pykspa | fef766aad31029b9fa7a34197dac3e35e0526d9b18e68e02579961117b42cf8f

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	tcqsekk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	tcqsekk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	wearswdegok.exe

Pykspa
Pykspa is a worm spreads via Skype uses DGA and it's written in C++.
worm pykspa
Pykspa family
pykspa

UAC bypass 3 TTPs 37 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	tcqsekk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	tcqsekk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	tcqsekk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	tcqsekk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	tcqsekk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	tcqsekk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	tcqsekk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	tcqsekk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	wearswdegok.exe

Detect Pykspa worm 2 IoCs

worm

resource	yara_rule
behavioral2/files/0x000a00000002334d-4.dat	family_pykspa
behavioral2/files/0x0007000000024257-85.dat	family_pykspa

Adds policy Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zkaesacra = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gcdsrkxxrnejjtgwgief.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zkaesacra = "C:\\Users\\Admin\\AppData\\Local\\Temp\\toocasedwrhlktfudez.exe"	wearswdegok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zkaesacra = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gcdsrkxxrnejjtgwgief.exe"	tcqsekk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zkaesacra = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vsukkestoldjkvjalolnd.exe"	wearswdegok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wearswdegok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zkaesacra = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icbolcnldxmpnvgucc.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kyrypafxjxgd = "skhsnclhxpcdzfoa.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zkaesacra = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsqcyoyvmftvszjwd.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kyrypafxjxgd = "icbolcnldxmpnvgucc.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kyrypafxjxgd = "icbolcnldxmpnvgucc.exe"	wearswdegok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wearswdegok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wearswdegok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wearswdegok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kyrypafxjxgd = "zsqcyoyvmftvszjwd.exe"	tcqsekk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kyrypafxjxgd = "vsukkestoldjkvjalolnd.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zkaesacra = "C:\\Users\\Admin\\AppData\\Local\\Temp\\toocasedwrhlktfudez.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kyrypafxjxgd = "gcdsrkxxrnejjtgwgief.exe"	tcqsekk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kyrypafxjxgd = "toocasedwrhlktfudez.exe"	wearswdegok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kyrypafxjxgd = "toocasedwrhlktfudez.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zkaesacra = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gcdsrkxxrnejjtgwgief.exe"	tcqsekk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kyrypafxjxgd = "toocasedwrhlktfudez.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zkaesacra = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icbolcnldxmpnvgucc.exe"	wearswdegok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wearswdegok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zkaesacra = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icbolcnldxmpnvgucc.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kyrypafxjxgd = "icbolcnldxmpnvgucc.exe"	tcqsekk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zkaesacra = "C:\\Users\\Admin\\AppData\\Local\\Temp\\skhsnclhxpcdzfoa.exe"	wearswdegok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wearswdegok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zkaesacra = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsqcyoyvmftvszjwd.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zkaesacra = "C:\\Users\\Admin\\AppData\\Local\\Temp\\toocasedwrhlktfudez.exe"	wearswdegok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kyrypafxjxgd = "toocasedwrhlktfudez.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kyrypafxjxgd = "gcdsrkxxrnejjtgwgief.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zkaesacra = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icbolcnldxmpnvgucc.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zkaesacra = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icbolcnldxmpnvgucc.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zkaesacra = "C:\\Users\\Admin\\AppData\\Local\\Temp\\toocasedwrhlktfudez.exe"	tcqsekk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kyrypafxjxgd = "gcdsrkxxrnejjtgwgief.exe"	wearswdegok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kyrypafxjxgd = "vsukkestoldjkvjalolnd.exe"	tcqsekk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kyrypafxjxgd = "skhsnclhxpcdzfoa.exe"	tcqsekk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wearswdegok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kyrypafxjxgd = "skhsnclhxpcdzfoa.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zkaesacra = "C:\\Users\\Admin\\AppData\\Local\\Temp\\skhsnclhxpcdzfoa.exe"	tcqsekk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kyrypafxjxgd = "gcdsrkxxrnejjtgwgief.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kyrypafxjxgd = "toocasedwrhlktfudez.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kyrypafxjxgd = "skhsnclhxpcdzfoa.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zkaesacra = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsqcyoyvmftvszjwd.exe"	tcqsekk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kyrypafxjxgd = "gcdsrkxxrnejjtgwgief.exe"	wearswdegok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wearswdegok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kyrypafxjxgd = "vsukkestoldjkvjalolnd.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zkaesacra = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gcdsrkxxrnejjtgwgief.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zkaesacra = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vsukkestoldjkvjalolnd.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kyrypafxjxgd = "skhsnclhxpcdzfoa.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zkaesacra = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gcdsrkxxrnejjtgwgief.exe"	wearswdegok.exe

Blocklisted process makes network request 5 IoCs

flow	pid	Process
46	3584	Process not Found
51	3584	Process not Found
58	3584	Process not Found
73	3584	Process not Found
78	3584	Process not Found

Disables RegEdit via registry modification 6 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wearswdegok.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	tcqsekk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	tcqsekk.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	tcqsekk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	tcqsekk.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	zsqcyoyvmftvszjwd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	skhsnclhxpcdzfoa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	zsqcyoyvmftvszjwd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	toocasedwrhlktfudez.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	vsukkestoldjkvjalolnd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	icbolcnldxmpnvgucc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	icbolcnldxmpnvgucc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	vsukkestoldjkvjalolnd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	gcdsrkxxrnejjtgwgief.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	icbolcnldxmpnvgucc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	icbolcnldxmpnvgucc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	icbolcnldxmpnvgucc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	zsqcyoyvmftvszjwd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	vsukkestoldjkvjalolnd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	gcdsrkxxrnejjtgwgief.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	toocasedwrhlktfudez.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	zsqcyoyvmftvszjwd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	toocasedwrhlktfudez.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	vsukkestoldjkvjalolnd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	skhsnclhxpcdzfoa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	vsukkestoldjkvjalolnd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	skhsnclhxpcdzfoa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	zsqcyoyvmftvszjwd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	skhsnclhxpcdzfoa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	icbolcnldxmpnvgucc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	zsqcyoyvmftvszjwd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	skhsnclhxpcdzfoa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	zsqcyoyvmftvszjwd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	zsqcyoyvmftvszjwd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	skhsnclhxpcdzfoa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	gcdsrkxxrnejjtgwgief.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	icbolcnldxmpnvgucc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	gcdsrkxxrnejjtgwgief.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	icbolcnldxmpnvgucc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	icbolcnldxmpnvgucc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	zsqcyoyvmftvszjwd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	skhsnclhxpcdzfoa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	skhsnclhxpcdzfoa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	gcdsrkxxrnejjtgwgief.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	JaffaCakes118_8dff3b4a70e2f731ac76b54a2cae9976.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	wearswdegok.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	toocasedwrhlktfudez.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	gcdsrkxxrnejjtgwgief.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	skhsnclhxpcdzfoa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	vsukkestoldjkvjalolnd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	vsukkestoldjkvjalolnd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	toocasedwrhlktfudez.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	toocasedwrhlktfudez.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	icbolcnldxmpnvgucc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	vsukkestoldjkvjalolnd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	icbolcnldxmpnvgucc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	toocasedwrhlktfudez.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	zsqcyoyvmftvszjwd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	gcdsrkxxrnejjtgwgief.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	toocasedwrhlktfudez.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	zsqcyoyvmftvszjwd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	icbolcnldxmpnvgucc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	vsukkestoldjkvjalolnd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	zsqcyoyvmftvszjwd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	vsukkestoldjkvjalolnd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	gcdsrkxxrnejjtgwgief.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	vsukkestoldjkvjalolnd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	skhsnclhxpcdzfoa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	zsqcyoyvmftvszjwd.exe

Executes dropped EXE 64 IoCs

pid	Process
1544	wearswdegok.exe
5916	skhsnclhxpcdzfoa.exe
536	gcdsrkxxrnejjtgwgief.exe
1456	wearswdegok.exe
840	gcdsrkxxrnejjtgwgief.exe
2928	zsqcyoyvmftvszjwd.exe
1988	vsukkestoldjkvjalolnd.exe
5580	wearswdegok.exe
4908	gcdsrkxxrnejjtgwgief.exe
4776	wearswdegok.exe
6128	skhsnclhxpcdzfoa.exe
3812	toocasedwrhlktfudez.exe
3908	wearswdegok.exe
5416	tcqsekk.exe
5648	tcqsekk.exe
2440	vsukkestoldjkvjalolnd.exe
4988	vsukkestoldjkvjalolnd.exe
4080	toocasedwrhlktfudez.exe
6092	wearswdegok.exe
5392	zsqcyoyvmftvszjwd.exe
916	icbolcnldxmpnvgucc.exe
2880	gcdsrkxxrnejjtgwgief.exe
1508	wearswdegok.exe
4668	zsqcyoyvmftvszjwd.exe
4784	gcdsrkxxrnejjtgwgief.exe
3540	wearswdegok.exe
1564	gcdsrkxxrnejjtgwgief.exe
2928	toocasedwrhlktfudez.exe
1164	zsqcyoyvmftvszjwd.exe
4172	icbolcnldxmpnvgucc.exe
5792	skhsnclhxpcdzfoa.exe
2600	vsukkestoldjkvjalolnd.exe
4112	wearswdegok.exe
5748	wearswdegok.exe
6128	icbolcnldxmpnvgucc.exe
2768	wearswdegok.exe
832	gcdsrkxxrnejjtgwgief.exe
5800	skhsnclhxpcdzfoa.exe
4688	wearswdegok.exe
2644	wearswdegok.exe
5492	skhsnclhxpcdzfoa.exe
4924	vsukkestoldjkvjalolnd.exe
1948	zsqcyoyvmftvszjwd.exe
5896	zsqcyoyvmftvszjwd.exe
1920	wearswdegok.exe
4208	wearswdegok.exe
5220	toocasedwrhlktfudez.exe
1668	skhsnclhxpcdzfoa.exe
5392	wearswdegok.exe
5860	skhsnclhxpcdzfoa.exe
1624	wearswdegok.exe
4280	vsukkestoldjkvjalolnd.exe
2416	toocasedwrhlktfudez.exe
1140	wearswdegok.exe
6136	skhsnclhxpcdzfoa.exe
840	zsqcyoyvmftvszjwd.exe
1572	toocasedwrhlktfudez.exe
4320	zsqcyoyvmftvszjwd.exe
5880	toocasedwrhlktfudez.exe
4436	gcdsrkxxrnejjtgwgief.exe
1164	wearswdegok.exe
4800	toocasedwrhlktfudez.exe
1804	wearswdegok.exe
5484	wearswdegok.exe

Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	tcqsekk.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	tcqsekk.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	tcqsekk.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	tcqsekk.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	tcqsekk.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	tcqsekk.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

defense_evasion persistence privilege_escalation

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\skhsnclhxpcdzfoa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icbolcnldxmpnvgucc.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nasyoycterz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gcdsrkxxrnejjtgwgief.exe ."	wearswdegok.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nasyoycterz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icbolcnldxmpnvgucc.exe ."	tcqsekk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nasyoycterz = "icbolcnldxmpnvgucc.exe ."	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nasyoycterz = "icbolcnldxmpnvgucc.exe ."	tcqsekk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\skhsnclhxpcdzfoa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\skhsnclhxpcdzfoa.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jysasekdqfpng = "skhsnclhxpcdzfoa.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\skhsnclhxpcdzfoa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icbolcnldxmpnvgucc.exe"	tcqsekk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jysasekdqfpng = "vsukkestoldjkvjalolnd.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nasyoycterz = "zsqcyoyvmftvszjwd.exe ."	wearswdegok.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jysasekdqfpng = "vsukkestoldjkvjalolnd.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\neakesavkbnninv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsqcyoyvmftvszjwd.exe ."	tcqsekk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nasyoycterz = "gcdsrkxxrnejjtgwgief.exe ."	wearswdegok.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sevapybrbn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vsukkestoldjkvjalolnd.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sevapybrbn = "vsukkestoldjkvjalolnd.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kavexkrlzpaztx = "zsqcyoyvmftvszjwd.exe ."	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nasyoycterz = "zsqcyoyvmftvszjwd.exe ."	wearswdegok.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nasyoycterz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\toocasedwrhlktfudez.exe ."	wearswdegok.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kavexkrlzpaztx = "zsqcyoyvmftvszjwd.exe ."	tcqsekk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nasyoycterz = "vsukkestoldjkvjalolnd.exe ."	wearswdegok.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kavexkrlzpaztx = "icbolcnldxmpnvgucc.exe ."	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\skhsnclhxpcdzfoa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\toocasedwrhlktfudez.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\neakesavkbnninv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vsukkestoldjkvjalolnd.exe ."	wearswdegok.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nasyoycterz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\skhsnclhxpcdzfoa.exe ."	tcqsekk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sevapybrbn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\toocasedwrhlktfudez.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kavexkrlzpaztx = "vsukkestoldjkvjalolnd.exe ."	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\skhsnclhxpcdzfoa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gcdsrkxxrnejjtgwgief.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kavexkrlzpaztx = "skhsnclhxpcdzfoa.exe ."	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nasyoycterz = "vsukkestoldjkvjalolnd.exe ."	wearswdegok.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nasyoycterz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsqcyoyvmftvszjwd.exe ."	wearswdegok.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jysasekdqfpng = "toocasedwrhlktfudez.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nasyoycterz = "zsqcyoyvmftvszjwd.exe ."	wearswdegok.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nasyoycterz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\skhsnclhxpcdzfoa.exe ."	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\skhsnclhxpcdzfoa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\toocasedwrhlktfudez.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jysasekdqfpng = "skhsnclhxpcdzfoa.exe"	tcqsekk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\neakesavkbnninv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsqcyoyvmftvszjwd.exe ."	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nasyoycterz = "vsukkestoldjkvjalolnd.exe ."	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\neakesavkbnninv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vsukkestoldjkvjalolnd.exe ."	wearswdegok.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jysasekdqfpng = "gcdsrkxxrnejjtgwgief.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\skhsnclhxpcdzfoa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icbolcnldxmpnvgucc.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sevapybrbn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gcdsrkxxrnejjtgwgief.exe"	tcqsekk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jysasekdqfpng = "icbolcnldxmpnvgucc.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kavexkrlzpaztx = "gcdsrkxxrnejjtgwgief.exe ."	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nasyoycterz = "toocasedwrhlktfudez.exe ."	wearswdegok.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sevapybrbn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\skhsnclhxpcdzfoa.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\neakesavkbnninv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsqcyoyvmftvszjwd.exe ."	tcqsekk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sevapybrbn = "vsukkestoldjkvjalolnd.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nasyoycterz = "zsqcyoyvmftvszjwd.exe ."	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\neakesavkbnninv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\skhsnclhxpcdzfoa.exe ."	wearswdegok.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jysasekdqfpng = "gcdsrkxxrnejjtgwgief.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\skhsnclhxpcdzfoa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\toocasedwrhlktfudez.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sevapybrbn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icbolcnldxmpnvgucc.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kavexkrlzpaztx = "icbolcnldxmpnvgucc.exe ."	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sevapybrbn = "gcdsrkxxrnejjtgwgief.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jysasekdqfpng = "vsukkestoldjkvjalolnd.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sevapybrbn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icbolcnldxmpnvgucc.exe"	tcqsekk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sevapybrbn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icbolcnldxmpnvgucc.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\neakesavkbnninv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icbolcnldxmpnvgucc.exe ."	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\skhsnclhxpcdzfoa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icbolcnldxmpnvgucc.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nasyoycterz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsqcyoyvmftvszjwd.exe ."	wearswdegok.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sevapybrbn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gcdsrkxxrnejjtgwgief.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\skhsnclhxpcdzfoa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsqcyoyvmftvszjwd.exe"	tcqsekk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sevapybrbn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vsukkestoldjkvjalolnd.exe"	tcqsekk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jysasekdqfpng = "icbolcnldxmpnvgucc.exe"	tcqsekk.exe

Checks whether UAC is enabled 1 TTPs 56 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wearswdegok.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wearswdegok.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wearswdegok.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wearswdegok.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tcqsekk.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wearswdegok.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	tcqsekk.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wearswdegok.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wearswdegok.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wearswdegok.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wearswdegok.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	tcqsekk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tcqsekk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wearswdegok.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wearswdegok.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wearswdegok.exe

Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs

Possible Turn off User Account Control's privilege elevation for standard users.

