pykspa | 126804dd7e7c5b137beee74e61e9be1bda1f98237d47653e27a5d84838d221dd

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	aikqveo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	aikqveo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	jhyqvkittri.exe

Pykspa
Pykspa is a worm spreads via Skype uses DGA and it's written in C++.
worm pykspa
Pykspa family
pykspa

UAC bypass 3 TTPs 41 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	aikqveo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	aikqveo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	aikqveo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	aikqveo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	aikqveo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	aikqveo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	aikqveo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	aikqveo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe

Detect Pykspa worm 2 IoCs

worm

resource	yara_rule
behavioral2/files/0x0008000000023713-4.dat	family_pykspa
behavioral2/files/0x0008000000024208-86.dat	family_pykspa

Adds policy Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ukuivmeomtdfawf = "cyoibywmqdtbcetsavqmc.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ukuivmeomtdfawf = "cyoibywmqdtbcetsavqmc.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\relwgujqlpwv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cyoibywmqdtbcetsavqmc.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\relwgujqlpwv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqbqewpazhsvroys.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ukuivmeomtdfawf = "cyoibywmqdtbcetsavqmc.exe"	aikqveo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ukuivmeomtdfawf = "nixqiebqtfubbcqovpje.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\relwgujqlpwv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqbqewpazhsvroys.exe"	jhyqvkittri.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ukuivmeomtdfawf = "auiarmiwyjxdccpmsle.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\relwgujqlpwv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqbqewpazhsvroys.exe"	jhyqvkittri.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\relwgujqlpwv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gykapicooxjnkitos.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ukuivmeomtdfawf = "zqbqewpazhsvroys.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\relwgujqlpwv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqbqewpazhsvroys.exe"	jhyqvkittri.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	aikqveo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\relwgujqlpwv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cyoibywmqdtbcetsavqmc.exe"	aikqveo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\relwgujqlpwv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\auiarmiwyjxdccpmsle.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\relwgujqlpwv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqbqewpazhsvroys.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\relwgujqlpwv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nixqiebqtfubbcqovpje.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ukuivmeomtdfawf = "cyoibywmqdtbcetsavqmc.exe"	aikqveo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ukuivmeomtdfawf = "zqbqewpazhsvroys.exe"	aikqveo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ukuivmeomtdfawf = "zqbqewpazhsvroys.exe"	jhyqvkittri.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ukuivmeomtdfawf = "gykapicooxjnkitos.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ukuivmeomtdfawf = "nixqiebqtfubbcqovpje.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ukuivmeomtdfawf = "gykapicooxjnkitos.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ukuivmeomtdfawf = "pivmcwrefpchfeqmrj.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ukuivmeomtdfawf = "auiarmiwyjxdccpmsle.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\relwgujqlpwv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cyoibywmqdtbcetsavqmc.exe"	aikqveo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ukuivmeomtdfawf = "zqbqewpazhsvroys.exe"	aikqveo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ukuivmeomtdfawf = "nixqiebqtfubbcqovpje.exe"	aikqveo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ukuivmeomtdfawf = "zqbqewpazhsvroys.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\relwgujqlpwv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gykapicooxjnkitos.exe"	jhyqvkittri.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\relwgujqlpwv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\auiarmiwyjxdccpmsle.exe"	aikqveo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ukuivmeomtdfawf = "pivmcwrefpchfeqmrj.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\relwgujqlpwv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cyoibywmqdtbcetsavqmc.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ukuivmeomtdfawf = "zqbqewpazhsvroys.exe"	jhyqvkittri.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	aikqveo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\relwgujqlpwv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\auiarmiwyjxdccpmsle.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\relwgujqlpwv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gykapicooxjnkitos.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\relwgujqlpwv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pivmcwrefpchfeqmrj.exe"	jhyqvkittri.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\relwgujqlpwv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\auiarmiwyjxdccpmsle.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ukuivmeomtdfawf = "auiarmiwyjxdccpmsle.exe"	jhyqvkittri.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\relwgujqlpwv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cyoibywmqdtbcetsavqmc.exe"	jhyqvkittri.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	jhyqvkittri.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	jhyqvkittri.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\relwgujqlpwv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cyoibywmqdtbcetsavqmc.exe"	jhyqvkittri.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	jhyqvkittri.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ukuivmeomtdfawf = "gykapicooxjnkitos.exe"	aikqveo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ukuivmeomtdfawf = "auiarmiwyjxdccpmsle.exe"	jhyqvkittri.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ukuivmeomtdfawf = "auiarmiwyjxdccpmsle.exe"	jhyqvkittri.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	jhyqvkittri.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ukuivmeomtdfawf = "auiarmiwyjxdccpmsle.exe"	jhyqvkittri.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	jhyqvkittri.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ukuivmeomtdfawf = "pivmcwrefpchfeqmrj.exe"	aikqveo.exe

Disables RegEdit via registry modification 6 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	aikqveo.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	jhyqvkittri.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	aikqveo.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	aikqveo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	aikqveo.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	cyoibywmqdtbcetsavqmc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	pivmcwrefpchfeqmrj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	gykapicooxjnkitos.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	cyoibywmqdtbcetsavqmc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	nixqiebqtfubbcqovpje.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	nixqiebqtfubbcqovpje.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	auiarmiwyjxdccpmsle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	zqbqewpazhsvroys.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	nixqiebqtfubbcqovpje.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	zqbqewpazhsvroys.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	cyoibywmqdtbcetsavqmc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	zqbqewpazhsvroys.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	pivmcwrefpchfeqmrj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	auiarmiwyjxdccpmsle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	cyoibywmqdtbcetsavqmc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	auiarmiwyjxdccpmsle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	nixqiebqtfubbcqovpje.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	nixqiebqtfubbcqovpje.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	pivmcwrefpchfeqmrj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	pivmcwrefpchfeqmrj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	zqbqewpazhsvroys.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	nixqiebqtfubbcqovpje.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	nixqiebqtfubbcqovpje.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	cyoibywmqdtbcetsavqmc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	gykapicooxjnkitos.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	gykapicooxjnkitos.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	gykapicooxjnkitos.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	pivmcwrefpchfeqmrj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	gykapicooxjnkitos.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	auiarmiwyjxdccpmsle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	auiarmiwyjxdccpmsle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	pivmcwrefpchfeqmrj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	auiarmiwyjxdccpmsle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	pivmcwrefpchfeqmrj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	nixqiebqtfubbcqovpje.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	zqbqewpazhsvroys.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	pivmcwrefpchfeqmrj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	auiarmiwyjxdccpmsle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	gykapicooxjnkitos.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	gykapicooxjnkitos.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	pivmcwrefpchfeqmrj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	pivmcwrefpchfeqmrj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	auiarmiwyjxdccpmsle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	nixqiebqtfubbcqovpje.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	nixqiebqtfubbcqovpje.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	nixqiebqtfubbcqovpje.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	nixqiebqtfubbcqovpje.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	nixqiebqtfubbcqovpje.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	gykapicooxjnkitos.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	pivmcwrefpchfeqmrj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	pivmcwrefpchfeqmrj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	pivmcwrefpchfeqmrj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	zqbqewpazhsvroys.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	pivmcwrefpchfeqmrj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	pivmcwrefpchfeqmrj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	nixqiebqtfubbcqovpje.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	zqbqewpazhsvroys.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	cyoibywmqdtbcetsavqmc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	gykapicooxjnkitos.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	nixqiebqtfubbcqovpje.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	nixqiebqtfubbcqovpje.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	zqbqewpazhsvroys.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	cyoibywmqdtbcetsavqmc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	pivmcwrefpchfeqmrj.exe

Executes dropped EXE 64 IoCs

pid	Process
4460	jhyqvkittri.exe
392	zqbqewpazhsvroys.exe
4752	cyoibywmqdtbcetsavqmc.exe
5432	jhyqvkittri.exe
4192	pivmcwrefpchfeqmrj.exe
2108	gykapicooxjnkitos.exe
5928	zqbqewpazhsvroys.exe
2020	jhyqvkittri.exe
1416	nixqiebqtfubbcqovpje.exe
1396	jhyqvkittri.exe
532	gykapicooxjnkitos.exe
3712	auiarmiwyjxdccpmsle.exe
5540	jhyqvkittri.exe
2768	aikqveo.exe
1232	aikqveo.exe
3016	pivmcwrefpchfeqmrj.exe
2664	gykapicooxjnkitos.exe
1792	pivmcwrefpchfeqmrj.exe
1968	gykapicooxjnkitos.exe
5012	jhyqvkittri.exe
3216	cyoibywmqdtbcetsavqmc.exe
5152	jhyqvkittri.exe
1512	gykapicooxjnkitos.exe
1448	cyoibywmqdtbcetsavqmc.exe
5796	auiarmiwyjxdccpmsle.exe
5836	auiarmiwyjxdccpmsle.exe
5632	jhyqvkittri.exe
5752	pivmcwrefpchfeqmrj.exe
4592	pivmcwrefpchfeqmrj.exe
4788	pivmcwrefpchfeqmrj.exe
4536	jhyqvkittri.exe
4908	jhyqvkittri.exe
4736	jhyqvkittri.exe
4732	cyoibywmqdtbcetsavqmc.exe
1152	pivmcwrefpchfeqmrj.exe
5388	pivmcwrefpchfeqmrj.exe
4500	pivmcwrefpchfeqmrj.exe
5824	jhyqvkittri.exe
5808	jhyqvkittri.exe
5972	auiarmiwyjxdccpmsle.exe
3824	auiarmiwyjxdccpmsle.exe
1872	jhyqvkittri.exe
4420	auiarmiwyjxdccpmsle.exe
468	auiarmiwyjxdccpmsle.exe
2824	cyoibywmqdtbcetsavqmc.exe
5184	jhyqvkittri.exe
3428	zqbqewpazhsvroys.exe
2620	jhyqvkittri.exe
3672	auiarmiwyjxdccpmsle.exe
64	cyoibywmqdtbcetsavqmc.exe
2892	jhyqvkittri.exe
1948	gykapicooxjnkitos.exe
4952	pivmcwrefpchfeqmrj.exe
4356	pivmcwrefpchfeqmrj.exe
2164	jhyqvkittri.exe
1556	gykapicooxjnkitos.exe
772	gykapicooxjnkitos.exe
5632	nixqiebqtfubbcqovpje.exe
3908	pivmcwrefpchfeqmrj.exe
2204	jhyqvkittri.exe
2640	zqbqewpazhsvroys.exe
1516	cyoibywmqdtbcetsavqmc.exe
4408	jhyqvkittri.exe
5252	zqbqewpazhsvroys.exe

Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	aikqveo.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	aikqveo.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	aikqveo.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	aikqveo.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	aikqveo.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	aikqveo.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

defense_evasion persistence privilege_escalation

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rgpcoevebhqrlg = "auiarmiwyjxdccpmsle.exe ."	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\auiarmiwyjxdccpmsle = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nixqiebqtfubbcqovpje.exe"	aikqveo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rgpcoevebhqrlg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cyoibywmqdtbcetsavqmc.exe ."	aikqveo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qemyjyowsxffy = "auiarmiwyjxdccpmsle.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rgpcoevebhqrlg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\auiarmiwyjxdccpmsle.exe ."	jhyqvkittri.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zqbqewpazhsvroys = "zqbqewpazhsvroys.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rgpcoevebhqrlg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gykapicooxjnkitos.exe ."	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qemyjyowsxffy = "cyoibywmqdtbcetsavqmc.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qemyjyowsxffy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\auiarmiwyjxdccpmsle.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zqbqewpazhsvroys = "zqbqewpazhsvroys.exe"	aikqveo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zqbqewpazhsvroys = "pivmcwrefpchfeqmrj.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qemyjyowsxffy = "pivmcwrefpchfeqmrj.exe"	aikqveo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rgpcoevebhqrlg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pivmcwrefpchfeqmrj.exe ."	aikqveo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rgpcoevebhqrlg = "gykapicooxjnkitos.exe ."	aikqveo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zqbqewpazhsvroys = "gykapicooxjnkitos.exe"	aikqveo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rgpcoevebhqrlg = "auiarmiwyjxdccpmsle.exe ."	jhyqvkittri.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rgpcoevebhqrlg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gykapicooxjnkitos.exe ."	jhyqvkittri.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zqbqewpazhsvroys = "zqbqewpazhsvroys.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pivmcwrefpchfeqmrj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\auiarmiwyjxdccpmsle.exe ."	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pivmcwrefpchfeqmrj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pivmcwrefpchfeqmrj.exe ."	jhyqvkittri.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zqbqewpazhsvroys = "auiarmiwyjxdccpmsle.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zqbqewpazhsvroys = "zqbqewpazhsvroys.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rgpcoevebhqrlg = "gykapicooxjnkitos.exe ."	aikqveo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qemyjyowsxffy = "nixqiebqtfubbcqovpje.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\auiarmiwyjxdccpmsle = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gykapicooxjnkitos.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\gykapicooxjnkitos = "cyoibywmqdtbcetsavqmc.exe ."	aikqveo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rgpcoevebhqrlg = "nixqiebqtfubbcqovpje.exe ."	aikqveo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\gykapicooxjnkitos = "auiarmiwyjxdccpmsle.exe ."	jhyqvkittri.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qemyjyowsxffy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cyoibywmqdtbcetsavqmc.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zqbqewpazhsvroys = "cyoibywmqdtbcetsavqmc.exe"	aikqveo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qemyjyowsxffy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pivmcwrefpchfeqmrj.exe"	aikqveo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rgpcoevebhqrlg = "nixqiebqtfubbcqovpje.exe ."	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qemyjyowsxffy = "cyoibywmqdtbcetsavqmc.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qemyjyowsxffy = "cyoibywmqdtbcetsavqmc.exe"	aikqveo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rgpcoevebhqrlg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nixqiebqtfubbcqovpje.exe ."	aikqveo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\auiarmiwyjxdccpmsle = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pivmcwrefpchfeqmrj.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\auiarmiwyjxdccpmsle = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cyoibywmqdtbcetsavqmc.exe"	aikqveo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qemyjyowsxffy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cyoibywmqdtbcetsavqmc.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pivmcwrefpchfeqmrj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqbqewpazhsvroys.exe ."	jhyqvkittri.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qemyjyowsxffy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqbqewpazhsvroys.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pivmcwrefpchfeqmrj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nixqiebqtfubbcqovpje.exe ."	aikqveo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rgpcoevebhqrlg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pivmcwrefpchfeqmrj.exe ."	jhyqvkittri.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rgpcoevebhqrlg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nixqiebqtfubbcqovpje.exe ."	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qemyjyowsxffy = "pivmcwrefpchfeqmrj.exe"	aikqveo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\auiarmiwyjxdccpmsle = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gykapicooxjnkitos.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rgpcoevebhqrlg = "zqbqewpazhsvroys.exe ."	jhyqvkittri.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rgpcoevebhqrlg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nixqiebqtfubbcqovpje.exe ."	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qemyjyowsxffy = "auiarmiwyjxdccpmsle.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pivmcwrefpchfeqmrj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nixqiebqtfubbcqovpje.exe ."	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\auiarmiwyjxdccpmsle = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pivmcwrefpchfeqmrj.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qemyjyowsxffy = "auiarmiwyjxdccpmsle.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rgpcoevebhqrlg = "gykapicooxjnkitos.exe ."	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rgpcoevebhqrlg = "auiarmiwyjxdccpmsle.exe ."	aikqveo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\gykapicooxjnkitos = "cyoibywmqdtbcetsavqmc.exe ."	jhyqvkittri.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qemyjyowsxffy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gykapicooxjnkitos.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zqbqewpazhsvroys = "zqbqewpazhsvroys.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rgpcoevebhqrlg = "cyoibywmqdtbcetsavqmc.exe ."	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rgpcoevebhqrlg = "nixqiebqtfubbcqovpje.exe ."	jhyqvkittri.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\gykapicooxjnkitos = "auiarmiwyjxdccpmsle.exe ."	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qemyjyowsxffy = "auiarmiwyjxdccpmsle.exe"	aikqveo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\gykapicooxjnkitos = "cyoibywmqdtbcetsavqmc.exe ."	jhyqvkittri.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\gykapicooxjnkitos = "auiarmiwyjxdccpmsle.exe ."	aikqveo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qemyjyowsxffy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\auiarmiwyjxdccpmsle.exe"	jhyqvkittri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rgpcoevebhqrlg = "pivmcwrefpchfeqmrj.exe ."	jhyqvkittri.exe

