pykspa | 1364c5f9a11996c761040823e43e41547f52147aafd7fc4bf910d98a4c30eacb

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vilpehq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vilpehq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe

Pykspa
Pykspa is a worm spreads via Skype uses DGA and it's written in C++.
worm pykspa
Pykspa family
pykspa

UAC bypass 3 TTPs 34 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vilpehq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	vilpehq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	vilpehq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	vilpehq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vilpehq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	vilpehq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	vilpehq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	vilpehq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe

Detect Pykspa worm 2 IoCs

worm

resource	yara_rule
behavioral2/files/0x0006000000021e21-4.dat	family_pykspa
behavioral2/files/0x0010000000024074-82.dat	family_pykspa

Adds policy Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ukqxpvhsaf = "bylzylewlxubrdjqr.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ukqxpvhsaf = "vujzapkevjirjxforzz.exe"	vilpehq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ukqxpvhsaf = "bylzylewlxubrdjqr.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vilpehq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bylzylewlxubrdjqr.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vilpehq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bylzylewlxubrdjqr.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ukqxpvhsaf = "iiyprhdyqffpixgqudee.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ukqxpvhsaf = "uqcpnzriwhdjyjou.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vilpehq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kiwllztmcpnvmzgoqx.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vilpehq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kiwllztmcpnvmzgoqx.exe"	vilpehq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ukqxpvhsaf = "xyphkbyundepjzjuzjlmd.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ukqxpvhsaf = "kiwllztmcpnvmzgoqx.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vilpehq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uqcpnzriwhdjyjou.exe"	vilpehq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vilpehq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uqcpnzriwhdjyjou.exe"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vilpehq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kiwllztmcpnvmzgoqx.exe"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vilpehq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vilpehq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iiyprhdyqffpixgqudee.exe"	vilpehq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ukqxpvhsaf = "kiwllztmcpnvmzgoqx.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vilpehq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iiyprhdyqffpixgqudee.exe"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vilpehq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vujzapkevjirjxforzz.exe"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lvyhrchv = "yvlhecuvneepjzjuzjmjz.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yffls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jfuplizzqgfpixgqudfb.exe"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vilpehq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iiyprhdyqffpixgqudee.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ukqxpvhsaf = "bylzylewlxubrdjqr.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ukqxpvhsaf = "uqcpnzriwhdjyjou.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ukqxpvhsaf = "xyphkbyundepjzjuzjlmd.exe"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vilpehq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uqcpnzriwhdjyjou.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vilpehq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xyphkbyundepjzjuzjlmd.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vilpehq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bylzylewlxubrdjqr.exe"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vilpehq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ukqxpvhsaf = "kiwllztmcpnvmzgoqx.exe"	vilpehq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ukqxpvhsaf = "kiwllztmcpnvmzgoqx.exe"	vilpehq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ukqxpvhsaf = "bylzylewlxubrdjqr.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vilpehq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bylzylewlxubrdjqr.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ukqxpvhsaf = "bylzylewlxubrdjqr.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ukqxpvhsaf = "kiwllztmcpnvmzgoqx.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vilpehq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bylzylewlxubrdjqr.exe"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ukqxpvhsaf = "bylzylewlxubrdjqr.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ukqxpvhsaf = "xyphkbyundepjzjuzjlmd.exe"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ukqxpvhsaf = "kiwllztmcpnvmzgoqx.exe"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ukqxpvhsaf = "iiyprhdyqffpixgqudee.exe"	vilpehq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lvyhrchv = "vnyphanjwidjyjou.exe"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ukqxpvhsaf = "uqcpnzriwhdjyjou.exe"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ukqxpvhsaf = "iiyprhdyqffpixgqudee.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vilpehq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kiwllztmcpnvmzgoqx.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ukqxpvhsaf = "iiyprhdyqffpixgqudee.exe"	vilpehq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vilpehq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uqcpnzriwhdjyjou.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vilpehq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bylzylewlxubrdjqr.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vilpehq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uqcpnzriwhdjyjou.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vilpehq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kiwllztmcpnvmzgoqx.exe"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uvfllmhhefp.exe

Blocklisted process makes network request 5 IoCs

flow	pid	Process
49	5092	Process not Found
66	5092	Process not Found
76	3496	Process not Found
77	3496	Process not Found
78	3496	Process not Found