Executable Installer File Permissions Weakness

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	tcqsekk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	tcqsekk.exe

Looks up external IP address via web service 7 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
24	www.showmyipaddress.com
27	whatismyip.everdot.org
28	whatismyipaddress.com
36	www.whatismyip.ca
37	whatismyip.everdot.org
39	www.whatismyip.ca
40	whatismyip.everdot.org

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\autorun.inf	tcqsekk.exe
File created	C:\autorun.inf	tcqsekk.exe
File opened for modification	F:\autorun.inf	tcqsekk.exe
File created	F:\autorun.inf	tcqsekk.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\icbolcnldxmpnvgucc.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\zsqcyoyvmftvszjwd.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\zsqcyoyvmftvszjwd.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\toocasedwrhlktfudez.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\toocasedwrhlktfudez.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\vsukkestoldjkvjalolnd.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\vsukkestoldjkvjalolnd.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\mknefaprnlelnzogswuxop.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\gcdsrkxxrnejjtgwgief.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\vsukkestoldjkvjalolnd.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\gcdsrkxxrnejjtgwgief.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\toocasedwrhlktfudez.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\skhsnclhxpcdzfoa.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\toocasedwrhlktfudez.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\zsqcyoyvmftvszjwd.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\zsqcyoyvmftvszjwd.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\gcdsrkxxrnejjtgwgief.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\icbolcnldxmpnvgucc.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\icbolcnldxmpnvgucc.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\mknefaprnlelnzogswuxop.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\vsukkestoldjkvjalolnd.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\skhsnclhxpcdzfoa.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\icbolcnldxmpnvgucc.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\vsukkestoldjkvjalolnd.exe	tcqsekk.exe
File opened for modification	C:\Windows\SysWOW64\vsukkestoldjkvjalolnd.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\icbolcnldxmpnvgucc.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\mknefaprnlelnzogswuxop.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\mknefaprnlelnzogswuxop.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\mknefaprnlelnzogswuxop.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\vsukkestoldjkvjalolnd.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\zsqcyoyvmftvszjwd.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\vsukkestoldjkvjalolnd.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\mknefaprnlelnzogswuxop.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\zsqcyoyvmftvszjwd.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\skhsnclhxpcdzfoa.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\toocasedwrhlktfudez.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\gcdsrkxxrnejjtgwgief.exe	tcqsekk.exe
File created	C:\Windows\SysWOW64\kavexkrlzpaztxeosoezibovpdtedxbiswsi.mfs	tcqsekk.exe
File opened for modification	C:\Windows\SysWOW64\mknefaprnlelnzogswuxop.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\toocasedwrhlktfudez.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\vsukkestoldjkvjalolnd.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\toocasedwrhlktfudez.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\toocasedwrhlktfudez.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\zsqcyoyvmftvszjwd.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\gcdsrkxxrnejjtgwgief.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\icbolcnldxmpnvgucc.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\gcdsrkxxrnejjtgwgief.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\mknefaprnlelnzogswuxop.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\zsqcyoyvmftvszjwd.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\gcdsrkxxrnejjtgwgief.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\mknefaprnlelnzogswuxop.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\icbolcnldxmpnvgucc.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\icbolcnldxmpnvgucc.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\toocasedwrhlktfudez.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\skhsnclhxpcdzfoa.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\zsqcyoyvmftvszjwd.exe	tcqsekk.exe
File opened for modification	C:\Windows\SysWOW64\vsukkestoldjkvjalolnd.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\zsqcyoyvmftvszjwd.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\skhsnclhxpcdzfoa.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\skhsnclhxpcdzfoa.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\toocasedwrhlktfudez.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\gcdsrkxxrnejjtgwgief.exe	tcqsekk.exe
File opened for modification	C:\Windows\SysWOW64\skhsnclhxpcdzfoa.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\icbolcnldxmpnvgucc.exe	wearswdegok.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\fkusacyhkppdmfbatejtrzbxg.ooc	tcqsekk.exe
File created	C:\Program Files (x86)\fkusacyhkppdmfbatejtrzbxg.ooc	tcqsekk.exe
File opened for modification	C:\Program Files (x86)\kavexkrlzpaztxeosoezibovpdtedxbiswsi.mfs	tcqsekk.exe
File created	C:\Program Files (x86)\kavexkrlzpaztxeosoezibovpdtedxbiswsi.mfs	tcqsekk.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mknefaprnlelnzogswuxop.exe	wearswdegok.exe
File opened for modification	C:\Windows\vsukkestoldjkvjalolnd.exe	wearswdegok.exe
File opened for modification	C:\Windows\zsqcyoyvmftvszjwd.exe	wearswdegok.exe
File opened for modification	C:\Windows\toocasedwrhlktfudez.exe	wearswdegok.exe
File opened for modification	C:\Windows\gcdsrkxxrnejjtgwgief.exe	wearswdegok.exe
File opened for modification	C:\Windows\skhsnclhxpcdzfoa.exe	wearswdegok.exe
File opened for modification	C:\Windows\toocasedwrhlktfudez.exe	wearswdegok.exe
File opened for modification	C:\Windows\vsukkestoldjkvjalolnd.exe	wearswdegok.exe
File opened for modification	C:\Windows\toocasedwrhlktfudez.exe	wearswdegok.exe
File opened for modification	C:\Windows\skhsnclhxpcdzfoa.exe	wearswdegok.exe
File opened for modification	C:\Windows\icbolcnldxmpnvgucc.exe	wearswdegok.exe
File opened for modification	C:\Windows\toocasedwrhlktfudez.exe	wearswdegok.exe
File opened for modification	C:\Windows\icbolcnldxmpnvgucc.exe	wearswdegok.exe
File opened for modification	C:\Windows\skhsnclhxpcdzfoa.exe	wearswdegok.exe
File opened for modification	C:\Windows\icbolcnldxmpnvgucc.exe	wearswdegok.exe
File opened for modification	C:\Windows\mknefaprnlelnzogswuxop.exe	tcqsekk.exe
File opened for modification	C:\Windows\mknefaprnlelnzogswuxop.exe	tcqsekk.exe
File opened for modification	C:\Windows\skhsnclhxpcdzfoa.exe	wearswdegok.exe
File opened for modification	C:\Windows\zsqcyoyvmftvszjwd.exe	wearswdegok.exe
File opened for modification	C:\Windows\gcdsrkxxrnejjtgwgief.exe	wearswdegok.exe
File opened for modification	C:\Windows\vsukkestoldjkvjalolnd.exe	wearswdegok.exe
File opened for modification	C:\Windows\zsqcyoyvmftvszjwd.exe	wearswdegok.exe
File opened for modification	C:\Windows\vsukkestoldjkvjalolnd.exe	wearswdegok.exe
File opened for modification	C:\Windows\vsukkestoldjkvjalolnd.exe	tcqsekk.exe
File opened for modification	C:\Windows\kavexkrlzpaztxeosoezibovpdtedxbiswsi.mfs	tcqsekk.exe
File opened for modification	C:\Windows\zsqcyoyvmftvszjwd.exe	wearswdegok.exe
File opened for modification	C:\Windows\mknefaprnlelnzogswuxop.exe	wearswdegok.exe
File opened for modification	C:\Windows\mknefaprnlelnzogswuxop.exe	wearswdegok.exe
File opened for modification	C:\Windows\toocasedwrhlktfudez.exe	wearswdegok.exe
File opened for modification	C:\Windows\vsukkestoldjkvjalolnd.exe	wearswdegok.exe
File opened for modification	C:\Windows\icbolcnldxmpnvgucc.exe	wearswdegok.exe
File opened for modification	C:\Windows\gcdsrkxxrnejjtgwgief.exe	wearswdegok.exe
File opened for modification	C:\Windows\mknefaprnlelnzogswuxop.exe	wearswdegok.exe
File opened for modification	C:\Windows\skhsnclhxpcdzfoa.exe	tcqsekk.exe
File opened for modification	C:\Windows\mknefaprnlelnzogswuxop.exe	wearswdegok.exe
File opened for modification	C:\Windows\skhsnclhxpcdzfoa.exe	wearswdegok.exe
File opened for modification	C:\Windows\vsukkestoldjkvjalolnd.exe	wearswdegok.exe
File opened for modification	C:\Windows\skhsnclhxpcdzfoa.exe	wearswdegok.exe
File opened for modification	C:\Windows\mknefaprnlelnzogswuxop.exe	wearswdegok.exe
File opened for modification	C:\Windows\zsqcyoyvmftvszjwd.exe	wearswdegok.exe
File opened for modification	C:\Windows\toocasedwrhlktfudez.exe	wearswdegok.exe
File opened for modification	C:\Windows\mknefaprnlelnzogswuxop.exe	wearswdegok.exe
File opened for modification	C:\Windows\vsukkestoldjkvjalolnd.exe	tcqsekk.exe
File opened for modification	C:\Windows\skhsnclhxpcdzfoa.exe	wearswdegok.exe
File opened for modification	C:\Windows\zsqcyoyvmftvszjwd.exe	wearswdegok.exe
File opened for modification	C:\Windows\toocasedwrhlktfudez.exe	wearswdegok.exe
File opened for modification	C:\Windows\vsukkestoldjkvjalolnd.exe	wearswdegok.exe
File opened for modification	C:\Windows\vsukkestoldjkvjalolnd.exe	wearswdegok.exe
File opened for modification	C:\Windows\mknefaprnlelnzogswuxop.exe	wearswdegok.exe
File opened for modification	C:\Windows\toocasedwrhlktfudez.exe	tcqsekk.exe
File opened for modification	C:\Windows\skhsnclhxpcdzfoa.exe	tcqsekk.exe
File opened for modification	C:\Windows\gcdsrkxxrnejjtgwgief.exe	wearswdegok.exe
File opened for modification	C:\Windows\zsqcyoyvmftvszjwd.exe	wearswdegok.exe
File opened for modification	C:\Windows\mknefaprnlelnzogswuxop.exe	wearswdegok.exe
File opened for modification	C:\Windows\mknefaprnlelnzogswuxop.exe	wearswdegok.exe
File opened for modification	C:\Windows\icbolcnldxmpnvgucc.exe	wearswdegok.exe
File opened for modification	C:\Windows\gcdsrkxxrnejjtgwgief.exe	wearswdegok.exe
File opened for modification	C:\Windows\mknefaprnlelnzogswuxop.exe	wearswdegok.exe
File opened for modification	C:\Windows\toocasedwrhlktfudez.exe	wearswdegok.exe
File opened for modification	C:\Windows\icbolcnldxmpnvgucc.exe	wearswdegok.exe
File opened for modification	C:\Windows\icbolcnldxmpnvgucc.exe	tcqsekk.exe
File opened for modification	C:\Windows\skhsnclhxpcdzfoa.exe	wearswdegok.exe
File opened for modification	C:\Windows\skhsnclhxpcdzfoa.exe	wearswdegok.exe