Checks whether UAC is enabled 1 TTPs 64 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jhyqvkittri.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	aikqveo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jhyqvkittri.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jhyqvkittri.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jhyqvkittri.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jhyqvkittri.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jhyqvkittri.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jhyqvkittri.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jhyqvkittri.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	aikqveo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jhyqvkittri.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jhyqvkittri.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	aikqveo.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jhyqvkittri.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jhyqvkittri.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jhyqvkittri.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jhyqvkittri.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	aikqveo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jhyqvkittri.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jhyqvkittri.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jhyqvkittri.exe

Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs

Possible Turn off User Account Control's privilege elevation for standard users.

Executable Installer File Permissions Weakness

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	aikqveo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	aikqveo.exe

Looks up external IP address via web service 9 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
73	www.whatismyip.ca
25	www.whatismyip.ca
27	whatismyip.everdot.org
72	whatismyip.everdot.org
78	whatismyip.everdot.org
29	whatismyipaddress.com
31	www.whatismyip.ca
33	www.showmyipaddress.com
61	whatismyip.everdot.org

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\nixqiebqtfubbcqovpje.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\SysWOW64\gykapicooxjnkitos.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\SysWOW64\pivmcwrefpchfeqmrj.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\SysWOW64\tqhcwutkpdudfiyyhdzwni.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\SysWOW64\pivmcwrefpchfeqmrj.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\SysWOW64\tqhcwutkpdudfiyyhdzwni.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\SysWOW64\zqbqewpazhsvroys.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\SysWOW64\gykapicooxjnkitos.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\SysWOW64\pivmcwrefpchfeqmrj.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\SysWOW64\pivmcwrefpchfeqmrj.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\SysWOW64\zqbqewpazhsvroys.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\SysWOW64\auiarmiwyjxdccpmsle.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\SysWOW64\tqhcwutkpdudfiyyhdzwni.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\SysWOW64\pivmcwrefpchfeqmrj.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\SysWOW64\nixqiebqtfubbcqovpje.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\SysWOW64\auiarmiwyjxdccpmsle.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\SysWOW64\zqbqewpazhsvroys.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\SysWOW64\auiarmiwyjxdccpmsle.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\SysWOW64\cyoibywmqdtbcetsavqmc.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\SysWOW64\auiarmiwyjxdccpmsle.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\SysWOW64\cyoibywmqdtbcetsavqmc.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\SysWOW64\auiarmiwyjxdccpmsle.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\SysWOW64\tqhcwutkpdudfiyyhdzwni.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\SysWOW64\gykapicooxjnkitos.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\SysWOW64\gykapicooxjnkitos.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\SysWOW64\nixqiebqtfubbcqovpje.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\SysWOW64\cyoibywmqdtbcetsavqmc.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\SysWOW64\nixqiebqtfubbcqovpje.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\SysWOW64\cyoibywmqdtbcetsavqmc.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\SysWOW64\nixqiebqtfubbcqovpje.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\SysWOW64\tqhcwutkpdudfiyyhdzwni.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\SysWOW64\nixqiebqtfubbcqovpje.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\SysWOW64\cyoibywmqdtbcetsavqmc.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\SysWOW64\zqbqewpazhsvroys.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\SysWOW64\gykapicooxjnkitos.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\SysWOW64\zqbqewpazhsvroys.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\SysWOW64\gykapicooxjnkitos.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\SysWOW64\gykapicooxjnkitos.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\SysWOW64\pivmcwrefpchfeqmrj.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\SysWOW64\nixqiebqtfubbcqovpje.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\SysWOW64\gykapicooxjnkitos.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\SysWOW64\gykapicooxjnkitos.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\SysWOW64\nixqiebqtfubbcqovpje.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\SysWOW64\pivmcwrefpchfeqmrj.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\SysWOW64\gykapicooxjnkitos.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\SysWOW64\zqbqewpazhsvroys.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\SysWOW64\auiarmiwyjxdccpmsle.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\SysWOW64\pivmcwrefpchfeqmrj.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\SysWOW64\gykapicooxjnkitos.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\SysWOW64\pivmcwrefpchfeqmrj.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\SysWOW64\tqhcwutkpdudfiyyhdzwni.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\SysWOW64\cyoibywmqdtbcetsavqmc.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\SysWOW64\auiarmiwyjxdccpmsle.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\SysWOW64\tqhcwutkpdudfiyyhdzwni.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\SysWOW64\tqhcwutkpdudfiyyhdzwni.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\SysWOW64\auiarmiwyjxdccpmsle.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\SysWOW64\pivmcwrefpchfeqmrj.exe	aikqveo.exe
File opened for modification	C:\Windows\SysWOW64\pivmcwrefpchfeqmrj.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\SysWOW64\zqbqewpazhsvroys.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\SysWOW64\zqbqewpazhsvroys.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\SysWOW64\auiarmiwyjxdccpmsle.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\SysWOW64\gykapicooxjnkitos.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\SysWOW64\cyoibywmqdtbcetsavqmc.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\SysWOW64\auiarmiwyjxdccpmsle.exe	jhyqvkittri.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\ukuivmeomtdfawfyapeuesfwoywdnpkgpikzo.ocp	aikqveo.exe
File created	C:\Program Files (x86)\ukuivmeomtdfawfyapeuesfwoywdnpkgpikzo.ocp	aikqveo.exe
File opened for modification	C:\Program Files (x86)\tyxacipobxwnxigofjnsruwcji.rqh	aikqveo.exe
File created	C:\Program Files (x86)\tyxacipobxwnxigofjnsruwcji.rqh	aikqveo.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\gykapicooxjnkitos.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\nixqiebqtfubbcqovpje.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\cyoibywmqdtbcetsavqmc.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\cyoibywmqdtbcetsavqmc.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\cyoibywmqdtbcetsavqmc.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\cyoibywmqdtbcetsavqmc.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\tqhcwutkpdudfiyyhdzwni.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\zqbqewpazhsvroys.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\zqbqewpazhsvroys.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\pivmcwrefpchfeqmrj.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\pivmcwrefpchfeqmrj.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\cyoibywmqdtbcetsavqmc.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\auiarmiwyjxdccpmsle.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\nixqiebqtfubbcqovpje.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\pivmcwrefpchfeqmrj.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\auiarmiwyjxdccpmsle.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\gykapicooxjnkitos.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\gykapicooxjnkitos.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\zqbqewpazhsvroys.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\nixqiebqtfubbcqovpje.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\tqhcwutkpdudfiyyhdzwni.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\zqbqewpazhsvroys.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\auiarmiwyjxdccpmsle.exe	jhyqvkittri.exe
File created	C:\Windows\tyxacipobxwnxigofjnsruwcji.rqh	aikqveo.exe
File opened for modification	C:\Windows\auiarmiwyjxdccpmsle.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\gykapicooxjnkitos.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\zqbqewpazhsvroys.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\pivmcwrefpchfeqmrj.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\tqhcwutkpdudfiyyhdzwni.exe	aikqveo.exe
File opened for modification	C:\Windows\tqhcwutkpdudfiyyhdzwni.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\auiarmiwyjxdccpmsle.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\pivmcwrefpchfeqmrj.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\auiarmiwyjxdccpmsle.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\zqbqewpazhsvroys.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\pivmcwrefpchfeqmrj.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\gykapicooxjnkitos.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\nixqiebqtfubbcqovpje.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\auiarmiwyjxdccpmsle.exe	aikqveo.exe
File opened for modification	C:\Windows\pivmcwrefpchfeqmrj.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\cyoibywmqdtbcetsavqmc.exe	aikqveo.exe
File opened for modification	C:\Windows\tqhcwutkpdudfiyyhdzwni.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\auiarmiwyjxdccpmsle.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\cyoibywmqdtbcetsavqmc.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\tqhcwutkpdudfiyyhdzwni.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\cyoibywmqdtbcetsavqmc.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\gykapicooxjnkitos.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\zqbqewpazhsvroys.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\nixqiebqtfubbcqovpje.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\gykapicooxjnkitos.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\tqhcwutkpdudfiyyhdzwni.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\pivmcwrefpchfeqmrj.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\gykapicooxjnkitos.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\gykapicooxjnkitos.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\tqhcwutkpdudfiyyhdzwni.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\pivmcwrefpchfeqmrj.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\tqhcwutkpdudfiyyhdzwni.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\pivmcwrefpchfeqmrj.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\gykapicooxjnkitos.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\cyoibywmqdtbcetsavqmc.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\nixqiebqtfubbcqovpje.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\gykapicooxjnkitos.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\auiarmiwyjxdccpmsle.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\cyoibywmqdtbcetsavqmc.exe	jhyqvkittri.exe
File opened for modification	C:\Windows\cyoibywmqdtbcetsavqmc.exe	jhyqvkittri.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gykapicooxjnkitos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cyoibywmqdtbcetsavqmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pivmcwrefpchfeqmrj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	auiarmiwyjxdccpmsle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zqbqewpazhsvroys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pivmcwrefpchfeqmrj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cyoibywmqdtbcetsavqmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gykapicooxjnkitos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cyoibywmqdtbcetsavqmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nixqiebqtfubbcqovpje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	auiarmiwyjxdccpmsle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pivmcwrefpchfeqmrj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zqbqewpazhsvroys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pivmcwrefpchfeqmrj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gykapicooxjnkitos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zqbqewpazhsvroys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cyoibywmqdtbcetsavqmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	auiarmiwyjxdccpmsle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gykapicooxjnkitos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cyoibywmqdtbcetsavqmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	auiarmiwyjxdccpmsle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zqbqewpazhsvroys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zqbqewpazhsvroys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nixqiebqtfubbcqovpje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jhyqvkittri.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pivmcwrefpchfeqmrj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gykapicooxjnkitos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nixqiebqtfubbcqovpje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	auiarmiwyjxdccpmsle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pivmcwrefpchfeqmrj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nixqiebqtfubbcqovpje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zqbqewpazhsvroys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zqbqewpazhsvroys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gykapicooxjnkitos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pivmcwrefpchfeqmrj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pivmcwrefpchfeqmrj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gykapicooxjnkitos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pivmcwrefpchfeqmrj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cyoibywmqdtbcetsavqmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cyoibywmqdtbcetsavqmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nixqiebqtfubbcqovpje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pivmcwrefpchfeqmrj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zqbqewpazhsvroys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cyoibywmqdtbcetsavqmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	auiarmiwyjxdccpmsle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pivmcwrefpchfeqmrj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pivmcwrefpchfeqmrj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cyoibywmqdtbcetsavqmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nixqiebqtfubbcqovpje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gykapicooxjnkitos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pivmcwrefpchfeqmrj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pivmcwrefpchfeqmrj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pivmcwrefpchfeqmrj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gykapicooxjnkitos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	auiarmiwyjxdccpmsle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zqbqewpazhsvroys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	auiarmiwyjxdccpmsle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gykapicooxjnkitos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	auiarmiwyjxdccpmsle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aikqveo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pivmcwrefpchfeqmrj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gykapicooxjnkitos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zqbqewpazhsvroys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	auiarmiwyjxdccpmsle.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5092	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
5092	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
5092	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
5092	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
5092	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
5092	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
5092	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
5092	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
5092	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
5092	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
5092	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
5092	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
5092	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
5092	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
5092	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
5092	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
2768	aikqveo.exe
2768	aikqveo.exe
5092	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
5092	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
5092	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
5092	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
5092	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
5092	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
5092	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
5092	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
5092	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
5092	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
5092	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
5092	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
5092	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
5092	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
5092	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
5092	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
5092	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
5092	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
5092	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
5092	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
5092	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
5092	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
5092	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
5092	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
5092	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
5092	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
2768	aikqveo.exe
2768	aikqveo.exe
5092	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
5092	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
5092	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
5092	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
5092	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
5092	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
5092	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
5092	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
5092	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
5092	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
5092	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
5092	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
5092	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
5092	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
5092	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
5092	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
5092	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
5092	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2768	aikqveo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5092 wrote to memory of 4460	5092	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe	90
PID 5092 wrote to memory of 4460	5092	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe	90
PID 5092 wrote to memory of 4460	5092	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe	90
PID 2808 wrote to memory of 392	2808	cmd.exe	93
PID 2808 wrote to memory of 392	2808	cmd.exe	93
PID 2808 wrote to memory of 392	2808	cmd.exe	93
PID 4700 wrote to memory of 4752	4700	cmd.exe	96
PID 4700 wrote to memory of 4752	4700	cmd.exe	96
PID 4700 wrote to memory of 4752	4700	cmd.exe	96
PID 4752 wrote to memory of 5432	4752	cyoibywmqdtbcetsavqmc.exe	99
PID 4752 wrote to memory of 5432	4752	cyoibywmqdtbcetsavqmc.exe	99
PID 4752 wrote to memory of 5432	4752	cyoibywmqdtbcetsavqmc.exe	99
PID 4756 wrote to memory of 4192	4756	cmd.exe	100
PID 4756 wrote to memory of 4192	4756	cmd.exe	100
PID 4756 wrote to memory of 4192	4756	cmd.exe	100
PID 936 wrote to memory of 2108	936	cmd.exe	105
PID 936 wrote to memory of 2108	936	cmd.exe	105
PID 936 wrote to memory of 2108	936	cmd.exe	105
PID 3548 wrote to memory of 5928	3548	cmd.exe	108
PID 3548 wrote to memory of 5928	3548	cmd.exe	108
PID 3548 wrote to memory of 5928	3548	cmd.exe	108
PID 2108 wrote to memory of 2020	2108	gykapicooxjnkitos.exe	109
PID 2108 wrote to memory of 2020	2108	gykapicooxjnkitos.exe	109
PID 2108 wrote to memory of 2020	2108	gykapicooxjnkitos.exe	109
PID 2920 wrote to memory of 1416	2920	cmd.exe	110
PID 2920 wrote to memory of 1416	2920	cmd.exe	110
PID 2920 wrote to memory of 1416	2920	cmd.exe	110
PID 1416 wrote to memory of 1396	1416	nixqiebqtfubbcqovpje.exe	113
PID 1416 wrote to memory of 1396	1416	nixqiebqtfubbcqovpje.exe	113
PID 1416 wrote to memory of 1396	1416	nixqiebqtfubbcqovpje.exe	113
PID 3064 wrote to memory of 532	3064	cmd.exe	114
PID 3064 wrote to memory of 532	3064	cmd.exe	114
PID 3064 wrote to memory of 532	3064	cmd.exe	114
PID 2824 wrote to memory of 3712	2824	cmd.exe	117
PID 2824 wrote to memory of 3712	2824	cmd.exe	117
PID 2824 wrote to memory of 3712	2824	cmd.exe	117
PID 3712 wrote to memory of 5540	3712	auiarmiwyjxdccpmsle.exe	118
PID 3712 wrote to memory of 5540	3712	auiarmiwyjxdccpmsle.exe	118
PID 3712 wrote to memory of 5540	3712	auiarmiwyjxdccpmsle.exe	118
PID 4460 wrote to memory of 2768	4460	jhyqvkittri.exe	119
PID 4460 wrote to memory of 2768	4460	jhyqvkittri.exe	119
PID 4460 wrote to memory of 2768	4460	jhyqvkittri.exe	119
PID 4460 wrote to memory of 1232	4460	jhyqvkittri.exe	120
PID 4460 wrote to memory of 1232	4460	jhyqvkittri.exe	120
PID 4460 wrote to memory of 1232	4460	jhyqvkittri.exe	120
PID 1708 wrote to memory of 3016	1708	cmd.exe	125
PID 1708 wrote to memory of 3016	1708	cmd.exe	125
PID 1708 wrote to memory of 3016	1708	cmd.exe	125
PID 3060 wrote to memory of 2664	3060	cmd.exe	126
PID 3060 wrote to memory of 2664	3060	cmd.exe	126
PID 3060 wrote to memory of 2664	3060	cmd.exe	126
PID 4992 wrote to memory of 1792	4992	cmd.exe	131
PID 4992 wrote to memory of 1792	4992	cmd.exe	131
PID 4992 wrote to memory of 1792	4992	cmd.exe	131
PID 3044 wrote to memory of 1968	3044	cmd.exe	134
PID 3044 wrote to memory of 1968	3044	cmd.exe	134
PID 3044 wrote to memory of 1968	3044	cmd.exe	134
PID 1792 wrote to memory of 5012	1792	pivmcwrefpchfeqmrj.exe	135
PID 1792 wrote to memory of 5012	1792	pivmcwrefpchfeqmrj.exe	135
PID 1792 wrote to memory of 5012	1792	pivmcwrefpchfeqmrj.exe	135
PID 400 wrote to memory of 3216	400	cmd.exe	140
PID 400 wrote to memory of 3216	400	cmd.exe	140
PID 400 wrote to memory of 3216	400	cmd.exe	140
PID 1968 wrote to memory of 5152	1968	gykapicooxjnkitos.exe	141