Disables RegEdit via registry modification 8 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vilpehq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vilpehq.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vilpehq.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vilpehq.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	bylzylewlxubrdjqr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	vujzapkevjirjxforzz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	iiyprhdyqffpixgqudee.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	xyphkbyundepjzjuzjlmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	vujzapkevjirjxforzz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	kiwllztmcpnvmzgoqx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	xyphkbyundepjzjuzjlmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	vujzapkevjirjxforzz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	uvfllmhhefp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	kiwllztmcpnvmzgoqx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	kiwllztmcpnvmzgoqx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	bylzylewlxubrdjqr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	xyphkbyundepjzjuzjlmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	iiyprhdyqffpixgqudee.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	vujzapkevjirjxforzz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	iiyprhdyqffpixgqudee.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	kiwllztmcpnvmzgoqx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	bylzylewlxubrdjqr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	vujzapkevjirjxforzz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	uqcpnzriwhdjyjou.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	kiwllztmcpnvmzgoqx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	kiwllztmcpnvmzgoqx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	bylzylewlxubrdjqr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	xyphkbyundepjzjuzjlmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	kiwllztmcpnvmzgoqx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	xyphkbyundepjzjuzjlmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	uqcpnzriwhdjyjou.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	kiwllztmcpnvmzgoqx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	bylzylewlxubrdjqr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	bylzylewlxubrdjqr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	iiyprhdyqffpixgqudee.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	iiyprhdyqffpixgqudee.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	iiyprhdyqffpixgqudee.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	vujzapkevjirjxforzz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	iiyprhdyqffpixgqudee.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	bylzylewlxubrdjqr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	xyphkbyundepjzjuzjlmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	iiyprhdyqffpixgqudee.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	xyphkbyundepjzjuzjlmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	xyphkbyundepjzjuzjlmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	iiyprhdyqffpixgqudee.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	uqcpnzriwhdjyjou.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	bylzylewlxubrdjqr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	xyphkbyundepjzjuzjlmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	iiyprhdyqffpixgqudee.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	kiwllztmcpnvmzgoqx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	vujzapkevjirjxforzz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	xyphkbyundepjzjuzjlmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	iiyprhdyqffpixgqudee.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	vujzapkevjirjxforzz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	uvfllmhhefp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	kiwllztmcpnvmzgoqx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	kiwllztmcpnvmzgoqx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	kiwllztmcpnvmzgoqx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	vujzapkevjirjxforzz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	kiwllztmcpnvmzgoqx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	vujzapkevjirjxforzz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	kiwllztmcpnvmzgoqx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	iiyprhdyqffpixgqudee.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	kiwllztmcpnvmzgoqx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	kiwllztmcpnvmzgoqx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	iiyprhdyqffpixgqudee.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	kiwllztmcpnvmzgoqx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	bylzylewlxubrdjqr.exe

Executes dropped EXE 64 IoCs

pid	Process
1828	uvfllmhhefp.exe
4632	iiyprhdyqffpixgqudee.exe
5308	vujzapkevjirjxforzz.exe
4652	uvfllmhhefp.exe
4760	kiwllztmcpnvmzgoqx.exe
5084	vujzapkevjirjxforzz.exe
316	kiwllztmcpnvmzgoqx.exe
1948	uvfllmhhefp.exe
3796	vujzapkevjirjxforzz.exe
3824	uvfllmhhefp.exe
5572	uqcpnzriwhdjyjou.exe
2184	uqcpnzriwhdjyjou.exe
4316	uvfllmhhefp.exe
3504	vilpehq.exe
6060	vilpehq.exe
4972	vujzapkevjirjxforzz.exe
2892	uqcpnzriwhdjyjou.exe
5580	kiwllztmcpnvmzgoqx.exe
3116	bylzylewlxubrdjqr.exe
372	uvfllmhhefp.exe
640	uvfllmhhefp.exe
4800	uqcpnzriwhdjyjou.exe
1904	iiyprhdyqffpixgqudee.exe
5648	iiyprhdyqffpixgqudee.exe
2816	bylzylewlxubrdjqr.exe
3772	vujzapkevjirjxforzz.exe
2700	kiwllztmcpnvmzgoqx.exe
6040	kiwllztmcpnvmzgoqx.exe
5624	bylzylewlxubrdjqr.exe
1740	vujzapkevjirjxforzz.exe
4568	uvfllmhhefp.exe
4612	uvfllmhhefp.exe
4548	uvfllmhhefp.exe
5360	uvfllmhhefp.exe
3436	vujzapkevjirjxforzz.exe
1992	xyphkbyundepjzjuzjlmd.exe
5912	iiyprhdyqffpixgqudee.exe
4584	uvfllmhhefp.exe
3812	uvfllmhhefp.exe
4832	vujzapkevjirjxforzz.exe
4456	iiyprhdyqffpixgqudee.exe
6032	uvfllmhhefp.exe
6124	iiyprhdyqffpixgqudee.exe
1752	kiwllztmcpnvmzgoqx.exe
5896	vujzapkevjirjxforzz.exe
3904	uvfllmhhefp.exe
5824	kiwllztmcpnvmzgoqx.exe
4236	uvfllmhhefp.exe
5500	iiyprhdyqffpixgqudee.exe
640	kiwllztmcpnvmzgoqx.exe
1128	uvfllmhhefp.exe
3580	xyphkbyundepjzjuzjlmd.exe
4632	xyphkbyundepjzjuzjlmd.exe
4480	xyphkbyundepjzjuzjlmd.exe
2984	xyphkbyundepjzjuzjlmd.exe
4416	uvfllmhhefp.exe
1668	kiwllztmcpnvmzgoqx.exe
4552	kiwllztmcpnvmzgoqx.exe
5108	bylzylewlxubrdjqr.exe
4340	uvfllmhhefp.exe
5044	uvfllmhhefp.exe
4576	xyphkbyundepjzjuzjlmd.exe
4648	kiwllztmcpnvmzgoqx.exe
3292	xyphkbyundepjzjuzjlmd.exe

Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	vilpehq.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	vilpehq.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	vilpehq.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	vilpehq.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	vilpehq.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	vilpehq.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

defense_evasion persistence privilege_escalation

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pgnvoviudja = "vujzapkevjirjxforzz.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\memvpxlyiphj = "uqcpnzriwhdjyjou.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mgqbxhxmyhbfsb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xyphkbyundepjzjuzjlmd.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kychxblu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uqcpnzriwhdjyjou.exe"	vilpehq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kychxblu = "iiyprhdyqffpixgqudee.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lenxsbqepxqtf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iiyprhdyqffpixgqudee.exe ."	vilpehq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lenxsbqepxqtf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kiwllztmcpnvmzgoqx.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mgqbxhxmyhbfsb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bylzylewlxubrdjqr.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kychxblu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vujzapkevjirjxforzz.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mgqbxhxmyhbfsb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uqcpnzriwhdjyjou.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kychxblu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uqcpnzriwhdjyjou.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mgqbxhxmyhbfsb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vujzapkevjirjxforzz.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kychxblu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vujzapkevjirjxforzz.exe"	vilpehq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bqvbsxisz = "xyphkbyundepjzjuzjlmd.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kychxblu = "xyphkbyundepjzjuzjlmd.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bqvbsxisz = "iiyprhdyqffpixgqudee.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lenxsbqepxqtf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bylzylewlxubrdjqr.exe ."	vilpehq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mgqbxhxmyhbfsb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xyphkbyundepjzjuzjlmd.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lenxsbqepxqtf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vujzapkevjirjxforzz.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pgnvoviudja = "iiyprhdyqffpixgqudee.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bqvbsxisz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xyphkbyundepjzjuzjlmd.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pgnvoviudja = "xyphkbyundepjzjuzjlmd.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pgnvoviudja = "kiwllztmcpnvmzgoqx.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bqvbsxisz = "vujzapkevjirjxforzz.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kychxblu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xyphkbyundepjzjuzjlmd.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lenxsbqepxqtf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kiwllztmcpnvmzgoqx.exe ."	vilpehq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pgnvoviudja = "iiyprhdyqffpixgqudee.exe"	vilpehq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bqvbsxisz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vujzapkevjirjxforzz.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pgnvoviudja = "xyphkbyundepjzjuzjlmd.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vhmxjwdtag = "vnyphanjwidjyjou.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\memvpxlyiphj = "kiwllztmcpnvmzgoqx.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bqvbsxisz = "iiyprhdyqffpixgqudee.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bqvbsxisz = "uqcpnzriwhdjyjou.exe ."	vilpehq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kychxblu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uqcpnzriwhdjyjou.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bqvbsxisz = "bylzylewlxubrdjqr.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bqvbsxisz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vujzapkevjirjxforzz.exe ."	vilpehq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bqvbsxisz = "kiwllztmcpnvmzgoqx.exe ."	vilpehq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\memvpxlyiphj = "iiyprhdyqffpixgqudee.exe ."	vilpehq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\memvpxlyiphj = "uqcpnzriwhdjyjou.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nbivjyhziqhj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnyphanjwidjyjou.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bqvbsxisz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vujzapkevjirjxforzz.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pgnvoviudja = "iiyprhdyqffpixgqudee.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bqvbsxisz = "iiyprhdyqffpixgqudee.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mgqbxhxmyhbfsb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bylzylewlxubrdjqr.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\memvpxlyiphj = "xyphkbyundepjzjuzjlmd.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wfhpyim = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lfslfapncqnvmzgoqx.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mgqbxhxmyhbfsb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kiwllztmcpnvmzgoqx.exe"	vilpehq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bqvbsxisz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kiwllztmcpnvmzgoqx.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kychxblu = "xyphkbyundepjzjuzjlmd.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bqvbsxisz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kiwllztmcpnvmzgoqx.exe ."	vilpehq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mgqbxhxmyhbfsb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uqcpnzriwhdjyjou.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lenxsbqepxqtf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xyphkbyundepjzjuzjlmd.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bqvbsxisz = "kiwllztmcpnvmzgoqx.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\memvpxlyiphj = "bylzylewlxubrdjqr.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bqvbsxisz = "bylzylewlxubrdjqr.exe ."	vilpehq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kychxblu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vujzapkevjirjxforzz.exe"	vilpehq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kychxblu = "vujzapkevjirjxforzz.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kychxblu = "bylzylewlxubrdjqr.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mgqbxhxmyhbfsb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vujzapkevjirjxforzz.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lenxsbqepxqtf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iiyprhdyqffpixgqudee.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cnrbmyetz = "wrfzuqgfvkirjxforza.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kychxblu = "kiwllztmcpnvmzgoqx.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kychxblu = "xyphkbyundepjzjuzjlmd.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kychxblu = "iiyprhdyqffpixgqudee.exe"	uvfllmhhefp.exe