File opened for modification	C:\Windows\skhsnclhxpcdzfoa.exe	wearswdegok.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gcdsrkxxrnejjtgwgief.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skhsnclhxpcdzfoa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icbolcnldxmpnvgucc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icbolcnldxmpnvgucc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icbolcnldxmpnvgucc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skhsnclhxpcdzfoa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vsukkestoldjkvjalolnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vsukkestoldjkvjalolnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zsqcyoyvmftvszjwd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gcdsrkxxrnejjtgwgief.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vsukkestoldjkvjalolnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skhsnclhxpcdzfoa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zsqcyoyvmftvszjwd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zsqcyoyvmftvszjwd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icbolcnldxmpnvgucc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skhsnclhxpcdzfoa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skhsnclhxpcdzfoa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gcdsrkxxrnejjtgwgief.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vsukkestoldjkvjalolnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skhsnclhxpcdzfoa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skhsnclhxpcdzfoa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gcdsrkxxrnejjtgwgief.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icbolcnldxmpnvgucc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	toocasedwrhlktfudez.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vsukkestoldjkvjalolnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gcdsrkxxrnejjtgwgief.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zsqcyoyvmftvszjwd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vsukkestoldjkvjalolnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	toocasedwrhlktfudez.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tcqsekk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vsukkestoldjkvjalolnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zsqcyoyvmftvszjwd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	toocasedwrhlktfudez.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vsukkestoldjkvjalolnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skhsnclhxpcdzfoa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icbolcnldxmpnvgucc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icbolcnldxmpnvgucc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gcdsrkxxrnejjtgwgief.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	toocasedwrhlktfudez.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zsqcyoyvmftvszjwd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gcdsrkxxrnejjtgwgief.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	toocasedwrhlktfudez.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vsukkestoldjkvjalolnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vsukkestoldjkvjalolnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zsqcyoyvmftvszjwd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skhsnclhxpcdzfoa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	toocasedwrhlktfudez.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icbolcnldxmpnvgucc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zsqcyoyvmftvszjwd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gcdsrkxxrnejjtgwgief.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gcdsrkxxrnejjtgwgief.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gcdsrkxxrnejjtgwgief.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vsukkestoldjkvjalolnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	toocasedwrhlktfudez.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skhsnclhxpcdzfoa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zsqcyoyvmftvszjwd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	toocasedwrhlktfudez.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vsukkestoldjkvjalolnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skhsnclhxpcdzfoa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gcdsrkxxrnejjtgwgief.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skhsnclhxpcdzfoa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	toocasedwrhlktfudez.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skhsnclhxpcdzfoa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zsqcyoyvmftvszjwd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5968	JaffaCakes118_8dff3b4a70e2f731ac76b54a2cae9976.exe
5968	JaffaCakes118_8dff3b4a70e2f731ac76b54a2cae9976.exe
5968	JaffaCakes118_8dff3b4a70e2f731ac76b54a2cae9976.exe
5968	JaffaCakes118_8dff3b4a70e2f731ac76b54a2cae9976.exe
5968	JaffaCakes118_8dff3b4a70e2f731ac76b54a2cae9976.exe
5968	JaffaCakes118_8dff3b4a70e2f731ac76b54a2cae9976.exe
5968	JaffaCakes118_8dff3b4a70e2f731ac76b54a2cae9976.exe
5968	JaffaCakes118_8dff3b4a70e2f731ac76b54a2cae9976.exe
5968	JaffaCakes118_8dff3b4a70e2f731ac76b54a2cae9976.exe
5968	JaffaCakes118_8dff3b4a70e2f731ac76b54a2cae9976.exe
5968	JaffaCakes118_8dff3b4a70e2f731ac76b54a2cae9976.exe
5968	JaffaCakes118_8dff3b4a70e2f731ac76b54a2cae9976.exe
5968	JaffaCakes118_8dff3b4a70e2f731ac76b54a2cae9976.exe
5968	JaffaCakes118_8dff3b4a70e2f731ac76b54a2cae9976.exe
5968	JaffaCakes118_8dff3b4a70e2f731ac76b54a2cae9976.exe
5968	JaffaCakes118_8dff3b4a70e2f731ac76b54a2cae9976.exe
5416	tcqsekk.exe
5416	tcqsekk.exe
5968	JaffaCakes118_8dff3b4a70e2f731ac76b54a2cae9976.exe
5968	JaffaCakes118_8dff3b4a70e2f731ac76b54a2cae9976.exe
5968	JaffaCakes118_8dff3b4a70e2f731ac76b54a2cae9976.exe
5968	JaffaCakes118_8dff3b4a70e2f731ac76b54a2cae9976.exe
5968	JaffaCakes118_8dff3b4a70e2f731ac76b54a2cae9976.exe
5968	JaffaCakes118_8dff3b4a70e2f731ac76b54a2cae9976.exe
5968	JaffaCakes118_8dff3b4a70e2f731ac76b54a2cae9976.exe
5968	JaffaCakes118_8dff3b4a70e2f731ac76b54a2cae9976.exe
5968	JaffaCakes118_8dff3b4a70e2f731ac76b54a2cae9976.exe
5968	JaffaCakes118_8dff3b4a70e2f731ac76b54a2cae9976.exe
5968	JaffaCakes118_8dff3b4a70e2f731ac76b54a2cae9976.exe
5968	JaffaCakes118_8dff3b4a70e2f731ac76b54a2cae9976.exe
5968	JaffaCakes118_8dff3b4a70e2f731ac76b54a2cae9976.exe
5968	JaffaCakes118_8dff3b4a70e2f731ac76b54a2cae9976.exe
5968	JaffaCakes118_8dff3b4a70e2f731ac76b54a2cae9976.exe
5968	JaffaCakes118_8dff3b4a70e2f731ac76b54a2cae9976.exe
5968	JaffaCakes118_8dff3b4a70e2f731ac76b54a2cae9976.exe
5968	JaffaCakes118_8dff3b4a70e2f731ac76b54a2cae9976.exe
5968	JaffaCakes118_8dff3b4a70e2f731ac76b54a2cae9976.exe
5968	JaffaCakes118_8dff3b4a70e2f731ac76b54a2cae9976.exe
5968	JaffaCakes118_8dff3b4a70e2f731ac76b54a2cae9976.exe
5968	JaffaCakes118_8dff3b4a70e2f731ac76b54a2cae9976.exe
5968	JaffaCakes118_8dff3b4a70e2f731ac76b54a2cae9976.exe
5968	JaffaCakes118_8dff3b4a70e2f731ac76b54a2cae9976.exe
5968	JaffaCakes118_8dff3b4a70e2f731ac76b54a2cae9976.exe
5968	JaffaCakes118_8dff3b4a70e2f731ac76b54a2cae9976.exe
5968	JaffaCakes118_8dff3b4a70e2f731ac76b54a2cae9976.exe
5968	JaffaCakes118_8dff3b4a70e2f731ac76b54a2cae9976.exe
5968	JaffaCakes118_8dff3b4a70e2f731ac76b54a2cae9976.exe
5968	JaffaCakes118_8dff3b4a70e2f731ac76b54a2cae9976.exe
5968	JaffaCakes118_8dff3b4a70e2f731ac76b54a2cae9976.exe
5968	JaffaCakes118_8dff3b4a70e2f731ac76b54a2cae9976.exe
5416	tcqsekk.exe
5416	tcqsekk.exe
5968	JaffaCakes118_8dff3b4a70e2f731ac76b54a2cae9976.exe
5968	JaffaCakes118_8dff3b4a70e2f731ac76b54a2cae9976.exe
5968	JaffaCakes118_8dff3b4a70e2f731ac76b54a2cae9976.exe
5968	JaffaCakes118_8dff3b4a70e2f731ac76b54a2cae9976.exe
5968	JaffaCakes118_8dff3b4a70e2f731ac76b54a2cae9976.exe
5968	JaffaCakes118_8dff3b4a70e2f731ac76b54a2cae9976.exe
5968	JaffaCakes118_8dff3b4a70e2f731ac76b54a2cae9976.exe
5968	JaffaCakes118_8dff3b4a70e2f731ac76b54a2cae9976.exe
5968	JaffaCakes118_8dff3b4a70e2f731ac76b54a2cae9976.exe
5968	JaffaCakes118_8dff3b4a70e2f731ac76b54a2cae9976.exe
5968	JaffaCakes118_8dff3b4a70e2f731ac76b54a2cae9976.exe
5968	JaffaCakes118_8dff3b4a70e2f731ac76b54a2cae9976.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5416	tcqsekk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5968 wrote to memory of 1544	5968	JaffaCakes118_8dff3b4a70e2f731ac76b54a2cae9976.exe	89
PID 5968 wrote to memory of 1544	5968	JaffaCakes118_8dff3b4a70e2f731ac76b54a2cae9976.exe	89
PID 5968 wrote to memory of 1544	5968	JaffaCakes118_8dff3b4a70e2f731ac76b54a2cae9976.exe	89
PID 1568 wrote to memory of 5916	1568	cmd.exe	92
PID 1568 wrote to memory of 5916	1568	cmd.exe	92
PID 1568 wrote to memory of 5916	1568	cmd.exe	92
PID 1564 wrote to memory of 536	1564	cmd.exe	95
PID 1564 wrote to memory of 536	1564	cmd.exe	95
PID 1564 wrote to memory of 536	1564	cmd.exe	95
PID 536 wrote to memory of 1456	536	gcdsrkxxrnejjtgwgief.exe	98
PID 536 wrote to memory of 1456	536	gcdsrkxxrnejjtgwgief.exe	98
PID 536 wrote to memory of 1456	536	gcdsrkxxrnejjtgwgief.exe	98
PID 2388 wrote to memory of 840	2388	cmd.exe	100
PID 2388 wrote to memory of 840	2388	cmd.exe	100
PID 2388 wrote to memory of 840	2388	cmd.exe	100
PID 2868 wrote to memory of 2928	2868	cmd.exe	104
PID 2868 wrote to memory of 2928	2868	cmd.exe	104
PID 2868 wrote to memory of 2928	2868	cmd.exe	104
PID 3636 wrote to memory of 1988	3636	cmd.exe	107
PID 3636 wrote to memory of 1988	3636	cmd.exe	107
PID 3636 wrote to memory of 1988	3636	cmd.exe	107
PID 2928 wrote to memory of 5580	2928	zsqcyoyvmftvszjwd.exe	108
PID 2928 wrote to memory of 5580	2928	zsqcyoyvmftvszjwd.exe	108
PID 2928 wrote to memory of 5580	2928	zsqcyoyvmftvszjwd.exe	108
PID 5776 wrote to memory of 4908	5776	cmd.exe	109
PID 5776 wrote to memory of 4908	5776	cmd.exe	109
PID 5776 wrote to memory of 4908	5776	cmd.exe	109
PID 4908 wrote to memory of 4776	4908	gcdsrkxxrnejjtgwgief.exe	112
PID 4908 wrote to memory of 4776	4908	gcdsrkxxrnejjtgwgief.exe	112
PID 4908 wrote to memory of 4776	4908	gcdsrkxxrnejjtgwgief.exe	112
PID 6052 wrote to memory of 6128	6052	cmd.exe	177
PID 6052 wrote to memory of 6128	6052	cmd.exe	177
PID 6052 wrote to memory of 6128	6052	cmd.exe	177
PID 5760 wrote to memory of 3812	5760	cmd.exe	116
PID 5760 wrote to memory of 3812	5760	cmd.exe	116
PID 5760 wrote to memory of 3812	5760	cmd.exe	116
PID 3812 wrote to memory of 3908	3812	toocasedwrhlktfudez.exe	119
PID 3812 wrote to memory of 3908	3812	toocasedwrhlktfudez.exe	119
PID 3812 wrote to memory of 3908	3812	toocasedwrhlktfudez.exe	119
PID 1544 wrote to memory of 5416	1544	wearswdegok.exe	120
PID 1544 wrote to memory of 5416	1544	wearswdegok.exe	120
PID 1544 wrote to memory of 5416	1544	wearswdegok.exe	120
PID 1544 wrote to memory of 5648	1544	wearswdegok.exe	121
PID 1544 wrote to memory of 5648	1544	wearswdegok.exe	121
PID 1544 wrote to memory of 5648	1544	wearswdegok.exe	121
PID 1856 wrote to memory of 2440	1856	cmd.exe	126
PID 1856 wrote to memory of 2440	1856	cmd.exe	126
PID 1856 wrote to memory of 2440	1856	cmd.exe	126
PID 3008 wrote to memory of 4988	3008	cmd.exe	131
PID 3008 wrote to memory of 4988	3008	cmd.exe	131
PID 3008 wrote to memory of 4988	3008	cmd.exe	131
PID 5668 wrote to memory of 4080	5668	cmd.exe	132
PID 5668 wrote to memory of 4080	5668	cmd.exe	132
PID 5668 wrote to memory of 4080	5668	cmd.exe	132
PID 4988 wrote to memory of 6092	4988	vsukkestoldjkvjalolnd.exe	137
PID 4988 wrote to memory of 6092	4988	vsukkestoldjkvjalolnd.exe	137
PID 4988 wrote to memory of 6092	4988	vsukkestoldjkvjalolnd.exe	137
PID 5072 wrote to memory of 5392	5072	cmd.exe	205
PID 5072 wrote to memory of 5392	5072	cmd.exe	205
PID 5072 wrote to memory of 5392	5072	cmd.exe	205
PID 4264 wrote to memory of 916	4264	cmd.exe	215
PID 4264 wrote to memory of 916	4264	cmd.exe	215
PID 4264 wrote to memory of 916	4264	cmd.exe	215
PID 1928 wrote to memory of 2880	1928	cmd.exe	150