System policy modification 1 TTPs 64 IoCs

defense_evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	aikqveo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	aikqveo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	jhyqvkittri.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	aikqveo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	aikqveo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	aikqveo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	aikqveo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	aikqveo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	jhyqvkittri.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	jhyqvkittri.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	jhyqvkittri.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	jhyqvkittri.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	jhyqvkittri.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	jhyqvkittri.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	jhyqvkittri.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	aikqveo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	aikqveo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	aikqveo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	aikqveo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	aikqveo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	aikqveo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	jhyqvkittri.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	aikqveo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	aikqveo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jhyqvkittri.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	jhyqvkittri.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	aikqveo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	jhyqvkittri.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	aikqveo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	aikqveo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	jhyqvkittri.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5092
- C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
  "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_8e0598bce0b73645c97c9f7db2559c67.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Hijack Execution Flow: Executable Installer File Permissions Weakness
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4460
- - C:\Users\Admin\AppData\Local\Temp\aikqveo.exe
    "C:\Users\Admin\AppData\Local\Temp\aikqveo.exe" "-C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:2768
- - C:\Users\Admin\AppData\Local\Temp\aikqveo.exe
    "C:\Users\Admin\AppData\Local\Temp\aikqveo.exe" "-C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqbqewpazhsvroys.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Windows\zqbqewpazhsvroys.exe
  zqbqewpazhsvroys.exe
  2⤵
  - Executes dropped EXE
  PID:392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cyoibywmqdtbcetsavqmc.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:4700
- C:\Windows\cyoibywmqdtbcetsavqmc.exe
  cyoibywmqdtbcetsavqmc.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4752
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\cyoibywmqdtbcetsavqmc.exe*."
    3⤵
    - Executes dropped EXE
    PID:5432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pivmcwrefpchfeqmrj.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4756
- C:\Windows\pivmcwrefpchfeqmrj.exe
  pivmcwrefpchfeqmrj.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gykapicooxjnkitos.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:936
- C:\Windows\gykapicooxjnkitos.exe
  gykapicooxjnkitos.exe .
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\gykapicooxjnkitos.exe*."
    3⤵
    - Executes dropped EXE
    PID:2020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3548
- C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe
  C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:2920
- C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe
  C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe .
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1416
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\nixqiebqtfubbcqovpje.exe*."
    3⤵
    - Executes dropped EXE
    PID:1396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe
  C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe
  2⤵
  - Executes dropped EXE
  PID:532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe
  C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3712
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\auiarmiwyjxdccpmsle.exe*."
    3⤵
    - Executes dropped EXE
    PID:5540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pivmcwrefpchfeqmrj.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Windows\pivmcwrefpchfeqmrj.exe
  pivmcwrefpchfeqmrj.exe
  2⤵
  - Executes dropped EXE
  PID:3016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gykapicooxjnkitos.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Windows\gykapicooxjnkitos.exe
  gykapicooxjnkitos.exe
  2⤵
  - Executes dropped EXE
  PID:2664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pivmcwrefpchfeqmrj.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:4992
- C:\Windows\pivmcwrefpchfeqmrj.exe
  pivmcwrefpchfeqmrj.exe .
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1792
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\pivmcwrefpchfeqmrj.exe*."
    3⤵
    - Executes dropped EXE
    PID:5012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gykapicooxjnkitos.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\gykapicooxjnkitos.exe
  gykapicooxjnkitos.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\gykapicooxjnkitos.exe*."
    3⤵
    - Executes dropped EXE
    PID:5152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cyoibywmqdtbcetsavqmc.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:400
- C:\Windows\cyoibywmqdtbcetsavqmc.exe
  cyoibywmqdtbcetsavqmc.exe
  2⤵
  - Executes dropped EXE
  PID:3216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gykapicooxjnkitos.exe .
1⤵
PID:60
- C:\Windows\gykapicooxjnkitos.exe
  gykapicooxjnkitos.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1512
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\gykapicooxjnkitos.exe*."
    3⤵
    - Executes dropped EXE
    PID:5632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cyoibywmqdtbcetsavqmc.exe
1⤵
PID:2136
- C:\Windows\cyoibywmqdtbcetsavqmc.exe
  cyoibywmqdtbcetsavqmc.exe
  2⤵
  - Executes dropped EXE
  PID:1448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c auiarmiwyjxdccpmsle.exe .
1⤵
PID:4940
- C:\Windows\auiarmiwyjxdccpmsle.exe
  auiarmiwyjxdccpmsle.exe .
  2⤵
  - Executes dropped EXE
  PID:5796
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\auiarmiwyjxdccpmsle.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe
1⤵
PID:1076
- C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe
  C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe
  2⤵
  - Executes dropped EXE
  PID:5836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe .
1⤵
PID:1660
- C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
  C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4592
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\pivmcwrefpchfeqmrj.exe*."
    3⤵
    - Executes dropped EXE
    PID:4908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
1⤵
PID:976
- C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
  C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe .
1⤵
PID:2896
- C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
  C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4788
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\pivmcwrefpchfeqmrj.exe*."
    3⤵
    - Executes dropped EXE
    PID:4736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
1⤵
PID:4020
- C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
  C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
  2⤵
  - Executes dropped EXE
  PID:4732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe .
1⤵
PID:4800
- C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
  C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe .
  2⤵
  - Executes dropped EXE
  PID:4500
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\pivmcwrefpchfeqmrj.exe*."
    3⤵
    - Executes dropped EXE
    PID:5808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
1⤵
PID:4928
- C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
  C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
  2⤵
  - Executes dropped EXE
  PID:1152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe .
1⤵
PID:4632
- C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
  C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe .
  2⤵
  - Executes dropped EXE
  PID:5388
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\pivmcwrefpchfeqmrj.exe*."
    3⤵
    - Executes dropped EXE
    PID:5824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c auiarmiwyjxdccpmsle.exe
1⤵
PID:748
- C:\Windows\auiarmiwyjxdccpmsle.exe
  auiarmiwyjxdccpmsle.exe
  2⤵
  - Executes dropped EXE
  PID:5972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c auiarmiwyjxdccpmsle.exe .
1⤵
PID:3104
- C:\Windows\auiarmiwyjxdccpmsle.exe
  auiarmiwyjxdccpmsle.exe .
  2⤵
  - Executes dropped EXE
  PID:3824
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\auiarmiwyjxdccpmsle.exe*."
    3⤵
    - Executes dropped EXE
    PID:1872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c auiarmiwyjxdccpmsle.exe
1⤵
PID:532
- C:\Windows\auiarmiwyjxdccpmsle.exe
  auiarmiwyjxdccpmsle.exe
  2⤵
  - Executes dropped EXE
  PID:4420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c auiarmiwyjxdccpmsle.exe .
1⤵
PID:1696
- C:\Windows\auiarmiwyjxdccpmsle.exe
  auiarmiwyjxdccpmsle.exe .
  2⤵
  - Executes dropped EXE
  PID:468
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\auiarmiwyjxdccpmsle.exe*."
    3⤵
    - Executes dropped EXE
    PID:5184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
1⤵
PID:1584
- C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
  C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
  2⤵
  - Executes dropped EXE
  PID:2824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe .
1⤵
PID:824
- C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe
  C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe .
  2⤵
  - Executes dropped EXE
  PID:3428
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\zqbqewpazhsvroys.exe*."
    3⤵
    - Executes dropped EXE
    PID:2620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe
1⤵
PID:1408
- C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe
  C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe
  2⤵
  - Executes dropped EXE
  PID:3672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe .
1⤵
PID:216
- C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
  C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe .
  2⤵
  - Executes dropped EXE
  PID:64
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\cyoibywmqdtbcetsavqmc.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gykapicooxjnkitos.exe
1⤵
PID:5712
- C:\Windows\gykapicooxjnkitos.exe
  gykapicooxjnkitos.exe
  2⤵
  - Executes dropped EXE
  PID:1948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pivmcwrefpchfeqmrj.exe .
1⤵
PID:6032
- C:\Windows\pivmcwrefpchfeqmrj.exe
  pivmcwrefpchfeqmrj.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4952
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\pivmcwrefpchfeqmrj.exe*."
    3⤵
    - Executes dropped EXE
    PID:2164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pivmcwrefpchfeqmrj.exe
1⤵
PID:5108
- C:\Windows\pivmcwrefpchfeqmrj.exe
  pivmcwrefpchfeqmrj.exe
  2⤵
  - Executes dropped EXE
  PID:4356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gykapicooxjnkitos.exe
1⤵
PID:3356
- C:\Windows\gykapicooxjnkitos.exe
  gykapicooxjnkitos.exe
  2⤵
  - Executes dropped EXE
  PID:1556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gykapicooxjnkitos.exe .
1⤵
PID:5460
- C:\Windows\gykapicooxjnkitos.exe
  gykapicooxjnkitos.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:772
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\gykapicooxjnkitos.exe*."
    3⤵
    - Executes dropped EXE
    PID:2204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nixqiebqtfubbcqovpje.exe
1⤵
PID:1580
- C:\Windows\nixqiebqtfubbcqovpje.exe
  nixqiebqtfubbcqovpje.exe
  2⤵
  - Executes dropped EXE
  PID:5632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pivmcwrefpchfeqmrj.exe .
1⤵
PID:2880
- C:\Windows\pivmcwrefpchfeqmrj.exe
  pivmcwrefpchfeqmrj.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3908
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\pivmcwrefpchfeqmrj.exe*."
    3⤵
    - Executes dropped EXE
    PID:4408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cyoibywmqdtbcetsavqmc.exe .
1⤵
PID:4960
- C:\Windows\cyoibywmqdtbcetsavqmc.exe
  cyoibywmqdtbcetsavqmc.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:1516
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\cyoibywmqdtbcetsavqmc.exe*."
    3⤵
    PID:3872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqbqewpazhsvroys.exe
1⤵
PID:348
- C:\Windows\zqbqewpazhsvroys.exe
  zqbqewpazhsvroys.exe
  2⤵
  - Executes dropped EXE
  PID:2640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe
1⤵
PID:2992
- C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe
  C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe
  2⤵
  - Executes dropped EXE
  PID:5252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gykapicooxjnkitos.exe .
1⤵
PID:5796
- C:\Windows\gykapicooxjnkitos.exe
  gykapicooxjnkitos.exe .
  2⤵
  PID:4252
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\gykapicooxjnkitos.exe*."
    3⤵
    PID:3376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe .
1⤵
PID:976
- C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe
  C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe .
  2⤵
  - Checks computer location settings
  PID:2088
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\zqbqewpazhsvroys.exe*."
    3⤵
    PID:5540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gykapicooxjnkitos.exe
1⤵
PID:3688
- C:\Windows\gykapicooxjnkitos.exe
  gykapicooxjnkitos.exe
  2⤵
  PID:4272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
1⤵
PID:4932
- C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
  C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
  2⤵
  PID:4760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c auiarmiwyjxdccpmsle.exe .
1⤵
PID:4672
- C:\Windows\auiarmiwyjxdccpmsle.exe
  auiarmiwyjxdccpmsle.exe .
  2⤵
  - Checks computer location settings
  PID:4568
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\auiarmiwyjxdccpmsle.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe .
1⤵
PID:3028
- C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe
  C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1456
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\auiarmiwyjxdccpmsle.exe*."
    3⤵
    PID:2436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe
1⤵
PID:3008
- C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe
  C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe
  2⤵
  PID:2536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
1⤵
PID:1192
- C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
  C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
  2⤵
  PID:2940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe .
1⤵
PID:4580
- C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe
  C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe .
  2⤵
  PID:3820
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\gykapicooxjnkitos.exe*."
    3⤵
    PID:5308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe .
1⤵
PID:5852
- C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe
  C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:468
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\gykapicooxjnkitos.exe*."
    3⤵
    PID:1736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
1⤵
PID:4600
- C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
  C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
  2⤵
  PID:6024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe .
1⤵
PID:6096
- C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
  C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe .
  2⤵
  - Checks computer location settings
  PID:1084
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\cyoibywmqdtbcetsavqmc.exe*."
    3⤵
    PID:216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
1⤵
PID:1396
- C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
  C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
  2⤵
  PID:1420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe .
1⤵
PID:2792
- C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe
  C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4896
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\gykapicooxjnkitos.exe*."
    3⤵
    PID:1708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c auiarmiwyjxdccpmsle.exe
1⤵
PID:4444
- C:\Windows\auiarmiwyjxdccpmsle.exe
  auiarmiwyjxdccpmsle.exe
  2⤵
  PID:4032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c auiarmiwyjxdccpmsle.exe .
1⤵
PID:2832
- C:\Windows\auiarmiwyjxdccpmsle.exe
  auiarmiwyjxdccpmsle.exe .
  2⤵
  PID:3716
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\auiarmiwyjxdccpmsle.exe*."
    3⤵
    PID:2164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cyoibywmqdtbcetsavqmc.exe
1⤵
PID:3944
- C:\Windows\cyoibywmqdtbcetsavqmc.exe
  cyoibywmqdtbcetsavqmc.exe
  2⤵
  PID:1088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cyoibywmqdtbcetsavqmc.exe .
1⤵
PID:4740
- C:\Windows\cyoibywmqdtbcetsavqmc.exe
  cyoibywmqdtbcetsavqmc.exe .
  2⤵
  PID:5956
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\cyoibywmqdtbcetsavqmc.exe*."
    3⤵
    PID:2884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
1⤵
PID:4936
- C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
  C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
  2⤵
  PID:4124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe .
1⤵
PID:952
- C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe
  C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3860
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\auiarmiwyjxdccpmsle.exe*."
    3⤵
    PID:4256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe
1⤵
PID:4472
- C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe
  C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe
  2⤵
  PID:2592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe .
1⤵
PID:3696
- C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
  C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe .
  2⤵
  PID:2996
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\pivmcwrefpchfeqmrj.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nixqiebqtfubbcqovpje.exe
1⤵
PID:5808
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2892
- C:\Windows\nixqiebqtfubbcqovpje.exe
  nixqiebqtfubbcqovpje.exe
  2⤵
  PID:3688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cyoibywmqdtbcetsavqmc.exe .
1⤵
PID:4772
- C:\Windows\cyoibywmqdtbcetsavqmc.exe
  cyoibywmqdtbcetsavqmc.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4764
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\cyoibywmqdtbcetsavqmc.exe*."
    3⤵
    PID:3520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cyoibywmqdtbcetsavqmc.exe
1⤵
PID:2392
- C:\Windows\cyoibywmqdtbcetsavqmc.exe
  cyoibywmqdtbcetsavqmc.exe
  2⤵
  PID:4912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cyoibywmqdtbcetsavqmc.exe .
1⤵
PID:4960
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2536
- C:\Windows\cyoibywmqdtbcetsavqmc.exe
  cyoibywmqdtbcetsavqmc.exe .
  2⤵
  PID:4932
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\cyoibywmqdtbcetsavqmc.exe*."
    3⤵
    PID:2612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
1⤵
PID:2308
- C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
  C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
  2⤵
  PID:4792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe .
1⤵
PID:5340
- C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe
  C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:896
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\gykapicooxjnkitos.exe*."
    3⤵
    PID:3844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
1⤵
PID:3604
- C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
  C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
  2⤵
  PID:4816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe .
1⤵
PID:3992
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4500
- C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe
  C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe .
  2⤵
  - Checks computer location settings
  PID:1192
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\auiarmiwyjxdccpmsle.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c auiarmiwyjxdccpmsle.exe
1⤵
PID:1660
- C:\Windows\auiarmiwyjxdccpmsle.exe
  auiarmiwyjxdccpmsle.exe
  2⤵
  PID:64

