pykspa | fee5238781445c4ab42965493f89ed336d233e263a2f8e48e18d41cb429c26ac

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	ddlmy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	ddlmy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	myjtkkdhwit.exe

Pykspa
Pykspa is a worm spreads via Skype uses DGA and it's written in C++.
worm pykspa
Pykspa family
pykspa

UAC bypass 3 TTPs 29 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ddlmy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ddlmy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ddlmy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ddlmy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ddlmy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ddlmy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ddlmy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ddlmy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe

Detect Pykspa worm 2 IoCs

worm

resource	yara_rule
behavioral2/files/0x000f000000022edf-4.dat	family_pykspa
behavioral2/files/0x000b0000000240a0-80.dat	family_pykspa

Adds policy Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ddlmy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\odaqrgdwmhxsmffoqdkz.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ddlmy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\odaqrgdwmhxsmffoqdkz.exe"	ddlmy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qteixals = "bplaaokcrlaunfemnzf.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qteixals = "dtrikaysjfwsnhisvjrhf.exe"	ddlmy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ddlmy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qdymlytkyrfyqhfmmx.exe"	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ddlmy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qdymlytkyrfyqhfmmx.exe"	ddlmy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qteixals = "bplaaokcrlaunfemnzf.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qteixals = "htnaykeuhzmevlion.exe"	ddlmy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qteixals = "qdymlytkyrfyqhfmmx.exe"	ddlmy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ddlmy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aleqnyrgsjvmcrns.exe"	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qteixals = "aleqnyrgsjvmcrns.exe"	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ddlmy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ddlmy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\htnaykeuhzmevlion.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ddlmy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\htnaykeuhzmevlion.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qteixals = "bplaaokcrlaunfemnzf.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ddlmy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\odaqrgdwmhxsmffoqdkz.exe"	ddlmy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qteixals = "qdymlytkyrfyqhfmmx.exe"	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ddlmy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\htnaykeuhzmevlion.exe"	ddlmy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ddlmy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qdymlytkyrfyqhfmmx.exe"	ddlmy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ddlmy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\odaqrgdwmhxsmffoqdkz.exe"	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qteixals = "htnaykeuhzmevlion.exe"	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qteixals = "htnaykeuhzmevlion.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qteixals = "dtrikaysjfwsnhisvjrhf.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qteixals = "aleqnyrgsjvmcrns.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qteixals = "htnaykeuhzmevlion.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qteixals = "htnaykeuhzmevlion.exe"	ddlmy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qteixals = "htnaykeuhzmevlion.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ddlmy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\htnaykeuhzmevlion.exe"	ddlmy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ddlmy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qdymlytkyrfyqhfmmx.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ddlmy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\odaqrgdwmhxsmffoqdkz.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qteixals = "odaqrgdwmhxsmffoqdkz.exe"	ddlmy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qteixals = "aleqnyrgsjvmcrns.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ddlmy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bplaaokcrlaunfemnzf.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ddlmy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\odaqrgdwmhxsmffoqdkz.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qteixals = "htnaykeuhzmevlion.exe"	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qteixals = "aleqnyrgsjvmcrns.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ddlmy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aleqnyrgsjvmcrns.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ddlmy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\htnaykeuhzmevlion.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qteixals = "odaqrgdwmhxsmffoqdkz.exe"	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ddlmy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qteixals = "bplaaokcrlaunfemnzf.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ddlmy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bplaaokcrlaunfemnzf.exe"	ddlmy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ddlmy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aleqnyrgsjvmcrns.exe"	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ddlmy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aleqnyrgsjvmcrns.exe"	ddlmy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ddlmy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qdymlytkyrfyqhfmmx.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qteixals = "dtrikaysjfwsnhisvjrhf.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ddlmy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dtrikaysjfwsnhisvjrhf.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qteixals = "bplaaokcrlaunfemnzf.exe"	ddlmy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qteixals = "aleqnyrgsjvmcrns.exe"	myjtkkdhwit.exe

Disables RegEdit via registry modification 6 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ddlmy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ddlmy.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ddlmy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ddlmy.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	myjtkkdhwit.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	htnaykeuhzmevlion.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	aleqnyrgsjvmcrns.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	bplaaokcrlaunfemnzf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	odaqrgdwmhxsmffoqdkz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	bplaaokcrlaunfemnzf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	qdymlytkyrfyqhfmmx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	htnaykeuhzmevlion.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	dtrikaysjfwsnhisvjrhf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	bplaaokcrlaunfemnzf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	bplaaokcrlaunfemnzf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	qdymlytkyrfyqhfmmx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	aleqnyrgsjvmcrns.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	odaqrgdwmhxsmffoqdkz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	aleqnyrgsjvmcrns.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	odaqrgdwmhxsmffoqdkz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	aleqnyrgsjvmcrns.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	aleqnyrgsjvmcrns.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	qdymlytkyrfyqhfmmx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	qdymlytkyrfyqhfmmx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	aleqnyrgsjvmcrns.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	htnaykeuhzmevlion.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	aleqnyrgsjvmcrns.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	dtrikaysjfwsnhisvjrhf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	odaqrgdwmhxsmffoqdkz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	myjtkkdhwit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	qdymlytkyrfyqhfmmx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	bplaaokcrlaunfemnzf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	htnaykeuhzmevlion.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	aleqnyrgsjvmcrns.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	htnaykeuhzmevlion.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	htnaykeuhzmevlion.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	htnaykeuhzmevlion.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	bplaaokcrlaunfemnzf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	dtrikaysjfwsnhisvjrhf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	odaqrgdwmhxsmffoqdkz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	odaqrgdwmhxsmffoqdkz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	bplaaokcrlaunfemnzf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	odaqrgdwmhxsmffoqdkz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	aleqnyrgsjvmcrns.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	htnaykeuhzmevlion.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	qdymlytkyrfyqhfmmx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	htnaykeuhzmevlion.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	dtrikaysjfwsnhisvjrhf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	qdymlytkyrfyqhfmmx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	qdymlytkyrfyqhfmmx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	qdymlytkyrfyqhfmmx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	bplaaokcrlaunfemnzf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	qdymlytkyrfyqhfmmx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	bplaaokcrlaunfemnzf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	bplaaokcrlaunfemnzf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	htnaykeuhzmevlion.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	dtrikaysjfwsnhisvjrhf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	odaqrgdwmhxsmffoqdkz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	bplaaokcrlaunfemnzf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	odaqrgdwmhxsmffoqdkz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	aleqnyrgsjvmcrns.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	aleqnyrgsjvmcrns.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	aleqnyrgsjvmcrns.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	dtrikaysjfwsnhisvjrhf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	aleqnyrgsjvmcrns.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	htnaykeuhzmevlion.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	bplaaokcrlaunfemnzf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	aleqnyrgsjvmcrns.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	odaqrgdwmhxsmffoqdkz.exe

Executes dropped EXE 64 IoCs

pid	Process
2964	myjtkkdhwit.exe
4912	dtrikaysjfwsnhisvjrhf.exe
1944	bplaaokcrlaunfemnzf.exe
4824	myjtkkdhwit.exe
4892	aleqnyrgsjvmcrns.exe
5884	aleqnyrgsjvmcrns.exe
5368	aleqnyrgsjvmcrns.exe
2860	myjtkkdhwit.exe
4840	aleqnyrgsjvmcrns.exe
5656	myjtkkdhwit.exe
2792	qdymlytkyrfyqhfmmx.exe
1076	qdymlytkyrfyqhfmmx.exe
3488	myjtkkdhwit.exe
2700	ddlmy.exe
5576	ddlmy.exe
1956	bplaaokcrlaunfemnzf.exe
6068	dtrikaysjfwsnhisvjrhf.exe
1032	dtrikaysjfwsnhisvjrhf.exe
4336	myjtkkdhwit.exe
1732	bplaaokcrlaunfemnzf.exe
3580	odaqrgdwmhxsmffoqdkz.exe
2996	myjtkkdhwit.exe
1128	aleqnyrgsjvmcrns.exe
1228	dtrikaysjfwsnhisvjrhf.exe
4492	dtrikaysjfwsnhisvjrhf.exe
4828	qdymlytkyrfyqhfmmx.exe
2492	myjtkkdhwit.exe
4832	bplaaokcrlaunfemnzf.exe
5372	bplaaokcrlaunfemnzf.exe
3032	dtrikaysjfwsnhisvjrhf.exe
2232	odaqrgdwmhxsmffoqdkz.exe
2860	myjtkkdhwit.exe
5308	myjtkkdhwit.exe
4840	bplaaokcrlaunfemnzf.exe
2336	odaqrgdwmhxsmffoqdkz.exe
5656	myjtkkdhwit.exe
3504	qdymlytkyrfyqhfmmx.exe
6052	myjtkkdhwit.exe
3620	bplaaokcrlaunfemnzf.exe
5244	myjtkkdhwit.exe
5188	dtrikaysjfwsnhisvjrhf.exe
5280	myjtkkdhwit.exe
4584	aleqnyrgsjvmcrns.exe
1040	bplaaokcrlaunfemnzf.exe
984	odaqrgdwmhxsmffoqdkz.exe
5744	myjtkkdhwit.exe
2116	bplaaokcrlaunfemnzf.exe
3452	myjtkkdhwit.exe
5952	htnaykeuhzmevlion.exe
4004	odaqrgdwmhxsmffoqdkz.exe
5248	myjtkkdhwit.exe
5032	bplaaokcrlaunfemnzf.exe
4632	bplaaokcrlaunfemnzf.exe
4804	bplaaokcrlaunfemnzf.exe
5620	myjtkkdhwit.exe
4532	aleqnyrgsjvmcrns.exe
2328	htnaykeuhzmevlion.exe
3692	aleqnyrgsjvmcrns.exe
4692	myjtkkdhwit.exe
4868	odaqrgdwmhxsmffoqdkz.exe
4780	qdymlytkyrfyqhfmmx.exe
4904	myjtkkdhwit.exe
4460	myjtkkdhwit.exe
3828	dtrikaysjfwsnhisvjrhf.exe

Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	ddlmy.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	ddlmy.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	ddlmy.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	ddlmy.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	ddlmy.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	ddlmy.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

defense_evasion persistence privilege_escalation

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bdnqegq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aleqnyrgsjvmcrns.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hlxcswiqv = "odaqrgdwmhxsmffoqdkz.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\szowpwlwerzm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bplaaokcrlaunfemnzf.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hlxcswiqv = "dtrikaysjfwsnhisvjrhf.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\opyano = "htnaykeuhzmevlion.exe"	ddlmy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\afsypuhqwh = "aleqnyrgsjvmcrns.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\opyano = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dtrikaysjfwsnhisvjrhf.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vbpwouiszls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qdymlytkyrfyqhfmmx.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\opyano = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dtrikaysjfwsnhisvjrhf.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\opyano = "dtrikaysjfwsnhisvjrhf.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\afsypuhqwh = "aleqnyrgsjvmcrns.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bdnqegq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\htnaykeuhzmevlion.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vbpwouiszls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aleqnyrgsjvmcrns.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bdnqegq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bplaaokcrlaunfemnzf.exe ."	ddlmy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\afsypuhqwh = "aleqnyrgsjvmcrns.exe ."	ddlmy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\opyano = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qdymlytkyrfyqhfmmx.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hlxcswiqv = "bplaaokcrlaunfemnzf.exe"	ddlmy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hlxcswiqv = "bplaaokcrlaunfemnzf.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\afsypuhqwh = "htnaykeuhzmevlion.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\opyano = "htnaykeuhzmevlion.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\szowpwlwerzm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aleqnyrgsjvmcrns.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\afsypuhqwh = "bplaaokcrlaunfemnzf.exe ."	ddlmy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vbpwouiszls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dtrikaysjfwsnhisvjrhf.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\opyano = "dtrikaysjfwsnhisvjrhf.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\opyano = "qdymlytkyrfyqhfmmx.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\afsypuhqwh = "qdymlytkyrfyqhfmmx.exe ."	ddlmy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\afsypuhqwh = "dtrikaysjfwsnhisvjrhf.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hlxcswiqv = "bplaaokcrlaunfemnzf.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bdnqegq = "bplaaokcrlaunfemnzf.exe ."	ddlmy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vbpwouiszls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aleqnyrgsjvmcrns.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bdnqegq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\htnaykeuhzmevlion.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\opyano = "C:\\Users\\Admin\\AppData\\Local\\Temp\\odaqrgdwmhxsmffoqdkz.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vbpwouiszls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bplaaokcrlaunfemnzf.exe ."	ddlmy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\szowpwlwerzm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\odaqrgdwmhxsmffoqdkz.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\opyano = "qdymlytkyrfyqhfmmx.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vbpwouiszls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\odaqrgdwmhxsmffoqdkz.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\szowpwlwerzm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aleqnyrgsjvmcrns.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\opyano = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bplaaokcrlaunfemnzf.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\szowpwlwerzm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qdymlytkyrfyqhfmmx.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\opyano = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qdymlytkyrfyqhfmmx.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bdnqegq = "aleqnyrgsjvmcrns.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bdnqegq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\htnaykeuhzmevlion.exe ."	ddlmy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\opyano = "C:\\Users\\Admin\\AppData\\Local\\Temp\\odaqrgdwmhxsmffoqdkz.exe"	ddlmy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hlxcswiqv = "aleqnyrgsjvmcrns.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vbpwouiszls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aleqnyrgsjvmcrns.exe ."	ddlmy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\opyano = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bplaaokcrlaunfemnzf.exe"	ddlmy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vbpwouiszls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\htnaykeuhzmevlion.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vbpwouiszls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qdymlytkyrfyqhfmmx.exe ."	ddlmy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bdnqegq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\htnaykeuhzmevlion.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bdnqegq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bplaaokcrlaunfemnzf.exe ."	ddlmy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\opyano = "bplaaokcrlaunfemnzf.exe"	ddlmy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\szowpwlwerzm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\htnaykeuhzmevlion.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\opyano = "odaqrgdwmhxsmffoqdkz.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\opyano = "bplaaokcrlaunfemnzf.exe"	ddlmy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\opyano = "bplaaokcrlaunfemnzf.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\opyano = "dtrikaysjfwsnhisvjrhf.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hlxcswiqv = "dtrikaysjfwsnhisvjrhf.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bdnqegq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\htnaykeuhzmevlion.exe ."	ddlmy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\szowpwlwerzm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\htnaykeuhzmevlion.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bdnqegq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aleqnyrgsjvmcrns.exe ."	myjtkkdhwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\opyano = "C:\\Users\\Admin\\AppData\\Local\\Temp\\odaqrgdwmhxsmffoqdkz.exe"	ddlmy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bdnqegq = "odaqrgdwmhxsmffoqdkz.exe ."	ddlmy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\opyano = "qdymlytkyrfyqhfmmx.exe"	myjtkkdhwit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bdnqegq = "aleqnyrgsjvmcrns.exe ."	myjtkkdhwit.exe

Checks whether UAC is enabled 1 TTPs 40 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ddlmy.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ddlmy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ddlmy.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ddlmy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	myjtkkdhwit.exe

Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs

Possible Turn off User Account Control's privilege elevation for standard users.