System policy modification 1 TTPs 64 IoCs

defense_evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wearswdegok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wearswdegok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	wearswdegok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	tcqsekk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wearswdegok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	wearswdegok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	tcqsekk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	tcqsekk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	tcqsekk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	tcqsekk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	tcqsekk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	tcqsekk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	tcqsekk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wearswdegok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	tcqsekk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	tcqsekk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	tcqsekk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	tcqsekk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wearswdegok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wearswdegok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wearswdegok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	tcqsekk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	tcqsekk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wearswdegok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wearswdegok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	tcqsekk.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8dff3b4a70e2f731ac76b54a2cae9976.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8dff3b4a70e2f731ac76b54a2cae9976.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5968
- C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
  "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_8dff3b4a70e2f731ac76b54a2cae9976.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Hijack Execution Flow: Executable Installer File Permissions Weakness
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1544
- - C:\Users\Admin\AppData\Local\Temp\tcqsekk.exe
    "C:\Users\Admin\AppData\Local\Temp\tcqsekk.exe" "-C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:5416
- - C:\Users\Admin\AppData\Local\Temp\tcqsekk.exe
    "C:\Users\Admin\AppData\Local\Temp\tcqsekk.exe" "-C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c skhsnclhxpcdzfoa.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1568
- C:\Windows\skhsnclhxpcdzfoa.exe
  skhsnclhxpcdzfoa.exe
  2⤵
  - Executes dropped EXE
  PID:5916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gcdsrkxxrnejjtgwgief.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:1564
- C:\Windows\gcdsrkxxrnejjtgwgief.exe
  gcdsrkxxrnejjtgwgief.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:536
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\gcdsrkxxrnejjtgwgief.exe*."
    3⤵
    - Executes dropped EXE
    PID:1456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gcdsrkxxrnejjtgwgief.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Windows\gcdsrkxxrnejjtgwgief.exe
  gcdsrkxxrnejjtgwgief.exe
  2⤵
  - Executes dropped EXE
  PID:840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsqcyoyvmftvszjwd.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Windows\zsqcyoyvmftvszjwd.exe
  zsqcyoyvmftvszjwd.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\zsqcyoyvmftvszjwd.exe*."
    3⤵
    - Executes dropped EXE
    PID:5580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3636
- C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe
  C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe
  2⤵
  - Executes dropped EXE
  PID:1988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:5776
- C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe
  C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4908
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\gcdsrkxxrnejjtgwgief.exe*."
    3⤵
    - Executes dropped EXE
    PID:4776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:6052
- C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:5760
- C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe
  C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3812
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\toocasedwrhlktfudez.exe*."
    3⤵
    - Executes dropped EXE
    PID:3908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vsukkestoldjkvjalolnd.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Windows\vsukkestoldjkvjalolnd.exe
  vsukkestoldjkvjalolnd.exe
  2⤵
  - Executes dropped EXE
  PID:2440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vsukkestoldjkvjalolnd.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Windows\vsukkestoldjkvjalolnd.exe
  vsukkestoldjkvjalolnd.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4988
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\vsukkestoldjkvjalolnd.exe*."
    3⤵
    - Executes dropped EXE
    PID:6092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c toocasedwrhlktfudez.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5668
- C:\Windows\toocasedwrhlktfudez.exe
  toocasedwrhlktfudez.exe
  2⤵
  - Executes dropped EXE
  PID:4080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icbolcnldxmpnvgucc.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:4264
- C:\Windows\icbolcnldxmpnvgucc.exe
  icbolcnldxmpnvgucc.exe .
  2⤵
  - Executes dropped EXE
  PID:916
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\icbolcnldxmpnvgucc.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsqcyoyvmftvszjwd.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Windows\zsqcyoyvmftvszjwd.exe
  zsqcyoyvmftvszjwd.exe
  2⤵
  - Executes dropped EXE
  PID:5392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gcdsrkxxrnejjtgwgief.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Windows\gcdsrkxxrnejjtgwgief.exe
  gcdsrkxxrnejjtgwgief.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2880
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\gcdsrkxxrnejjtgwgief.exe*."
    3⤵
    - Executes dropped EXE
    PID:3540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gcdsrkxxrnejjtgwgief.exe
1⤵
PID:4320
- C:\Windows\gcdsrkxxrnejjtgwgief.exe
  gcdsrkxxrnejjtgwgief.exe
  2⤵
  - Executes dropped EXE
  PID:4784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe
1⤵
PID:5324
- C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe
  C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe
  2⤵
  - Executes dropped EXE
  PID:4668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe .
1⤵
PID:2380
- C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe
  C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1164
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\zsqcyoyvmftvszjwd.exe*."
    3⤵
    - Executes dropped EXE
    PID:4112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icbolcnldxmpnvgucc.exe .
1⤵
PID:3452
- C:\Windows\icbolcnldxmpnvgucc.exe
  icbolcnldxmpnvgucc.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4172
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\icbolcnldxmpnvgucc.exe*."
    3⤵
    - Executes dropped EXE
    PID:5748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe
1⤵
PID:5880
- C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe
  C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe
  2⤵
  - Executes dropped EXE
  PID:1564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe .
1⤵
PID:2936
- C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe
  C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2928
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\toocasedwrhlktfudez.exe*."
    3⤵
    - Executes dropped EXE
    PID:2768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
1⤵
PID:4656
- C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
  2⤵
  - Executes dropped EXE
  PID:5792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe .
1⤵
PID:4812
- C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe
  C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6128
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\icbolcnldxmpnvgucc.exe*."
    3⤵
    - Executes dropped EXE
    PID:2644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe
1⤵
PID:3392
- C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe
  C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe
  2⤵
  - Executes dropped EXE
  PID:832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe .
1⤵
PID:952
- C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe
  C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2600
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\vsukkestoldjkvjalolnd.exe*."
    3⤵
    - Executes dropped EXE
    PID:4688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c skhsnclhxpcdzfoa.exe
1⤵
PID:2908
- C:\Windows\skhsnclhxpcdzfoa.exe
  skhsnclhxpcdzfoa.exe
  2⤵
  - Executes dropped EXE
  PID:5800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsqcyoyvmftvszjwd.exe .
1⤵
PID:628
- C:\Windows\zsqcyoyvmftvszjwd.exe
  zsqcyoyvmftvszjwd.exe .
  2⤵
  - Executes dropped EXE
  PID:1948
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\zsqcyoyvmftvszjwd.exe*."
    3⤵
    - Executes dropped EXE
    PID:4208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vsukkestoldjkvjalolnd.exe
1⤵
PID:3612
- C:\Windows\vsukkestoldjkvjalolnd.exe
  vsukkestoldjkvjalolnd.exe
  2⤵
  - Executes dropped EXE
  PID:4924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c toocasedwrhlktfudez.exe .
1⤵
PID:1940
- C:\Windows\toocasedwrhlktfudez.exe
  toocasedwrhlktfudez.exe .
  2⤵
  - Executes dropped EXE
  PID:5220
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\toocasedwrhlktfudez.exe*."
    3⤵
    - Executes dropped EXE
    PID:5392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
1⤵
PID:876
- C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
  2⤵
  - Executes dropped EXE
  PID:5492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe .
1⤵
PID:5412
- C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe
  C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe .
  2⤵
  - Executes dropped EXE
  PID:5896
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\zsqcyoyvmftvszjwd.exe*."
    3⤵
    - Executes dropped EXE
    PID:1920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
1⤵
PID:1360
- C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
  2⤵
  - Executes dropped EXE
  PID:1668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe .
1⤵
PID:4452
- C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5860
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\skhsnclhxpcdzfoa.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vsukkestoldjkvjalolnd.exe
1⤵
PID:4420
- C:\Windows\vsukkestoldjkvjalolnd.exe
  vsukkestoldjkvjalolnd.exe
  2⤵
  - Executes dropped EXE
  PID:4280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c toocasedwrhlktfudez.exe .
1⤵
PID:4352
- C:\Windows\toocasedwrhlktfudez.exe
  toocasedwrhlktfudez.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2416
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\toocasedwrhlktfudez.exe*."
    3⤵
    - Executes dropped EXE
    PID:1140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsqcyoyvmftvszjwd.exe
1⤵
PID:4272
- C:\Windows\zsqcyoyvmftvszjwd.exe
  zsqcyoyvmftvszjwd.exe
  2⤵
  - Executes dropped EXE
  PID:840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c skhsnclhxpcdzfoa.exe
1⤵
PID:916
- C:\Windows\skhsnclhxpcdzfoa.exe
  skhsnclhxpcdzfoa.exe
  2⤵
  - Executes dropped EXE
  PID:6136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c toocasedwrhlktfudez.exe .
1⤵
PID:3884
- C:\Windows\toocasedwrhlktfudez.exe
  toocasedwrhlktfudez.exe .
  2⤵
  - Executes dropped EXE
  PID:1572
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\toocasedwrhlktfudez.exe*."
    3⤵
    - Executes dropped EXE
    PID:1164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gcdsrkxxrnejjtgwgief.exe
1⤵
PID:5180
- C:\Windows\gcdsrkxxrnejjtgwgief.exe
  gcdsrkxxrnejjtgwgief.exe
  2⤵
  - Executes dropped EXE
  PID:4436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe
1⤵
PID:4372
- C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe
  C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe
  2⤵
  - Executes dropped EXE
  PID:5880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsqcyoyvmftvszjwd.exe .
1⤵
PID:2524
- C:\Windows\zsqcyoyvmftvszjwd.exe
  zsqcyoyvmftvszjwd.exe .
  2⤵
  - Executes dropped EXE
  PID:4320
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\zsqcyoyvmftvszjwd.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe .
1⤵
PID:5112
- C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe
  C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4800
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\toocasedwrhlktfudez.exe*."
    3⤵
    - Executes dropped EXE
    PID:5484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icbolcnldxmpnvgucc.exe .
1⤵
PID:5236
- C:\Windows\icbolcnldxmpnvgucc.exe
  icbolcnldxmpnvgucc.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1988
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\icbolcnldxmpnvgucc.exe*."
    3⤵
    PID:1820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c skhsnclhxpcdzfoa.exe
1⤵
PID:2052
- C:\Windows\skhsnclhxpcdzfoa.exe
  skhsnclhxpcdzfoa.exe
  2⤵
  PID:448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsqcyoyvmftvszjwd.exe .
1⤵
PID:5372
- C:\Windows\zsqcyoyvmftvszjwd.exe
  zsqcyoyvmftvszjwd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:876
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\zsqcyoyvmftvszjwd.exe*."
    3⤵
    PID:4760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe
1⤵
PID:1560
- C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe
  C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe
  2⤵
  PID:2764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vsukkestoldjkvjalolnd.exe
1⤵
PID:3096
- C:\Windows\vsukkestoldjkvjalolnd.exe
  vsukkestoldjkvjalolnd.exe
  2⤵
  PID:3892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe
1⤵
PID:5776
- C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe
  C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe
  2⤵
  PID:1948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe .
1⤵
PID:1592
- C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe
  C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe .
  2⤵
  - Checks computer location settings
  PID:4944
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\toocasedwrhlktfudez.exe*."
    3⤵
    PID:4312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsqcyoyvmftvszjwd.exe .
1⤵
PID:4640
- C:\Windows\zsqcyoyvmftvszjwd.exe
  zsqcyoyvmftvszjwd.exe .
  2⤵
  PID:1060
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\zsqcyoyvmftvszjwd.exe*."
    3⤵
    PID:4556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe .
1⤵
PID:3844
- C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4116
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\skhsnclhxpcdzfoa.exe*."
    3⤵
    PID:5660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe
1⤵
PID:724
- C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe
  C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe
  2⤵
  PID:5344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe .
1⤵
PID:4584
- C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe
  C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe .
  2⤵
  PID:6000
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\gcdsrkxxrnejjtgwgief.exe*."
    3⤵
    PID:2568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe
1⤵
PID:1120
- C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe
  C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe
  2⤵
  PID:1040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe .
1⤵
PID:400
- C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe
  C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5508
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\zsqcyoyvmftvszjwd.exe*."
    3⤵
    PID:1568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe
1⤵
PID:548
- C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe
  C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe
  2⤵
  PID:5744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe .
1⤵
PID:764
- C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe
  C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe .
  2⤵
  PID:1064
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\vsukkestoldjkvjalolnd.exe*."
    3⤵
    PID:4612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vsukkestoldjkvjalolnd.exe
1⤵
PID:1920
- C:\Windows\vsukkestoldjkvjalolnd.exe
  vsukkestoldjkvjalolnd.exe
  2⤵
  PID:4748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c toocasedwrhlktfudez.exe .
1⤵
PID:5396
- C:\Windows\toocasedwrhlktfudez.exe
  toocasedwrhlktfudez.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4420
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\toocasedwrhlktfudez.exe*."
    3⤵
    PID:4668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vsukkestoldjkvjalolnd.exe
1⤵
PID:4300
- C:\Windows\vsukkestoldjkvjalolnd.exe
  vsukkestoldjkvjalolnd.exe
  2⤵
  PID:4784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vsukkestoldjkvjalolnd.exe .
1⤵
PID:5072
- C:\Windows\vsukkestoldjkvjalolnd.exe
  vsukkestoldjkvjalolnd.exe .
  2⤵
  PID:2516
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\vsukkestoldjkvjalolnd.exe*."
    3⤵
    PID:2032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe
1⤵
PID:3580
- C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe
  C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe
  2⤵
  PID:4628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe .
1⤵
PID:840
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1564
- C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe
  C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4440
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\gcdsrkxxrnejjtgwgief.exe*."
    3⤵
    PID:4588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe
1⤵
PID:536
- C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe
  C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe
  2⤵
  PID:4036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe .
1⤵
PID:2500
- C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe
  C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe .
  2⤵
  - Checks computer location settings
  PID:988
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\vsukkestoldjkvjalolnd.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - System policy modification
    PID:5764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vsukkestoldjkvjalolnd.exe
1⤵
PID:3192
- C:\Windows\vsukkestoldjkvjalolnd.exe
  vsukkestoldjkvjalolnd.exe
  2⤵
  PID:5472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vsukkestoldjkvjalolnd.exe .
1⤵
PID:4424
- C:\Windows\vsukkestoldjkvjalolnd.exe
  vsukkestoldjkvjalolnd.exe .
  2⤵
  PID:4956
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\vsukkestoldjkvjalolnd.exe*."
    3⤵
    PID:5760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gcdsrkxxrnejjtgwgief.exe
1⤵
PID:1104