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cyoibywmqdtbcetsavqmc.exe .
1⤵
PID:1932
- C:\Windows\cyoibywmqdtbcetsavqmc.exe
  cyoibywmqdtbcetsavqmc.exe .
  2⤵
  PID:1416
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\cyoibywmqdtbcetsavqmc.exe*."
    3⤵
    PID:1644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqbqewpazhsvroys.exe
1⤵
PID:4580
- C:\Windows\zqbqewpazhsvroys.exe
  zqbqewpazhsvroys.exe
  2⤵
  PID:1672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nixqiebqtfubbcqovpje.exe .
1⤵
PID:716
- C:\Windows\nixqiebqtfubbcqovpje.exe
  nixqiebqtfubbcqovpje.exe .
  2⤵
  PID:216
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\nixqiebqtfubbcqovpje.exe*."
    3⤵
    PID:3220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe
1⤵
PID:4896
- C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe
  C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe
  2⤵
  PID:964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe .
1⤵
PID:6096
- C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe
  C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe .
  2⤵
  - Checks computer location settings
  PID:1756
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\nixqiebqtfubbcqovpje.exe*."
    3⤵
    PID:4536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe
1⤵
PID:3448
- C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe
  C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe
  2⤵
  PID:5096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe .
1⤵
PID:5800
- C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe
  C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3356
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\zqbqewpazhsvroys.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cyoibywmqdtbcetsavqmc.exe
1⤵
PID:4740
- C:\Windows\cyoibywmqdtbcetsavqmc.exe
  cyoibywmqdtbcetsavqmc.exe
  2⤵
  PID:4732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nixqiebqtfubbcqovpje.exe .
1⤵
PID:4768
- C:\Windows\nixqiebqtfubbcqovpje.exe
  nixqiebqtfubbcqovpje.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3892
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\nixqiebqtfubbcqovpje.exe*."
    3⤵
    PID:4604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqbqewpazhsvroys.exe
1⤵
PID:4616
- C:\Windows\zqbqewpazhsvroys.exe
  zqbqewpazhsvroys.exe
  2⤵
  PID:1512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pivmcwrefpchfeqmrj.exe .
1⤵
PID:5504
- C:\Windows\pivmcwrefpchfeqmrj.exe
  pivmcwrefpchfeqmrj.exe .
  2⤵
  - Checks computer location settings
  PID:1516
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\pivmcwrefpchfeqmrj.exe*."
    3⤵
    PID:4764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe
1⤵
PID:1992
- C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe
  C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe
  2⤵
  PID:388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe .
1⤵
PID:5808
- C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
  C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5392
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\cyoibywmqdtbcetsavqmc.exe*."
    3⤵
    PID:1412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
1⤵
PID:5424
- C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
  C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
  2⤵
  PID:5608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe .
1⤵
PID:4296
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2940
- C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
  C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe .
  2⤵
  PID:5196
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\pivmcwrefpchfeqmrj.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c auiarmiwyjxdccpmsle.exe
1⤵
PID:4664
- C:\Windows\auiarmiwyjxdccpmsle.exe
  auiarmiwyjxdccpmsle.exe
  2⤵
  PID:4752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c auiarmiwyjxdccpmsle.exe .
1⤵
PID:1996
- C:\Windows\auiarmiwyjxdccpmsle.exe
  auiarmiwyjxdccpmsle.exe .
  2⤵
  PID:3108
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\auiarmiwyjxdccpmsle.exe*."
    3⤵
    PID:3744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nixqiebqtfubbcqovpje.exe
1⤵
PID:1640
- C:\Windows\nixqiebqtfubbcqovpje.exe
  nixqiebqtfubbcqovpje.exe
  2⤵
  PID:5088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqbqewpazhsvroys.exe .
1⤵
PID:3820
- C:\Windows\zqbqewpazhsvroys.exe
  zqbqewpazhsvroys.exe .
  2⤵
  - Checks computer location settings
  PID:316
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\zqbqewpazhsvroys.exe*."
    3⤵
    PID:880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe
1⤵
PID:3428
- C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe
  C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe
  2⤵
  PID:4140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe .
1⤵
PID:628
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1736
- C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
  C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:964
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\cyoibywmqdtbcetsavqmc.exe*."
    3⤵
    PID:5912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe
1⤵
PID:3220
- C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe
  C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe
  2⤵
  PID:3280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe .
1⤵
PID:5856
- C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
  C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe .
  2⤵
  PID:640
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\pivmcwrefpchfeqmrj.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nixqiebqtfubbcqovpje.exe
1⤵
PID:2096
- C:\Windows\nixqiebqtfubbcqovpje.exe
  nixqiebqtfubbcqovpje.exe
  2⤵
  PID:716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cyoibywmqdtbcetsavqmc.exe .
1⤵
PID:6032
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3356
- C:\Windows\cyoibywmqdtbcetsavqmc.exe
  cyoibywmqdtbcetsavqmc.exe .
  2⤵
  PID:5800
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\cyoibywmqdtbcetsavqmc.exe*."
    3⤵
    PID:764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gykapicooxjnkitos.exe
1⤵
PID:1728
- C:\Windows\gykapicooxjnkitos.exe
  gykapicooxjnkitos.exe
  2⤵
  PID:2640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pivmcwrefpchfeqmrj.exe .
1⤵
PID:2680
- C:\Windows\pivmcwrefpchfeqmrj.exe
  pivmcwrefpchfeqmrj.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3048
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\pivmcwrefpchfeqmrj.exe*."
    3⤵
    PID:4272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
1⤵
PID:3444
- C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
  C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
  2⤵
  PID:952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe .
1⤵
PID:1576
- C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
  C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2892
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\cyoibywmqdtbcetsavqmc.exe*."
    3⤵
    PID:4528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe
1⤵
PID:1380
- C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe
  C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe
  2⤵
  PID:4100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe .
1⤵
PID:5972
- C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe
  C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4432
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\auiarmiwyjxdccpmsle.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pivmcwrefpchfeqmrj.exe
1⤵
PID:5608
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3376
- C:\Windows\pivmcwrefpchfeqmrj.exe
  pivmcwrefpchfeqmrj.exe
  2⤵
  PID:4888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pivmcwrefpchfeqmrj.exe
1⤵
PID:1632
- C:\Windows\pivmcwrefpchfeqmrj.exe
  pivmcwrefpchfeqmrj.exe
  2⤵
  PID:1504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gykapicooxjnkitos.exe .
1⤵
PID:2612
- C:\Windows\gykapicooxjnkitos.exe
  gykapicooxjnkitos.exe .
  2⤵
  PID:2956
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\gykapicooxjnkitos.exe*."
    3⤵
    PID:3240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cyoibywmqdtbcetsavqmc.exe
1⤵
PID:3844
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:6024
- C:\Windows\cyoibywmqdtbcetsavqmc.exe
  cyoibywmqdtbcetsavqmc.exe
  2⤵
  PID:1368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nixqiebqtfubbcqovpje.exe .
1⤵
PID:5276
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1420
- C:\Windows\nixqiebqtfubbcqovpje.exe
  nixqiebqtfubbcqovpje.exe .
  2⤵
  PID:3300
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\nixqiebqtfubbcqovpje.exe*."
    3⤵
    PID:1468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pivmcwrefpchfeqmrj.exe .
1⤵
PID:3524
- C:\Windows\pivmcwrefpchfeqmrj.exe
  pivmcwrefpchfeqmrj.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3684
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\pivmcwrefpchfeqmrj.exe*."
    3⤵
    PID:5436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cyoibywmqdtbcetsavqmc.exe
1⤵
PID:2240
- C:\Windows\cyoibywmqdtbcetsavqmc.exe
  cyoibywmqdtbcetsavqmc.exe
  2⤵
  PID:440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe
1⤵
PID:3588
- C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe
  C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe
  2⤵
  PID:5548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c auiarmiwyjxdccpmsle.exe
1⤵
PID:2844
- C:\Windows\auiarmiwyjxdccpmsle.exe
  auiarmiwyjxdccpmsle.exe
  2⤵
  PID:1824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe .
1⤵
PID:5556
- C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
  C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5132
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\pivmcwrefpchfeqmrj.exe*."
    3⤵
    PID:1512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pivmcwrefpchfeqmrj.exe .
1⤵
PID:1868
- C:\Windows\pivmcwrefpchfeqmrj.exe
  pivmcwrefpchfeqmrj.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4184
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\pivmcwrefpchfeqmrj.exe*."
    3⤵
    PID:3892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c auiarmiwyjxdccpmsle.exe .
1⤵
PID:3476
- C:\Windows\auiarmiwyjxdccpmsle.exe
  auiarmiwyjxdccpmsle.exe .
  2⤵
  PID:2572
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\auiarmiwyjxdccpmsle.exe*."
    3⤵
    PID:5688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
1⤵
PID:2984
- C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
  C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
  2⤵
  PID:764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqbqewpazhsvroys.exe
1⤵
PID:4288
- C:\Windows\zqbqewpazhsvroys.exe
  zqbqewpazhsvroys.exe
  2⤵
  PID:3656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe .
1⤵
PID:208
- C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe
  C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3320
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\zqbqewpazhsvroys.exe*."
    3⤵
    PID:2948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe
1⤵
PID:6108
- C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe
  C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe
  2⤵
  PID:1584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gykapicooxjnkitos.exe .
1⤵
PID:5332
- C:\Windows\gykapicooxjnkitos.exe
  gykapicooxjnkitos.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3688
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\gykapicooxjnkitos.exe*."
    3⤵
    PID:4100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe .
1⤵
PID:4040
- C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
  C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe .
  2⤵
  - Checks computer location settings
  PID:6020
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\pivmcwrefpchfeqmrj.exe*."
    3⤵
    PID:1076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
1⤵
PID:3908
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3860
- C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
  C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
  2⤵
  PID:3508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe
1⤵
PID:5572
- C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe
  C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe
  2⤵
  PID:2816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe .
1⤵
PID:6032
- C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe
  C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2340
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\zqbqewpazhsvroys.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe .
1⤵
PID:2920
- C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe
  C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1828
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\zqbqewpazhsvroys.exe*."
    3⤵
    PID:4960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
1⤵
PID:5616
- C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
  C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
  2⤵
  PID:4252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe .
1⤵
PID:5720
- C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe
  C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe .
  2⤵
  - Checks computer location settings
  PID:1528
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\zqbqewpazhsvroys.exe*."
    3⤵
    PID:1324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pivmcwrefpchfeqmrj.exe
1⤵
PID:4428
- C:\Windows\pivmcwrefpchfeqmrj.exe
  pivmcwrefpchfeqmrj.exe
  2⤵
  PID:1928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nixqiebqtfubbcqovpje.exe .
1⤵
PID:5560
- C:\Windows\nixqiebqtfubbcqovpje.exe
  nixqiebqtfubbcqovpje.exe .
  2⤵
  - Checks computer location settings
  PID:5912
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\nixqiebqtfubbcqovpje.exe*."
    3⤵
    PID:4976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nixqiebqtfubbcqovpje.exe
1⤵
PID:3672
- C:\Windows\nixqiebqtfubbcqovpje.exe
  nixqiebqtfubbcqovpje.exe
  2⤵
  PID:1408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nixqiebqtfubbcqovpje.exe .
1⤵
PID:3064
- C:\Windows\nixqiebqtfubbcqovpje.exe
  nixqiebqtfubbcqovpje.exe .
  2⤵
  PID:2764
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\nixqiebqtfubbcqovpje.exe*."
    3⤵
    PID:1416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe
1⤵
PID:2524
- C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe
  C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe
  2⤵
  PID:4556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe .
1⤵
PID:640
- C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe
  C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe .
  2⤵
  PID:1520
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\gykapicooxjnkitos.exe*."
    3⤵
    PID:5996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe
1⤵
PID:1392
- C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe
  C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe
  2⤵
  PID:5688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe .
1⤵
PID:2572
- C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
  C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5260
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\pivmcwrefpchfeqmrj.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nixqiebqtfubbcqovpje.exe
1⤵
PID:5096
- C:\Windows\nixqiebqtfubbcqovpje.exe
  nixqiebqtfubbcqovpje.exe
  2⤵
  PID:3476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nixqiebqtfubbcqovpje.exe .
1⤵
PID:3508
- C:\Windows\nixqiebqtfubbcqovpje.exe
  nixqiebqtfubbcqovpje.exe .
  2⤵
  PID:4856
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\nixqiebqtfubbcqovpje.exe*."
    3⤵
    PID:216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pivmcwrefpchfeqmrj.exe
1⤵
PID:4348
- C:\Windows\pivmcwrefpchfeqmrj.exe
  pivmcwrefpchfeqmrj.exe
  2⤵
  PID:4724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqbqewpazhsvroys.exe .
1⤵
PID:5008
- C:\Windows\zqbqewpazhsvroys.exe
  zqbqewpazhsvroys.exe .
  2⤵
  PID:4772
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\zqbqewpazhsvroys.exe*."
    3⤵
    PID:5212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe
1⤵
PID:5504
- C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe
  C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe
  2⤵
  PID:2540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe .
1⤵
PID:3060
- C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe
  C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5692
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\gykapicooxjnkitos.exe*."
    3⤵
    PID:4888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe
1⤵
PID:4796
- C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe
  C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe
  2⤵
  PID:5392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe .
1⤵
PID:4960
- C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe
  C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:6032
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\nixqiebqtfubbcqovpje.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gykapicooxjnkitos.exe
1⤵
PID:4604
- C:\Windows\gykapicooxjnkitos.exe
  gykapicooxjnkitos.exe
  2⤵
  PID:6012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gykapicooxjnkitos.exe .
1⤵
PID:5152
- C:\Windows\gykapicooxjnkitos.exe
  gykapicooxjnkitos.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:828
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\gykapicooxjnkitos.exe*."
    3⤵
    PID:4612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gykapicooxjnkitos.exe
1⤵
PID:2020
- C:\Windows\gykapicooxjnkitos.exe
  gykapicooxjnkitos.exe
  2⤵
  PID:1672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c auiarmiwyjxdccpmsle.exe .
1⤵
PID:824
- C:\Windows\auiarmiwyjxdccpmsle.exe
  auiarmiwyjxdccpmsle.exe .
  2⤵
  PID:3220
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\auiarmiwyjxdccpmsle.exe*."
    3⤵
    PID:5732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe
1⤵
PID:440
- C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe
  C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe
  2⤵
  PID:2336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe .
1⤵
PID:5844
- C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe
  C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5852
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\auiarmiwyjxdccpmsle.exe*."
    3⤵
    PID:3984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
1⤵
PID:5276
- C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
  C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
  2⤵
  PID:3600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe .
1⤵
PID:4732
- C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe
  C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe .
  2⤵
  - Checks computer location settings
  PID:3656
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\nixqiebqtfubbcqovpje.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gykapicooxjnkitos.exe
1⤵
PID:1812
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3048
- C:\Windows\gykapicooxjnkitos.exe
  gykapicooxjnkitos.exe
  2⤵
  PID:764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gykapicooxjnkitos.exe .
1⤵
PID:2640
- C:\Windows\gykapicooxjnkitos.exe
  gykapicooxjnkitos.exe .
  2⤵
  PID:5184
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\gykapicooxjnkitos.exe*."
    3⤵
    PID:3516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gykapicooxjnkitos.exe
1⤵
PID:228
- C:\Windows\gykapicooxjnkitos.exe
  gykapicooxjnkitos.exe
  2⤵
  PID:1780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c auiarmiwyjxdccpmsle.exe .
1⤵
PID:5096
- C:\Windows\auiarmiwyjxdccpmsle.exe
  auiarmiwyjxdccpmsle.exe .
  2⤵
  PID:4856
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\auiarmiwyjxdccpmsle.exe*."
    3⤵
    PID:3608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe
1⤵
PID:3004
- C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe
  C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe
  2⤵
  PID:4724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe .
1⤵
PID:4616
- C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe
  C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe .
  2⤵
  - Checks computer location settings
  PID:1264
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\zqbqewpazhsvroys.exe*."
    3⤵
    PID:4256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe
1⤵
PID:2880
- C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe
  C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe
  2⤵
  PID:2092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe .
1⤵
PID:5008
- C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
  C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe .
  2⤵
  - Checks computer location settings
  PID:4036
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\cyoibywmqdtbcetsavqmc.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqbqewpazhsvroys.exe
1⤵
PID:3080
- C:\Windows\zqbqewpazhsvroys.exe
  zqbqewpazhsvroys.exe
  2⤵
  PID:1404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gykapicooxjnkitos.exe .
1⤵
PID:4924
- C:\Windows\gykapicooxjnkitos.exe
  gykapicooxjnkitos.exe .
  2⤵
  PID:4680
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\gykapicooxjnkitos.exe*."
    3⤵
    PID:4024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pivmcwrefpchfeqmrj.exe
1⤵
PID:1828
- C:\Windows\pivmcwrefpchfeqmrj.exe
  pivmcwrefpchfeqmrj.exe
  2⤵
  PID:6108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c auiarmiwyjxdccpmsle.exe .
1⤵
PID:1632
- C:\Windows\auiarmiwyjxdccpmsle.exe
  auiarmiwyjxdccpmsle.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5300
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\auiarmiwyjxdccpmsle.exe*."
    3⤵
    PID:5196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe
1⤵
PID:3036
- C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe
  C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe
  2⤵
  PID:5964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe .
1⤵
PID:6044
- C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe
  C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:116
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\gykapicooxjnkitos.exe*."
    3⤵
    PID:5548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe
1⤵
PID:1468
- C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe
  C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe
  2⤵
  PID:4976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe .
1⤵
PID:3844
- C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
  C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe .
  2⤵
  PID:5316
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\cyoibywmqdtbcetsavqmc.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c auiarmiwyjxdccpmsle.exe
1⤵
PID:3600
- C:\Windows\auiarmiwyjxdccpmsle.exe
  auiarmiwyjxdccpmsle.exe
  2⤵
  PID:5276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cyoibywmqdtbcetsavqmc.exe .
1⤵
PID:5308
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1524
- C:\Windows\cyoibywmqdtbcetsavqmc.exe
  cyoibywmqdtbcetsavqmc.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:556
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\cyoibywmqdtbcetsavqmc.exe*."
    3⤵
    PID:3096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gykapicooxjnkitos.exe
1⤵
PID:5704
- C:\Windows\gykapicooxjnkitos.exe
  gykapicooxjnkitos.exe
  2⤵
  PID:2220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nixqiebqtfubbcqovpje.exe .
1⤵
PID:5040
- C:\Windows\nixqiebqtfubbcqovpje.exe
  nixqiebqtfubbcqovpje.exe .
  2⤵
  PID:5160
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\nixqiebqtfubbcqovpje.exe*."
    3⤵
    PID:1780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe
1⤵
PID:1996
- C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe
  C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe
  2⤵
  PID:4564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe .
1⤵
PID:2640
- C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
  C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:916
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\pivmcwrefpchfeqmrj.exe*."
    3⤵
    PID:5680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe
1⤵
PID:3908
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4536
- C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe
  C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe
  2⤵
  PID:5100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cyoibywmqdtbcetsavqmc.exe
1⤵
PID:3688
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4856
- C:\Windows\cyoibywmqdtbcetsavqmc.exe
  cyoibywmqdtbcetsavqmc.exe
  2⤵
  PID:1076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe .
1⤵
PID:4420
- C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe
  C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe .
  2⤵
  PID:2724
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\gykapicooxjnkitos.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c auiarmiwyjxdccpmsle.exe .
1⤵
PID:2184
- C:\Windows\auiarmiwyjxdccpmsle.exe
  auiarmiwyjxdccpmsle.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4828
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\auiarmiwyjxdccpmsle.exe*."
    3⤵
    PID:6080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c auiarmiwyjxdccpmsle.exe
1⤵
PID:1784
- C:\Windows\auiarmiwyjxdccpmsle.exe
  auiarmiwyjxdccpmsle.exe
  2⤵
  PID:5132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqbqewpazhsvroys.exe
1⤵
PID:2676
- C:\Windows\zqbqewpazhsvroys.exe
  zqbqewpazhsvroys.exe
  2⤵
  PID:2088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gykapicooxjnkitos.exe .
1⤵
PID:1072
- C:\Windows\gykapicooxjnkitos.exe
  gykapicooxjnkitos.exe .
  2⤵
  - Checks computer location settings
  PID:2792
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\gykapicooxjnkitos.exe*."
    3⤵
    PID:1776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cyoibywmqdtbcetsavqmc.exe .
1⤵
PID:3548
- C:\Windows\cyoibywmqdtbcetsavqmc.exe
  cyoibywmqdtbcetsavqmc.exe .
  2⤵
  PID:4784
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\cyoibywmqdtbcetsavqmc.exe*."
    3⤵
    PID:5844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
1⤵
PID:6032
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3320
- C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
  C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
  2⤵
  PID:536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cyoibywmqdtbcetsavqmc.exe
1⤵
PID:6012
- C:\Windows\cyoibywmqdtbcetsavqmc.exe
  cyoibywmqdtbcetsavqmc.exe
  2⤵
  PID:2240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe .
1⤵
PID:1324
- C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe
  C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe .
  2⤵
  - Checks computer location settings
  PID:2044
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\nixqiebqtfubbcqovpje.exe*."
    3⤵
    PID:5276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pivmcwrefpchfeqmrj.exe
1⤵
PID:208
- C:\Windows\pivmcwrefpchfeqmrj.exe
  pivmcwrefpchfeqmrj.exe
  2⤵
  PID:3620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c auiarmiwyjxdccpmsle.exe .
1⤵
PID:3672
- C:\Windows\auiarmiwyjxdccpmsle.exe
  auiarmiwyjxdccpmsle.exe .
  2⤵
  PID:5996
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\auiarmiwyjxdccpmsle.exe*."
    3⤵
    PID:2984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pivmcwrefpchfeqmrj.exe .
1⤵
PID:1632
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5548
- C:\Windows\pivmcwrefpchfeqmrj.exe
  pivmcwrefpchfeqmrj.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2572
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\pivmcwrefpchfeqmrj.exe*."
    3⤵
    PID:3504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe
1⤵
PID:944
- C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe
  C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe
  2⤵
  PID:1756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe
1⤵
PID:2660
- C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe
  C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe
  2⤵
  PID:3524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pivmcwrefpchfeqmrj.exe
1⤵
PID:3844
- C:\Windows\pivmcwrefpchfeqmrj.exe
  pivmcwrefpchfeqmrj.exe
  2⤵
  PID:2816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe .
1⤵
PID:4620
- C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe
  C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe .
  2⤵
  - Checks computer location settings
  PID:4020
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\nixqiebqtfubbcqovpje.exe*."
    3⤵
    PID:3100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe .
1⤵
PID:2828
- C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
  C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe .
  2⤵
  PID:5136
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\cyoibywmqdtbcetsavqmc.exe*."
    3⤵
    PID:6040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nixqiebqtfubbcqovpje.exe .
1⤵
PID:5552
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1504
- C:\Windows\nixqiebqtfubbcqovpje.exe
  nixqiebqtfubbcqovpje.exe .
  2⤵
  PID:1516
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\nixqiebqtfubbcqovpje.exe*."
    3⤵
    PID:4060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
1⤵
PID:4328
- C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
  C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
  2⤵
  PID:5852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe .
1⤵
PID:1592
- C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe
  C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe .
  2⤵
  - Checks computer location settings
  PID:4424
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\nixqiebqtfubbcqovpje.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe
1⤵
PID:1812
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5160
- C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe
  C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe
  2⤵
  PID:5680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe .
1⤵
PID:5428
- C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
  C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe .
  2⤵
  PID:2832
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\pivmcwrefpchfeqmrj.exe*."
    3⤵
    PID:3520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe
1⤵
PID:216
- C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe
  C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe
  2⤵
  PID:5796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe .
1⤵
PID:1856
- C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
  C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe .
  2⤵
  PID:3080
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\pivmcwrefpchfeqmrj.exe*."
    3⤵
    PID:4024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cyoibywmqdtbcetsavqmc.exe
1⤵
PID:4040
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1784
- C:\Windows\cyoibywmqdtbcetsavqmc.exe
  cyoibywmqdtbcetsavqmc.exe
  2⤵
  PID:2172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqbqewpazhsvroys.exe .
1⤵
PID:3720
- C:\Windows\zqbqewpazhsvroys.exe
  zqbqewpazhsvroys.exe .
  2⤵
  - Checks computer location settings
  PID:6032
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\zqbqewpazhsvroys.exe*."
    3⤵
    PID:2256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nixqiebqtfubbcqovpje.exe
1⤵
PID:3012
- C:\Windows\nixqiebqtfubbcqovpje.exe
  nixqiebqtfubbcqovpje.exe
  2⤵
  PID:5540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pivmcwrefpchfeqmrj.exe .
1⤵
PID:4604
- C:\Windows\pivmcwrefpchfeqmrj.exe
  pivmcwrefpchfeqmrj.exe .
  2⤵
  PID:2940
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\pivmcwrefpchfeqmrj.exe*."
    3⤵
    PID:5568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe
1⤵
PID:5712
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5300
- C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe
  C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe
  2⤵
  PID:4752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe .
1⤵
PID:3420
- C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe
  C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe .
  2⤵
  - Checks computer location settings
  PID:5928
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\gykapicooxjnkitos.exe*."
    3⤵
    PID:4960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe
1⤵
PID:1736
- C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe
  C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe
  2⤵
  PID:3444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe .
1⤵
PID:2556
- C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe
  C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5632
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\nixqiebqtfubbcqovpje.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:3744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nixqiebqtfubbcqovpje.exe
1⤵
PID:4152
- C:\Windows\nixqiebqtfubbcqovpje.exe
  nixqiebqtfubbcqovpje.exe
  2⤵
  PID:4204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cyoibywmqdtbcetsavqmc.exe .
1⤵
PID:5648
- C:\Windows\cyoibywmqdtbcetsavqmc.exe
  cyoibywmqdtbcetsavqmc.exe .
  2⤵
  PID:1696
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\cyoibywmqdtbcetsavqmc.exe*."
    3⤵
    PID:4388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gykapicooxjnkitos.exe
1⤵
PID:2976
- C:\Windows\gykapicooxjnkitos.exe
  gykapicooxjnkitos.exe
  2⤵
  PID:4788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c auiarmiwyjxdccpmsle.exe .
1⤵
PID:2728
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3280
- C:\Windows\auiarmiwyjxdccpmsle.exe
  auiarmiwyjxdccpmsle.exe .
  2⤵
  PID:1516
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\auiarmiwyjxdccpmsle.exe*."
    3⤵
    PID:4020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe
1⤵
PID:2520
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:6020
- C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe
  C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe
  2⤵
  PID:5348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe .
1⤵
PID:5248
- C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
  C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe .
  2⤵
  - Checks computer location settings
  PID:2668
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\pivmcwrefpchfeqmrj.exe*."
    3⤵
    PID:3300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
1⤵
PID:60
- C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
  C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
  2⤵
  PID:3096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe .
1⤵
PID:2220
- C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe
  C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe .
  2⤵
  - Checks computer location settings
  PID:5824
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\gykapicooxjnkitos.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:4828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c auiarmiwyjxdccpmsle.exe
1⤵
PID:2156
- C:\Windows\auiarmiwyjxdccpmsle.exe
  auiarmiwyjxdccpmsle.exe
  2⤵
  PID:464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pivmcwrefpchfeqmrj.exe .
1⤵
PID:704
- C:\Windows\pivmcwrefpchfeqmrj.exe
  pivmcwrefpchfeqmrj.exe .
  2⤵
  PID:3452
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\pivmcwrefpchfeqmrj.exe*."
    3⤵
    PID:4024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c auiarmiwyjxdccpmsle.exe
1⤵
PID:4296
- C:\Windows\auiarmiwyjxdccpmsle.exe
  auiarmiwyjxdccpmsle.exe
  2⤵
  PID:1264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqbqewpazhsvroys.exe .
1⤵
PID:5860
- C:\Windows\zqbqewpazhsvroys.exe
  zqbqewpazhsvroys.exe .
  2⤵
  - Checks computer location settings
  PID:828
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\zqbqewpazhsvroys.exe*."
    3⤵
    PID:1072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe
1⤵
PID:5972
- C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe
  C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe
  2⤵
  PID:2172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe .
1⤵
PID:1380
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2336