Executable Installer File Permissions Weakness

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	ddlmy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	ddlmy.exe

Looks up external IP address via web service 7 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
24	whatismyipaddress.com
32	whatismyip.everdot.org
37	www.showmyipaddress.com
42	www.whatismyip.ca
48	www.whatismyip.ca
49	whatismyip.everdot.org
66	www.whatismyip.ca

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ulkcfwvqifxuqlnycrarqi.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\htnaykeuhzmevlion.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\bplaaokcrlaunfemnzf.exe	ddlmy.exe
File opened for modification	C:\Windows\SysWOW64\aleqnyrgsjvmcrns.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\htnaykeuhzmevlion.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\qdymlytkyrfyqhfmmx.exe	ddlmy.exe
File opened for modification	C:\Windows\SysWOW64\dtrikaysjfwsnhisvjrhf.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\qdymlytkyrfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\dtrikaysjfwsnhisvjrhf.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\qdymlytkyrfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\bplaaokcrlaunfemnzf.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\dtrikaysjfwsnhisvjrhf.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\ezcyfadcyzvwwvbqyrezcy.adc	ddlmy.exe
File opened for modification	C:\Windows\SysWOW64\odaqrgdwmhxsmffoqdkz.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\dtrikaysjfwsnhisvjrhf.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\ulkcfwvqifxuqlnycrarqi.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\ulkcfwvqifxuqlnycrarqi.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\odaqrgdwmhxsmffoqdkz.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\ulkcfwvqifxuqlnycrarqi.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\odaqrgdwmhxsmffoqdkz.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\htnaykeuhzmevlion.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\aleqnyrgsjvmcrns.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\dtrikaysjfwsnhisvjrhf.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\htnaykeuhzmevlion.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\bplaaokcrlaunfemnzf.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\dtrikaysjfwsnhisvjrhf.exe	ddlmy.exe
File opened for modification	C:\Windows\SysWOW64\aleqnyrgsjvmcrns.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\ulkcfwvqifxuqlnycrarqi.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\dtrikaysjfwsnhisvjrhf.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\ulkcfwvqifxuqlnycrarqi.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\odaqrgdwmhxsmffoqdkz.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\aleqnyrgsjvmcrns.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\ulkcfwvqifxuqlnycrarqi.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\dtrikaysjfwsnhisvjrhf.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\ulkcfwvqifxuqlnycrarqi.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\bplaaokcrlaunfemnzf.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\aleqnyrgsjvmcrns.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\ulkcfwvqifxuqlnycrarqi.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\aleqnyrgsjvmcrns.exe	ddlmy.exe
File opened for modification	C:\Windows\SysWOW64\ulkcfwvqifxuqlnycrarqi.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\aleqnyrgsjvmcrns.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\aleqnyrgsjvmcrns.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\aleqnyrgsjvmcrns.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\qdymlytkyrfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\aleqnyrgsjvmcrns.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\qdymlytkyrfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\aleqnyrgsjvmcrns.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\qdymlytkyrfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\qdymlytkyrfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\htnaykeuhzmevlion.exe	ddlmy.exe
File opened for modification	C:\Windows\SysWOW64\ulkcfwvqifxuqlnycrarqi.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\dtrikaysjfwsnhisvjrhf.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\qdymlytkyrfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\bplaaokcrlaunfemnzf.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\aleqnyrgsjvmcrns.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\aleqnyrgsjvmcrns.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\odaqrgdwmhxsmffoqdkz.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\qdymlytkyrfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\aleqnyrgsjvmcrns.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\ulkcfwvqifxuqlnycrarqi.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\bplaaokcrlaunfemnzf.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\bplaaokcrlaunfemnzf.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\odaqrgdwmhxsmffoqdkz.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\SysWOW64\ulkcfwvqifxuqlnycrarqi.exe	myjtkkdhwit.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\vbpwouiszlsepzqqjnlrfmekyipbiufpg.zdb	ddlmy.exe
File created	C:\Program Files (x86)\vbpwouiszlsepzqqjnlrfmekyipbiufpg.zdb	ddlmy.exe
File opened for modification	C:\Program Files (x86)\ezcyfadcyzvwwvbqyrezcy.adc	ddlmy.exe
File created	C:\Program Files (x86)\ezcyfadcyzvwwvbqyrezcy.adc	ddlmy.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\bplaaokcrlaunfemnzf.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\ulkcfwvqifxuqlnycrarqi.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\htnaykeuhzmevlion.exe	ddlmy.exe
File opened for modification	C:\Windows\odaqrgdwmhxsmffoqdkz.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\odaqrgdwmhxsmffoqdkz.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\dtrikaysjfwsnhisvjrhf.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\ulkcfwvqifxuqlnycrarqi.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\htnaykeuhzmevlion.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\aleqnyrgsjvmcrns.exe	ddlmy.exe
File opened for modification	C:\Windows\aleqnyrgsjvmcrns.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\aleqnyrgsjvmcrns.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\odaqrgdwmhxsmffoqdkz.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\ulkcfwvqifxuqlnycrarqi.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\odaqrgdwmhxsmffoqdkz.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\bplaaokcrlaunfemnzf.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\qdymlytkyrfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\aleqnyrgsjvmcrns.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\htnaykeuhzmevlion.exe	ddlmy.exe
File opened for modification	C:\Windows\qdymlytkyrfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\qdymlytkyrfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\dtrikaysjfwsnhisvjrhf.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\ulkcfwvqifxuqlnycrarqi.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\dtrikaysjfwsnhisvjrhf.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\htnaykeuhzmevlion.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\htnaykeuhzmevlion.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\ulkcfwvqifxuqlnycrarqi.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\dtrikaysjfwsnhisvjrhf.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\htnaykeuhzmevlion.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\qdymlytkyrfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\htnaykeuhzmevlion.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\qdymlytkyrfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\dtrikaysjfwsnhisvjrhf.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\qdymlytkyrfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\bplaaokcrlaunfemnzf.exe	ddlmy.exe
File opened for modification	C:\Windows\qdymlytkyrfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\ulkcfwvqifxuqlnycrarqi.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\odaqrgdwmhxsmffoqdkz.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\aleqnyrgsjvmcrns.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\htnaykeuhzmevlion.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\qdymlytkyrfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\qdymlytkyrfyqhfmmx.exe	ddlmy.exe
File opened for modification	C:\Windows\qdymlytkyrfyqhfmmx.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\bplaaokcrlaunfemnzf.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\dtrikaysjfwsnhisvjrhf.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\dtrikaysjfwsnhisvjrhf.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\htnaykeuhzmevlion.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\ulkcfwvqifxuqlnycrarqi.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\bplaaokcrlaunfemnzf.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\htnaykeuhzmevlion.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\odaqrgdwmhxsmffoqdkz.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\ulkcfwvqifxuqlnycrarqi.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\htnaykeuhzmevlion.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\htnaykeuhzmevlion.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\aleqnyrgsjvmcrns.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\htnaykeuhzmevlion.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\bplaaokcrlaunfemnzf.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\dtrikaysjfwsnhisvjrhf.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\odaqrgdwmhxsmffoqdkz.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\bplaaokcrlaunfemnzf.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\odaqrgdwmhxsmffoqdkz.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\htnaykeuhzmevlion.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\odaqrgdwmhxsmffoqdkz.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\ulkcfwvqifxuqlnycrarqi.exe	myjtkkdhwit.exe
File opened for modification	C:\Windows\aleqnyrgsjvmcrns.exe	ddlmy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dtrikaysjfwsnhisvjrhf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aleqnyrgsjvmcrns.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bplaaokcrlaunfemnzf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aleqnyrgsjvmcrns.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dtrikaysjfwsnhisvjrhf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qdymlytkyrfyqhfmmx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	htnaykeuhzmevlion.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	odaqrgdwmhxsmffoqdkz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aleqnyrgsjvmcrns.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qdymlytkyrfyqhfmmx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qdymlytkyrfyqhfmmx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	htnaykeuhzmevlion.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aleqnyrgsjvmcrns.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	htnaykeuhzmevlion.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	htnaykeuhzmevlion.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dtrikaysjfwsnhisvjrhf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aleqnyrgsjvmcrns.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aleqnyrgsjvmcrns.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dtrikaysjfwsnhisvjrhf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	htnaykeuhzmevlion.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aleqnyrgsjvmcrns.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	htnaykeuhzmevlion.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qdymlytkyrfyqhfmmx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	odaqrgdwmhxsmffoqdkz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	odaqrgdwmhxsmffoqdkz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	htnaykeuhzmevlion.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bplaaokcrlaunfemnzf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qdymlytkyrfyqhfmmx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dtrikaysjfwsnhisvjrhf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dtrikaysjfwsnhisvjrhf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bplaaokcrlaunfemnzf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	odaqrgdwmhxsmffoqdkz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qdymlytkyrfyqhfmmx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	odaqrgdwmhxsmffoqdkz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	odaqrgdwmhxsmffoqdkz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aleqnyrgsjvmcrns.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bplaaokcrlaunfemnzf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddlmy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	htnaykeuhzmevlion.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qdymlytkyrfyqhfmmx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	odaqrgdwmhxsmffoqdkz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8b35c3401f106b86f1ef0d5b0dda2138.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bplaaokcrlaunfemnzf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qdymlytkyrfyqhfmmx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	htnaykeuhzmevlion.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bplaaokcrlaunfemnzf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aleqnyrgsjvmcrns.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qdymlytkyrfyqhfmmx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	odaqrgdwmhxsmffoqdkz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bplaaokcrlaunfemnzf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dtrikaysjfwsnhisvjrhf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bplaaokcrlaunfemnzf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qdymlytkyrfyqhfmmx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aleqnyrgsjvmcrns.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aleqnyrgsjvmcrns.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bplaaokcrlaunfemnzf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qdymlytkyrfyqhfmmx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	htnaykeuhzmevlion.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aleqnyrgsjvmcrns.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dtrikaysjfwsnhisvjrhf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	htnaykeuhzmevlion.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aleqnyrgsjvmcrns.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aleqnyrgsjvmcrns.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	htnaykeuhzmevlion.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5792	JaffaCakes118_8b35c3401f106b86f1ef0d5b0dda2138.exe
5792	JaffaCakes118_8b35c3401f106b86f1ef0d5b0dda2138.exe
5792	JaffaCakes118_8b35c3401f106b86f1ef0d5b0dda2138.exe
5792	JaffaCakes118_8b35c3401f106b86f1ef0d5b0dda2138.exe
5792	JaffaCakes118_8b35c3401f106b86f1ef0d5b0dda2138.exe
5792	JaffaCakes118_8b35c3401f106b86f1ef0d5b0dda2138.exe
5792	JaffaCakes118_8b35c3401f106b86f1ef0d5b0dda2138.exe
5792	JaffaCakes118_8b35c3401f106b86f1ef0d5b0dda2138.exe
5792	JaffaCakes118_8b35c3401f106b86f1ef0d5b0dda2138.exe
5792	JaffaCakes118_8b35c3401f106b86f1ef0d5b0dda2138.exe
5792	JaffaCakes118_8b35c3401f106b86f1ef0d5b0dda2138.exe
5792	JaffaCakes118_8b35c3401f106b86f1ef0d5b0dda2138.exe
5792	JaffaCakes118_8b35c3401f106b86f1ef0d5b0dda2138.exe
5792	JaffaCakes118_8b35c3401f106b86f1ef0d5b0dda2138.exe
5792	JaffaCakes118_8b35c3401f106b86f1ef0d5b0dda2138.exe
5792	JaffaCakes118_8b35c3401f106b86f1ef0d5b0dda2138.exe
2700	ddlmy.exe
2700	ddlmy.exe
5792	JaffaCakes118_8b35c3401f106b86f1ef0d5b0dda2138.exe
5792	JaffaCakes118_8b35c3401f106b86f1ef0d5b0dda2138.exe
5792	JaffaCakes118_8b35c3401f106b86f1ef0d5b0dda2138.exe
5792	JaffaCakes118_8b35c3401f106b86f1ef0d5b0dda2138.exe
5792	JaffaCakes118_8b35c3401f106b86f1ef0d5b0dda2138.exe
5792	JaffaCakes118_8b35c3401f106b86f1ef0d5b0dda2138.exe
5792	JaffaCakes118_8b35c3401f106b86f1ef0d5b0dda2138.exe
5792	JaffaCakes118_8b35c3401f106b86f1ef0d5b0dda2138.exe
5792	JaffaCakes118_8b35c3401f106b86f1ef0d5b0dda2138.exe
5792	JaffaCakes118_8b35c3401f106b86f1ef0d5b0dda2138.exe
5792	JaffaCakes118_8b35c3401f106b86f1ef0d5b0dda2138.exe
5792	JaffaCakes118_8b35c3401f106b86f1ef0d5b0dda2138.exe
5792	JaffaCakes118_8b35c3401f106b86f1ef0d5b0dda2138.exe
5792	JaffaCakes118_8b35c3401f106b86f1ef0d5b0dda2138.exe
5792	JaffaCakes118_8b35c3401f106b86f1ef0d5b0dda2138.exe
5792	JaffaCakes118_8b35c3401f106b86f1ef0d5b0dda2138.exe
5792	JaffaCakes118_8b35c3401f106b86f1ef0d5b0dda2138.exe
5792	JaffaCakes118_8b35c3401f106b86f1ef0d5b0dda2138.exe
5792	JaffaCakes118_8b35c3401f106b86f1ef0d5b0dda2138.exe
5792	JaffaCakes118_8b35c3401f106b86f1ef0d5b0dda2138.exe
5792	JaffaCakes118_8b35c3401f106b86f1ef0d5b0dda2138.exe
5792	JaffaCakes118_8b35c3401f106b86f1ef0d5b0dda2138.exe
5792	JaffaCakes118_8b35c3401f106b86f1ef0d5b0dda2138.exe
5792	JaffaCakes118_8b35c3401f106b86f1ef0d5b0dda2138.exe
5792	JaffaCakes118_8b35c3401f106b86f1ef0d5b0dda2138.exe
5792	JaffaCakes118_8b35c3401f106b86f1ef0d5b0dda2138.exe
5792	JaffaCakes118_8b35c3401f106b86f1ef0d5b0dda2138.exe
5792	JaffaCakes118_8b35c3401f106b86f1ef0d5b0dda2138.exe
5792	JaffaCakes118_8b35c3401f106b86f1ef0d5b0dda2138.exe
5792	JaffaCakes118_8b35c3401f106b86f1ef0d5b0dda2138.exe
5792	JaffaCakes118_8b35c3401f106b86f1ef0d5b0dda2138.exe
5792	JaffaCakes118_8b35c3401f106b86f1ef0d5b0dda2138.exe
5792	JaffaCakes118_8b35c3401f106b86f1ef0d5b0dda2138.exe
5792	JaffaCakes118_8b35c3401f106b86f1ef0d5b0dda2138.exe
5792	JaffaCakes118_8b35c3401f106b86f1ef0d5b0dda2138.exe
5792	JaffaCakes118_8b35c3401f106b86f1ef0d5b0dda2138.exe
5792	JaffaCakes118_8b35c3401f106b86f1ef0d5b0dda2138.exe
5792	JaffaCakes118_8b35c3401f106b86f1ef0d5b0dda2138.exe
5792	JaffaCakes118_8b35c3401f106b86f1ef0d5b0dda2138.exe
5792	JaffaCakes118_8b35c3401f106b86f1ef0d5b0dda2138.exe
2700	ddlmy.exe
2700	ddlmy.exe
5792	JaffaCakes118_8b35c3401f106b86f1ef0d5b0dda2138.exe
5792	JaffaCakes118_8b35c3401f106b86f1ef0d5b0dda2138.exe
5792	JaffaCakes118_8b35c3401f106b86f1ef0d5b0dda2138.exe
5792	JaffaCakes118_8b35c3401f106b86f1ef0d5b0dda2138.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2700	ddlmy.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5792 wrote to memory of 2964	5792	JaffaCakes118_8b35c3401f106b86f1ef0d5b0dda2138.exe	88
PID 5792 wrote to memory of 2964	5792	JaffaCakes118_8b35c3401f106b86f1ef0d5b0dda2138.exe	88
PID 5792 wrote to memory of 2964	5792	JaffaCakes118_8b35c3401f106b86f1ef0d5b0dda2138.exe	88
PID 4668 wrote to memory of 4912	4668	cmd.exe	93
PID 4668 wrote to memory of 4912	4668	cmd.exe	93
PID 4668 wrote to memory of 4912	4668	cmd.exe	93
PID 5756 wrote to memory of 1944	5756	cmd.exe	96
PID 5756 wrote to memory of 1944	5756	cmd.exe	96
PID 5756 wrote to memory of 1944	5756	cmd.exe	96
PID 1944 wrote to memory of 4824	1944	bplaaokcrlaunfemnzf.exe	97
PID 1944 wrote to memory of 4824	1944	bplaaokcrlaunfemnzf.exe	97
PID 1944 wrote to memory of 4824	1944	bplaaokcrlaunfemnzf.exe	97
PID 4836 wrote to memory of 4892	4836	cmd.exe	102
PID 4836 wrote to memory of 4892	4836	cmd.exe	102
PID 4836 wrote to memory of 4892	4836	cmd.exe	102
PID 5352 wrote to memory of 5884	5352	cmd.exe	105
PID 5352 wrote to memory of 5884	5352	cmd.exe	105
PID 5352 wrote to memory of 5884	5352	cmd.exe	105
PID 2960 wrote to memory of 5368	2960	cmd.exe	108
PID 2960 wrote to memory of 5368	2960	cmd.exe	108
PID 2960 wrote to memory of 5368	2960	cmd.exe	108
PID 5884 wrote to memory of 2860	5884	aleqnyrgsjvmcrns.exe	172
PID 5884 wrote to memory of 2860	5884	aleqnyrgsjvmcrns.exe	172
PID 5884 wrote to memory of 2860	5884	aleqnyrgsjvmcrns.exe	172
PID 536 wrote to memory of 4840	536	cmd.exe	174
PID 536 wrote to memory of 4840	536	cmd.exe	174
PID 536 wrote to memory of 4840	536	cmd.exe	174
PID 4840 wrote to memory of 5656	4840	aleqnyrgsjvmcrns.exe	176
PID 4840 wrote to memory of 5656	4840	aleqnyrgsjvmcrns.exe	176
PID 4840 wrote to memory of 5656	4840	aleqnyrgsjvmcrns.exe	176
PID 2824 wrote to memory of 2792	2824	cmd.exe	177
PID 2824 wrote to memory of 2792	2824	cmd.exe	177
PID 2824 wrote to memory of 2792	2824	cmd.exe	177
PID 3652 wrote to memory of 1076	3652	cmd.exe	119
PID 3652 wrote to memory of 1076	3652	cmd.exe	119
PID 3652 wrote to memory of 1076	3652	cmd.exe	119
PID 1076 wrote to memory of 3488	1076	qdymlytkyrfyqhfmmx.exe	120
PID 1076 wrote to memory of 3488	1076	qdymlytkyrfyqhfmmx.exe	120
PID 1076 wrote to memory of 3488	1076	qdymlytkyrfyqhfmmx.exe	120
PID 2964 wrote to memory of 2700	2964	myjtkkdhwit.exe	121
PID 2964 wrote to memory of 2700	2964	myjtkkdhwit.exe	121
PID 2964 wrote to memory of 2700	2964	myjtkkdhwit.exe	121
PID 2964 wrote to memory of 5576	2964	myjtkkdhwit.exe	122
PID 2964 wrote to memory of 5576	2964	myjtkkdhwit.exe	122
PID 2964 wrote to memory of 5576	2964	myjtkkdhwit.exe	122
PID 2372 wrote to memory of 1956	2372	cmd.exe	279
PID 2372 wrote to memory of 1956	2372	cmd.exe	279
PID 2372 wrote to memory of 1956	2372	cmd.exe	279
PID 1004 wrote to memory of 6068	1004	cmd.exe	130
PID 1004 wrote to memory of 6068	1004	cmd.exe	130
PID 1004 wrote to memory of 6068	1004	cmd.exe	130
PID 4400 wrote to memory of 1032	4400	cmd.exe	131
PID 4400 wrote to memory of 1032	4400	cmd.exe	131
PID 4400 wrote to memory of 1032	4400	cmd.exe	131
PID 1032 wrote to memory of 4336	1032	dtrikaysjfwsnhisvjrhf.exe	136
PID 1032 wrote to memory of 4336	1032	dtrikaysjfwsnhisvjrhf.exe	136
PID 1032 wrote to memory of 4336	1032	dtrikaysjfwsnhisvjrhf.exe	136
PID 4016 wrote to memory of 1732	4016	cmd.exe	137
PID 4016 wrote to memory of 1732	4016	cmd.exe	137
PID 4016 wrote to memory of 1732	4016	cmd.exe	137
PID 5600 wrote to memory of 3580	5600	cmd.exe	142
PID 5600 wrote to memory of 3580	5600	cmd.exe	142
PID 5600 wrote to memory of 3580	5600	cmd.exe	142
PID 1732 wrote to memory of 2996	1732	bplaaokcrlaunfemnzf.exe	150