Checks whether UAC is enabled 1 TTPs 44 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vilpehq.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vilpehq.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vilpehq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vilpehq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe

Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 4 IoCs

Possible Turn off User Account Control's privilege elevation for standard users.

Executable Installer File Permissions Weakness

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	vilpehq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	vilpehq.exe

Looks up external IP address via web service 7 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
28	whatismyip.everdot.org
29	www.whatismyip.ca
35	www.showmyipaddress.com
38	www.whatismyip.ca
40	whatismyip.everdot.org
42	whatismyipaddress.com
63	whatismyip.everdot.org

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\oqibfxvsmdfrmdoagruwoh.exe	vilpehq.exe
File created	C:\Windows\SysWOW64\bylzylewlxubrdjqr.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\iiyprhdyqffpixgqudee.exe	uvfllmhhefp.exe
File created	C:\Windows\SysWOW64\kiwllztmcpnvmzgoqx.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\xyphkbyundepjzjuzjlmd.exe	uvfllmhhefp.exe
File created	C:\Windows\SysWOW64\oqibfxvsmdfrmdoagruwoh.exe	vilpehq.exe
File created	C:\Windows\SysWOW64\vujzapkevjirjxforzz.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\bylzylewlxubrdjqr.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\oqibfxvsmdfrmdoagruwoh.exe	uvfllmhhefp.exe
File created	C:\Windows\SysWOW64\uqcpnzriwhdjyjou.exe	uvfllmhhefp.exe
File created	C:\Windows\SysWOW64\oqibfxvsmdfrmdoagruwoh.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\oyyzllrwyxhbedwqexisstfflq.rbv	vilpehq.exe
File created	C:\Windows\SysWOW64\oqibfxvsmdfrmdoagruwoh.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\uqcpnzriwhdjyjou.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\uqcpnzriwhdjyjou.exe	uvfllmhhefp.exe
File created	C:\Windows\SysWOW64\uqcpnzriwhdjyjou.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\uqcpnzriwhdjyjou.exe	uvfllmhhefp.exe
File created	C:\Windows\SysWOW64\iiyprhdyqffpixgqudee.exe	vilpehq.exe
File created	C:\Windows\SysWOW64\vujzapkevjirjxforzz.exe	vilpehq.exe
File created	C:\Windows\SysWOW64\bylzylewlxubrdjqr.exe	uvfllmhhefp.exe
File created	C:\Windows\SysWOW64\kiwllztmcpnvmzgoqx.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\kiwllztmcpnvmzgoqx.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\bylzylewlxubrdjqr.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\oqibfxvsmdfrmdoagruwoh.exe	uvfllmhhefp.exe
File created	C:\Windows\SysWOW64\bylzylewlxubrdjqr.exe	uvfllmhhefp.exe
File created	C:\Windows\SysWOW64\vujzapkevjirjxforzz.exe	uvfllmhhefp.exe
File created	C:\Windows\SysWOW64\iiyprhdyqffpixgqudee.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\vujzapkevjirjxforzz.exe	uvfllmhhefp.exe
File created	C:\Windows\SysWOW64\xyphkbyundepjzjuzjlmd.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\vujzapkevjirjxforzz.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\uqcpnzriwhdjyjou.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\iiyprhdyqffpixgqudee.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\uqcpnzriwhdjyjou.exe	uvfllmhhefp.exe
File created	C:\Windows\SysWOW64\uqcpnzriwhdjyjou.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\iiyprhdyqffpixgqudee.exe	uvfllmhhefp.exe
File created	C:\Windows\SysWOW64\uqcpnzriwhdjyjou.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\xyphkbyundepjzjuzjlmd.exe	uvfllmhhefp.exe
File created	C:\Windows\SysWOW64\xyphkbyundepjzjuzjlmd.exe	uvfllmhhefp.exe
File created	C:\Windows\SysWOW64\bylzylewlxubrdjqr.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\uqcpnzriwhdjyjou.exe	uvfllmhhefp.exe
File created	C:\Windows\SysWOW64\iiyprhdyqffpixgqudee.exe	uvfllmhhefp.exe
File created	C:\Windows\SysWOW64\xyphkbyundepjzjuzjlmd.exe	uvfllmhhefp.exe
File created	C:\Windows\SysWOW64\oqibfxvsmdfrmdoagruwoh.exe	uvfllmhhefp.exe
File created	C:\Windows\SysWOW64\xyphkbyundepjzjuzjlmd.exe	uvfllmhhefp.exe
File created	C:\Windows\SysWOW64\uqcpnzriwhdjyjou.exe	uvfllmhhefp.exe