- C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe
  C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe .
  2⤵
  - Checks computer location settings
  PID:1192
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\gykapicooxjnkitos.exe*."
    3⤵
    PID:3028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe
1⤵
PID:3620
- C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe
  C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe
  2⤵
  PID:4752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe .
1⤵
PID:3012
- C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe
  C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe .
  2⤵
  PID:1084
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\zqbqewpazhsvroys.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c auiarmiwyjxdccpmsle.exe
1⤵
PID:5416
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2892
- C:\Windows\auiarmiwyjxdccpmsle.exe
  auiarmiwyjxdccpmsle.exe
  2⤵
  PID:2392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nixqiebqtfubbcqovpje.exe .
1⤵
PID:4260
- C:\Windows\nixqiebqtfubbcqovpje.exe
  nixqiebqtfubbcqovpje.exe .
  2⤵
  PID:5604
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\nixqiebqtfubbcqovpje.exe*."
    3⤵
    PID:2396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqbqewpazhsvroys.exe
1⤵
PID:4552
- C:\Windows\zqbqewpazhsvroys.exe
  zqbqewpazhsvroys.exe
  2⤵
  PID:5708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pivmcwrefpchfeqmrj.exe .
1⤵
PID:4344
- C:\Windows\pivmcwrefpchfeqmrj.exe
  pivmcwrefpchfeqmrj.exe .
  2⤵
  - Checks computer location settings
  PID:1328
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\pivmcwrefpchfeqmrj.exe*."
    3⤵
    PID:5696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe
1⤵
PID:2808
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2540
- C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe
  C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe
  2⤵
  PID:4192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe .
1⤵
PID:4580
- C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
  C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4448
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\pivmcwrefpchfeqmrj.exe*."
    3⤵
    PID:2572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe
1⤵
PID:4532
- C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe
  C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe
  2⤵
  PID:2196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe .
1⤵
PID:2224
- C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe
  C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe .
  2⤵
  PID:5264
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\auiarmiwyjxdccpmsle.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:3376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c auiarmiwyjxdccpmsle.exe
1⤵
PID:4836
- C:\Windows\auiarmiwyjxdccpmsle.exe
  auiarmiwyjxdccpmsle.exe
  2⤵
  PID:5184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqbqewpazhsvroys.exe .
1⤵
PID:2824
- C:\Windows\zqbqewpazhsvroys.exe
  zqbqewpazhsvroys.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5552
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\zqbqewpazhsvroys.exe*."
    3⤵
    PID:5236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c auiarmiwyjxdccpmsle.exe
1⤵
PID:2896
- C:\Windows\auiarmiwyjxdccpmsle.exe
  auiarmiwyjxdccpmsle.exe
  2⤵
  PID:4620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nixqiebqtfubbcqovpje.exe .
1⤵
PID:5188
- C:\Windows\nixqiebqtfubbcqovpje.exe
  nixqiebqtfubbcqovpje.exe .
  2⤵
  - Checks computer location settings
  PID:6080
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\nixqiebqtfubbcqovpje.exe*."
    3⤵
    PID:3452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
1⤵
PID:4796
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2832
- C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
  C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
  2⤵
  PID:4832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe .
1⤵
PID:1852
- C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
  C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1948
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\pivmcwrefpchfeqmrj.exe*."
    3⤵
    PID:4596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe
1⤵
PID:3080
- C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe
  C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe
  2⤵
  PID:3588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe .
1⤵
PID:3036
- C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe
  C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe .
  2⤵
  PID:4100
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\nixqiebqtfubbcqovpje.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:3804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqbqewpazhsvroys.exe
1⤵
PID:2792
- C:\Windows\zqbqewpazhsvroys.exe
  zqbqewpazhsvroys.exe
  2⤵
  PID:4288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pivmcwrefpchfeqmrj.exe .
1⤵
PID:4544
- C:\Windows\pivmcwrefpchfeqmrj.exe
  pivmcwrefpchfeqmrj.exe .
  2⤵
  - Checks computer location settings
  PID:392
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\pivmcwrefpchfeqmrj.exe*."
    3⤵
    PID:4688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c auiarmiwyjxdccpmsle.exe
1⤵
PID:5088
- C:\Windows\auiarmiwyjxdccpmsle.exe
  auiarmiwyjxdccpmsle.exe
  2⤵
  PID:4976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gykapicooxjnkitos.exe .
1⤵
PID:4636
- C:\Windows\gykapicooxjnkitos.exe
  gykapicooxjnkitos.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5928
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\gykapicooxjnkitos.exe*."
    3⤵
    PID:1828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe
1⤵
PID:3548
- C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe
  C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe
  2⤵
  PID:1756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe .
1⤵
PID:952
- C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe
  C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4624
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\nixqiebqtfubbcqovpje.exe*."
    3⤵
    PID:916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nixqiebqtfubbcqovpje.exe
1⤵
PID:5812
- C:\Windows\nixqiebqtfubbcqovpje.exe
  nixqiebqtfubbcqovpje.exe
  2⤵
  PID:4724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe
1⤵
PID:4152
- C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe
  C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe
  2⤵
  PID:5100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pivmcwrefpchfeqmrj.exe .
1⤵
PID:4248
- C:\Windows\pivmcwrefpchfeqmrj.exe
  pivmcwrefpchfeqmrj.exe .
  2⤵
  - Checks computer location settings
  PID:5504
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\pivmcwrefpchfeqmrj.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe .
1⤵
PID:5696
- C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
  C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe .
  2⤵
  - Checks computer location settings
  PID:4448
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\cyoibywmqdtbcetsavqmc.exe*."
    3⤵
    PID:4584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cyoibywmqdtbcetsavqmc.exe
1⤵
PID:1628
- C:\Windows\cyoibywmqdtbcetsavqmc.exe
  cyoibywmqdtbcetsavqmc.exe
  2⤵
  PID:5388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cyoibywmqdtbcetsavqmc.exe
1⤵
PID:2196
- C:\Windows\cyoibywmqdtbcetsavqmc.exe
  cyoibywmqdtbcetsavqmc.exe
  2⤵
  PID:5184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pivmcwrefpchfeqmrj.exe .
1⤵
PID:3512
- C:\Windows\pivmcwrefpchfeqmrj.exe
  pivmcwrefpchfeqmrj.exe .
  2⤵
  - Checks computer location settings
  PID:6040
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\pivmcwrefpchfeqmrj.exe*."
    3⤵
    PID:1592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe
1⤵
PID:4344
- C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe
  C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe
  2⤵
  PID:5556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gykapicooxjnkitos.exe .
1⤵
PID:3940
- C:\Windows\gykapicooxjnkitos.exe
  gykapicooxjnkitos.exe .
  2⤵
  PID:2896
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\gykapicooxjnkitos.exe*."
    3⤵
    PID:5672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe .
1⤵
PID:4328
- C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe
  C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe .
  2⤵
  PID:2824
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\gykapicooxjnkitos.exe*."
    3⤵
    PID:832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pivmcwrefpchfeqmrj.exe
1⤵
PID:5992
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5796
- C:\Windows\pivmcwrefpchfeqmrj.exe
  pivmcwrefpchfeqmrj.exe
  2⤵
  PID:5424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cyoibywmqdtbcetsavqmc.exe .
1⤵
PID:4436
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4024
- C:\Windows\cyoibywmqdtbcetsavqmc.exe
  cyoibywmqdtbcetsavqmc.exe .
  2⤵
  PID:2676
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\cyoibywmqdtbcetsavqmc.exe*."
    3⤵
    PID:884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe
1⤵
PID:5608
- C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe
  C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe
  2⤵
  PID:532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c auiarmiwyjxdccpmsle.exe
1⤵
PID:5668
- C:\Windows\auiarmiwyjxdccpmsle.exe
  auiarmiwyjxdccpmsle.exe
  2⤵
  PID:1384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
1⤵
PID:2996
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4772
- C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
  C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
  2⤵
  PID:3036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe .
1⤵
PID:4912
- C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
  C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1192
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\pivmcwrefpchfeqmrj.exe*."
    3⤵
    PID:4424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe .
1⤵
PID:3376
- C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe
  C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2424
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\auiarmiwyjxdccpmsle.exe*."
    3⤵
    PID:1928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c auiarmiwyjxdccpmsle.exe .
1⤵
PID:5000
- C:\Windows\auiarmiwyjxdccpmsle.exe
  auiarmiwyjxdccpmsle.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1084
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\auiarmiwyjxdccpmsle.exe*."
    3⤵
    PID:5088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c auiarmiwyjxdccpmsle.exe
1⤵
PID:4600
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2256
- C:\Windows\auiarmiwyjxdccpmsle.exe
  auiarmiwyjxdccpmsle.exe
  2⤵
  PID:2396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
1⤵
PID:184
- C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
  C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
  2⤵
  PID:3420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c auiarmiwyjxdccpmsle.exe .
1⤵
PID:2332
- C:\Windows\auiarmiwyjxdccpmsle.exe
  auiarmiwyjxdccpmsle.exe .
  2⤵
  PID:5316
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\auiarmiwyjxdccpmsle.exe*."
    3⤵
    PID:5956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe .
1⤵
PID:1324
- C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe
  C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe .
  2⤵
  - Checks computer location settings
  PID:4256
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\nixqiebqtfubbcqovpje.exe*."
    3⤵
    PID:5836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe
1⤵
PID:4724
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2816
- C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe
  C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe
  2⤵
  PID:2244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe .
1⤵
PID:2524
- C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe
  C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:820
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\nixqiebqtfubbcqovpje.exe*."
    3⤵
    PID:5764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe
1⤵
PID:1152
- C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe
  C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe
  2⤵
  PID:4584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe .
1⤵
PID:4556
- C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe
  C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe .
  2⤵
  PID:1656
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\gykapicooxjnkitos.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gykapicooxjnkitos.exe
1⤵
PID:5884
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3096
- C:\Windows\gykapicooxjnkitos.exe
  gykapicooxjnkitos.exe
  2⤵
  PID:1996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nixqiebqtfubbcqovpje.exe .
1⤵
PID:4808
- C:\Windows\nixqiebqtfubbcqovpje.exe
  nixqiebqtfubbcqovpje.exe .
  2⤵
  - Checks computer location settings
  PID:1236
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\nixqiebqtfubbcqovpje.exe*."
    3⤵
    PID:2224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nixqiebqtfubbcqovpje.exe
1⤵
PID:3724
- C:\Windows\nixqiebqtfubbcqovpje.exe
  nixqiebqtfubbcqovpje.exe
  2⤵
  PID:2080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqbqewpazhsvroys.exe .
1⤵
PID:1952
- C:\Windows\zqbqewpazhsvroys.exe
  zqbqewpazhsvroys.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4812
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\zqbqewpazhsvroys.exe*."
    3⤵
    PID:832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe
1⤵
PID:4640
- C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe
  C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe
  2⤵
  PID:5428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe .
1⤵
PID:5672
- C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe
  C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe .
  2⤵
  PID:3468
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\auiarmiwyjxdccpmsle.exe*."
    3⤵
    PID:4120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
1⤵
PID:2528
- C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
  C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
  2⤵
  PID:1704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe .
1⤵
PID:4740
- C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
  C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe .
  2⤵
  - Checks computer location settings
  PID:5716
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\pivmcwrefpchfeqmrj.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cyoibywmqdtbcetsavqmc.exe
1⤵
PID:2764
- C:\Windows\cyoibywmqdtbcetsavqmc.exe
  cyoibywmqdtbcetsavqmc.exe
  2⤵
  PID:884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pivmcwrefpchfeqmrj.exe .
1⤵
PID:2936
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:548
- C:\Windows\pivmcwrefpchfeqmrj.exe
  pivmcwrefpchfeqmrj.exe .
  2⤵
  - Checks computer location settings
  PID:3568
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\pivmcwrefpchfeqmrj.exe*."
    3⤵
    PID:4796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqbqewpazhsvroys.exe
1⤵
PID:4576
- C:\Windows\zqbqewpazhsvroys.exe
  zqbqewpazhsvroys.exe
  2⤵
  PID:624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cyoibywmqdtbcetsavqmc.exe .
1⤵
PID:4844
- C:\Windows\cyoibywmqdtbcetsavqmc.exe
  cyoibywmqdtbcetsavqmc.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5964
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\cyoibywmqdtbcetsavqmc.exe*."
    3⤵
    PID:1380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
1⤵
PID:2992
- C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
  C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
  2⤵
  PID:5856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe .
1⤵
PID:784
- C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe
  C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe .
  2⤵
  PID:184
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\zqbqewpazhsvroys.exe*."
    3⤵
    PID:4976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
1⤵
PID:5752
- C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
  C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
  2⤵
  PID:4256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe .
1⤵
PID:4984
- C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
  C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4272
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\cyoibywmqdtbcetsavqmc.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cyoibywmqdtbcetsavqmc.exe
1⤵
PID:3488
- C:\Windows\cyoibywmqdtbcetsavqmc.exe
  cyoibywmqdtbcetsavqmc.exe
  2⤵
  PID:4076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nixqiebqtfubbcqovpje.exe .
1⤵
PID:1736
- C:\Windows\nixqiebqtfubbcqovpje.exe
  nixqiebqtfubbcqovpje.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4680
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\nixqiebqtfubbcqovpje.exe*."
    3⤵
    PID:4836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqbqewpazhsvroys.exe
1⤵
PID:4448
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4564
- C:\Windows\zqbqewpazhsvroys.exe
  zqbqewpazhsvroys.exe
  2⤵
  PID:6028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cyoibywmqdtbcetsavqmc.exe .
1⤵
PID:1448
- C:\Windows\cyoibywmqdtbcetsavqmc.exe
  cyoibywmqdtbcetsavqmc.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3860
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\cyoibywmqdtbcetsavqmc.exe*."
    3⤵
    PID:5308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
1⤵
PID:5068
- C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
  C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
  2⤵
  PID:2184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe .
1⤵
PID:5236
- C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe
  C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3744
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\zqbqewpazhsvroys.exe*."
    3⤵
    PID:64