System policy modification 1 TTPs 64 IoCs

defense_evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	ddlmy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ddlmy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	ddlmy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	ddlmy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	ddlmy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	ddlmy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ddlmy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ddlmy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	ddlmy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ddlmy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ddlmy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	ddlmy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	ddlmy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ddlmy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ddlmy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ddlmy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ddlmy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ddlmy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ddlmy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	ddlmy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	myjtkkdhwit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	myjtkkdhwit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	myjtkkdhwit.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8b35c3401f106b86f1ef0d5b0dda2138.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8b35c3401f106b86f1ef0d5b0dda2138.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5792
- C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
  "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_8b35c3401f106b86f1ef0d5b0dda2138.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Hijack Execution Flow: Executable Installer File Permissions Weakness
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2964
- - C:\Users\Admin\AppData\Local\Temp\ddlmy.exe
    "C:\Users\Admin\AppData\Local\Temp\ddlmy.exe" "-C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:2700
- - C:\Users\Admin\AppData\Local\Temp\ddlmy.exe
    "C:\Users\Admin\AppData\Local\Temp\ddlmy.exe" "-C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtrikaysjfwsnhisvjrhf.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4668
- C:\Windows\dtrikaysjfwsnhisvjrhf.exe
  dtrikaysjfwsnhisvjrhf.exe
  2⤵
  - Executes dropped EXE
  PID:4912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bplaaokcrlaunfemnzf.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:5756
- C:\Windows\bplaaokcrlaunfemnzf.exe
  bplaaokcrlaunfemnzf.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1944
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\bplaaokcrlaunfemnzf.exe*."
    3⤵
    - Executes dropped EXE
    PID:4824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aleqnyrgsjvmcrns.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4836
- C:\Windows\aleqnyrgsjvmcrns.exe
  aleqnyrgsjvmcrns.exe
  2⤵
  - Executes dropped EXE
  PID:4892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aleqnyrgsjvmcrns.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:5352
- C:\Windows\aleqnyrgsjvmcrns.exe
  aleqnyrgsjvmcrns.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5884
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\aleqnyrgsjvmcrns.exe*."
    3⤵
    - Executes dropped EXE
    PID:2860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:536
- C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe .
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4840
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\aleqnyrgsjvmcrns.exe*."
    3⤵
    - Executes dropped EXE
    PID:5656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe
  2⤵
  - Executes dropped EXE
  PID:2792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:3652
- C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1076
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\qdymlytkyrfyqhfmmx.exe*."
    3⤵
    - Executes dropped EXE
    PID:3488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bplaaokcrlaunfemnzf.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\bplaaokcrlaunfemnzf.exe
  bplaaokcrlaunfemnzf.exe
  2⤵
  - Executes dropped EXE
  PID:1956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtrikaysjfwsnhisvjrhf.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1004
- C:\Windows\dtrikaysjfwsnhisvjrhf.exe
  dtrikaysjfwsnhisvjrhf.exe
  2⤵
  - Executes dropped EXE
  PID:6068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtrikaysjfwsnhisvjrhf.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:4400
- C:\Windows\dtrikaysjfwsnhisvjrhf.exe
  dtrikaysjfwsnhisvjrhf.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1032
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\dtrikaysjfwsnhisvjrhf.exe*."
    3⤵
    - Executes dropped EXE
    PID:4336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bplaaokcrlaunfemnzf.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:4016
- C:\Windows\bplaaokcrlaunfemnzf.exe
  bplaaokcrlaunfemnzf.exe .
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\bplaaokcrlaunfemnzf.exe*."
    3⤵
    - Executes dropped EXE
    PID:2996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c odaqrgdwmhxsmffoqdkz.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5600
- C:\Windows\odaqrgdwmhxsmffoqdkz.exe
  odaqrgdwmhxsmffoqdkz.exe
  2⤵
  - Executes dropped EXE
  PID:3580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtrikaysjfwsnhisvjrhf.exe .
1⤵
PID:3680
- C:\Windows\dtrikaysjfwsnhisvjrhf.exe
  dtrikaysjfwsnhisvjrhf.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:1228
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\dtrikaysjfwsnhisvjrhf.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aleqnyrgsjvmcrns.exe
1⤵
PID:4516
- C:\Windows\aleqnyrgsjvmcrns.exe
  aleqnyrgsjvmcrns.exe
  2⤵
  - Executes dropped EXE
  PID:1128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe
1⤵
PID:5516
- C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe
  C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bplaaokcrlaunfemnzf.exe .
1⤵
PID:1792
- C:\Windows\bplaaokcrlaunfemnzf.exe
  bplaaokcrlaunfemnzf.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4832
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\bplaaokcrlaunfemnzf.exe*."
    3⤵
    - Executes dropped EXE
    PID:5308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe .
1⤵
PID:5448
- C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4828
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\qdymlytkyrfyqhfmmx.exe*."
    3⤵
    - Executes dropped EXE
    PID:2860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe
1⤵
PID:4008
- C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe
  C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe
  2⤵
  - Executes dropped EXE
  PID:5372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe .
1⤵
PID:4452
- C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe
  C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe .
  2⤵
  - Executes dropped EXE
  PID:3032
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\dtrikaysjfwsnhisvjrhf.exe*."
    3⤵
    - Executes dropped EXE
    PID:5656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
1⤵
PID:4508
- C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
  C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe .
1⤵
PID:1020
- C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3504
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\qdymlytkyrfyqhfmmx.exe*."
    3⤵
    - Executes dropped EXE
    PID:5244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
1⤵
PID:3204
- C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
  C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
  2⤵
  - Executes dropped EXE
  PID:2336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe .
1⤵
PID:4556
- C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe
  C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4840
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\bplaaokcrlaunfemnzf.exe*."
    3⤵
    - Executes dropped EXE
    PID:6052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bplaaokcrlaunfemnzf.exe
1⤵
PID:2792
- C:\Windows\bplaaokcrlaunfemnzf.exe
  bplaaokcrlaunfemnzf.exe
  2⤵
  - Executes dropped EXE
  PID:3620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtrikaysjfwsnhisvjrhf.exe .
1⤵
PID:5692
- C:\Windows\dtrikaysjfwsnhisvjrhf.exe
  dtrikaysjfwsnhisvjrhf.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5188
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\dtrikaysjfwsnhisvjrhf.exe*."
    3⤵
    - Executes dropped EXE
    PID:5280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aleqnyrgsjvmcrns.exe
1⤵
PID:5216
- C:\Windows\aleqnyrgsjvmcrns.exe
  aleqnyrgsjvmcrns.exe
  2⤵
  - Executes dropped EXE
  PID:4584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bplaaokcrlaunfemnzf.exe .
1⤵
PID:4264
- C:\Windows\bplaaokcrlaunfemnzf.exe
  bplaaokcrlaunfemnzf.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1040
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\bplaaokcrlaunfemnzf.exe*."
    3⤵
    - Executes dropped EXE
    PID:5744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
1⤵
PID:3548
- C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
  C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
  2⤵
  - Executes dropped EXE
  PID:984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe .
1⤵
PID:5148
- C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe
  C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2116
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\bplaaokcrlaunfemnzf.exe*."
    3⤵
    - Executes dropped EXE
    PID:3452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe
1⤵
PID:3436
- C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe .
1⤵
PID:5608
- C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
  C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4004
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\odaqrgdwmhxsmffoqdkz.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bplaaokcrlaunfemnzf.exe
1⤵
PID:616
- C:\Windows\bplaaokcrlaunfemnzf.exe
  bplaaokcrlaunfemnzf.exe
  2⤵
  - Executes dropped EXE
  PID:5032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bplaaokcrlaunfemnzf.exe .
1⤵
PID:4492
- C:\Windows\bplaaokcrlaunfemnzf.exe
  bplaaokcrlaunfemnzf.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4632
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\bplaaokcrlaunfemnzf.exe*."
    3⤵
    - Executes dropped EXE
    PID:5620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bplaaokcrlaunfemnzf.exe
1⤵
PID:4796
- C:\Windows\bplaaokcrlaunfemnzf.exe
  bplaaokcrlaunfemnzf.exe
  2⤵
  - Executes dropped EXE
  PID:4804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htnaykeuhzmevlion.exe
1⤵
PID:4964
- C:\Windows\htnaykeuhzmevlion.exe
  htnaykeuhzmevlion.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aleqnyrgsjvmcrns.exe .
1⤵
PID:3376
- C:\Windows\aleqnyrgsjvmcrns.exe
  aleqnyrgsjvmcrns.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4532
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\aleqnyrgsjvmcrns.exe*."
    3⤵
    - Executes dropped EXE
    PID:4692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qdymlytkyrfyqhfmmx.exe
1⤵
PID:3668
- C:\Windows\qdymlytkyrfyqhfmmx.exe
  qdymlytkyrfyqhfmmx.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aleqnyrgsjvmcrns.exe .
1⤵
PID:5368
- C:\Windows\aleqnyrgsjvmcrns.exe
  aleqnyrgsjvmcrns.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3692
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\aleqnyrgsjvmcrns.exe*."
    3⤵
    - Executes dropped EXE
    PID:4904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c odaqrgdwmhxsmffoqdkz.exe .
1⤵
PID:5520
- C:\Windows\odaqrgdwmhxsmffoqdkz.exe
  odaqrgdwmhxsmffoqdkz.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4868
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\odaqrgdwmhxsmffoqdkz.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtrikaysjfwsnhisvjrhf.exe
1⤵
PID:4424
- C:\Windows\dtrikaysjfwsnhisvjrhf.exe
  dtrikaysjfwsnhisvjrhf.exe
  2⤵
  - Executes dropped EXE
  PID:3828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe
1⤵
PID:1324
- C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe
  2⤵
  PID:908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aleqnyrgsjvmcrns.exe .
1⤵
PID:5988
- C:\Windows\aleqnyrgsjvmcrns.exe
  aleqnyrgsjvmcrns.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2184
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\aleqnyrgsjvmcrns.exe*."
    3⤵
    PID:3040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe .
1⤵
PID:4484
- C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe
  C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3188
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\dtrikaysjfwsnhisvjrhf.exe*."
    3⤵
    PID:4788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aleqnyrgsjvmcrns.exe
1⤵
PID:4756
- C:\Windows\aleqnyrgsjvmcrns.exe
  aleqnyrgsjvmcrns.exe
  2⤵
  PID:5944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe
1⤵
PID:3032
- C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe
  C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe
  2⤵
  PID:5752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aleqnyrgsjvmcrns.exe .
1⤵
PID:3204
- C:\Windows\aleqnyrgsjvmcrns.exe
  aleqnyrgsjvmcrns.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2292
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\aleqnyrgsjvmcrns.exe*."
    3⤵
    PID:4524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe .
1⤵
PID:4148
- C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe .
  2⤵
  - Checks computer location settings
  PID:544
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\aleqnyrgsjvmcrns.exe*."
    3⤵
    PID:5028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
1⤵
PID:3420
- C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
  C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
  2⤵
  PID:3728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe
1⤵
PID:5676
- C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe
  2⤵
  PID:1956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe .
1⤵
PID:4040
- C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
  C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2648
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\odaqrgdwmhxsmffoqdkz.exe*."
    3⤵
    PID:1824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe .
1⤵
PID:2304
- C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe .
  2⤵
  - Checks computer location settings
  PID:3452
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\htnaykeuhzmevlion.exe*."
    3⤵
    PID:1460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe
1⤵
PID:5324
- C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe
  C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe
  2⤵
  PID:1112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe .
1⤵
PID:1768
- C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe
  C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe .
  2⤵
  - Checks computer location settings
  PID:3104
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\bplaaokcrlaunfemnzf.exe*."
    3⤵
    PID:4688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe
1⤵
PID:2500
- C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe
  C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe
  2⤵
  PID:5716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe .
1⤵
PID:868
- C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4972
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\qdymlytkyrfyqhfmmx.exe*."
    3⤵
    PID:5060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qdymlytkyrfyqhfmmx.exe
1⤵
PID:8
- C:\Windows\qdymlytkyrfyqhfmmx.exe
  qdymlytkyrfyqhfmmx.exe
  2⤵
  PID:4164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htnaykeuhzmevlion.exe .
1⤵
PID:220
- C:\Windows\htnaykeuhzmevlion.exe
  htnaykeuhzmevlion.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2420
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\htnaykeuhzmevlion.exe*."
    3⤵
    PID:2336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qdymlytkyrfyqhfmmx.exe
1⤵
PID:2128
- C:\Windows\qdymlytkyrfyqhfmmx.exe
  qdymlytkyrfyqhfmmx.exe
  2⤵
  PID:4632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aleqnyrgsjvmcrns.exe .
1⤵
PID:616
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2232
- C:\Windows\aleqnyrgsjvmcrns.exe
  aleqnyrgsjvmcrns.exe .
  2⤵
  - Checks computer location settings
  PID:5760
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\aleqnyrgsjvmcrns.exe*."
    3⤵
    PID:4872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe
1⤵
PID:4772
- C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe
  2⤵
  PID:2072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe .
1⤵
PID:928
- C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4964
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\htnaykeuhzmevlion.exe*."
    3⤵
    PID:1464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe
1⤵
PID:3136
- C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe
  2⤵
  PID:4888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe .
1⤵
PID:460
- C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe
  C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5964
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\bplaaokcrlaunfemnzf.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - System policy modification
    PID:924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtrikaysjfwsnhisvjrhf.exe
1⤵
PID:5584
- C:\Windows\dtrikaysjfwsnhisvjrhf.exe
  dtrikaysjfwsnhisvjrhf.exe
  2⤵
  PID:6088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c odaqrgdwmhxsmffoqdkz.exe .
1⤵
PID:1560
- C:\Windows\odaqrgdwmhxsmffoqdkz.exe
  odaqrgdwmhxsmffoqdkz.exe .
  2⤵
  PID:548
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\odaqrgdwmhxsmffoqdkz.exe*."
    3⤵
    PID:4788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qdymlytkyrfyqhfmmx.exe
1⤵
PID:5212
- C:\Windows\qdymlytkyrfyqhfmmx.exe
  qdymlytkyrfyqhfmmx.exe
  2⤵
  PID:3032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aleqnyrgsjvmcrns.exe .
1⤵
PID:4220
- C:\Windows\aleqnyrgsjvmcrns.exe
  aleqnyrgsjvmcrns.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2664
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\aleqnyrgsjvmcrns.exe*."
    3⤵
    PID:5608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
1⤵
PID:4828
- C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
  C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
  2⤵
  PID:3228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe .
1⤵
PID:4812
- C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe .
  2⤵
  - Checks computer location settings
  PID:3420
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\aleqnyrgsjvmcrns.exe*."
    3⤵
    PID:5720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe
1⤵
PID:112
- C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe
  C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe
  2⤵
  PID:2028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe .
1⤵
PID:4536
- C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe
  C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe .
  2⤵
  PID:5432
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\dtrikaysjfwsnhisvjrhf.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aleqnyrgsjvmcrns.exe
1⤵
PID:2956
- C:\Windows\aleqnyrgsjvmcrns.exe
  aleqnyrgsjvmcrns.exe
  2⤵
  PID:6124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qdymlytkyrfyqhfmmx.exe .
1⤵
PID:4016
- C:\Windows\qdymlytkyrfyqhfmmx.exe
  qdymlytkyrfyqhfmmx.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5692
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\qdymlytkyrfyqhfmmx.exe*."
    3⤵
    PID:1776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qdymlytkyrfyqhfmmx.exe
1⤵
PID:1244
- C:\Windows\qdymlytkyrfyqhfmmx.exe
  qdymlytkyrfyqhfmmx.exe
  2⤵
  PID:5628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qdymlytkyrfyqhfmmx.exe .
1⤵
PID:2020
- C:\Windows\qdymlytkyrfyqhfmmx.exe
  qdymlytkyrfyqhfmmx.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4796
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\qdymlytkyrfyqhfmmx.exe*."
    3⤵
    PID:3680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe
1⤵
PID:2984
- C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe
  2⤵
  PID:4176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe .
1⤵
PID:5172
- C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
  C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4680
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\odaqrgdwmhxsmffoqdkz.exe*."
    3⤵
    PID:4516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe
1⤵
PID:4052
- C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe
  C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe
  2⤵
  PID:5496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe .
1⤵
PID:2068
- C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1252
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\htnaykeuhzmevlion.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qdymlytkyrfyqhfmmx.exe
1⤵
PID:732
- C:\Windows\qdymlytkyrfyqhfmmx.exe
  qdymlytkyrfyqhfmmx.exe
  2⤵
  PID:4892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtrikaysjfwsnhisvjrhf.exe .
1⤵
PID:3744
- C:\Windows\dtrikaysjfwsnhisvjrhf.exe
  dtrikaysjfwsnhisvjrhf.exe .
  2⤵
  PID:3112
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\dtrikaysjfwsnhisvjrhf.exe*."
    3⤵
    PID:4464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c odaqrgdwmhxsmffoqdkz.exe
1⤵
PID:5028
- C:\Windows\odaqrgdwmhxsmffoqdkz.exe
  odaqrgdwmhxsmffoqdkz.exe
  2⤵
  PID:4868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c odaqrgdwmhxsmffoqdkz.exe .
1⤵
PID:6036
- C:\Windows\odaqrgdwmhxsmffoqdkz.exe
  odaqrgdwmhxsmffoqdkz.exe .
  2⤵
  - Checks computer location settings
  PID:5964
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\odaqrgdwmhxsmffoqdkz.exe*."
    3⤵
    PID:5912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
1⤵
PID:448
- C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
  C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
  2⤵
  PID:4620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe .
1⤵
PID:2704
- C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe .
  2⤵
  - Checks computer location settings
  PID:4844
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\htnaykeuhzmevlion.exe*."
    3⤵
    PID:1916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
1⤵
PID:4216
- C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
  C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
  2⤵
  PID:5952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe .
1⤵
PID:2516
- C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3396
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\qdymlytkyrfyqhfmmx.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtrikaysjfwsnhisvjrhf.exe
1⤵
PID:2032
- C:\Windows\dtrikaysjfwsnhisvjrhf.exe
  dtrikaysjfwsnhisvjrhf.exe
  2⤵
  PID:760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htnaykeuhzmevlion.exe .
1⤵
PID:5324
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5280
- C:\Windows\htnaykeuhzmevlion.exe
  htnaykeuhzmevlion.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5232
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\htnaykeuhzmevlion.exe*."
    3⤵
    PID:2492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c odaqrgdwmhxsmffoqdkz.exe
1⤵
PID:5244
- C:\Windows\odaqrgdwmhxsmffoqdkz.exe
  odaqrgdwmhxsmffoqdkz.exe
  2⤵
  PID:4716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bplaaokcrlaunfemnzf.exe .
1⤵
PID:4664
- C:\Windows\bplaaokcrlaunfemnzf.exe
  bplaaokcrlaunfemnzf.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:112
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\bplaaokcrlaunfemnzf.exe*."
    3⤵
    PID:1004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe
1⤵
PID:1460
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4524
- C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe
  2⤵
  PID:4584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe .
1⤵
PID:1964
- C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
  C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe .
  2⤵
  - Checks computer location settings
  PID:2500
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\odaqrgdwmhxsmffoqdkz.exe*."
    3⤵
    PID:1840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe
1⤵
PID:6124
- C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe
  C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe
  2⤵
  PID:2272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe .
1⤵
PID:396
- C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
  C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe .
  2⤵
  PID:5692
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\odaqrgdwmhxsmffoqdkz.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qdymlytkyrfyqhfmmx.exe
1⤵
PID:4528
- C:\Windows\qdymlytkyrfyqhfmmx.exe
  qdymlytkyrfyqhfmmx.exe
  2⤵
  PID:2420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htnaykeuhzmevlion.exe .
1⤵
PID:5348
- C:\Windows\htnaykeuhzmevlion.exe
  htnaykeuhzmevlion.exe .
  2⤵