File created	C:\Windows\SysWOW64\vujzapkevjirjxforzz.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\iiyprhdyqffpixgqudee.exe	vilpehq.exe
File created	C:\Windows\SysWOW64\xyphkbyundepjzjuzjlmd.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\oqibfxvsmdfrmdoagruwoh.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\iiyprhdyqffpixgqudee.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\xyphkbyundepjzjuzjlmd.exe	uvfllmhhefp.exe
File created	C:\Windows\SysWOW64\bylzylewlxubrdjqr.exe	uvfllmhhefp.exe
File created	C:\Windows\SysWOW64\vujzapkevjirjxforzz.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\iiyprhdyqffpixgqudee.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\oqibfxvsmdfrmdoagruwoh.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\bylzylewlxubrdjqr.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\bylzylewlxubrdjqr.exe	uvfllmhhefp.exe
File created	C:\Windows\SysWOW64\vujzapkevjirjxforzz.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\xyphkbyundepjzjuzjlmd.exe	uvfllmhhefp.exe
File created	C:\Windows\SysWOW64\kiwllztmcpnvmzgoqx.exe	uvfllmhhefp.exe
File created	C:\Windows\SysWOW64\uqcpnzriwhdjyjou.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\oqibfxvsmdfrmdoagruwoh.exe	uvfllmhhefp.exe
File created	C:\Windows\SysWOW64\xyphkbyundepjzjuzjlmd.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\xyphkbyundepjzjuzjlmd.exe	uvfllmhhefp.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\oyyzllrwyxhbedwqexisstfflq.rbv	vilpehq.exe
File created	C:\Program Files (x86)\oyyzllrwyxhbedwqexisstfflq.rbv	vilpehq.exe
File opened for modification	C:\Program Files (x86)\pkvhepgwjtothrvazdzufrozqgtdydrbfkjnj.pby	vilpehq.exe
File created	C:\Program Files (x86)\pkvhepgwjtothrvazdzufrozqgtdydrbfkjnj.pby	vilpehq.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xyphkbyundepjzjuzjlmd.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\uqcpnzriwhdjyjou.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\bylzylewlxubrdjqr.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\vujzapkevjirjxforzz.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\vujzapkevjirjxforzz.exe	vilpehq.exe
File opened for modification	C:\Windows\oqibfxvsmdfrmdoagruwoh.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\uqcpnzriwhdjyjou.exe	vilpehq.exe
File opened for modification	C:\Windows\xyphkbyundepjzjuzjlmd.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\xyphkbyundepjzjuzjlmd.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\kiwllztmcpnvmzgoqx.exe	vilpehq.exe
File opened for modification	C:\Windows\kiwllztmcpnvmzgoqx.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\xyphkbyundepjzjuzjlmd.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\uqcpnzriwhdjyjou.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\kiwllztmcpnvmzgoqx.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\kiwllztmcpnvmzgoqx.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\xyphkbyundepjzjuzjlmd.exe	vilpehq.exe
File opened for modification	C:\Windows\xyphkbyundepjzjuzjlmd.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\kiwllztmcpnvmzgoqx.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\kiwllztmcpnvmzgoqx.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\iiyprhdyqffpixgqudee.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\kiwllztmcpnvmzgoqx.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\kiwllztmcpnvmzgoqx.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\oqibfxvsmdfrmdoagruwoh.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\iiyprhdyqffpixgqudee.exe	uvfllmhhefp.exe
File created	C:\Windows\iiyprhdyqffpixgqudee.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\oqibfxvsmdfrmdoagruwoh.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\kiwllztmcpnvmzgoqx.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\bylzylewlxubrdjqr.exe	vilpehq.exe
File opened for modification	C:\Windows\xyphkbyundepjzjuzjlmd.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\uqcpnzriwhdjyjou.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\iiyprhdyqffpixgqudee.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\bylzylewlxubrdjqr.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\oqibfxvsmdfrmdoagruwoh.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\iiyprhdyqffpixgqudee.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\kiwllztmcpnvmzgoqx.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\kiwllztmcpnvmzgoqx.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\iiyprhdyqffpixgqudee.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\oqibfxvsmdfrmdoagruwoh.exe	vilpehq.exe