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe
1⤵
PID:1576
- C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe
  C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe
  2⤵
  PID:4940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe .
1⤵
PID:6080
- C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe
  C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe .
  2⤵
  PID:2092
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\nixqiebqtfubbcqovpje.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gykapicooxjnkitos.exe
1⤵
PID:2728
- C:\Windows\gykapicooxjnkitos.exe
  gykapicooxjnkitos.exe
  2⤵
  PID:4328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqbqewpazhsvroys.exe .
1⤵
PID:2108
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1264
- C:\Windows\zqbqewpazhsvroys.exe
  zqbqewpazhsvroys.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3516
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\zqbqewpazhsvroys.exe*."
    3⤵
    PID:5608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c auiarmiwyjxdccpmsle.exe
1⤵
PID:2528
- C:\Windows\auiarmiwyjxdccpmsle.exe
  auiarmiwyjxdccpmsle.exe
  2⤵
  PID:5760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gykapicooxjnkitos.exe .
1⤵
PID:4296
- C:\Windows\gykapicooxjnkitos.exe
  gykapicooxjnkitos.exe .
  2⤵
  PID:5540
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\gykapicooxjnkitos.exe*."
    3⤵
    PID:5392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
1⤵
PID:116
- C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
  C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
  2⤵
  PID:1456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe .
1⤵
PID:2792
- C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe
  C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe .
  2⤵
  - Checks computer location settings
  PID:4924
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\gykapicooxjnkitos.exe*."
    3⤵
    PID:2424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe
1⤵
PID:5888
- C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe
  C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe
  2⤵
  PID:4384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe .
1⤵
PID:3240
- C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe
  C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe .
  2⤵
  - Checks computer location settings
  PID:1424
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\gykapicooxjnkitos.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nixqiebqtfubbcqovpje.exe
1⤵
PID:2496
- C:\Windows\nixqiebqtfubbcqovpje.exe
  nixqiebqtfubbcqovpje.exe
  2⤵
  PID:4204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c auiarmiwyjxdccpmsle.exe .
1⤵
PID:4612
- C:\Windows\auiarmiwyjxdccpmsle.exe
  auiarmiwyjxdccpmsle.exe .
  2⤵
  PID:6128
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\auiarmiwyjxdccpmsle.exe*."
    3⤵
    PID:3524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c auiarmiwyjxdccpmsle.exe
1⤵
PID:5528
- C:\Windows\auiarmiwyjxdccpmsle.exe
  auiarmiwyjxdccpmsle.exe
  2⤵
  PID:4480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c auiarmiwyjxdccpmsle.exe .
1⤵
PID:2976
- C:\Windows\auiarmiwyjxdccpmsle.exe
  auiarmiwyjxdccpmsle.exe .
  2⤵
  - Checks computer location settings
  PID:4192
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\auiarmiwyjxdccpmsle.exe*."
    3⤵
    PID:4408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe
1⤵
PID:468
- C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe
  C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe
  2⤵
  PID:2572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe .
1⤵
PID:5024
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4388
- C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe
  C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5388
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\auiarmiwyjxdccpmsle.exe*."
    3⤵
    PID:3480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe
1⤵
PID:1736
- C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe
  C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe
  2⤵
  PID:5136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe .
1⤵
PID:2668
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5852
- C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
  C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3048
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\pivmcwrefpchfeqmrj.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - System policy modification
    PID:5068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gykapicooxjnkitos.exe
1⤵
PID:936
- C:\Windows\gykapicooxjnkitos.exe
  gykapicooxjnkitos.exe
  2⤵
  PID:5556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c auiarmiwyjxdccpmsle.exe .
1⤵
PID:5824
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2224
- C:\Windows\auiarmiwyjxdccpmsle.exe
  auiarmiwyjxdccpmsle.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4940
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\auiarmiwyjxdccpmsle.exe*."
    3⤵
    PID:4020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cyoibywmqdtbcetsavqmc.exe
1⤵
PID:5884
- C:\Windows\cyoibywmqdtbcetsavqmc.exe
  cyoibywmqdtbcetsavqmc.exe
  2⤵
  PID:3520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqbqewpazhsvroys.exe
1⤵
PID:4676
- C:\Windows\zqbqewpazhsvroys.exe
  zqbqewpazhsvroys.exe
  2⤵
  PID:3588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nixqiebqtfubbcqovpje.exe .
1⤵
PID:640
- C:\Windows\nixqiebqtfubbcqovpje.exe
  nixqiebqtfubbcqovpje.exe .
  2⤵
  - Checks computer location settings
  PID:2728
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\nixqiebqtfubbcqovpje.exe*."
    3⤵
    PID:6032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqbqewpazhsvroys.exe .
1⤵
PID:1952
- C:\Windows\zqbqewpazhsvroys.exe
  zqbqewpazhsvroys.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3300
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\zqbqewpazhsvroys.exe*."
    3⤵
    PID:3508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
1⤵
PID:6044
- C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
  C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
  2⤵
  PID:4684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c auiarmiwyjxdccpmsle.exe
1⤵
PID:1704
- C:\Windows\auiarmiwyjxdccpmsle.exe
  auiarmiwyjxdccpmsle.exe
  2⤵
  PID:4780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe .
1⤵
PID:672
- C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe
  C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe .
  2⤵
  - Checks computer location settings
  PID:4752
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\nixqiebqtfubbcqovpje.exe*."
    3⤵
    PID:2148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqbqewpazhsvroys.exe
1⤵
PID:4184
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2676
- C:\Windows\zqbqewpazhsvroys.exe
  zqbqewpazhsvroys.exe
  2⤵
  PID:4636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cyoibywmqdtbcetsavqmc.exe .
1⤵
PID:5712
- C:\Windows\cyoibywmqdtbcetsavqmc.exe
  cyoibywmqdtbcetsavqmc.exe .
  2⤵
  PID:2088
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\cyoibywmqdtbcetsavqmc.exe*."
    3⤵
    PID:1076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
1⤵
PID:4436
- C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
  C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
  2⤵
  PID:1824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cyoibywmqdtbcetsavqmc.exe .
1⤵
PID:3184
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5276
- C:\Windows\cyoibywmqdtbcetsavqmc.exe
  cyoibywmqdtbcetsavqmc.exe .
  2⤵
  PID:5604
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\cyoibywmqdtbcetsavqmc.exe*."
    3⤵
    PID:5720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe .
1⤵
PID:4908
- C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
  C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe .
  2⤵
  PID:952
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\pivmcwrefpchfeqmrj.exe*."
    3⤵
    PID:5536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
1⤵
PID:5888
- C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
  C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
  2⤵
  PID:5192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe .
1⤵
PID:5664
- C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe
  C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe .
  2⤵
  PID:784
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\nixqiebqtfubbcqovpje.exe*."
    3⤵
    PID:2120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nixqiebqtfubbcqovpje.exe
1⤵
PID:4976
- C:\Windows\nixqiebqtfubbcqovpje.exe
  nixqiebqtfubbcqovpje.exe
  2⤵
  PID:1072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cyoibywmqdtbcetsavqmc.exe .
1⤵
PID:5708
- C:\Windows\cyoibywmqdtbcetsavqmc.exe
  cyoibywmqdtbcetsavqmc.exe .
  2⤵
  PID:4856
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\cyoibywmqdtbcetsavqmc.exe*."
    3⤵
    PID:5824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe
1⤵
PID:3996
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1780
- C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe
  C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe
  2⤵
  PID:3744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe .
1⤵
PID:4836
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3480
- C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
  C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe .
  2⤵
  PID:3104
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\pivmcwrefpchfeqmrj.exe*."
    3⤵
    PID:4676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
1⤵
PID:5388
- C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
  C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
  2⤵
  PID:4840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe .
1⤵
PID:1328
- C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe
  C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe .
  2⤵
  PID:4788
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\zqbqewpazhsvroys.exe*."
    3⤵
    PID:1512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe
1⤵
PID:4400
- C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe
  C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe
  2⤵
  PID:3512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqbqewpazhsvroys.exe
1⤵
PID:5188
- C:\Windows\zqbqewpazhsvroys.exe
  zqbqewpazhsvroys.exe
  2⤵
  PID:1396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe .
1⤵
PID:3712
- C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe
  C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe .
  2⤵
  PID:1792
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\gykapicooxjnkitos.exe*."
    3⤵
    PID:4932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cyoibywmqdtbcetsavqmc.exe .
1⤵
PID:2996
- C:\Windows\cyoibywmqdtbcetsavqmc.exe
  cyoibywmqdtbcetsavqmc.exe .
  2⤵
  PID:4772
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\cyoibywmqdtbcetsavqmc.exe*."
    3⤵
    PID:3620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cyoibywmqdtbcetsavqmc.exe
1⤵
PID:2568
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4780
- C:\Windows\cyoibywmqdtbcetsavqmc.exe
  cyoibywmqdtbcetsavqmc.exe
  2⤵
  PID:3808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c auiarmiwyjxdccpmsle.exe .
1⤵
PID:3824
- C:\Windows\auiarmiwyjxdccpmsle.exe
  auiarmiwyjxdccpmsle.exe .
  2⤵
  PID:1704
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\auiarmiwyjxdccpmsle.exe*."
    3⤵
    PID:2148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe
1⤵
PID:5492
- C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe
  C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe
  2⤵
  PID:2396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe .
1⤵
PID:1456
- C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
  C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe .
  2⤵
  PID:228
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\cyoibywmqdtbcetsavqmc.exe*."
    3⤵
    PID:6056