  - Checks computer location settings
  PID:2632
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\htnaykeuhzmevlion.exe*."
    3⤵
    PID:4420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtrikaysjfwsnhisvjrhf.exe
1⤵
PID:3488
- C:\Windows\dtrikaysjfwsnhisvjrhf.exe
  dtrikaysjfwsnhisvjrhf.exe
  2⤵
  PID:4632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c odaqrgdwmhxsmffoqdkz.exe .
1⤵
PID:4552
- C:\Windows\odaqrgdwmhxsmffoqdkz.exe
  odaqrgdwmhxsmffoqdkz.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2268
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\odaqrgdwmhxsmffoqdkz.exe*."
    3⤵
    PID:4872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe
1⤵
PID:4516
- C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe
  2⤵
  PID:2328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe .
1⤵
PID:504
- C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe
  C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4092
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\dtrikaysjfwsnhisvjrhf.exe*."
    3⤵
    PID:4760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe
1⤵
PID:2676
- C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe
  C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe
  2⤵
  PID:4964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe .
1⤵
PID:1944
- C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe .
  2⤵
  - Checks computer location settings
  PID:4868
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\aleqnyrgsjvmcrns.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qdymlytkyrfyqhfmmx.exe
1⤵
PID:1280
- C:\Windows\qdymlytkyrfyqhfmmx.exe
  qdymlytkyrfyqhfmmx.exe
  2⤵
  PID:4464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bplaaokcrlaunfemnzf.exe
1⤵
PID:3376
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4780
- C:\Windows\bplaaokcrlaunfemnzf.exe
  bplaaokcrlaunfemnzf.exe
  2⤵
  PID:4424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtrikaysjfwsnhisvjrhf.exe .
1⤵
PID:452
- C:\Windows\dtrikaysjfwsnhisvjrhf.exe
  dtrikaysjfwsnhisvjrhf.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5312
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\dtrikaysjfwsnhisvjrhf.exe*."
    3⤵
    PID:5584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c odaqrgdwmhxsmffoqdkz.exe .
1⤵
PID:4508
- C:\Windows\odaqrgdwmhxsmffoqdkz.exe
  odaqrgdwmhxsmffoqdkz.exe .
  2⤵
  - Checks computer location settings
  PID:1956
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\odaqrgdwmhxsmffoqdkz.exe*."
    3⤵
    PID:3212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bplaaokcrlaunfemnzf.exe
1⤵
PID:5520
- C:\Windows\bplaaokcrlaunfemnzf.exe
  bplaaokcrlaunfemnzf.exe
  2⤵
  PID:2864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aleqnyrgsjvmcrns.exe .
1⤵
PID:3668
- C:\Windows\aleqnyrgsjvmcrns.exe
  aleqnyrgsjvmcrns.exe .
  2⤵
  - Checks computer location settings
  PID:5244
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\aleqnyrgsjvmcrns.exe*."
    3⤵
    PID:1148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htnaykeuhzmevlion.exe
1⤵
PID:2372
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2116
- C:\Windows\htnaykeuhzmevlion.exe
  htnaykeuhzmevlion.exe
  2⤵
  PID:4676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qdymlytkyrfyqhfmmx.exe
1⤵
PID:5308
- C:\Windows\qdymlytkyrfyqhfmmx.exe
  qdymlytkyrfyqhfmmx.exe
  2⤵
  PID:372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
1⤵
PID:3396
- C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
  C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
  2⤵
  PID:392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qdymlytkyrfyqhfmmx.exe .
1⤵
PID:2856
- C:\Windows\qdymlytkyrfyqhfmmx.exe
  qdymlytkyrfyqhfmmx.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2476
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\qdymlytkyrfyqhfmmx.exe*."
    3⤵
    PID:996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe .
1⤵
PID:5676
- C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1012
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\aleqnyrgsjvmcrns.exe*."
    3⤵
    PID:6008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe
1⤵
PID:1140
- C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe
  2⤵
  PID:5032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c odaqrgdwmhxsmffoqdkz.exe .
1⤵
PID:2408
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2292
- C:\Windows\odaqrgdwmhxsmffoqdkz.exe
  odaqrgdwmhxsmffoqdkz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5776
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\odaqrgdwmhxsmffoqdkz.exe*."
    3⤵
    PID:5260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe .
1⤵
PID:4264
- C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe
  C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe .
  2⤵
  PID:3104
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\bplaaokcrlaunfemnzf.exe*."
    3⤵
    PID:4852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htnaykeuhzmevlion.exe
1⤵
PID:3284
- C:\Windows\htnaykeuhzmevlion.exe
  htnaykeuhzmevlion.exe
  2⤵
  PID:4824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe
1⤵
PID:4568
- C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe
  C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe
  2⤵
  PID:4400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bplaaokcrlaunfemnzf.exe .
1⤵
PID:2500
- C:\Windows\bplaaokcrlaunfemnzf.exe
  bplaaokcrlaunfemnzf.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3904
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\bplaaokcrlaunfemnzf.exe*."
    3⤵
    PID:3980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe .
1⤵
PID:1840
- C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4516
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\aleqnyrgsjvmcrns.exe*."
    3⤵
    PID:4964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe
1⤵
PID:4040
- C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe
  C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe
  2⤵
  PID:4960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe
1⤵
PID:688
- C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe
  2⤵
  PID:4872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe .
1⤵
PID:1656
- C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe .
  2⤵
  PID:1448
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\htnaykeuhzmevlion.exe*."
    3⤵
    PID:5560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe .
1⤵
PID:5548
- C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe .
  2⤵
  - Checks computer location settings
  PID:3288
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\qdymlytkyrfyqhfmmx.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe
1⤵
PID:1596
- C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe
  C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe
  2⤵
  PID:4464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe .
1⤵
PID:4092
- C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3112
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\aleqnyrgsjvmcrns.exe*."
    3⤵
    PID:2056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtrikaysjfwsnhisvjrhf.exe
1⤵
PID:3136
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4620
- C:\Windows\dtrikaysjfwsnhisvjrhf.exe
  dtrikaysjfwsnhisvjrhf.exe
  2⤵
  PID:4696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htnaykeuhzmevlion.exe .
1⤵
PID:3504
- C:\Windows\htnaykeuhzmevlion.exe
  htnaykeuhzmevlion.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3692
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\htnaykeuhzmevlion.exe*."
    3⤵
    PID:3516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bplaaokcrlaunfemnzf.exe
1⤵
PID:5236
- C:\Windows\bplaaokcrlaunfemnzf.exe
  bplaaokcrlaunfemnzf.exe
  2⤵
  PID:3644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bplaaokcrlaunfemnzf.exe .
1⤵
PID:4004
- C:\Windows\bplaaokcrlaunfemnzf.exe
  bplaaokcrlaunfemnzf.exe .
  2⤵
  - Checks computer location settings
  PID:3380
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\bplaaokcrlaunfemnzf.exe*."
    3⤵
    PID:4056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe
1⤵
PID:2664
- C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe
  2⤵
  PID:4676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe .
1⤵
PID:4484
- C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe .
  2⤵
  - Checks computer location settings
  PID:392
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\htnaykeuhzmevlion.exe*."
    3⤵
    PID:3436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe
1⤵
PID:2956
- C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe
  2⤵
  PID:1136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe .
1⤵
PID:5244
- C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4956
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\qdymlytkyrfyqhfmmx.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htnaykeuhzmevlion.exe
1⤵
PID:2208
- C:\Windows\htnaykeuhzmevlion.exe
  htnaykeuhzmevlion.exe
  2⤵
  PID:3668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aleqnyrgsjvmcrns.exe .
1⤵
PID:2456
- C:\Windows\aleqnyrgsjvmcrns.exe
  aleqnyrgsjvmcrns.exe .
  2⤵
  PID:3208
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\aleqnyrgsjvmcrns.exe*."
    3⤵
    PID:3684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qdymlytkyrfyqhfmmx.exe
1⤵
PID:5776
- C:\Windows\qdymlytkyrfyqhfmmx.exe
  qdymlytkyrfyqhfmmx.exe
  2⤵
  PID:4264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aleqnyrgsjvmcrns.exe .
1⤵
PID:1032
- C:\Windows\aleqnyrgsjvmcrns.exe
  aleqnyrgsjvmcrns.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:384
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\aleqnyrgsjvmcrns.exe*."
    3⤵
    PID:2648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe
1⤵
PID:4416
- C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe
  2⤵
  PID:1192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe .
1⤵
PID:112
- C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe
  C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4476
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\bplaaokcrlaunfemnzf.exe*."
    3⤵
    PID:3620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe
1⤵
PID:928
- C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe
  2⤵
  PID:5484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe .
1⤵
PID:5504
- C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
  C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe .
  2⤵
  - Checks computer location settings
  PID:5456
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\odaqrgdwmhxsmffoqdkz.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c odaqrgdwmhxsmffoqdkz.exe
1⤵
PID:2464
- C:\Windows\odaqrgdwmhxsmffoqdkz.exe
  odaqrgdwmhxsmffoqdkz.exe
  2⤵
  PID:544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aleqnyrgsjvmcrns.exe .
1⤵
PID:3528
- C:\Windows\aleqnyrgsjvmcrns.exe
  aleqnyrgsjvmcrns.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2968
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\aleqnyrgsjvmcrns.exe*."
    3⤵
    PID:3976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c odaqrgdwmhxsmffoqdkz.exe
1⤵
PID:1676
- C:\Windows\odaqrgdwmhxsmffoqdkz.exe
  odaqrgdwmhxsmffoqdkz.exe
  2⤵
  PID:4632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtrikaysjfwsnhisvjrhf.exe .
1⤵
PID:1188
- C:\Windows\dtrikaysjfwsnhisvjrhf.exe
  dtrikaysjfwsnhisvjrhf.exe .
  2⤵
  - Checks computer location settings
  PID:4684
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\dtrikaysjfwsnhisvjrhf.exe*."
    3⤵
    PID:4848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe
1⤵
PID:2792
- C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe
  2⤵
  PID:4092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe .
1⤵
PID:3748
- C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
  C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe .
  2⤵
  PID:5744
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\odaqrgdwmhxsmffoqdkz.exe*."
    3⤵
    PID:536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe
1⤵
PID:5516
- C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe
  2⤵
  PID:3480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe .
1⤵
PID:2988
- C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe .
  2⤵
  PID:1956
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\aleqnyrgsjvmcrns.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:6000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c odaqrgdwmhxsmffoqdkz.exe
1⤵
PID:3040
- C:\Windows\odaqrgdwmhxsmffoqdkz.exe
  odaqrgdwmhxsmffoqdkz.exe
  2⤵
  PID:452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aleqnyrgsjvmcrns.exe .
1⤵
PID:1628
- C:\Windows\aleqnyrgsjvmcrns.exe
  aleqnyrgsjvmcrns.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1584
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\aleqnyrgsjvmcrns.exe*."
    3⤵
    PID:1148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c odaqrgdwmhxsmffoqdkz.exe
1⤵
PID:1264
- C:\Windows\odaqrgdwmhxsmffoqdkz.exe
  odaqrgdwmhxsmffoqdkz.exe
  2⤵
  PID:5752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bplaaokcrlaunfemnzf.exe .
1⤵
PID:2984
- C:\Windows\bplaaokcrlaunfemnzf.exe
  bplaaokcrlaunfemnzf.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6004
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\bplaaokcrlaunfemnzf.exe*."
    3⤵
    PID:984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe
1⤵
PID:5188
- C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe
  C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe
  2⤵
  PID:380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe .
1⤵
PID:2024
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5628
- C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe .
  2⤵
  PID:5176
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\htnaykeuhzmevlion.exe*."
    3⤵
    PID:5388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe
1⤵
PID:6092
- C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe
  2⤵
  PID:4772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe .
1⤵
PID:6060
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5952
- C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:220
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\htnaykeuhzmevlion.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtrikaysjfwsnhisvjrhf.exe
1⤵
PID:5288
- C:\Windows\dtrikaysjfwsnhisvjrhf.exe
  dtrikaysjfwsnhisvjrhf.exe
  2⤵
  PID:4708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtrikaysjfwsnhisvjrhf.exe .
1⤵
PID:2860
- C:\Windows\dtrikaysjfwsnhisvjrhf.exe
  dtrikaysjfwsnhisvjrhf.exe .
  2⤵
  - Checks computer location settings
  PID:3288
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\dtrikaysjfwsnhisvjrhf.exe*."
    3⤵
    PID:2112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtrikaysjfwsnhisvjrhf.exe
1⤵
PID:688
- C:\Windows\dtrikaysjfwsnhisvjrhf.exe
  dtrikaysjfwsnhisvjrhf.exe
  2⤵
  PID:4740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtrikaysjfwsnhisvjrhf.exe .
1⤵
PID:4824
- C:\Windows\dtrikaysjfwsnhisvjrhf.exe
  dtrikaysjfwsnhisvjrhf.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4820
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\dtrikaysjfwsnhisvjrhf.exe*."
    3⤵
    PID:3944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe
1⤵
PID:2464
- C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe
  2⤵
  PID:4528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe .
1⤵
PID:1252
- C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe .
  2⤵
  PID:4072
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\qdymlytkyrfyqhfmmx.exe*."
    3⤵
    PID:4036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe
1⤵
PID:4544
- C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe
  C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe
  2⤵
  PID:2692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe .
1⤵
PID:3428
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1776
- C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2364
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\htnaykeuhzmevlion.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htnaykeuhzmevlion.exe
1⤵
PID:2164
- C:\Windows\htnaykeuhzmevlion.exe
  htnaykeuhzmevlion.exe
  2⤵
  PID:4884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bplaaokcrlaunfemnzf.exe .
1⤵
PID:6036
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2664
- C:\Windows\bplaaokcrlaunfemnzf.exe
  bplaaokcrlaunfemnzf.exe .
  2⤵
  - Checks computer location settings
  PID:2184
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\bplaaokcrlaunfemnzf.exe*."
    3⤵
    PID:3828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bplaaokcrlaunfemnzf.exe
1⤵
PID:4536
- C:\Windows\bplaaokcrlaunfemnzf.exe
  bplaaokcrlaunfemnzf.exe
  2⤵
  PID:5252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htnaykeuhzmevlion.exe .
1⤵
PID:5420
- C:\Windows\htnaykeuhzmevlion.exe
  htnaykeuhzmevlion.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:984
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\htnaykeuhzmevlion.exe*."
    3⤵
    PID:6068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe
1⤵
PID:3244
- C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe
  2⤵
  PID:5980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe .
1⤵
PID:4828
- C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
  C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe .
  2⤵
  - Checks computer location settings
  PID:1140
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\odaqrgdwmhxsmffoqdkz.exe*."
    3⤵
    PID:2024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe
1⤵
PID:4636
- C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe
  2⤵
  PID:4264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htnaykeuhzmevlion.exe
1⤵
PID:4400
- C:\Windows\htnaykeuhzmevlion.exe
  htnaykeuhzmevlion.exe
  2⤵
  PID:5836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe .
1⤵
PID:5740
- C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4416
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\qdymlytkyrfyqhfmmx.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htnaykeuhzmevlion.exe
1⤵
PID:6060
- C:\Windows\htnaykeuhzmevlion.exe
  htnaykeuhzmevlion.exe
  2⤵
  PID:5280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htnaykeuhzmevlion.exe .
1⤵
PID:3968
- C:\Windows\htnaykeuhzmevlion.exe
  htnaykeuhzmevlion.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5596
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\htnaykeuhzmevlion.exe*."
    3⤵
    PID:5248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c odaqrgdwmhxsmffoqdkz.exe .
1⤵
PID:1112
- C:\Windows\odaqrgdwmhxsmffoqdkz.exe
  odaqrgdwmhxsmffoqdkz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1808
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\odaqrgdwmhxsmffoqdkz.exe*."
    3⤵
    PID:2936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtrikaysjfwsnhisvjrhf.exe
1⤵
PID:3356
- C:\Windows\dtrikaysjfwsnhisvjrhf.exe
  dtrikaysjfwsnhisvjrhf.exe
  2⤵
  PID:2464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtrikaysjfwsnhisvjrhf.exe .
1⤵
PID:5232
- C:\Windows\dtrikaysjfwsnhisvjrhf.exe
  dtrikaysjfwsnhisvjrhf.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4848
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\dtrikaysjfwsnhisvjrhf.exe*."
    3⤵
    PID:4812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qdymlytkyrfyqhfmmx.exe
1⤵
PID:5044
- C:\Windows\qdymlytkyrfyqhfmmx.exe
  qdymlytkyrfyqhfmmx.exe
  2⤵
  PID:828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe
1⤵
PID:688
- C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe
  C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe
  2⤵
  PID:5744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bplaaokcrlaunfemnzf.exe .
1⤵
PID:1676
- C:\Windows\bplaaokcrlaunfemnzf.exe
  bplaaokcrlaunfemnzf.exe .
  2⤵
  - Checks computer location settings
  PID:5516
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\bplaaokcrlaunfemnzf.exe*."
    3⤵
    PID:1768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe .
1⤵
PID:4092
- C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4672
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\qdymlytkyrfyqhfmmx.exe*."
    3⤵
    PID:3668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
1⤵
PID:4856
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4072
- C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
  C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
  2⤵
  PID:5152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aleqnyrgsjvmcrns.exe
1⤵
PID:4748
- C:\Windows\aleqnyrgsjvmcrns.exe
  aleqnyrgsjvmcrns.exe
  2⤵
  PID:2772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe .
1⤵
PID:2484
- C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1944
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\aleqnyrgsjvmcrns.exe*."
    3⤵
    PID:4736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aleqnyrgsjvmcrns.exe .
1⤵
PID:4684
- C:\Windows\aleqnyrgsjvmcrns.exe
  aleqnyrgsjvmcrns.exe .
  2⤵
  PID:924
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\aleqnyrgsjvmcrns.exe*."
    3⤵
    PID:3364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe
1⤵
PID:3744
- C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe
  2⤵
  PID:3396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bplaaokcrlaunfemnzf.exe
1⤵
PID:5520
- C:\Windows\bplaaokcrlaunfemnzf.exe
  bplaaokcrlaunfemnzf.exe
  2⤵
  PID:5436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe
1⤵
PID:864
- C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe
  C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe
  2⤵
  PID:2404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe .
1⤵
PID:4348
- C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4788
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\htnaykeuhzmevlion.exe*."
    3⤵
    PID:1852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htnaykeuhzmevlion.exe .
1⤵
PID:1040
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5752
- C:\Windows\htnaykeuhzmevlion.exe
  htnaykeuhzmevlion.exe .
  2⤵
  - Checks computer location settings
  PID:1140
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\htnaykeuhzmevlion.exe*."
    3⤵
    PID:5768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe .
1⤵
PID:5032
- C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe .
  2⤵
  - Checks computer location settings
  PID:5524
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\htnaykeuhzmevlion.exe*."
    3⤵
    PID:4360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
1⤵
PID:4020
- C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
  C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
  2⤵
  PID:756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe .
1⤵
PID:5148
- C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe .
  2⤵
  - Checks computer location settings
  PID:4420
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\htnaykeuhzmevlion.exe*."
    3⤵
    PID:1032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe
1⤵
PID:2128
- C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe
  C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe
  2⤵
  PID:1952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe .
1⤵
PID:2948
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3904
- C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe
  C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe .
  2⤵
  - Checks computer location settings
  PID:5760
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\dtrikaysjfwsnhisvjrhf.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htnaykeuhzmevlion.exe
1⤵
PID:1808
- C:\Windows\htnaykeuhzmevlion.exe
  htnaykeuhzmevlion.exe
  2⤵
  PID:4892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c odaqrgdwmhxsmffoqdkz.exe .
1⤵
PID:2824
- C:\Windows\odaqrgdwmhxsmffoqdkz.exe
  odaqrgdwmhxsmffoqdkz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5452
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\odaqrgdwmhxsmffoqdkz.exe*."
    3⤵
    PID:2988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qdymlytkyrfyqhfmmx.exe
1⤵
PID:5212
- C:\Windows\qdymlytkyrfyqhfmmx.exe
  qdymlytkyrfyqhfmmx.exe
  2⤵
  PID:688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qdymlytkyrfyqhfmmx.exe .
1⤵
PID:5648
- C:\Windows\qdymlytkyrfyqhfmmx.exe
  qdymlytkyrfyqhfmmx.exe .
  2⤵
  PID:4668
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\qdymlytkyrfyqhfmmx.exe*."
    3⤵
    PID:4004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe
1⤵
PID:2968
- C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe
  2⤵
  PID:6096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe .
1⤵
PID:5556
- C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe
  C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe .
  2⤵
  PID:1452
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\bplaaokcrlaunfemnzf.exe*."
    3⤵
    PID:2932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe
1⤵
PID:1448
- C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe
  2⤵
  PID:4220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe .
1⤵
PID:464
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1916
- C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe
  C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe .
  2⤵
  PID:3852
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\dtrikaysjfwsnhisvjrhf.exe*."
    3⤵
    PID:6052