File opened for modification	C:\Windows\bylzylewlxubrdjqr.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\bylzylewlxubrdjqr.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\iiyprhdyqffpixgqudee.exe	vilpehq.exe
File opened for modification	C:\Windows\iiyprhdyqffpixgqudee.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\vujzapkevjirjxforzz.exe	uvfllmhhefp.exe
File created	C:\Windows\kiwllztmcpnvmzgoqx.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\oqibfxvsmdfrmdoagruwoh.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\vujzapkevjirjxforzz.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\oqibfxvsmdfrmdoagruwoh.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\bylzylewlxubrdjqr.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\vujzapkevjirjxforzz.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\vujzapkevjirjxforzz.exe	vilpehq.exe
File opened for modification	C:\Windows\pkvhepgwjtothrvazdzufrozqgtdydrbfkjnj.pby	vilpehq.exe
File opened for modification	C:\Windows\uqcpnzriwhdjyjou.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\oqibfxvsmdfrmdoagruwoh.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\uqcpnzriwhdjyjou.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\oqibfxvsmdfrmdoagruwoh.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\bylzylewlxubrdjqr.exe	vilpehq.exe
File opened for modification	C:\Windows\oqibfxvsmdfrmdoagruwoh.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\xyphkbyundepjzjuzjlmd.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\uqcpnzriwhdjyjou.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\iiyprhdyqffpixgqudee.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\bylzylewlxubrdjqr.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\bylzylewlxubrdjqr.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\vujzapkevjirjxforzz.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\kiwllztmcpnvmzgoqx.exe	uvfllmhhefp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iiyprhdyqffpixgqudee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iiyprhdyqffpixgqudee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vnyphanjwidjyjou.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xyphkbyundepjzjuzjlmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kiwllztmcpnvmzgoqx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bylzylewlxubrdjqr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uqcpnzriwhdjyjou.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vujzapkevjirjxforzz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kiwllztmcpnvmzgoqx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kiwllztmcpnvmzgoqx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xyphkbyundepjzjuzjlmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iiyprhdyqffpixgqudee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iiyprhdyqffpixgqudee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iiyprhdyqffpixgqudee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kiwllztmcpnvmzgoqx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uqcpnzriwhdjyjou.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iiyprhdyqffpixgqudee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kiwllztmcpnvmzgoqx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kiwllztmcpnvmzgoqx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kiwllztmcpnvmzgoqx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yffls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iiyprhdyqffpixgqudee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xyphkbyundepjzjuzjlmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vujzapkevjirjxforzz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bylzylewlxubrdjqr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iiyprhdyqffpixgqudee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vujzapkevjirjxforzz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bylzylewlxubrdjqr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uqcpnzriwhdjyjou.