlhdyjxcwtzscaa.exe
  C:\Users\Admin\AppData\Local\Temp\wmiyrlhdyjxcwtzscaa.exe
  2⤵
  PID:4400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqogbxvtqdtawvdykkmec.exe .
1⤵
PID:1896
- C:\Users\Admin\AppData\Local\Temp\yqogbxvtqdtawvdykkmec.exe
  C:\Users\Admin\AppData\Local\Temp\yqogbxvtqdtawvdykkmec.exe .
  2⤵
  PID:3168
- - C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe
    "C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe" "c:\users\admin\appdata\local\temp\yqogbxvtqdtawvdykkmec.exe*."
    3⤵
    PID:2284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cqkyphbvoxjmezduc.exe
1⤵
PID:1732
- C:\Windows\cqkyphbvoxjmezduc.exe
  cqkyphbvoxjmezduc.exe
  2⤵
  PID:2360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqogbxvtqdtawvdykkmec.exe
1⤵
PID:4160
- C:\Windows\yqogbxvtqdtawvdykkmec.exe
  yqogbxvtqdtawvdykkmec.exe
  2⤵
  PID:3996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jaxoidaxtfuavtaufefw.exe .
1⤵
PID:4756
- C:\Windows\jaxoidaxtfuavtaufefw.exe
  jaxoidaxtfuavtaufefw.exe .
  2⤵
  PID:3760
- - C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe
    "C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe" "c:\windows\jaxoidaxtfuavtaufefw.exe*."
    3⤵
    PID:4548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c viboevohzhsulfiy.exe .
1⤵
PID:384
- C:\Windows\viboevohzhsulfiy.exe
  viboevohzhsulfiy.exe .
  2⤵
  PID:60
- - C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe
    "C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe" "c:\windows\viboevohzhsulfiy.exe*."
    3⤵
    PID:1712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lavkcvqlfpcgzvasby.exe
1⤵
PID:1868
- C:\Users\Admin\AppData\Local\Temp\lavkcvqlfpcgzvasby.exe
  C:\Users\Admin\AppData\Local\Temp\lavkcvqlfpcgzvasby.exe
  2⤵
  PID:3416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqogbxvtqdtawvdykkmec.exe
1⤵
PID:2724
- C:\Windows\yqogbxvtqdtawvdykkmec.exe
  yqogbxvtqdtawvdykkmec.exe
  2⤵
  PID:1056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cqkyphbvoxjmezduc.exe .
1⤵
PID:3448
- C:\Users\Admin\AppData\Local\Temp\cqkyphbvoxjmezduc.exe
  C:\Users\Admin\AppData\Local\Temp\cqkyphbvoxjmezduc.exe .
  2⤵
  PID:3880
- - C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe
    "C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe" "c:\users\admin\appdata\local\temp\cqkyphbvoxjmezduc.exe*."
    3⤵
    PID:2768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c viboevohzhsulfiy.exe
1⤵
PID:3460
- C:\Windows\viboevohzhsulfiy.exe
  viboevohzhsulfiy.exe
  2⤵
  PID:2104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmiyrlhdyjxcwtzscaa.exe .
1⤵
PID:3928
- C:\Windows\wmiyrlhdyjxcwtzscaa.exe
  wmiyrlhdyjxcwtzscaa.exe .
  2⤵
  PID:4464
- - C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe
    "C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe" "c:\windows\wmiyrlhdyjxcwtzscaa.exe*."
    3⤵
    PID:1404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jaxoidaxtfuavtaufefw.exe
1⤵
PID:1984
- C:\Users\Admin\AppData\Local\Temp\jaxoidaxtfuavtaufefw.exe
  C:\Users\Admin\AppData\Local\Temp\jaxoidaxtfuavtaufefw.exe
  2⤵
  PID:4704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c lavkcvqlfpcgzvasby.exe .
1⤵
PID:1932
- C:\Windows\lavkcvqlfpcgzvasby.exe
  lavkcvqlfpcgzvasby.exe .
  2⤵
  PID:2660
- - C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe
    "C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe" "c:\windows\lavkcvqlfpcgzvasby.exe*."
    3⤵
    PID:3316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lavkcvqlfpcgzvasby.exe .
1⤵
PID:3148
- C:\Users\Admin\AppData\Local\Temp\lavkcvqlfpcgzvasby.exe
  C:\Users\Admin\AppData\Local\Temp\lavkcvqlfpcgzvasby.exe .
  2⤵
  PID:1392
- - C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe
    "C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe" "c:\users\admin\appdata\local\temp\lavkcvqlfpcgzvasby.exe*."
    3⤵
    PID:4628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cqkyphbvoxjmezduc.exe
1⤵
PID:3652
- C:\Users\Admin\AppData\Local\Temp\cqkyphbvoxjmezduc.exe