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:5232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htnaykeuhzmevlion.exe
1⤵
PID:4092
- C:\Windows\htnaykeuhzmevlion.exe
  htnaykeuhzmevlion.exe
  2⤵
  PID:756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c odaqrgdwmhxsmffoqdkz.exe .
1⤵
PID:4264
- C:\Windows\odaqrgdwmhxsmffoqdkz.exe
  odaqrgdwmhxsmffoqdkz.exe .
  2⤵
  PID:4412
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\odaqrgdwmhxsmffoqdkz.exe*."
    3⤵
    PID:5280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bplaaokcrlaunfemnzf.exe
1⤵
PID:4852
- C:\Windows\bplaaokcrlaunfemnzf.exe
  bplaaokcrlaunfemnzf.exe
  2⤵
  PID:1640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qdymlytkyrfyqhfmmx.exe .
1⤵
PID:3828
- C:\Windows\qdymlytkyrfyqhfmmx.exe
  qdymlytkyrfyqhfmmx.exe .
  2⤵
  PID:3208
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\qdymlytkyrfyqhfmmx.exe*."
    3⤵
    PID:5420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe
1⤵
PID:4628
- C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe
  C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe
  2⤵
  PID:4416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe .
1⤵
PID:4556
- C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe .
  2⤵
  PID:4644
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\qdymlytkyrfyqhfmmx.exe*."
    3⤵
    PID:8