- C:\Windows\gcdsrkxxrnejjtgwgief.exe
  gcdsrkxxrnejjtgwgief.exe
  2⤵
  PID:2052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icbolcnldxmpnvgucc.exe .
1⤵
PID:4132
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2764
- C:\Windows\icbolcnldxmpnvgucc.exe
  icbolcnldxmpnvgucc.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4020
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\icbolcnldxmpnvgucc.exe*."
    3⤵
    PID:6092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe
1⤵
PID:5516
- C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe
  C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe
  2⤵
  PID:5100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe .
1⤵
PID:1692
- C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe .
  2⤵
  - Checks computer location settings
  PID:2384
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\skhsnclhxpcdzfoa.exe*."
    3⤵
    PID:4152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe
1⤵
PID:5504
- C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe
  C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe
  2⤵
  PID:5912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe .
1⤵
PID:4756
- C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe
  C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5952
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\icbolcnldxmpnvgucc.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c toocasedwrhlktfudez.exe
1⤵
PID:2380
- C:\Windows\toocasedwrhlktfudez.exe
  toocasedwrhlktfudez.exe
  2⤵
  PID:5056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsqcyoyvmftvszjwd.exe .
1⤵
PID:552
- C:\Windows\zsqcyoyvmftvszjwd.exe
  zsqcyoyvmftvszjwd.exe .
  2⤵
  PID:4068
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\zsqcyoyvmftvszjwd.exe*."
    3⤵
    PID:5148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vsukkestoldjkvjalolnd.exe
1⤵
PID:2904
- C:\Windows\vsukkestoldjkvjalolnd.exe
  vsukkestoldjkvjalolnd.exe
  2⤵
  PID:3876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vsukkestoldjkvjalolnd.exe .
1⤵
PID:2448
- C:\Windows\vsukkestoldjkvjalolnd.exe
  vsukkestoldjkvjalolnd.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1592
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\vsukkestoldjkvjalolnd.exe*."
    3⤵
    PID:2536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe
1⤵
PID:2396
- C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe
  C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe
  2⤵
  PID:4408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe .
1⤵
PID:1872
- C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2208
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\skhsnclhxpcdzfoa.exe*."
    3⤵
    PID:548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe
1⤵
PID:3912
- C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe
  C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe
  2⤵
  PID:4376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe .
1⤵
PID:5300
- C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe
  C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4908
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\zsqcyoyvmftvszjwd.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gcdsrkxxrnejjtgwgief.exe
1⤵
PID:5848
- C:\Windows\gcdsrkxxrnejjtgwgief.exe
  gcdsrkxxrnejjtgwgief.exe
  2⤵
  PID:4460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsqcyoyvmftvszjwd.exe .
1⤵
PID:400
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4668
- C:\Windows\zsqcyoyvmftvszjwd.exe
  zsqcyoyvmftvszjwd.exe .
  2⤵
  - Checks computer location settings
  PID:4452
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\zsqcyoyvmftvszjwd.exe*."
    3⤵
    PID:6052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsqcyoyvmftvszjwd.exe
1⤵
PID:5220
- C:\Windows\zsqcyoyvmftvszjwd.exe
  zsqcyoyvmftvszjwd.exe
  2⤵
  PID:4440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsqcyoyvmftvszjwd.exe .
1⤵
PID:2740
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5880
- C:\Windows\zsqcyoyvmftvszjwd.exe
  zsqcyoyvmftvszjwd.exe .
  2⤵
  PID:5932
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\zsqcyoyvmftvszjwd.exe*."
    3⤵
    PID:4704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe
1⤵
PID:3288
- C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe
  C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe
  2⤵
  PID:4076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe .
1⤵
PID:4276
- C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe
  C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe .
  2⤵
  PID:4264
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\icbolcnldxmpnvgucc.exe*."
    3⤵
    PID:1624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe
1⤵
PID:396
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:988
- C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe
  C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe
  2⤵
  PID:2816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe .
1⤵
PID:3648
- C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe
  C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5484
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\vsukkestoldjkvjalolnd.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c skhsnclhxpcdzfoa.exe
1⤵
PID:2456
- C:\Windows\skhsnclhxpcdzfoa.exe
  skhsnclhxpcdzfoa.exe
  2⤵
  PID:4776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c skhsnclhxpcdzfoa.exe .
1⤵
PID:3284
- C:\Windows\skhsnclhxpcdzfoa.exe
  skhsnclhxpcdzfoa.exe .
  2⤵
  PID:1944
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\skhsnclhxpcdzfoa.exe*."
    3⤵
    PID:1228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gcdsrkxxrnejjtgwgief.exe
1⤵
PID:3000
- C:\Windows\gcdsrkxxrnejjtgwgief.exe
  gcdsrkxxrnejjtgwgief.exe
  2⤵
  PID:2684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icbolcnldxmpnvgucc.exe .
1⤵
PID:5344
- C:\Windows\icbolcnldxmpnvgucc.exe
  icbolcnldxmpnvgucc.exe .
  2⤵
  PID:5948
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\icbolcnldxmpnvgucc.exe*."
    3⤵
    PID:2348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe
1⤵
PID:4812
- C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe
  C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe
  2⤵
  PID:4184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe .
1⤵
PID:2224
- C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe
  C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe .
  2⤵
  - Checks computer location settings
  PID:1352
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\icbolcnldxmpnvgucc.exe*."
    3⤵
    PID:4944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
1⤵
PID:1464
- C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
  2⤵
  PID:4756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe .
1⤵
PID:724
- C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe
  C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe .
  2⤵
  PID:3924
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\vsukkestoldjkvjalolnd.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsqcyoyvmftvszjwd.exe
1⤵
PID:6032
- C:\Windows\zsqcyoyvmftvszjwd.exe
  zsqcyoyvmftvszjwd.exe
  2⤵
  PID:3804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vsukkestoldjkvjalolnd.exe .
1⤵
PID:2452
- C:\Windows\vsukkestoldjkvjalolnd.exe
  vsukkestoldjkvjalolnd.exe .
  2⤵
  - Checks computer location settings
  PID:4748
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\vsukkestoldjkvjalolnd.exe*."
    3⤵
    PID:5584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gcdsrkxxrnejjtgwgief.exe
1⤵
PID:2936
- C:\Windows\gcdsrkxxrnejjtgwgief.exe
  gcdsrkxxrnejjtgwgief.exe
  2⤵
  PID:3916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsqcyoyvmftvszjwd.exe .
1⤵
PID:1472
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1592
- C:\Windows\zsqcyoyvmftvszjwd.exe
  zsqcyoyvmftvszjwd.exe .
  2⤵
  - Checks computer location settings
  PID:1580
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\zsqcyoyvmftvszjwd.exe*."
    3⤵
    PID:5916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe
1⤵
PID:2448
- C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe
  C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe
  2⤵
  PID:3928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe .
1⤵
PID:4108
- C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe
  C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe .
  2⤵
  - Checks computer location settings
  PID:4280
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\gcdsrkxxrnejjtgwgief.exe*."
    3⤵
    PID:628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
1⤵
PID:5144
- C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
  2⤵
  PID:2704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe .
1⤵
PID:1456
- C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:6060
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\skhsnclhxpcdzfoa.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c toocasedwrhlktfudez.exe
1⤵
PID:5092
- C:\Windows\toocasedwrhlktfudez.exe
  toocasedwrhlktfudez.exe
  2⤵
  PID:3612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gcdsrkxxrnejjtgwgief.exe
1⤵
PID:5608
- C:\Windows\gcdsrkxxrnejjtgwgief.exe
  gcdsrkxxrnejjtgwgief.exe
  2⤵
  PID:2576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vsukkestoldjkvjalolnd.exe .
1⤵
PID:1660
- C:\Windows\vsukkestoldjkvjalolnd.exe
  vsukkestoldjkvjalolnd.exe .
  2⤵
  PID:2744
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\vsukkestoldjkvjalolnd.exe*."
    3⤵
    PID:1512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vsukkestoldjkvjalolnd.exe .
1⤵
PID:1564
- C:\Windows\vsukkestoldjkvjalolnd.exe
  vsukkestoldjkvjalolnd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4456
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\vsukkestoldjkvjalolnd.exe*."
    3⤵
    PID:5992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsqcyoyvmftvszjwd.exe
1⤵
PID:5136
- C:\Windows\zsqcyoyvmftvszjwd.exe
  zsqcyoyvmftvszjwd.exe
  2⤵
  PID:884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c toocasedwrhlktfudez.exe .
1⤵
PID:1036
- C:\Windows\toocasedwrhlktfudez.exe
  toocasedwrhlktfudez.exe .
  2⤵
  - Checks computer location settings
  PID:2588
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\toocasedwrhlktfudez.exe*."
    3⤵
    PID:3456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gcdsrkxxrnejjtgwgief.exe
1⤵
PID:2032
- C:\Windows\gcdsrkxxrnejjtgwgief.exe
  gcdsrkxxrnejjtgwgief.exe
  2⤵
  PID:5544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsqcyoyvmftvszjwd.exe
1⤵
PID:2712
- C:\Windows\zsqcyoyvmftvszjwd.exe
  zsqcyoyvmftvszjwd.exe
  2⤵
  PID:3988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe
1⤵
PID:5140
- C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe
  C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe
  2⤵
  PID:1104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c skhsnclhxpcdzfoa.exe .
1⤵
PID:4880
- C:\Windows\skhsnclhxpcdzfoa.exe
  skhsnclhxpcdzfoa.exe .
  2⤵
  PID:1348
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\skhsnclhxpcdzfoa.exe*."
    3⤵
    PID:3916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsqcyoyvmftvszjwd.exe .
1⤵
PID:2792
- C:\Windows\zsqcyoyvmftvszjwd.exe
  zsqcyoyvmftvszjwd.exe .
  2⤵
  PID:812
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\zsqcyoyvmftvszjwd.exe*."
    3⤵
    PID:5196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe .
1⤵
PID:928
- C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe
  C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3424
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\vsukkestoldjkvjalolnd.exe*."
    3⤵
    PID:1060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe
1⤵
PID:5792
- C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe
  C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe
  2⤵
  PID:4916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe .
1⤵
PID:2040
- C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe
  C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4068
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\zsqcyoyvmftvszjwd.exe*."
    3⤵
    PID:2904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icbolcnldxmpnvgucc.exe
1⤵
PID:2524
- C:\Windows\icbolcnldxmpnvgucc.exe
  icbolcnldxmpnvgucc.exe
  2⤵
  PID:4312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
1⤵
PID:4184
- C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
  2⤵
  PID:696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gcdsrkxxrnejjtgwgief.exe .
1⤵
PID:5448
- C:\Windows\gcdsrkxxrnejjtgwgief.exe
  gcdsrkxxrnejjtgwgief.exe .
  2⤵
  PID:3036
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\gcdsrkxxrnejjtgwgief.exe*."
    3⤵
    PID:4580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe .
1⤵
PID:4632
- C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe
  C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe .
  2⤵
  - Checks computer location settings
  PID:5372
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\gcdsrkxxrnejjtgwgief.exe*."
    3⤵
    PID:4108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe
1⤵
PID:2316
- C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe
  C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe
  2⤵
  PID:552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
1⤵
PID:4572
- C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
  2⤵
  PID:2932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe .
1⤵
PID:5420
- C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe
  C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4080
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\gcdsrkxxrnejjtgwgief.exe*."
    3⤵
    PID:4340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe .
1⤵
PID:4116
- C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe
  C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1496
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\zsqcyoyvmftvszjwd.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe
1⤵
PID:2228
- C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe
  C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe
  2⤵
  PID:2008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe .
1⤵
PID:5784
- C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe
  C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe .
  2⤵
  - Checks computer location settings
  PID:4376
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\gcdsrkxxrnejjtgwgief.exe*."
    3⤵
    PID:4664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vsukkestoldjkvjalolnd.exe
1⤵
PID:5300
- C:\Windows\vsukkestoldjkvjalolnd.exe
  vsukkestoldjkvjalolnd.exe
  2⤵
  PID:4628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsqcyoyvmftvszjwd.exe .
1⤵
PID:5868
- C:\Windows\zsqcyoyvmftvszjwd.exe
  zsqcyoyvmftvszjwd.exe .
  2⤵
  PID:2516
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\zsqcyoyvmftvszjwd.exe*."
    3⤵
    PID:1640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c toocasedwrhlktfudez.exe
1⤵
PID:6052
- C:\Windows\toocasedwrhlktfudez.exe
  toocasedwrhlktfudez.exe
  2⤵
  PID:5072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c toocasedwrhlktfudez.exe .
1⤵
PID:2880
- C:\Windows\toocasedwrhlktfudez.exe
  toocasedwrhlktfudez.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:884
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\toocasedwrhlktfudez.exe*."
    3⤵
    PID:2512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe
1⤵
PID:4684
- C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe
  C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe
  2⤵
  PID:4688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe .
1⤵
PID:2416
- C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:6120
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\skhsnclhxpcdzfoa.exe*."
    3⤵
    PID:4924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe
1⤵
PID:4656
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1164
- C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe
  C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe
  2⤵
  PID:5248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe .
1⤵
PID:5304
- C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe .
  2⤵
  PID:4540
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\skhsnclhxpcdzfoa.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icbolcnldxmpnvgucc.exe
1⤵
PID:4312
- C:\Windows\icbolcnldxmpnvgucc.exe
  icbolcnldxmpnvgucc.exe
  2⤵
  PID:1940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icbolcnldxmpnvgucc.exe .
1⤵
PID:5196
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2348
- C:\Windows\icbolcnldxmpnvgucc.exe
  icbolcnldxmpnvgucc.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3808
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\icbolcnldxmpnvgucc.exe*."
    3⤵
    PID:1928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsqcyoyvmftvszjwd.exe
1⤵
PID:5344
- C:\Windows\zsqcyoyvmftvszjwd.exe
  zsqcyoyvmftvszjwd.exe
  2⤵
  PID:1508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c skhsnclhxpcdzfoa.exe .
1⤵
PID:3804
- C:\Windows\skhsnclhxpcdzfoa.exe
  skhsnclhxpcdzfoa.exe .
  2⤵
  - Checks computer location settings
  PID:1348
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\skhsnclhxpcdzfoa.exe*."
    3⤵
    PID:4112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe
1⤵
PID:3568
- C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe
  C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe
  2⤵
  PID:3440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe .
1⤵
PID:5916
- C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe
  C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe .
  2⤵
  - Checks computer location settings
  PID:4880
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\vsukkestoldjkvjalolnd.exe*."
    3⤵
    PID:3228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe
1⤵
PID:3412
- C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe
  C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe
  2⤵
  PID:5060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe .
1⤵
PID:4756
- C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe
  C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe .
  2⤵
  - Checks computer location settings
  PID:4604
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\icbolcnldxmpnvgucc.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vsukkestoldjkvjalolnd.exe
1⤵
PID:656
- C:\Windows\vsukkestoldjkvjalolnd.exe
  vsukkestoldjkvjalolnd.exe
  2⤵
  PID:4044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vsukkestoldjkvjalolnd.exe .
1⤵
PID:1568
- C:\Windows\vsukkestoldjkvjalolnd.exe
  vsukkestoldjkvjalolnd.exe .
  2⤵
  PID:2328
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\vsukkestoldjkvjalolnd.exe*."
    3⤵
    PID:452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c skhsnclhxpcdzfoa.exe
1⤵
PID:4588
- C:\Windows\skhsnclhxpcdzfoa.exe
  skhsnclhxpcdzfoa.exe
  2⤵
  PID:1476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vsukkestoldjkvjalolnd.exe .
1⤵
PID:5868
- C:\Windows\vsukkestoldjkvjalolnd.exe
  vsukkestoldjkvjalolnd.exe .
  2⤵
  PID:5608
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\vsukkestoldjkvjalolnd.exe*."
    3⤵
    PID:1660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe