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:4752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
1⤵
PID:5760
- C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
  C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
  2⤵
  PID:2564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe .
1⤵
PID:2088
- C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe
  C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe .
  2⤵
  PID:1844
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\zqbqewpazhsvroys.exe*."
    3⤵
    PID:4604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nixqiebqtfubbcqovpje.exe
1⤵
PID:4272
- C:\Windows\nixqiebqtfubbcqovpje.exe
  nixqiebqtfubbcqovpje.exe
  2⤵
  PID:3064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nixqiebqtfubbcqovpje.exe .
1⤵
PID:1600
- C:\Windows\nixqiebqtfubbcqovpje.exe
  nixqiebqtfubbcqovpje.exe .
  2⤵
  PID:4960
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\nixqiebqtfubbcqovpje.exe*."
    3⤵
    PID:820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nixqiebqtfubbcqovpje.exe
1⤵
PID:3220
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:916
- C:\Windows\nixqiebqtfubbcqovpje.exe
  nixqiebqtfubbcqovpje.exe
  2⤵
  PID:3696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gykapicooxjnkitos.exe .
1⤵
PID:3028
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3656
- C:\Windows\gykapicooxjnkitos.exe
  gykapicooxjnkitos.exe .
  2⤵
  PID:3524
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\gykapicooxjnkitos.exe*."
    3⤵
    PID:3868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe
1⤵
PID:5940
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4036
- C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe
  C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe
  2⤵
  PID:3376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe .
1⤵
PID:1424
- C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe
  C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe .
  2⤵
  PID:3240
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\zqbqewpazhsvroys.exe*."
    3⤵
    PID:3448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe
1⤵
PID:5240
- C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe
  C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe
  2⤵
  PID:760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe .
1⤵
PID:3520
- C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe
  C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe .
  2⤵
  PID:5824
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\zqbqewpazhsvroys.exe*."
    3⤵
    PID:5308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c auiarmiwyjxdccpmsle.exe
1⤵
PID:6080
- C:\Windows\auiarmiwyjxdccpmsle.exe
  auiarmiwyjxdccpmsle.exe
  2⤵
  PID:3536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pivmcwrefpchfeqmrj.exe .
1⤵
PID:3992
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4448
- C:\Windows\pivmcwrefpchfeqmrj.exe
  pivmcwrefpchfeqmrj.exe .
  2⤵
  PID:6128
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\pivmcwrefpchfeqmrj.exe*."
    3⤵
    PID:2172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqbqewpazhsvroys.exe
1⤵
PID:556
- C:\Windows\zqbqewpazhsvroys.exe
  zqbqewpazhsvroys.exe
  2⤵
  PID:464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pivmcwrefpchfeqmrj.exe .
1⤵
PID:5348
- C:\Windows\pivmcwrefpchfeqmrj.exe
  pivmcwrefpchfeqmrj.exe .
  2⤵
  PID:1304
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\pivmcwrefpchfeqmrj.exe*."
    3⤵
    PID:4636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe
1⤵
PID:3508
- C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe
  C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe
  2⤵
  PID:3300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe .
1⤵
PID:1584
- C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe
  C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe .
  2⤵
  PID:3564
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\gykapicooxjnkitos.exe*."
    3⤵
    PID:4832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
1⤵
PID:5364
- C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
  C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
  2⤵
  PID:4912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe .
1⤵
PID:5492
- C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
  C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe .
  2⤵
  PID:5656
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\pivmcwrefpchfeqmrj.exe*."
    3⤵
    PID:4584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cyoibywmqdtbcetsavqmc.exe
1⤵
PID:4368
- C:\Windows\cyoibywmqdtbcetsavqmc.exe
  cyoibywmqdtbcetsavqmc.exe
  2⤵
  PID:5324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pivmcwrefpchfeqmrj.exe .
1⤵
PID:5844
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4724
- C:\Windows\pivmcwrefpchfeqmrj.exe
  pivmcwrefpchfeqmrj.exe .
  2⤵
  PID:5836
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\pivmcwrefpchfeqmrj.exe*."
    3⤵
    PID:5140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqbqewpazhsvroys.exe
1⤵
PID:396
- C:\Windows\zqbqewpazhsvroys.exe
  zqbqewpazhsvroys.exe
  2⤵
  PID:2540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cyoibywmqdtbcetsavqmc.exe .
1⤵
PID:4076
- C:\Windows\cyoibywmqdtbcetsavqmc.exe
  cyoibywmqdtbcetsavqmc.exe .
  2⤵
  PID:1192
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\cyoibywmqdtbcetsavqmc.exe*."
    3⤵
    PID:536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe
1⤵
PID:4812
- C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe
  C:\Users\Admin\AppData\Local\Temp\gykapicooxjnkitos.exe
  2⤵
  PID:2660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe .
1⤵
PID:4960
- C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe
  C:\Users\Admin\AppData\Local\Temp\nixqiebqtfubbcqovpje.exe .
  2⤵
  PID:5536
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\nixqiebqtfubbcqovpje.exe*."
    3⤵
    PID:952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
1⤵
PID:5328
- C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
  C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
  2⤵
  PID:5000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe .
1⤵
PID:5940
- C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe
  C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe .
  2⤵
  PID:5992
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\auiarmiwyjxdccpmsle.exe*."
    3⤵
    PID:784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqbqewpazhsvroys.exe
1⤵
PID:5088
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3420
- C:\Windows\zqbqewpazhsvroys.exe
  zqbqewpazhsvroys.exe
  2⤵
  PID:4392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cyoibywmqdtbcetsavqmc.exe .
1⤵
PID:2012
- C:\Windows\cyoibywmqdtbcetsavqmc.exe
  cyoibywmqdtbcetsavqmc.exe .
  2⤵
  PID:3996
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\cyoibywmqdtbcetsavqmc.exe*."
    3⤵
    PID:1576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pivmcwrefpchfeqmrj.exe
1⤵
PID:988
- C:\Windows\pivmcwrefpchfeqmrj.exe
  pivmcwrefpchfeqmrj.exe
  2⤵
  PID:3988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c auiarmiwyjxdccpmsle.exe .
1⤵
PID:4580
- C:\Windows\auiarmiwyjxdccpmsle.exe
  auiarmiwyjxdccpmsle.exe .
  2⤵
  PID:3892
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\auiarmiwyjxdccpmsle.exe*."
    3⤵
    PID:824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
1⤵
PID:2632
- C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
  C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
  2⤵
  PID:2340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe .
1⤵
PID:5188
- C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe
  C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe .
  2⤵
  PID:2964
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\auiarmiwyjxdccpmsle.exe*."
    3⤵
    PID:1948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe
1⤵
PID:4400
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1328
- C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe
  C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe
  2⤵
  PID:1696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe .
1⤵
PID:3568
- C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe
  C:\Users\Admin\AppData\Local\Temp\auiarmiwyjxdccpmsle.exe .
  2⤵
  PID:5832
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\auiarmiwyjxdccpmsle.exe*."
    3⤵
    PID:5332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gykapicooxjnkitos.exe
1⤵
PID:1932
- C:\Windows\gykapicooxjnkitos.exe
  gykapicooxjnkitos.exe
  2⤵
  PID:5696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cyoibywmqdtbcetsavqmc.exe .
1⤵
PID:3280
- C:\Windows\cyoibywmqdtbcetsavqmc.exe
  cyoibywmqdtbcetsavqmc.exe .
  2⤵
  PID:2536
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\cyoibywmqdtbcetsavqmc.exe*."
    3⤵
    PID:2664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqbqewpazhsvroys.exe
1⤵
PID:4296
- C:\Windows\zqbqewpazhsvroys.exe
  zqbqewpazhsvroys.exe
  2⤵
  PID:3452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqbqewpazhsvroys.exe .
1⤵
PID:4576
- C:\Windows\zqbqewpazhsvroys.exe
  zqbqewpazhsvroys.exe .
  2⤵
  PID:4100
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\zqbqewpazhsvroys.exe*."
    3⤵
    PID:2044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe
1⤵
PID:1504
- C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe
  C:\Users\Admin\AppData\Local\Temp\zqbqewpazhsvroys.exe
  2⤵
  PID:2424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe .
1⤵
PID:116
- C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
  C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe .
  2⤵
  PID:1164
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\cyoibywmqdtbcetsavqmc.exe*."
    3⤵
    PID:2164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
1⤵
PID:2976
- C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
  C:\Users\Admin\AppData\Local\Temp\pivmcwrefpchfeqmrj.exe
  2⤵
  PID:5496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe .
1⤵
PID:5100
- C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe
  C:\Users\Admin\AppData\Local\Temp\cyoibywmqdtbcetsavqmc.exe .
  2⤵
  PID:4992
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\users\admin\appdata\local\temp\cyoibywmqdtbcetsavqmc.exe*."
    3⤵
    PID:4288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gykapicooxjnkitos.exe
1⤵
PID:5168
- C:\Windows\gykapicooxjnkitos.exe
  gykapicooxjnkitos.exe
  2⤵
  PID:5416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pivmcwrefpchfeqmrj.exe .
1⤵
PID:2312
- C:\Windows\pivmcwrefpchfeqmrj.exe
  pivmcwrefpchfeqmrj.exe .
  2⤵
  PID:5752
- - C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe
    "C:\Users\Admin\AppData\Local\Temp\jhyqvkittri.exe" "c:\windows\pivmcwrefpchfeqmrj.exe*."
    3⤵
    PID:440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nixqiebqtfubbcqovpje.exe
1⤵
PID:952
- C:\Windows\nixqiebqtfubbcqovpje.exe
  nixqiebqtfubbcqovpje.exe
  2⤵
  PID:3376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c auiarmiwyjxdccpmsle.exe
1⤵
PID:3560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cyoibywmqdtbcetsavqmc.exe .
1⤵
PID:5552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Safe Mode Boot

T1562.009

Modify Registry