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
1⤵
PID:3420
- C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
  C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
  2⤵
  PID:4836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe .
1⤵
PID:4340
- C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe .
  2⤵
  PID:3032
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\htnaykeuhzmevlion.exe*."
    3⤵
    PID:2024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c odaqrgdwmhxsmffoqdkz.exe
1⤵
PID:5572
- C:\Windows\odaqrgdwmhxsmffoqdkz.exe
  odaqrgdwmhxsmffoqdkz.exe
  2⤵
  PID:5508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htnaykeuhzmevlion.exe .
1⤵
PID:4928
- C:\Windows\htnaykeuhzmevlion.exe
  htnaykeuhzmevlion.exe .
  2⤵
  PID:2268
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\htnaykeuhzmevlion.exe*."
    3⤵
    PID:3624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qdymlytkyrfyqhfmmx.exe
1⤵
PID:5748
- C:\Windows\qdymlytkyrfyqhfmmx.exe
  qdymlytkyrfyqhfmmx.exe
  2⤵
  PID:4864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtrikaysjfwsnhisvjrhf.exe .
1⤵
PID:4840
- C:\Windows\dtrikaysjfwsnhisvjrhf.exe
  dtrikaysjfwsnhisvjrhf.exe .
  2⤵
  PID:5504
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\dtrikaysjfwsnhisvjrhf.exe*."
    3⤵
    PID:4848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe
1⤵
PID:1408
- C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe
  C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe
  2⤵
  PID:2824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe .
1⤵
PID:5676
- C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
  C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe .
  2⤵
  PID:5500
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\odaqrgdwmhxsmffoqdkz.exe*."
    3⤵
    PID:1128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
1⤵
PID:1824
- C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
  C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
  2⤵
  PID:5244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe .
1⤵
PID:5204
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3112
- C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe .
  2⤵
  PID:616
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\htnaykeuhzmevlion.exe*."
    3⤵
    PID:3872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qdymlytkyrfyqhfmmx.exe
1⤵
PID:2956
- C:\Windows\qdymlytkyrfyqhfmmx.exe
  qdymlytkyrfyqhfmmx.exe
  2⤵
  PID:452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aleqnyrgsjvmcrns.exe .
1⤵
PID:4720
- C:\Windows\aleqnyrgsjvmcrns.exe
  aleqnyrgsjvmcrns.exe .
  2⤵
  PID:3668
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\aleqnyrgsjvmcrns.exe*."
    3⤵
    PID:4820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htnaykeuhzmevlion.exe
1⤵
PID:1448
- C:\Windows\htnaykeuhzmevlion.exe
  htnaykeuhzmevlion.exe
  2⤵
  PID:224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c odaqrgdwmhxsmffoqdkz.exe .
1⤵
PID:4036
- C:\Windows\odaqrgdwmhxsmffoqdkz.exe
  odaqrgdwmhxsmffoqdkz.exe .
  2⤵
  PID:4028
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\odaqrgdwmhxsmffoqdkz.exe*."
    3⤵
    PID:4140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
1⤵
PID:2484
- C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
  C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
  2⤵
  PID:2232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe .
1⤵
PID:2984
- C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe
  C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe .
  2⤵
  PID:5588
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\dtrikaysjfwsnhisvjrhf.exe*."
    3⤵
    PID:1640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe
1⤵
PID:2072
- C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe
  2⤵
  PID:2408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe .
1⤵
PID:424
- C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe
  C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe .
  2⤵
  PID:1140
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\bplaaokcrlaunfemnzf.exe*."
    3⤵
    PID:4956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qdymlytkyrfyqhfmmx.exe
1⤵
PID:5260
- C:\Windows\qdymlytkyrfyqhfmmx.exe
  qdymlytkyrfyqhfmmx.exe
  2⤵
  PID:4788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htnaykeuhzmevlion.exe .
1⤵
PID:5368
- C:\Windows\htnaykeuhzmevlion.exe
  htnaykeuhzmevlion.exe .
  2⤵
  PID:5032
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\htnaykeuhzmevlion.exe*."
    3⤵
    PID:396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htnaykeuhzmevlion.exe
1⤵
PID:1016
- C:\Windows\htnaykeuhzmevlion.exe
  htnaykeuhzmevlion.exe
  2⤵
  PID:3820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c odaqrgdwmhxsmffoqdkz.exe .
1⤵
PID:4676
- C:\Windows\odaqrgdwmhxsmffoqdkz.exe
  odaqrgdwmhxsmffoqdkz.exe .
  2⤵
  PID:4960
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\odaqrgdwmhxsmffoqdkz.exe*."
    3⤵
    PID:4052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe
1⤵
PID:996
- C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe
  C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe
  2⤵
  PID:2324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe .
1⤵
PID:3288
- C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe
  C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe .
  2⤵
  PID:5716
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\dtrikaysjfwsnhisvjrhf.exe*."
    3⤵
    PID:1712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe
1⤵
PID:4624
- C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe
  C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe
  2⤵
  PID:2824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe .
1⤵
PID:2464
- C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe
  C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe .
  2⤵
  PID:5744
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\dtrikaysjfwsnhisvjrhf.exe*."
    3⤵
    PID:3972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bplaaokcrlaunfemnzf.exe
1⤵
PID:828
- C:\Windows\bplaaokcrlaunfemnzf.exe
  bplaaokcrlaunfemnzf.exe
  2⤵
  PID:1128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c odaqrgdwmhxsmffoqdkz.exe .
1⤵
PID:2648
- C:\Windows\odaqrgdwmhxsmffoqdkz.exe
  odaqrgdwmhxsmffoqdkz.exe .
  2⤵
  PID:4272
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\odaqrgdwmhxsmffoqdkz.exe*."
    3⤵
    PID:5580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bplaaokcrlaunfemnzf.exe
1⤵
PID:5496
- C:\Windows\bplaaokcrlaunfemnzf.exe
  bplaaokcrlaunfemnzf.exe
  2⤵
  PID:4164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c odaqrgdwmhxsmffoqdkz.exe .
1⤵
PID:4680
- C:\Windows\odaqrgdwmhxsmffoqdkz.exe
  odaqrgdwmhxsmffoqdkz.exe .
  2⤵
  PID:5648
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\odaqrgdwmhxsmffoqdkz.exe*."
    3⤵
    PID:5304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe
1⤵
PID:616
- C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe
  C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe
  2⤵
  PID:392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe .
1⤵
PID:2116
- C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe
  C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe .
  2⤵
  PID:6012
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\bplaaokcrlaunfemnzf.exe*."
    3⤵
    PID:1648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aleqnyrgsjvmcrns.exe
1⤵
PID:2204
- C:\Windows\aleqnyrgsjvmcrns.exe
  aleqnyrgsjvmcrns.exe
  2⤵
  PID:4176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htnaykeuhzmevlion.exe
1⤵
PID:1396
- C:\Windows\htnaykeuhzmevlion.exe
  htnaykeuhzmevlion.exe
  2⤵
  PID:2232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qdymlytkyrfyqhfmmx.exe .
1⤵
PID:3008
- C:\Windows\qdymlytkyrfyqhfmmx.exe
  qdymlytkyrfyqhfmmx.exe .
  2⤵
  PID:1968
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\qdymlytkyrfyqhfmmx.exe*."
    3⤵
    PID:1640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe
1⤵
PID:5264
- C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe
  2⤵
  PID:1632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtrikaysjfwsnhisvjrhf.exe .
1⤵
PID:5432
- C:\Windows\dtrikaysjfwsnhisvjrhf.exe
  dtrikaysjfwsnhisvjrhf.exe .
  2⤵
  PID:5960
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\dtrikaysjfwsnhisvjrhf.exe*."
    3⤵
    PID:1460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe .
1⤵
PID:6004
- C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe .
  2⤵
  PID:5260
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\aleqnyrgsjvmcrns.exe*."
    3⤵
    PID:6124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bplaaokcrlaunfemnzf.exe
1⤵
PID:4404
- C:\Windows\bplaaokcrlaunfemnzf.exe
  bplaaokcrlaunfemnzf.exe
  2⤵
  PID:4344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htnaykeuhzmevlion.exe .
1⤵
PID:5396
- C:\Windows\htnaykeuhzmevlion.exe
  htnaykeuhzmevlion.exe .
  2⤵
  PID:5180
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\htnaykeuhzmevlion.exe*."
    3⤵
    PID:4388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtrikaysjfwsnhisvjrhf.exe
1⤵
PID:6024
- C:\Windows\dtrikaysjfwsnhisvjrhf.exe
  dtrikaysjfwsnhisvjrhf.exe
  2⤵
  PID:8