1⤵
PID:5220
- C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe
  C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe
  2⤵
  PID:4684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe .
1⤵
PID:1792
- C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe
  C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe .
  2⤵
  - Checks computer location settings
  PID:4704
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\zsqcyoyvmftvszjwd.exe*."
    3⤵
    PID:3936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe
1⤵
PID:6120
- C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe
  C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe
  2⤵
  PID:3004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe .
1⤵
PID:4272
- C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe
  C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe .
  2⤵
  PID:628
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\icbolcnldxmpnvgucc.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vsukkestoldjkvjalolnd.exe
1⤵
PID:3884
- C:\Windows\vsukkestoldjkvjalolnd.exe
  vsukkestoldjkvjalolnd.exe
  2⤵
  PID:4992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsqcyoyvmftvszjwd.exe .
1⤵
PID:2608
- C:\Windows\zsqcyoyvmftvszjwd.exe
  zsqcyoyvmftvszjwd.exe .
  2⤵
  PID:3000
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\zsqcyoyvmftvszjwd.exe*."
    3⤵
    PID:3840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c toocasedwrhlktfudez.exe
1⤵
PID:5888
- C:\Windows\toocasedwrhlktfudez.exe
  toocasedwrhlktfudez.exe
  2⤵
  PID:5644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gcdsrkxxrnejjtgwgief.exe .
1⤵
PID:2928
- C:\Windows\gcdsrkxxrnejjtgwgief.exe
  gcdsrkxxrnejjtgwgief.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3916
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\gcdsrkxxrnejjtgwgief.exe*."
    3⤵
    PID:1780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe
1⤵
PID:3036
- C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe
  C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe
  2⤵
  PID:3276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe .
1⤵
PID:2332
- C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe
  C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe .
  2⤵
  PID:5552
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\gcdsrkxxrnejjtgwgief.exe*."
    3⤵
    PID:1220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe
1⤵
PID:4080
- C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe
  C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe
  2⤵
  PID:876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe .
1⤵
PID:2312
- C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe
  C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3672
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\gcdsrkxxrnejjtgwgief.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c skhsnclhxpcdzfoa.exe
1⤵
PID:5448
- C:\Windows\skhsnclhxpcdzfoa.exe
  skhsnclhxpcdzfoa.exe
  2⤵
  PID:2960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsqcyoyvmftvszjwd.exe .
1⤵
PID:4304
- C:\Windows\zsqcyoyvmftvszjwd.exe
  zsqcyoyvmftvszjwd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2844
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\zsqcyoyvmftvszjwd.exe*."
    3⤵
    PID:5636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vsukkestoldjkvjalolnd.exe
1⤵
PID:5964
- C:\Windows\vsukkestoldjkvjalolnd.exe
  vsukkestoldjkvjalolnd.exe
  2⤵
  PID:1528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vsukkestoldjkvjalolnd.exe .
1⤵
PID:5896
- C:\Windows\vsukkestoldjkvjalolnd.exe
  vsukkestoldjkvjalolnd.exe .
  2⤵
  PID:1360
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\vsukkestoldjkvjalolnd.exe*."
    3⤵
    PID:3572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe
1⤵
PID:1184
- C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe
  C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe
  2⤵
  PID:2940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe .
1⤵
PID:2360
- C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe
  C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe .
  2⤵
  PID:5608
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\icbolcnldxmpnvgucc.exe*."
    3⤵
    PID:2772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe
1⤵
PID:2152
- C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe
  C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe
  2⤵
  PID:4800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe .
1⤵
PID:808
- C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe
  C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3356
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\gcdsrkxxrnejjtgwgief.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gcdsrkxxrnejjtgwgief.exe
1⤵
PID:5032
- C:\Windows\gcdsrkxxrnejjtgwgief.exe
  gcdsrkxxrnejjtgwgief.exe
  2⤵
  PID:4536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c skhsnclhxpcdzfoa.exe .
1⤵
PID:1940
- C:\Windows\skhsnclhxpcdzfoa.exe
  skhsnclhxpcdzfoa.exe .
  2⤵
  - Checks computer location settings
  PID:4792
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\skhsnclhxpcdzfoa.exe*."
    3⤵
    PID:928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vsukkestoldjkvjalolnd.exe
1⤵
PID:1928
- C:\Windows\vsukkestoldjkvjalolnd.exe
  vsukkestoldjkvjalolnd.exe
  2⤵
  PID:832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c skhsnclhxpcdzfoa.exe .
1⤵
PID:4068
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5100
- C:\Windows\skhsnclhxpcdzfoa.exe
  skhsnclhxpcdzfoa.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:892
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\skhsnclhxpcdzfoa.exe*."
    3⤵
    PID:3916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe
1⤵
PID:3276
- C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe
  C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe
  2⤵
  PID:4464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe .
1⤵
PID:4956
- C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe
  C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3608
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\vsukkestoldjkvjalolnd.exe*."
    3⤵
    PID:5060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe
1⤵
PID:5916
- C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe
  C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe
  2⤵
  PID:2380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe .
1⤵
PID:4280
- C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe
  C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3560
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\toocasedwrhlktfudez.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsqcyoyvmftvszjwd.exe
1⤵
PID:3756
- C:\Windows\zsqcyoyvmftvszjwd.exe
  zsqcyoyvmftvszjwd.exe
  2⤵
  PID:2312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c skhsnclhxpcdzfoa.exe .
1⤵
PID:2552
- C:\Windows\skhsnclhxpcdzfoa.exe
  skhsnclhxpcdzfoa.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5148
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\skhsnclhxpcdzfoa.exe*."
    3⤵
    PID:1456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icbolcnldxmpnvgucc.exe
1⤵
PID:2104
- C:\Windows\icbolcnldxmpnvgucc.exe
  icbolcnldxmpnvgucc.exe
  2⤵
  PID:4032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c skhsnclhxpcdzfoa.exe .
1⤵
PID:848
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2384
- C:\Windows\skhsnclhxpcdzfoa.exe
  skhsnclhxpcdzfoa.exe .
  2⤵
  - Checks computer location settings
  PID:4152
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\skhsnclhxpcdzfoa.exe*."
    3⤵
    PID:3664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vsukkestoldjkvjalolnd.exe
1⤵
PID:4304
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2052
- C:\Windows\vsukkestoldjkvjalolnd.exe
  vsukkestoldjkvjalolnd.exe
  2⤵
  PID:5188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c skhsnclhxpcdzfoa.exe
1⤵
PID:5672
- C:\Windows\skhsnclhxpcdzfoa.exe
  skhsnclhxpcdzfoa.exe
  2⤵
  PID:4684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vsukkestoldjkvjalolnd.exe .
1⤵
PID:4444
- C:\Windows\vsukkestoldjkvjalolnd.exe
  vsukkestoldjkvjalolnd.exe .
  2⤵
  - Checks computer location settings
  PID:2756
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\vsukkestoldjkvjalolnd.exe*."
    3⤵
    PID:628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c skhsnclhxpcdzfoa.exe
1⤵
PID:2516
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1568
- C:\Windows\skhsnclhxpcdzfoa.exe
  skhsnclhxpcdzfoa.exe
  2⤵
  PID:5824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe
1⤵
PID:5848
- C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe
  C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe
  2⤵
  PID:1420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gcdsrkxxrnejjtgwgief.exe .
1⤵
PID:5572
- C:\Windows\gcdsrkxxrnejjtgwgief.exe
  gcdsrkxxrnejjtgwgief.exe .
  2⤵
  PID:5304
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\gcdsrkxxrnejjtgwgief.exe*."
    3⤵
    PID:3276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe .
1⤵
PID:5284
- C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe
  C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe .
  2⤵
  PID:2760
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\vsukkestoldjkvjalolnd.exe*."
    3⤵
    PID:2608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icbolcnldxmpnvgucc.exe .
1⤵
PID:5608
- C:\Windows\icbolcnldxmpnvgucc.exe
  icbolcnldxmpnvgucc.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5740
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\icbolcnldxmpnvgucc.exe*."
    3⤵
    PID:5484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe
1⤵
PID:2456
- C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe
  C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe
  2⤵
  PID:2180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icbolcnldxmpnvgucc.exe
1⤵
PID:3892
- C:\Windows\icbolcnldxmpnvgucc.exe
  icbolcnldxmpnvgucc.exe
  2⤵
  PID:4020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe .
1⤵
PID:4980
- C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe
  C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe .
  2⤵
  PID:2928
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\gcdsrkxxrnejjtgwgief.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vsukkestoldjkvjalolnd.exe .
1⤵
PID:1632
- C:\Windows\vsukkestoldjkvjalolnd.exe
  vsukkestoldjkvjalolnd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1400
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\vsukkestoldjkvjalolnd.exe*."
    3⤵
    PID:2536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe
1⤵
PID:4884
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3988
- C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe
  C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe
  2⤵
  PID:4608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe
1⤵
PID:3776
- C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe
  C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe
  2⤵
  PID:876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe .
1⤵
PID:4876
- C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe
  C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4864
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\toocasedwrhlktfudez.exe*."
    3⤵
    PID:2808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe .
1⤵
PID:1940
- C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe
  C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe .
  2⤵
  PID:5512
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\zsqcyoyvmftvszjwd.exe*."
    3⤵
    PID:4420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe
1⤵
PID:3284
- C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe
  C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe
  2⤵
  PID:1732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe .
1⤵
PID:4984
- C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe
  C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2224
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\gcdsrkxxrnejjtgwgief.exe*."
    3⤵
    PID:3876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe
1⤵
PID:5080
- C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe
  C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe
  2⤵
  PID:5144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe .
1⤵
PID:1856
- C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1784
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\skhsnclhxpcdzfoa.exe*."
    3⤵
    PID:2448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsqcyoyvmftvszjwd.exe
1⤵
PID:5896
- C:\Windows\zsqcyoyvmftvszjwd.exe
  zsqcyoyvmftvszjwd.exe
  2⤵
  PID:5464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c toocasedwrhlktfudez.exe .
1⤵
PID:3716
- C:\Windows\toocasedwrhlktfudez.exe
  toocasedwrhlktfudez.exe .
  2⤵
  PID:4456
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\toocasedwrhlktfudez.exe*."
    3⤵
    PID:452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vsukkestoldjkvjalolnd.exe
1⤵
PID:5300
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1476
- C:\Windows\vsukkestoldjkvjalolnd.exe
  vsukkestoldjkvjalolnd.exe
  2⤵
  PID:5964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c toocasedwrhlktfudez.exe .
1⤵
PID:4184
- C:\Windows\toocasedwrhlktfudez.exe
  toocasedwrhlktfudez.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5952
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\toocasedwrhlktfudez.exe*."
    3⤵
    PID:808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe
1⤵
PID:2756
- C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe
  C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe
  2⤵
  PID:2516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe .
1⤵
PID:1568
- C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe
  C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe .
  2⤵
  - Checks computer location settings
  PID:4444
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\gcdsrkxxrnejjtgwgief.exe*."
    3⤵
    PID:2740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe
1⤵
PID:5680
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5484
- C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe
  C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe
  2⤵
  PID:1636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe .
1⤵
PID:3636
- C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2888
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\skhsnclhxpcdzfoa.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vsukkestoldjkvjalolnd.exe
1⤵
PID:5932
- C:\Windows\vsukkestoldjkvjalolnd.exe
  vsukkestoldjkvjalolnd.exe
  2⤵
  PID:5572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c skhsnclhxpcdzfoa.exe .
1⤵
PID:2744
- C:\Windows\skhsnclhxpcdzfoa.exe
  skhsnclhxpcdzfoa.exe .
  2⤵
  PID:4624
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\skhsnclhxpcdzfoa.exe*."
    3⤵
    PID:1400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vsukkestoldjkvjalolnd.exe
1⤵
PID:2568
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3076
- C:\Windows\vsukkestoldjkvjalolnd.exe
  vsukkestoldjkvjalolnd.exe
  2⤵
  PID:3248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icbolcnldxmpnvgucc.exe .
1⤵
PID:5048
- C:\Windows\icbolcnldxmpnvgucc.exe
  icbolcnldxmpnvgucc.exe .
  2⤵
  - Checks computer location settings
  PID:3776
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\icbolcnldxmpnvgucc.exe*."
    3⤵
    PID:2224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe
1⤵
PID:4808
- C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe
  C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe
  2⤵
  PID:2728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe .
1⤵
PID:4420
- C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5820
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\skhsnclhxpcdzfoa.exe*."
    3⤵
    PID:3228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe
1⤵
PID:1928
- C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe
  C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe
  2⤵
  PID:5060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe .
1⤵
PID:116
- C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe
  C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe .
  2⤵
  PID:5580
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\toocasedwrhlktfudez.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:6032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vsukkestoldjkvjalolnd.exe
1⤵
PID:1532
- C:\Windows\vsukkestoldjkvjalolnd.exe
  vsukkestoldjkvjalolnd.exe
  2⤵
  PID:5168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vsukkestoldjkvjalolnd.exe .
1⤵
PID:2208
- C:\Windows\vsukkestoldjkvjalolnd.exe
  vsukkestoldjkvjalolnd.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4340
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\vsukkestoldjkvjalolnd.exe*."
    3⤵
    PID:5624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gcdsrkxxrnejjtgwgief.exe
1⤵
PID:5104
- C:\Windows\gcdsrkxxrnejjtgwgief.exe
  gcdsrkxxrnejjtgwgief.exe
  2⤵
  PID:4820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icbolcnldxmpnvgucc.exe .
1⤵
PID:2932
- C:\Windows\icbolcnldxmpnvgucc.exe
  icbolcnldxmpnvgucc.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5868
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\icbolcnldxmpnvgucc.exe*."
    3⤵
    PID:5668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe
1⤵
PID:4460
- C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe
  C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe
  2⤵
  PID:5924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe .
1⤵
PID:4456
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2816
- C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe
  C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe .
  2⤵
  - Checks computer location settings
  PID:4568
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\zsqcyoyvmftvszjwd.exe*."
    3⤵
    PID:5408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe
1⤵
PID:5140
- C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe
  C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe
  2⤵
  PID:4100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe .
1⤵
PID:2548
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4264
- C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe
  C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4480
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\toocasedwrhlktfudez.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icbolcnldxmpnvgucc.exe
1⤵
PID:5088
- C:\Windows\icbolcnldxmpnvgucc.exe
  icbolcnldxmpnvgucc.exe
  2⤵
  PID:2740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vsukkestoldjkvjalolnd.exe .
1⤵
PID:5300
- C:\Windows\vsukkestoldjkvjalolnd.exe
  vsukkestoldjkvjalolnd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5680
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\vsukkestoldjkvjalolnd.exe*."
    3⤵
    PID:1872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gcdsrkxxrnejjtgwgief.exe
1⤵
PID:5860
- C:\Windows\gcdsrkxxrnejjtgwgief.exe
  gcdsrkxxrnejjtgwgief.exe
  2⤵
  PID:3636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icbolcnldxmpnvgucc.exe .