  C:\Users\Admin\AppData\Local\Temp\cqkyphbvoxjmezduc.exe
  2⤵
  PID:4632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqogbxvtqdtawvdykkmec.exe .
1⤵
PID:4708
- C:\Users\Admin\AppData\Local\Temp\yqogbxvtqdtawvdykkmec.exe
  C:\Users\Admin\AppData\Local\Temp\yqogbxvtqdtawvdykkmec.exe .
  2⤵
  PID:4812
- - C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe
    "C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe" "c:\users\admin\appdata\local\temp\yqogbxvtqdtawvdykkmec.exe*."
    3⤵
    PID:2064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wmiyrlhdyjxcwtzscaa.exe
1⤵
PID:3040
- C:\Users\Admin\AppData\Local\Temp\wmiyrlhdyjxcwtzscaa.exe
  C:\Users\Admin\AppData\Local\Temp\wmiyrlhdyjxcwtzscaa.exe
  2⤵
  PID:1604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\viboevohzhsulfiy.exe
1⤵
PID:3844
- C:\Users\Admin\AppData\Local\Temp\viboevohzhsulfiy.exe
  C:\Users\Admin\AppData\Local\Temp\viboevohzhsulfiy.exe
  2⤵
  PID:4488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jaxoidaxtfuavtaufefw.exe .
1⤵
PID:4696
- C:\Users\Admin\AppData\Local\Temp\jaxoidaxtfuavtaufefw.exe
  C:\Users\Admin\AppData\Local\Temp\jaxoidaxtfuavtaufefw.exe .
  2⤵
  PID:4632
- - C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe
    "C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe" "c:\users\admin\appdata\local\temp\jaxoidaxtfuavtaufefw.exe*."
    3⤵
    PID:1060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\viboevohzhsulfiy.exe .
1⤵
PID:3916
- C:\Users\Admin\AppData\Local\Temp\viboevohzhsulfiy.exe
  C:\Users\Admin\AppData\Local\Temp\viboevohzhsulfiy.exe .
  2⤵
  PID:2400
- - C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe
    "C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe" "c:\users\admin\appdata\local\temp\viboevohzhsulfiy.exe*."
    3⤵
    PID:4776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqogbxvtqdtawvdykkmec.exe
1⤵
PID:1868
- C:\Windows\yqogbxvtqdtawvdykkmec.exe
  yqogbxvtqdtawvdykkmec.exe
  2⤵
  PID:384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c lavkcvqlfpcgzvasby.exe .
1⤵
PID:856
- C:\Windows\lavkcvqlfpcgzvasby.exe
  lavkcvqlfpcgzvasby.exe .
  2⤵
  PID:3788
- - C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe
    "C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe" "c:\windows\lavkcvqlfpcgzvasby.exe*."
    3⤵
    PID:2380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c viboevohzhsulfiy.exe
1⤵
PID:4284
- C:\Windows\viboevohzhsulfiy.exe
  viboevohzhsulfiy.exe
  2⤵
  PID:3468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c lavkcvqlfpcgzvasby.exe .
1⤵
PID:1424
- C:\Windows\lavkcvqlfpcgzvasby.exe
  lavkcvqlfpcgzvasby.exe .
  2⤵
  PID:2308
- - C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe
    "C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe" "c:\windows\lavkcvqlfpcgzvasby.exe*."
    3⤵
    PID:2824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jaxoidaxtfuavtaufefw.exe
1⤵
PID:1136
- C:\Users\Admin\AppData\Local\Temp\jaxoidaxtfuavtaufefw.exe
  C:\Users\Admin\AppData\Local\Temp\jaxoidaxtfuavtaufefw.exe
  2⤵
  PID:2064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wmiyrlhdyjxcwtzscaa.exe .
1⤵
PID:1812
- C:\Users\Admin\AppData\Local\Temp\wmiyrlhdyjxcwtzscaa.exe
  C:\Users\Admin\AppData\Local\Temp\wmiyrlhdyjxcwtzscaa.exe .
  2⤵
  PID:2200
- - C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe
    "C:\Users\Admin\AppData\Local\Temp\jgshfqsitqc.exe" "c:\users\admin\appdata\local\temp\wmiyrlhdyjxcwtzscaa.exe*."
    3⤵
    PID:216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lavkcvqlfpcgzvasby.exe
1⤵
PID:4820
- C:\Users\Admin\AppData\Local\Temp\lavkcvqlfpcgzvasby.exe
  C:\Users\Admin\AppData\Local\Temp\lavkcvqlfpcgzvasby.exe
  2⤵
  PID:4584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lavkcvqlfpcgzvasby.exe .
1⤵
PID:3160

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3906055 /state1:0x41c64e6d
1⤵
PID:1000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Safe Mode Boot

T1562.009

Modify Registry