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe
1⤵
PID:2536
- C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe
  2⤵
  PID:3708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aleqnyrgsjvmcrns.exe .
1⤵
PID:1560
- C:\Windows\aleqnyrgsjvmcrns.exe
  aleqnyrgsjvmcrns.exe .
  2⤵
  PID:984
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\aleqnyrgsjvmcrns.exe*."
    3⤵
    PID:5492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe .
1⤵
PID:3228
- C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
  C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe .
  2⤵
  PID:4536
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\odaqrgdwmhxsmffoqdkz.exe*."
    3⤵
    PID:3504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe
1⤵
PID:3208
- C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe
  2⤵
  PID:4956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe .
1⤵
PID:1072
- C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe .
  2⤵
  PID:3428
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\qdymlytkyrfyqhfmmx.exe*."
    3⤵
    PID:5456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
1⤵
PID:4636
- C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
  C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
  2⤵
  PID:544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aleqnyrgsjvmcrns.exe
1⤵
PID:1892
- C:\Windows\aleqnyrgsjvmcrns.exe
  aleqnyrgsjvmcrns.exe
  2⤵
  PID:4172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe .
1⤵
PID:3540
- C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe .
  2⤵
  PID:2492
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\qdymlytkyrfyqhfmmx.exe*."
    3⤵
    PID:5648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe
1⤵
PID:4052
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2112
- C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe
  C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe
  2⤵
  PID:2772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe .
1⤵
PID:5016
- C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe .
  2⤵
  PID:2924
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\aleqnyrgsjvmcrns.exe*."
    3⤵
    PID:1656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c odaqrgdwmhxsmffoqdkz.exe .
1⤵
PID:1712
- C:\Windows\odaqrgdwmhxsmffoqdkz.exe
  odaqrgdwmhxsmffoqdkz.exe .
  2⤵
  PID:3468
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\odaqrgdwmhxsmffoqdkz.exe*."
    3⤵
    PID:5100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bplaaokcrlaunfemnzf.exe
1⤵
PID:2464
- C:\Windows\bplaaokcrlaunfemnzf.exe
  bplaaokcrlaunfemnzf.exe
  2⤵
  PID:616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qdymlytkyrfyqhfmmx.exe .
1⤵
PID:6036
- C:\Windows\qdymlytkyrfyqhfmmx.exe
  qdymlytkyrfyqhfmmx.exe .
  2⤵
  PID:2024
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\qdymlytkyrfyqhfmmx.exe*."
    3⤵
    PID:4924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
1⤵
PID:4232
- C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
  C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
  2⤵
  PID:2632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe .
1⤵
PID:4668
- C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe
  C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe .
  2⤵
  PID:2204
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\dtrikaysjfwsnhisvjrhf.exe*."
    3⤵
    PID:4720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe
1⤵
PID:4056
- C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe
  C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe
  2⤵
  PID:1612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe .
1⤵
PID:5388
- C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe
  C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe .
  2⤵
  PID:4808
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\dtrikaysjfwsnhisvjrhf.exe*."
    3⤵
    PID:2404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aleqnyrgsjvmcrns.exe
1⤵
PID:4028
- C:\Windows\aleqnyrgsjvmcrns.exe
  aleqnyrgsjvmcrns.exe
  2⤵
  PID:800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bplaaokcrlaunfemnzf.exe .
1⤵
PID:2164
- C:\Windows\bplaaokcrlaunfemnzf.exe
  bplaaokcrlaunfemnzf.exe .
  2⤵
  PID:4348
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\bplaaokcrlaunfemnzf.exe*."
    3⤵
    PID:3488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aleqnyrgsjvmcrns.exe
1⤵
PID:3364
- C:\Windows\aleqnyrgsjvmcrns.exe
  aleqnyrgsjvmcrns.exe
  2⤵
  PID:5348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bplaaokcrlaunfemnzf.exe .
1⤵
PID:1040
- C:\Windows\bplaaokcrlaunfemnzf.exe
  bplaaokcrlaunfemnzf.exe .
  2⤵
  PID:3560
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\bplaaokcrlaunfemnzf.exe*."
    3⤵
    PID:5716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe
1⤵
PID:1680
- C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe
  C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe
  2⤵
  PID:4928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe .
1⤵
PID:4340
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2864
- C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe
  C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe .
  2⤵
  PID:5964
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\dtrikaysjfwsnhisvjrhf.exe*."
    3⤵
    PID:5640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe
1⤵
PID:4412
- C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe
  C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe
  2⤵
  PID:4524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe .
1⤵
PID:6068
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1012
- C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe .
  2⤵
  PID:4788
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\htnaykeuhzmevlion.exe*."
    3⤵
    PID:5944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtrikaysjfwsnhisvjrhf.exe
1⤵
PID:4172
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4360
- C:\Windows\dtrikaysjfwsnhisvjrhf.exe
  dtrikaysjfwsnhisvjrhf.exe
  2⤵
  PID:6052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtrikaysjfwsnhisvjrhf.exe .
1⤵
PID:5712
- C:\Windows\dtrikaysjfwsnhisvjrhf.exe
  dtrikaysjfwsnhisvjrhf.exe .
  2⤵
  PID:2412
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\dtrikaysjfwsnhisvjrhf.exe*."
    3⤵
    PID:5148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bplaaokcrlaunfemnzf.exe
1⤵
PID:2408
- C:\Windows\bplaaokcrlaunfemnzf.exe
  bplaaokcrlaunfemnzf.exe
  2⤵
  PID:5212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c odaqrgdwmhxsmffoqdkz.exe .
1⤵
PID:392
- C:\Windows\odaqrgdwmhxsmffoqdkz.exe
  odaqrgdwmhxsmffoqdkz.exe .
  2⤵
  PID:3160
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\odaqrgdwmhxsmffoqdkz.exe*."
    3⤵
    PID:3416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe
1⤵
PID:5084
- C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe
  2⤵
  PID:6080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe .
1⤵
PID:5772
- C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe .
  2⤵
  PID:6104
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\aleqnyrgsjvmcrns.exe*."
    3⤵
    PID:1912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe
1⤵
PID:4232
- C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe
  2⤵
  PID:3468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe .
1⤵
PID:3832
- C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe .
  2⤵
  PID:2948
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\qdymlytkyrfyqhfmmx.exe*."
    3⤵
    PID:3540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aleqnyrgsjvmcrns.exe
1⤵
PID:3408
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4696
- C:\Windows\aleqnyrgsjvmcrns.exe
  aleqnyrgsjvmcrns.exe
  2⤵
  PID:1712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c odaqrgdwmhxsmffoqdkz.exe .
1⤵
PID:1076
- C:\Windows\odaqrgdwmhxsmffoqdkz.exe
  odaqrgdwmhxsmffoqdkz.exe .
  2⤵
  PID:2464
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\odaqrgdwmhxsmffoqdkz.exe*."
    3⤵
    PID:2692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aleqnyrgsjvmcrns.exe
1⤵
PID:3204
- C:\Windows\aleqnyrgsjvmcrns.exe
  aleqnyrgsjvmcrns.exe
  2⤵
  PID:4720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bplaaokcrlaunfemnzf.exe .
1⤵
PID:2204
- C:\Windows\bplaaokcrlaunfemnzf.exe
  bplaaokcrlaunfemnzf.exe .
  2⤵
  PID:5384
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\bplaaokcrlaunfemnzf.exe*."
    3⤵
    PID:5520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe
1⤵
PID:6092
- C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe
  C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe
  2⤵
  PID:4796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe .
1⤵
PID:2276
- C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
  C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe .
  2⤵
  PID:1452
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\odaqrgdwmhxsmffoqdkz.exe*."
    3⤵
    PID:1900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe
1⤵
PID:1528
- C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe
  C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe
  2⤵
  PID:4348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe .
1⤵
PID:8
- C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe .
  2⤵
  PID:3488
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\qdymlytkyrfyqhfmmx.exe*."
    3⤵
    PID:2128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htnaykeuhzmevlion.exe
1⤵
PID:5628
- C:\Windows\htnaykeuhzmevlion.exe
  htnaykeuhzmevlion.exe
  2⤵
  PID:4628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c odaqrgdwmhxsmffoqdkz.exe .
1⤵
PID:6124
- C:\Windows\odaqrgdwmhxsmffoqdkz.exe
  odaqrgdwmhxsmffoqdkz.exe .
  2⤵
  PID:3192
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\odaqrgdwmhxsmffoqdkz.exe*."
    3⤵
    PID:1696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bplaaokcrlaunfemnzf.exe
1⤵
PID:2068
- C:\Windows\bplaaokcrlaunfemnzf.exe
  bplaaokcrlaunfemnzf.exe
  2⤵
  PID:1032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c odaqrgdwmhxsmffoqdkz.exe .
1⤵
PID:5356
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2500
- C:\Windows\odaqrgdwmhxsmffoqdkz.exe
  odaqrgdwmhxsmffoqdkz.exe .
  2⤵
  PID:3996
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\odaqrgdwmhxsmffoqdkz.exe*."
    3⤵
    PID:4388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe
1⤵
PID:2348
- C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe
  2⤵
  PID:6040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe .
1⤵
PID:4380
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1584
- C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe .
  2⤵
  PID:3684
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\qdymlytkyrfyqhfmmx.exe*."
    3⤵
    PID:3616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe
1⤵
PID:5836
- C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe
  2⤵
  PID:4584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe .
1⤵
PID:5704
- C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe
  C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe .
  2⤵
  PID:6000
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\bplaaokcrlaunfemnzf.exe*."
    3⤵
    PID:5720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htnaykeuhzmevlion.exe
1⤵
PID:5496
- C:\Windows\htnaykeuhzmevlion.exe
  htnaykeuhzmevlion.exe
  2⤵
  PID:5420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aleqnyrgsjvmcrns.exe .
1⤵
PID:4868
- C:\Windows\aleqnyrgsjvmcrns.exe
  aleqnyrgsjvmcrns.exe .
  2⤵
  PID:4272
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\aleqnyrgsjvmcrns.exe*."
    3⤵
    PID:4400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bplaaokcrlaunfemnzf.exe
1⤵
PID:1072
- C:\Windows\bplaaokcrlaunfemnzf.exe
  bplaaokcrlaunfemnzf.exe
  2⤵
  PID:1912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c odaqrgdwmhxsmffoqdkz.exe .
1⤵
PID:5772
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4716
- C:\Windows\odaqrgdwmhxsmffoqdkz.exe
  odaqrgdwmhxsmffoqdkz.exe .
  2⤵
  PID:3516
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\odaqrgdwmhxsmffoqdkz.exe*."
    3⤵
    PID:3968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
1⤵
PID:4572
- C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
  C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
  2⤵
  PID:5100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe .
1⤵
PID:2016
- C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe .
  2⤵
  PID:2292
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\htnaykeuhzmevlion.exe*."
    3⤵
    PID:2956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
1⤵
PID:1712
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5596
- C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
  C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
  2⤵
  PID:4608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe .
1⤵
PID:3408
- C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
  C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe .
  2⤵
  PID:4484
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\odaqrgdwmhxsmffoqdkz.exe*."
    3⤵
    PID:4520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aleqnyrgsjvmcrns.exe
1⤵
PID:3136
- C:\Windows\aleqnyrgsjvmcrns.exe
  aleqnyrgsjvmcrns.exe
  2⤵
  PID:2888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aleqnyrgsjvmcrns.exe
1⤵
PID:2232
- C:\Windows\aleqnyrgsjvmcrns.exe
  aleqnyrgsjvmcrns.exe
  2⤵
  PID:1640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htnaykeuhzmevlion.exe .
1⤵
PID:3944
- C:\Windows\htnaykeuhzmevlion.exe
  htnaykeuhzmevlion.exe .
  2⤵
  PID:4420
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\htnaykeuhzmevlion.exe*."
    3⤵
    PID:4628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htnaykeuhzmevlion.exe .
1⤵
PID:5264
- C:\Windows\htnaykeuhzmevlion.exe
  htnaykeuhzmevlion.exe .
  2⤵
  PID:4560
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\htnaykeuhzmevlion.exe*."
    3⤵
    PID:5448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htnaykeuhzmevlion.exe
1⤵
PID:380
- C:\Windows\htnaykeuhzmevlion.exe
  htnaykeuhzmevlion.exe
  2⤵
  PID:3728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtrikaysjfwsnhisvjrhf.exe
1⤵
PID:5768
- C:\Windows\dtrikaysjfwsnhisvjrhf.exe
  dtrikaysjfwsnhisvjrhf.exe
  2⤵
  PID:1148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bplaaokcrlaunfemnzf.exe
1⤵
PID:5032
- C:\Windows\bplaaokcrlaunfemnzf.exe
  bplaaokcrlaunfemnzf.exe
  2⤵
  PID:4444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aleqnyrgsjvmcrns.exe .
1⤵
PID:1136
- C:\Windows\aleqnyrgsjvmcrns.exe
  aleqnyrgsjvmcrns.exe .
  2⤵
  PID:3576
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\aleqnyrgsjvmcrns.exe*."
    3⤵
    PID:4616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtrikaysjfwsnhisvjrhf.exe .
1⤵
PID:3820
- C:\Windows\dtrikaysjfwsnhisvjrhf.exe
  dtrikaysjfwsnhisvjrhf.exe .
  2⤵
  PID:5056
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\dtrikaysjfwsnhisvjrhf.exe*."
    3⤵
    PID:5288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aleqnyrgsjvmcrns.exe .
1⤵
PID:5560
- C:\Windows\aleqnyrgsjvmcrns.exe
  aleqnyrgsjvmcrns.exe .
  2⤵
  PID:5220
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\aleqnyrgsjvmcrns.exe*."
    3⤵
    PID:2024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe
1⤵
PID:4536
- C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe
  2⤵
  PID:5420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe
1⤵
PID:4048
- C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe
  C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe
  2⤵
  PID:4552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c odaqrgdwmhxsmffoqdkz.exe
1⤵
PID:4316
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:112
- C:\Windows\odaqrgdwmhxsmffoqdkz.exe
  odaqrgdwmhxsmffoqdkz.exe
  2⤵
  PID:4872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe .
1⤵
PID:5492
- C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe .
  2⤵
  PID:3988
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\aleqnyrgsjvmcrns.exe*."