1⤵
PID:840
- C:\Windows\icbolcnldxmpnvgucc.exe
  icbolcnldxmpnvgucc.exe .
  2⤵
  PID:5572
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\icbolcnldxmpnvgucc.exe*."
    3⤵
    PID:6048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe
1⤵
PID:4752
- C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe
  C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe
  2⤵
  PID:3864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe .
1⤵
PID:4624
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1400
- C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe
  C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe .
  2⤵
  - Checks computer location settings
  PID:2744
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\gcdsrkxxrnejjtgwgief.exe*."
    3⤵
    PID:4612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe
1⤵
PID:1164
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2312
- C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe
  C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe
  2⤵
  PID:5308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe .
1⤵
PID:3840
- C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe
  C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2452
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\vsukkestoldjkvjalolnd.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gcdsrkxxrnejjtgwgief.exe
1⤵
PID:4296
- C:\Windows\gcdsrkxxrnejjtgwgief.exe
  gcdsrkxxrnejjtgwgief.exe
  2⤵
  PID:3284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gcdsrkxxrnejjtgwgief.exe .
1⤵
PID:1656
- C:\Windows\gcdsrkxxrnejjtgwgief.exe
  gcdsrkxxrnejjtgwgief.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:972
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\gcdsrkxxrnejjtgwgief.exe*."
    3⤵
    PID:3724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c toocasedwrhlktfudez.exe
1⤵
PID:536
- C:\Windows\toocasedwrhlktfudez.exe
  toocasedwrhlktfudez.exe
  2⤵
  PID:5552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsqcyoyvmftvszjwd.exe .
1⤵
PID:512
- C:\Windows\zsqcyoyvmftvszjwd.exe
  zsqcyoyvmftvszjwd.exe .
  2⤵
  - Checks computer location settings
  PID:2104
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\zsqcyoyvmftvszjwd.exe*."
    3⤵
    PID:4556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe
1⤵
PID:388
- C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe
  C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe
  2⤵
  PID:1496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe .
1⤵
PID:4876
- C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe
  C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4288
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\gcdsrkxxrnejjtgwgief.exe*."
    3⤵
    PID:592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
1⤵
PID:4340
- C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
  2⤵
  PID:4820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe .
1⤵
PID:4076
- C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5104
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\skhsnclhxpcdzfoa.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsqcyoyvmftvszjwd.exe
1⤵
PID:4352
- C:\Windows\zsqcyoyvmftvszjwd.exe
  zsqcyoyvmftvszjwd.exe
  2⤵
  PID:2512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icbolcnldxmpnvgucc.exe .
1⤵
PID:1256
- C:\Windows\icbolcnldxmpnvgucc.exe
  icbolcnldxmpnvgucc.exe .
  2⤵
  - Checks computer location settings
  PID:3816
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\icbolcnldxmpnvgucc.exe*."
    3⤵
    PID:4600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gcdsrkxxrnejjtgwgief.exe
1⤵
PID:5348
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3936
- C:\Windows\gcdsrkxxrnejjtgwgief.exe
  gcdsrkxxrnejjtgwgief.exe
  2⤵
  PID:4828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gcdsrkxxrnejjtgwgief.exe .
1⤵
PID:2756
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1624
- C:\Windows\gcdsrkxxrnejjtgwgief.exe
  gcdsrkxxrnejjtgwgief.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1348
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\gcdsrkxxrnejjtgwgief.exe*."
    3⤵
    PID:4184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe
1⤵
PID:4172
- C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe
  C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe
  2⤵
  PID:928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe .
1⤵
PID:1560
- C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe
  C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2768
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\vsukkestoldjkvjalolnd.exe*."
    3⤵
    PID:1544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icbolcnldxmpnvgucc.exe
1⤵
PID:5304
- C:\Windows\icbolcnldxmpnvgucc.exe
  icbolcnldxmpnvgucc.exe
  2⤵
  PID:4628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe
1⤵
PID:5908
- C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe
  C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe
  2⤵
  PID:3356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe .
1⤵
PID:1636
- C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe
  C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2500
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\zsqcyoyvmftvszjwd.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icbolcnldxmpnvgucc.exe .
1⤵
PID:2608
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1220
- C:\Windows\icbolcnldxmpnvgucc.exe
  icbolcnldxmpnvgucc.exe .
  2⤵
  - Checks computer location settings
  PID:4116
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\icbolcnldxmpnvgucc.exe*."
    3⤵
    PID:4144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vsukkestoldjkvjalolnd.exe
1⤵
PID:5928
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4716
- C:\Windows\vsukkestoldjkvjalolnd.exe
  vsukkestoldjkvjalolnd.exe
  2⤵
  PID:2744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icbolcnldxmpnvgucc.exe
1⤵
PID:6048
- C:\Windows\icbolcnldxmpnvgucc.exe
  icbolcnldxmpnvgucc.exe
  2⤵
  PID:220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c skhsnclhxpcdzfoa.exe .
1⤵
PID:2176
- C:\Windows\skhsnclhxpcdzfoa.exe
  skhsnclhxpcdzfoa.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5384
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\skhsnclhxpcdzfoa.exe*."
    3⤵
    PID:5960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vsukkestoldjkvjalolnd.exe .
1⤵
PID:4800
- C:\Windows\vsukkestoldjkvjalolnd.exe
  vsukkestoldjkvjalolnd.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4652
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\vsukkestoldjkvjalolnd.exe*."
    3⤵
    PID:972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe
1⤵
PID:3952
- C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe
  C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe
  2⤵
  PID:2116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vsukkestoldjkvjalolnd.exe
1⤵
PID:4748
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:6060
- C:\Windows\vsukkestoldjkvjalolnd.exe
  vsukkestoldjkvjalolnd.exe
  2⤵
  PID:3928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe .
1⤵
PID:4044
- C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe .
  2⤵
  PID:5464
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\skhsnclhxpcdzfoa.exe*."
    3⤵
    PID:1640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icbolcnldxmpnvgucc.exe .
1⤵
PID:5820
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2684
- C:\Windows\icbolcnldxmpnvgucc.exe
  icbolcnldxmpnvgucc.exe .
  2⤵
  - Checks computer location settings
  PID:928
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\icbolcnldxmpnvgucc.exe*."
    3⤵
    PID:4040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe
1⤵
PID:4320
- C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe
  C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe
  2⤵
  PID:5404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c toocasedwrhlktfudez.exe
1⤵
PID:3608
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4776
- C:\Windows\toocasedwrhlktfudez.exe
  toocasedwrhlktfudez.exe
  2⤵
  PID:2040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe
1⤵
PID:1456
- C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe
  C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe
  2⤵
  PID:5748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe .
1⤵
PID:4924
- C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe
  C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe .
  2⤵
  PID:2436
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\vsukkestoldjkvjalolnd.exe*."
    3⤵
    PID:656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe .
1⤵
PID:4604
- C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe .
  2⤵
  PID:592
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\skhsnclhxpcdzfoa.exe*."
    3⤵
    PID:5192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c toocasedwrhlktfudez.exe .
1⤵
PID:4128
- C:\Windows\toocasedwrhlktfudez.exe
  toocasedwrhlktfudez.exe .
  2⤵
  PID:4372
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\toocasedwrhlktfudez.exe*."
    3⤵
    PID:1572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
1⤵
PID:1528
- C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
  2⤵
  PID:5964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c toocasedwrhlktfudez.exe
1⤵
PID:5392
- C:\Windows\toocasedwrhlktfudez.exe
  toocasedwrhlktfudez.exe
  2⤵
  PID:668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe .
1⤵
PID:1140
- C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe
  C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe .
  2⤵
  - Checks computer location settings
  PID:2052
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\icbolcnldxmpnvgucc.exe*."
    3⤵
    PID:4436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c toocasedwrhlktfudez.exe .
1⤵
PID:1988
- C:\Windows\toocasedwrhlktfudez.exe
  toocasedwrhlktfudez.exe .
  2⤵
  PID:3036
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\toocasedwrhlktfudez.exe*."
    3⤵
    PID:1300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
1⤵
PID:848
- C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
  2⤵
  PID:2772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe .
1⤵
PID:4304
- C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe
  C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1776
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\zsqcyoyvmftvszjwd.exe*."
    3⤵
    PID:396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe
1⤵
PID:5560
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5304
- C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe
  C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe
  2⤵
  PID:3456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe .
1⤵
PID:4112
- C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe
  C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4344
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\gcdsrkxxrnejjtgwgief.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c toocasedwrhlktfudez.exe
1⤵
PID:5608
- C:\Windows\toocasedwrhlktfudez.exe
  toocasedwrhlktfudez.exe
  2⤵
  PID:3192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icbolcnldxmpnvgucc.exe .
1⤵
PID:3840
- C:\Windows\icbolcnldxmpnvgucc.exe
  icbolcnldxmpnvgucc.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2116
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\icbolcnldxmpnvgucc.exe*."
    3⤵
    PID:4296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vsukkestoldjkvjalolnd.exe
1⤵
PID:4720
- C:\Windows\vsukkestoldjkvjalolnd.exe
  vsukkestoldjkvjalolnd.exe
  2⤵
  PID:6028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c toocasedwrhlktfudez.exe .
1⤵
PID:1164
- C:\Windows\toocasedwrhlktfudez.exe
  toocasedwrhlktfudez.exe .
  2⤵
  PID:5100
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\toocasedwrhlktfudez.exe*."
    3⤵
    PID:1660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe
1⤵
PID:6044
- C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe
  C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe
  2⤵
  PID:4808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe .
1⤵
PID:5004
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3928
- C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe
  C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe .
  2⤵
  - Checks computer location settings
  PID:5748
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\icbolcnldxmpnvgucc.exe*."
    3⤵
    PID:4660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
1⤵
PID:1456
- C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
  2⤵
  PID:1764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe .
1⤵
PID:5708
- C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe
  C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe .
  2⤵
  - Checks computer location settings
  PID:716
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\vsukkestoldjkvjalolnd.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vsukkestoldjkvjalolnd.exe
1⤵
PID:3324
- C:\Windows\vsukkestoldjkvjalolnd.exe
  vsukkestoldjkvjalolnd.exe
  2⤵
  PID:2912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsqcyoyvmftvszjwd.exe .
1⤵
PID:5848
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4044
- C:\Windows\zsqcyoyvmftvszjwd.exe
  zsqcyoyvmftvszjwd.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:644
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\zsqcyoyvmftvszjwd.exe*."
    3⤵
    PID:4568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gcdsrkxxrnejjtgwgief.exe
1⤵
PID:2224
- C:\Windows\gcdsrkxxrnejjtgwgief.exe
  gcdsrkxxrnejjtgwgief.exe
  2⤵
  PID:1464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsqcyoyvmftvszjwd.exe .
1⤵
PID:3540
- C:\Windows\zsqcyoyvmftvszjwd.exe
  zsqcyoyvmftvszjwd.exe .
  2⤵
  PID:2420
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\zsqcyoyvmftvszjwd.exe*."
    3⤵
    PID:4184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe
1⤵
PID:5468
- C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe
  C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe
  2⤵
  PID:3248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe .
1⤵
PID:4624
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5916
- C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe
  C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe .
  2⤵
  PID:5136
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\icbolcnldxmpnvgucc.exe*."
    3⤵
    PID:4480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe
1⤵
PID:764
- C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe
  C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe
  2⤵
  PID:2684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe .
1⤵
PID:5036
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2516
- C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe
  C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe .
  2⤵
  PID:396
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\zsqcyoyvmftvszjwd.exe*."
    3⤵
    PID:2480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsqcyoyvmftvszjwd.exe
1⤵
PID:4196
- C:\Windows\zsqcyoyvmftvszjwd.exe
  zsqcyoyvmftvszjwd.exe
  2⤵
  PID:4444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsqcyoyvmftvszjwd.exe .
1⤵
PID:3916
- C:\Windows\zsqcyoyvmftvszjwd.exe
  zsqcyoyvmftvszjwd.exe .
  2⤵
  PID:3956
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\zsqcyoyvmftvszjwd.exe*."
    3⤵
    PID:4668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gcdsrkxxrnejjtgwgief.exe
1⤵
PID:2032
- C:\Windows\gcdsrkxxrnejjtgwgief.exe
  gcdsrkxxrnejjtgwgief.exe
  2⤵
  PID:1692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icbolcnldxmpnvgucc.exe .
1⤵
PID:1532
- C:\Windows\icbolcnldxmpnvgucc.exe
  icbolcnldxmpnvgucc.exe .
  2⤵
  PID:5568
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\icbolcnldxmpnvgucc.exe*."
    3⤵
    PID:3804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
1⤵
PID:5740
- C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
  2⤵
  PID:4144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe .
1⤵
PID:4640
- C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe
  C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe .
  2⤵
  PID:4488
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\vsukkestoldjkvjalolnd.exe*."
    3⤵
    PID:1780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe
  C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe
  2⤵
  PID:4864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe .
1⤵
PID:3840
- C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe
  C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe .
  2⤵
  PID:4652
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\toocasedwrhlktfudez.exe*."
    3⤵
    PID:5764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c toocasedwrhlktfudez.exe
1⤵
PID:2568
- C:\Windows\toocasedwrhlktfudez.exe
  toocasedwrhlktfudez.exe
  2⤵
  PID:5644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c toocasedwrhlktfudez.exe .
1⤵
PID:2732
- C:\Windows\toocasedwrhlktfudez.exe
  toocasedwrhlktfudez.exe .
  2⤵
  PID:4968
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\toocasedwrhlktfudez.exe*."
    3⤵
    PID:2436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsqcyoyvmftvszjwd.exe
1⤵
PID:5404
- C:\Windows\zsqcyoyvmftvszjwd.exe
  zsqcyoyvmftvszjwd.exe
  2⤵
  PID:1940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gcdsrkxxrnejjtgwgief.exe .
1⤵
PID:5784
- C:\Windows\gcdsrkxxrnejjtgwgief.exe
  gcdsrkxxrnejjtgwgief.exe .
  2⤵
  PID:1104
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\gcdsrkxxrnejjtgwgief.exe*."
    3⤵
    PID:4276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe
1⤵
PID:4280
- C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe
  C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe
  2⤵
  PID:3872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe .
1⤵
PID:5412
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5148
- C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe .
  2⤵
  PID:1420
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\skhsnclhxpcdzfoa.exe*."
    3⤵
    PID:4684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
1⤵
PID:3572
- C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
  2⤵
  PID:4568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe .
1⤵
PID:5408
- C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe .
  2⤵
  PID:1352
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\skhsnclhxpcdzfoa.exe*."
    3⤵
    PID:5576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c skhsnclhxpcdzfoa.exe
1⤵
PID:4644
- C:\Windows\skhsnclhxpcdzfoa.exe
  skhsnclhxpcdzfoa.exe
  2⤵
  PID:4184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c toocasedwrhlktfudez.exe .
1⤵
PID:4436
- C:\Windows\toocasedwrhlktfudez.exe
  toocasedwrhlktfudez.exe .
  2⤵
  PID:4780
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\toocasedwrhlktfudez.exe*."
    3⤵
    PID:4172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c toocasedwrhlktfudez.exe
1⤵
PID:2868
- C:\Windows\toocasedwrhlktfudez.exe
  toocasedwrhlktfudez.exe
  2⤵
  PID:5820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c skhsnclhxpcdzfoa.exe .
1⤵
PID:4420
- C:\Windows\skhsnclhxpcdzfoa.exe
  skhsnclhxpcdzfoa.exe .
  2⤵
  PID:5936
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\skhsnclhxpcdzfoa.exe*."
    3⤵
    PID:1544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe
1⤵
PID:396
- C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe
  C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe
  2⤵
  PID:4628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe .
1⤵
PID:6068
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3808
- C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe
  C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe .
  2⤵
  PID:2740
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\zsqcyoyvmftvszjwd.exe*."
    3⤵
    PID:1560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe
1⤵
PID:2296
- C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe
  C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe
  2⤵
  PID:5544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe .
1⤵
PID:4888
- C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe .
  2⤵
  PID:976
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\skhsnclhxpcdzfoa.exe*."
    3⤵
    PID:4112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c skhsnclhxpcdzfoa.exe
1⤵
PID:5568
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5904
- C:\Windows\skhsnclhxpcdzfoa.exe
  skhsnclhxpcdzfoa.exe
  2⤵
  PID:4300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c toocasedwrhlktfudez.exe .
1⤵
PID:3284
- C:\Windows\toocasedwrhlktfudez.exe
  toocasedwrhlktfudez.exe .
  2⤵
  PID:2880
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\toocasedwrhlktfudez.exe*."
    3⤵
    PID:2116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c skhsnclhxpcdzfoa.exe
1⤵
PID:972
- C:\Windows\skhsnclhxpcdzfoa.exe
  skhsnclhxpcdzfoa.exe
  2⤵
  PID:5668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c skhsnclhxpcdzfoa.exe .
1⤵
PID:1820
- C:\Windows\skhsnclhxpcdzfoa.exe
  skhsnclhxpcdzfoa.exe .
  2⤵
  PID:6020
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\skhsnclhxpcdzfoa.exe*."
    3⤵
    PID:1496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icbolcnldxmpnvgucc.exe
1⤵
PID:2332
- C:\Windows\icbolcnldxmpnvgucc.exe
  icbolcnldxmpnvgucc.exe
  2⤵
  PID:6044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe
1⤵
PID:3084
- C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe
  C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe
  2⤵
  PID:1660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c toocasedwrhlktfudez.exe .
1⤵
PID:6120
- C:\Windows\toocasedwrhlktfudez.exe
  toocasedwrhlktfudez.exe .
  2⤵
  PID:3876
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\toocasedwrhlktfudez.exe*."
    3⤵
    PID:1828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe .
1⤵
PID:5644
- C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe
  C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe .
  2⤵
  PID:1940
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\icbolcnldxmpnvgucc.exe*."
    3⤵
    PID:1840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vsukkestoldjkvjalolnd.exe
1⤵
PID:2316
- C:\Windows\vsukkestoldjkvjalolnd.exe
  vsukkestoldjkvjalolnd.exe
  2⤵
  PID:4672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c skhsnclhxpcdzfoa.exe
1⤵
PID:1948
- C:\Windows\skhsnclhxpcdzfoa.exe
  skhsnclhxpcdzfoa.exe
  2⤵
  PID:1404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vsukkestoldjkvjalolnd.exe .
1⤵
PID:2208
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3776
- C:\Windows\vsukkestoldjkvjalolnd.exe
  vsukkestoldjkvjalolnd.exe .
  2⤵
  PID:1608
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\vsukkestoldjkvjalolnd.exe*."
    3⤵
    PID:4644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsqcyoyvmftvszjwd.exe .
1⤵
PID:4540
- C:\Windows\zsqcyoyvmftvszjwd.exe
  zsqcyoyvmftvszjwd.exe .
  2⤵
  PID:1844
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\zsqcyoyvmftvszjwd.exe*."
    3⤵
    PID:5484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe
1⤵
PID:3756
- C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe
  C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe
  2⤵
  PID:4656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe
1⤵
PID:736
- C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe
  C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe
  2⤵
  PID:5992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe .
1⤵
PID:512
- C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe
  C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe .
  2⤵
  PID:5472
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\icbolcnldxmpnvgucc.exe*."
    3⤵
    PID:5448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe .
1⤵
PID:3664
- C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe
  C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe .
  2⤵
  PID:1348
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\icbolcnldxmpnvgucc.exe*."
    3⤵
    PID:4504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gcdsrkxxrnejjtgwgief.exe
1⤵
PID:1528
- C:\Windows\gcdsrkxxrnejjtgwgief.exe
  gcdsrkxxrnejjtgwgief.exe
  2⤵
  PID:5392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gcdsrkxxrnejjtgwgief.exe .
1⤵
PID:6032
- C:\Windows\gcdsrkxxrnejjtgwgief.exe
  gcdsrkxxrnejjtgwgief.exe .
  2⤵
  PID:5140
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\gcdsrkxxrnejjtgwgief.exe*."
    3⤵
    PID:4420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe
1⤵
PID:5824
- C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe
  C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe
  2⤵
  PID:1692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe .
1⤵
PID:4152
- C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe
  C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe .
  2⤵
  PID:5920
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\vsukkestoldjkvjalolnd.exe*."
    3⤵
    PID:4252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
1⤵
PID:5868
- C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
  2⤵
  PID:1920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe .
1⤵
PID:5320
- C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe
  C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe .
  2⤵
  PID:2032
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\zsqcyoyvmftvszjwd.exe*."
    3⤵
    PID:2600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe
1⤵
PID:2792
- C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe
  C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe
  2⤵
  PID:6000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe .
1⤵
PID:3728
- C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe
  C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe .
  2⤵
  PID:1064
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\vsukkestoldjkvjalolnd.exe*."
    3⤵
    PID:4752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gcdsrkxxrnejjtgwgief.exe
1⤵
PID:5576
- C:\Windows\gcdsrkxxrnejjtgwgief.exe
  gcdsrkxxrnejjtgwgief.exe
  2⤵
  PID:4544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c skhsnclhxpcdzfoa.exe .
1⤵
PID:5608
- C:\Windows\skhsnclhxpcdzfoa.exe
  skhsnclhxpcdzfoa.exe .
  2⤵
  PID:2944
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\skhsnclhxpcdzfoa.exe*."
    3⤵
    PID:1112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c skhsnclhxpcdzfoa.exe
1⤵
PID:4296
- C:\Windows\skhsnclhxpcdzfoa.exe
  skhsnclhxpcdzfoa.exe
  2⤵
  PID:4556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c toocasedwrhlktfudez.exe .
1⤵
PID:2228
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3840
- C:\Windows\toocasedwrhlktfudez.exe
  toocasedwrhlktfudez.exe .
  2⤵
  PID:5308
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\toocasedwrhlktfudez.exe*."
    3⤵
    PID:5044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
1⤵
PID:1876
- C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
  2⤵
  PID:2784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe .
1⤵
PID:2808
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3440
- C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe
  C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe .
  2⤵
  PID:5492
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\icbolcnldxmpnvgucc.exe*."
    3⤵
    PID:4924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe
1⤵
PID:3876
- C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe
  C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe
  2⤵
  PID:4820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe .
1⤵
PID:2100
- C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe
  C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe .
  2⤵
  PID:5984
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\toocasedwrhlktfudez.exe*."
    3⤵
    PID:4748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vsukkestoldjkvjalolnd.exe
1⤵
PID:4536
- C:\Windows\vsukkestoldjkvjalolnd.exe
  vsukkestoldjkvjalolnd.exe
  2⤵
  PID:844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vsukkestoldjkvjalolnd.exe .
1⤵
PID:4112
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:452
- C:\Windows\vsukkestoldjkvjalolnd.exe
  vsukkestoldjkvjalolnd.exe .
  2⤵
  PID:3896
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\vsukkestoldjkvjalolnd.exe*."
    3⤵
    PID:1140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icbolcnldxmpnvgucc.exe
1⤵
PID:876
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4684
- C:\Windows\icbolcnldxmpnvgucc.exe
  icbolcnldxmpnvgucc.exe
  2⤵
  PID:2512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vsukkestoldjkvjalolnd.exe .
1⤵
PID:5768
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2328
- C:\Windows\vsukkestoldjkvjalolnd.exe
  vsukkestoldjkvjalolnd.exe .
  2⤵
  PID:696
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\vsukkestoldjkvjalolnd.exe*."
    3⤵
    PID:5104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe
1⤵
PID:4276
- C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe
  C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe
  2⤵
  PID:4624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe .
1⤵
PID:4460
- C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe
  C:\Users\Admin\AppData\Local\Temp\zsqcyoyvmftvszjwd.exe .
  2⤵
  PID:2588
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\zsqcyoyvmftvszjwd.exe*."
    3⤵
    PID:4628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
1⤵
PID:2660
- C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
  2⤵
  PID:6032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe .
1⤵
PID:4420
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2448
- C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe
  C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe .
  2⤵
  PID:5848
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\vsukkestoldjkvjalolnd.exe*."
    3⤵
    PID:208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icbolcnldxmpnvgucc.exe
1⤵
PID:1260
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1348
- C:\Windows\icbolcnldxmpnvgucc.exe
  icbolcnldxmpnvgucc.exe
  2⤵
  PID:5936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gcdsrkxxrnejjtgwgief.exe .
1⤵
PID:5868
- C:\Windows\gcdsrkxxrnejjtgwgief.exe
  gcdsrkxxrnejjtgwgief.exe .
  2⤵
  PID:3516
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\gcdsrkxxrnejjtgwgief.exe*."
    3⤵
    PID:4776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c skhsnclhxpcdzfoa.exe
1⤵
PID:3664
- C:\Windows\skhsnclhxpcdzfoa.exe
  skhsnclhxpcdzfoa.exe
  2⤵
  PID:4300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icbolcnldxmpnvgucc.exe .
1⤵
PID:4036
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3356
- C:\Windows\icbolcnldxmpnvgucc.exe
  icbolcnldxmpnvgucc.exe .
  2⤵
  PID:4288
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\icbolcnldxmpnvgucc.exe*."
    3⤵
    PID:4992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
1⤵
PID:4576
- C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
  2⤵
  PID:3412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe .
1⤵
PID:1632
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2180
- C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe
  C:\Users\Admin\AppData\Local\Temp\toocasedwrhlktfudez.exe .
  2⤵
  PID:4988
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\toocasedwrhlktfudez.exe*."
    3⤵
    PID:892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
1⤵
PID:3632
- C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
  2⤵
  PID:6132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe .
1⤵
PID:5352
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2760
- C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe
  C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe .
  2⤵
  PID:5692
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\vsukkestoldjkvjalolnd.exe*."
    3⤵
    PID:4640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gcdsrkxxrnejjtgwgief.exe
1⤵
PID:972
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3560
- C:\Windows\gcdsrkxxrnejjtgwgief.exe
  gcdsrkxxrnejjtgwgief.exe
  2⤵
  PID:1928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c skhsnclhxpcdzfoa.exe .
1⤵
PID:5168
- C:\Windows\skhsnclhxpcdzfoa.exe
  skhsnclhxpcdzfoa.exe .
  2⤵
  PID:1036
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\skhsnclhxpcdzfoa.exe*."
    3⤵
    PID:3416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vsukkestoldjkvjalolnd.exe
1⤵
PID:4800
- C:\Windows\vsukkestoldjkvjalolnd.exe
  vsukkestoldjkvjalolnd.exe
  2⤵
  PID:5492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icbolcnldxmpnvgucc.exe .
1⤵
PID:1820
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5384
- C:\Windows\icbolcnldxmpnvgucc.exe
  icbolcnldxmpnvgucc.exe .
  2⤵
  PID:1856
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\icbolcnldxmpnvgucc.exe*."
    3⤵
    PID:5748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe
1⤵
PID:5004
- C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe
  C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe
  2⤵
  PID:4352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe .
1⤵
PID:4320
- C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe
  C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe .
  2⤵
  PID:4608
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\vsukkestoldjkvjalolnd.exe*."
    3⤵
    PID:4968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe
1⤵
PID:4344
- C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe
  C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe
  2⤵
  PID:4476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe .
1⤵
PID:3584
- C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe .
  2⤵
  PID:4720
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\skhsnclhxpcdzfoa.exe*."
    3⤵
    PID:4656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsqcyoyvmftvszjwd.exe
1⤵
PID:5392
- C:\Windows\zsqcyoyvmftvszjwd.exe
  zsqcyoyvmftvszjwd.exe
  2⤵
  PID:4244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c skhsnclhxpcdzfoa.exe .
1⤵
PID:5288
- C:\Windows\skhsnclhxpcdzfoa.exe
  skhsnclhxpcdzfoa.exe .
  2⤵
  PID:2140
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\skhsnclhxpcdzfoa.exe*."
    3⤵
    PID:5952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icbolcnldxmpnvgucc.exe
1⤵
PID:4456
- C:\Windows\icbolcnldxmpnvgucc.exe
  icbolcnldxmpnvgucc.exe
  2⤵
  PID:4788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vsukkestoldjkvjalolnd.exe .
1⤵
PID:4264
- C:\Windows\vsukkestoldjkvjalolnd.exe
  vsukkestoldjkvjalolnd.exe .
  2⤵
  PID:2336
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\vsukkestoldjkvjalolnd.exe*."
    3⤵
    PID:4440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe
1⤵
PID:3804
- C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe
  C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe
  2⤵
  PID:1420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe .
1⤵
PID:2236
- C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe .
  2⤵
  PID:1560
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\skhsnclhxpcdzfoa.exe*."
    3⤵
    PID:4748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe
1⤵
PID:4124
- C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe
  C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe
  2⤵
  PID:2932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe .
1⤵
PID:2740
- C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe
  C:\Users\Admin\AppData\Local\Temp\icbolcnldxmpnvgucc.exe .
  2⤵
  PID:5908
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\icbolcnldxmpnvgucc.exe*."
    3⤵
    PID:5720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c toocasedwrhlktfudez.exe
1⤵
PID:2008
- C:\Windows\toocasedwrhlktfudez.exe
  toocasedwrhlktfudez.exe
  2⤵
  PID:4572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vsukkestoldjkvjalolnd.exe .
1⤵
PID:4136
- C:\Windows\vsukkestoldjkvjalolnd.exe
  vsukkestoldjkvjalolnd.exe .
  2⤵
  PID:4884
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\vsukkestoldjkvjalolnd.exe*."
    3⤵
    PID:5740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gcdsrkxxrnejjtgwgief.exe
1⤵
PID:2600
- C:\Windows\gcdsrkxxrnejjtgwgief.exe
  gcdsrkxxrnejjtgwgief.exe
  2⤵
  PID:3692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gcdsrkxxrnejjtgwgief.exe .
1⤵
PID:4152
- C:\Windows\gcdsrkxxrnejjtgwgief.exe
  gcdsrkxxrnejjtgwgief.exe .
  2⤵
  PID:516
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\gcdsrkxxrnejjtgwgief.exe*."
    3⤵
    PID:1632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe
1⤵
PID:2756
- C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe
  C:\Users\Admin\AppData\Local\Temp\vsukkestoldjkvjalolnd.exe
  2⤵
  PID:3236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe .
1⤵
PID:3580
- C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe .
  2⤵
  PID:3284
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\skhsnclhxpcdzfoa.exe*."
    3⤵
    PID:4816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
1⤵
PID:6016
- C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\skhsnclhxpcdzfoa.exe
  2⤵
  PID:5960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe .
1⤵
PID:5668
- C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe
  C:\Users\Admin\AppData\Local\Temp\gcdsrkxxrnejjtgwgief.exe .
  2⤵
  PID:4296
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\gcdsrkxxrnejjtgwgief.exe*."
    3⤵
    PID:5032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c skhsnclhxpcdzfoa.exe
1⤵
PID:3392
- C:\Windows\skhsnclhxpcdzfoa.exe
  skhsnclhxpcdzfoa.exe
  2⤵
  PID:5404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c toocasedwrhlktfudez.exe
1⤵
PID:2104
- C:\Windows\toocasedwrhlktfudez.exe
  toocasedwrhlktfudez.exe
  2⤵
  PID:2452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vsukkestoldjkvjalolnd.exe .
1⤵
PID:6044
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5552
- C:\Windows\vsukkestoldjkvjalolnd.exe
  vsukkestoldjkvjalolnd.exe .
  2⤵
  PID:5984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vsukkestoldjkvjalolnd.exe .
1⤵
PID:1940
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4820
- C:\Windows\vsukkestoldjkvjalolnd.exe
  vsukkestoldjkvjalolnd.exe .
  2⤵
  PID:2480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icbolcnldxmpnvgucc.exe
1⤵
PID:2332
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Safe Mode Boot

T1562.009

Modify Registry