    3⤵
    PID:6036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe .
1⤵
PID:2416
- C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe
  C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe .
  2⤵
  PID:4732
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\dtrikaysjfwsnhisvjrhf.exe*."
    3⤵
    PID:4680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bplaaokcrlaunfemnzf.exe .
1⤵
PID:3624
- C:\Windows\bplaaokcrlaunfemnzf.exe
  bplaaokcrlaunfemnzf.exe .
  2⤵
  PID:6080
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\bplaaokcrlaunfemnzf.exe*."
    3⤵
    PID:4632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe
1⤵
PID:4412
- C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe
  C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe
  2⤵
  PID:4780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe .
1⤵
PID:2364
- C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe .
  2⤵
  PID:3468
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\qdymlytkyrfyqhfmmx.exe*."
    3⤵
    PID:3500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe
1⤵
PID:1944
- C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe
  C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe
  2⤵
  PID:5152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe
1⤵
PID:3580
- C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe
  2⤵
  PID:1440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe .
1⤵
PID:5900
- C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe .
  2⤵
  PID:4528
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\qdymlytkyrfyqhfmmx.exe*."
    3⤵
    PID:4056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe .
1⤵
PID:4636
- C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe
  C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe .
  2⤵
  PID:4500
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\dtrikaysjfwsnhisvjrhf.exe*."
    3⤵
    PID:4624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe
1⤵
PID:4656
- C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe
  2⤵
  PID:3100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe .
1⤵
PID:1964
- C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe
  C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe .
  2⤵
  PID:5016
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\bplaaokcrlaunfemnzf.exe*."
    3⤵
    PID:2336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aleqnyrgsjvmcrns.exe
1⤵
PID:5976
- C:\Windows\aleqnyrgsjvmcrns.exe
  aleqnyrgsjvmcrns.exe
  2⤵
  PID:6012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c odaqrgdwmhxsmffoqdkz.exe .
1⤵
PID:3060
- C:\Windows\odaqrgdwmhxsmffoqdkz.exe
  odaqrgdwmhxsmffoqdkz.exe .
  2⤵
  PID:864
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\odaqrgdwmhxsmffoqdkz.exe*."
    3⤵
    PID:4588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtrikaysjfwsnhisvjrhf.exe
1⤵
PID:5240
- C:\Windows\dtrikaysjfwsnhisvjrhf.exe
  dtrikaysjfwsnhisvjrhf.exe
  2⤵
  PID:4904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bplaaokcrlaunfemnzf.exe .
1⤵
PID:8
- C:\Windows\bplaaokcrlaunfemnzf.exe
  bplaaokcrlaunfemnzf.exe .
  2⤵
  PID:4420
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\bplaaokcrlaunfemnzf.exe*."
    3⤵
    PID:2324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
1⤵
PID:5744
- C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
  C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
  2⤵
  PID:2844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe .
1⤵
PID:688
- C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
  C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe .
  2⤵
  PID:5580
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\odaqrgdwmhxsmffoqdkz.exe*."
    3⤵
    PID:5388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe
1⤵
PID:216
- C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe
  2⤵
  PID:1448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe .
1⤵
PID:5360
- C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
  C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe .
  2⤵
  PID:5712
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\odaqrgdwmhxsmffoqdkz.exe*."
    3⤵
    PID:5676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aleqnyrgsjvmcrns.exe
1⤵
PID:2328
- C:\Windows\aleqnyrgsjvmcrns.exe
  aleqnyrgsjvmcrns.exe
  2⤵
  PID:5960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtrikaysjfwsnhisvjrhf.exe .
1⤵
PID:3416
- C:\Windows\dtrikaysjfwsnhisvjrhf.exe
  dtrikaysjfwsnhisvjrhf.exe .
  2⤵
  PID:4872
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\dtrikaysjfwsnhisvjrhf.exe*."
    3⤵
    PID:984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htnaykeuhzmevlion.exe
1⤵
PID:4008
- C:\Windows\htnaykeuhzmevlion.exe
  htnaykeuhzmevlion.exe
  2⤵
  PID:2568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htnaykeuhzmevlion.exe .
1⤵
PID:5176
- C:\Windows\htnaykeuhzmevlion.exe
  htnaykeuhzmevlion.exe .
  2⤵
  PID:5228
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\htnaykeuhzmevlion.exe*."
    3⤵
    PID:1596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe
1⤵
PID:5608
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5980
- C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe
  C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe
  2⤵
  PID:3524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe .
1⤵
PID:4664
- C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
  C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe .
  2⤵
  PID:616
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\odaqrgdwmhxsmffoqdkz.exe*."
    3⤵
    PID:5332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe
1⤵
PID:5572
- C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe
  C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe
  2⤵
  PID:1280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe .
1⤵
PID:3104
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1840
- C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe
  C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe .
  2⤵
  PID:2492
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\bplaaokcrlaunfemnzf.exe*."
    3⤵
    PID:748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bplaaokcrlaunfemnzf.exe
1⤵
PID:4172
- C:\Windows\bplaaokcrlaunfemnzf.exe
  bplaaokcrlaunfemnzf.exe
  2⤵
  PID:3428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtrikaysjfwsnhisvjrhf.exe .
1⤵
PID:4680
- C:\Windows\dtrikaysjfwsnhisvjrhf.exe
  dtrikaysjfwsnhisvjrhf.exe .
  2⤵
  PID:4640
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\dtrikaysjfwsnhisvjrhf.exe*."
    3⤵
    PID:5292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtrikaysjfwsnhisvjrhf.exe
1⤵
PID:4820
- C:\Windows\dtrikaysjfwsnhisvjrhf.exe
  dtrikaysjfwsnhisvjrhf.exe
  2⤵
  PID:4000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bplaaokcrlaunfemnzf.exe .
1⤵
PID:5640
- C:\Windows\bplaaokcrlaunfemnzf.exe
  bplaaokcrlaunfemnzf.exe .
  2⤵
  PID:4744
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\bplaaokcrlaunfemnzf.exe*."
    3⤵
    PID:1824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
1⤵
PID:4856
- C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
  C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
  2⤵
  PID:460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe .
1⤵
PID:3560
- C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
  C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe .
  2⤵
  PID:2416
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\odaqrgdwmhxsmffoqdkz.exe*."
    3⤵
    PID:5356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe
1⤵
PID:2372
- C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe
  C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe
  2⤵
  PID:4912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe .
1⤵
PID:5936
- C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe
  C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe .
  2⤵
  PID:2856
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\dtrikaysjfwsnhisvjrhf.exe*."
    3⤵
    PID:5472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aleqnyrgsjvmcrns.exe
1⤵
PID:224
- C:\Windows\aleqnyrgsjvmcrns.exe
  aleqnyrgsjvmcrns.exe
  2⤵
  PID:1632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htnaykeuhzmevlion.exe .
1⤵
PID:864
- C:\Windows\htnaykeuhzmevlion.exe
  htnaykeuhzmevlion.exe .
  2⤵
  PID:4844
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\htnaykeuhzmevlion.exe*."
    3⤵
    PID:3872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtrikaysjfwsnhisvjrhf.exe
1⤵
PID:4904
- C:\Windows\dtrikaysjfwsnhisvjrhf.exe
  dtrikaysjfwsnhisvjrhf.exe
  2⤵
  PID:2840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aleqnyrgsjvmcrns.exe .
1⤵
PID:4628
- C:\Windows\aleqnyrgsjvmcrns.exe
  aleqnyrgsjvmcrns.exe .
  2⤵
  PID:4420
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\aleqnyrgsjvmcrns.exe*."
    3⤵
    PID:3392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
1⤵
PID:3488
- C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
  C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
  2⤵
  PID:3008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe .
1⤵
PID:5580
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1852
- C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe
  C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe .
  2⤵
  PID:5020
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\bplaaokcrlaunfemnzf.exe*."
    3⤵
    PID:5096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe
1⤵
PID:5324
- C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe
  2⤵
  PID:5504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe .
1⤵
PID:5240
- C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe
  C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe .
  2⤵
  PID:5216
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\htnaykeuhzmevlion.exe*."
    3⤵
    PID:6000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htnaykeuhzmevlion.exe
1⤵
PID:2968
- C:\Windows\htnaykeuhzmevlion.exe
  htnaykeuhzmevlion.exe
  2⤵
  PID:3376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bplaaokcrlaunfemnzf.exe .
1⤵
PID:868
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:756
- C:\Windows\bplaaokcrlaunfemnzf.exe
  bplaaokcrlaunfemnzf.exe .
  2⤵
  PID:4684
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\bplaaokcrlaunfemnzf.exe*."
    3⤵
    PID:4784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aleqnyrgsjvmcrns.exe
1⤵
PID:2948
- C:\Windows\aleqnyrgsjvmcrns.exe
  aleqnyrgsjvmcrns.exe
  2⤵
  PID:4404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qdymlytkyrfyqhfmmx.exe .
1⤵
PID:5500
- C:\Windows\qdymlytkyrfyqhfmmx.exe
  qdymlytkyrfyqhfmmx.exe .
  2⤵
  PID:616
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\qdymlytkyrfyqhfmmx.exe*."
    3⤵
    PID:4848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe
1⤵
PID:5528
- C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe
  C:\Users\Admin\AppData\Local\Temp\aleqnyrgsjvmcrns.exe
  2⤵
  PID:5572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe .
1⤵
PID:5268
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5524
- C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe .
  2⤵
  PID:5676
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\qdymlytkyrfyqhfmmx.exe*."
    3⤵
    PID:2492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
1⤵
PID:3548
- C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
  C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
  2⤵
  PID:3748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe .
1⤵
PID:1524
- C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe .
  2⤵
  PID:4792
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\qdymlytkyrfyqhfmmx.exe*."
    3⤵
    PID:4924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtrikaysjfwsnhisvjrhf.exe
1⤵
PID:4944
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3668
- C:\Windows\dtrikaysjfwsnhisvjrhf.exe
  dtrikaysjfwsnhisvjrhf.exe
  2⤵
  PID:1968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htnaykeuhzmevlion.exe .
1⤵
PID:4000
- C:\Windows\htnaykeuhzmevlion.exe
  htnaykeuhzmevlion.exe .
  2⤵
  PID:3468
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\htnaykeuhzmevlion.exe*."
    3⤵
    PID:4856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtrikaysjfwsnhisvjrhf.exe
1⤵
PID:5964
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5484
- C:\Windows\dtrikaysjfwsnhisvjrhf.exe
  dtrikaysjfwsnhisvjrhf.exe
  2⤵
  PID:1656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bplaaokcrlaunfemnzf.exe .
1⤵
PID:5756
- C:\Windows\bplaaokcrlaunfemnzf.exe
  bplaaokcrlaunfemnzf.exe .
  2⤵
  PID:4656
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\bplaaokcrlaunfemnzf.exe*."
    3⤵
    PID:5916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe
1⤵
PID:2960
- C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe
  C:\Users\Admin\AppData\Local\Temp\bplaaokcrlaunfemnzf.exe
  2⤵
  PID:2472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe .
1⤵
PID:5444
- C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe
  C:\Users\Admin\AppData\Local\Temp\qdymlytkyrfyqhfmmx.exe .
  2⤵
  PID:748
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\qdymlytkyrfyqhfmmx.exe*."
    3⤵
    PID:1560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
1⤵
PID:4636
- C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
  C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
  2⤵
  PID:2508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe .
1⤵
PID:2000
- C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
  C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe .
  2⤵
  PID:1632
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\odaqrgdwmhxsmffoqdkz.exe*."
    3⤵
    PID:3456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htnaykeuhzmevlion.exe
1⤵
PID:2340
- C:\Windows\htnaykeuhzmevlion.exe
  htnaykeuhzmevlion.exe
  2⤵
  PID:2020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtrikaysjfwsnhisvjrhf.exe .
1⤵
PID:2844
- C:\Windows\dtrikaysjfwsnhisvjrhf.exe
  dtrikaysjfwsnhisvjrhf.exe .
  2⤵
  PID:3392
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\dtrikaysjfwsnhisvjrhf.exe*."
    3⤵
    PID:3504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aleqnyrgsjvmcrns.exe
1⤵
PID:3708
- C:\Windows\aleqnyrgsjvmcrns.exe
  aleqnyrgsjvmcrns.exe
  2⤵
  PID:4836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtrikaysjfwsnhisvjrhf.exe
1⤵
PID:2204
- C:\Windows\dtrikaysjfwsnhisvjrhf.exe
  dtrikaysjfwsnhisvjrhf.exe
  2⤵
  PID:1460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bplaaokcrlaunfemnzf.exe .
1⤵
PID:856
- C:\Windows\bplaaokcrlaunfemnzf.exe
  bplaaokcrlaunfemnzf.exe .
  2⤵
  PID:4552
- - C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe
    "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\bplaaokcrlaunfemnzf.exe*."
    3⤵
    PID:2568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aleqnyrgsjvmcrns.exe
1⤵
PID:5716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htnaykeuhzmevlion.exe .
1⤵
PID:3944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe
1⤵
PID:220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bplaaokcrlaunfemnzf.exe
1⤵
PID:3680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aleqnyrgsjvmcrns.exe .
1⤵
PID:5324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe .
1⤵
PID:4556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htnaykeuhzmevlion.exe .
1⤵
PID:3528
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htnaykeuhzmevlion.exe
1⤵
PID:5284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aleqnyrgsjvmcrns.exe
1⤵
PID:2536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe .
1⤵
PID:5552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c odaqrgdwmhxsmffoqdkz.exe .
1⤵
PID:5760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odaqrgdwmhxsmffoqdkz.exe
1⤵
PID:3696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtrikaysjfwsnhisvjrhf.exe
1⤵
PID:5776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Safe Mode Boot

T1562.009

Modify Registry