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uvfllmhhefp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8e0cc35a04712658755155d432aabb10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bylzylewlxubrdjqr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vujzapkevjirjxforzz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iiyprhdyqffpixgqudee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vujzapkevjirjxforzz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvhzsmaxlyubrdjqr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iiyprhdyqffpixgqudee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xyphkbyundepjzjuzjlmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kiwllztmcpnvmzgoqx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xyphkbyundepjzjuzjlmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kiwllztmcpnvmzgoqx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bylzylewlxubrdjqr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xyphkbyundepjzjuzjlmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uqcpnzriwhdjyjou.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wrfzuqgfvkirjxforza.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kiwllztmcpnvmzgoqx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kiwllztmcpnvmzgoqx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uqcpnzriwhdjyjou.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uqcpnzriwhdjyjou.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lfslfapncqnvmzgoqx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bylzylewlxubrdjqr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bylzylewlxubrdjqr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vilpehq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bylzylewlxubrdjqr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uqcpnzriwhdjyjou.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iiyprhdyqffpixgqudee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kiwllztmcpnvmzgoqx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kiwllztmcpnvmzgoqx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bylzylewlxubrdjqr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vujzapkevjirjxforzz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kiwllztmcpnvmzgoqx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uqcpnzriwhdjyjou.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kiwllztmcpnvmzgoqx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xyphkbyundepjzjuzjlmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3148	JaffaCakes118_8e0cc35a04712658755155d432aabb10.exe
3148	JaffaCakes118_8e0cc35a04712658755155d432aabb10.exe
3148	JaffaCakes118_8e0cc35a04712658755155d432aabb10.exe
3148	JaffaCakes118_8e0cc35a04712658755155d432aabb10.exe
3148	JaffaCakes118_8e0cc35a04712658755155d432aabb10.exe
3148	JaffaCakes118_8e0cc35a04712658755155d432aabb10.exe
3148	JaffaCakes118_8e0cc35a04712658755155d432aabb10.exe
3148	JaffaCakes118_8e0cc35a04712658755155d432aabb10.exe
3148	JaffaCakes118_8e0cc35a04712658755155d432aabb10.exe
3148	JaffaCakes118_8e0cc35a04712658755155d432aabb10.exe
3148	JaffaCakes118_8e0cc35a04712658755155d432aabb10.exe
3148	JaffaCakes118_8e0cc35a04712658755155d432aabb10.exe
3148	JaffaCakes118_8e0cc35a04712658755155d432aabb10.exe
3148	JaffaCakes118_8e0cc35a04712658755155d432aabb10.exe
3148	JaffaCakes118_8e0cc35a04712658755155d432aabb10.exe
3148	JaffaCakes118_8e0cc35a04712658755155d432aabb10.exe
3504	vilpehq.exe
3504	vilpehq.exe
3148	JaffaCakes118_8e0cc35a04712658755155d432aabb10.exe
3148	JaffaCakes118_8e0cc35a04712658755155d432aabb10.exe
3148	JaffaCakes118_8e0cc35a04712658755155d432aabb10.exe
3148	JaffaCakes118_8e0cc35a04712658755155d432aabb10.exe
3148	JaffaCakes118_8e0cc35a04712658755155d432aabb10.exe
3148	JaffaCakes118_8e0cc35a04712658755155d432aabb10.exe
3148	JaffaCakes118_8e0cc35a04712658755155d432aabb10.exe
3148	JaffaCakes118_8e0cc35a04712658755155d432aabb10.exe
3148	JaffaCakes118_8e0cc35a04712658755155d432aabb10.exe
3148	JaffaCakes118_8e0cc35a04712658755155d432aabb10.exe
3148	JaffaCakes118_8e0cc35a04712658755155d432aabb10.exe
3148	JaffaCakes118_8e0cc35a04712658755155d432aabb10.exe
3148	JaffaCakes118_8e0cc35a04712658755155d432aabb10.exe
3148	JaffaCakes118_8e0cc35a04712658755155d432aabb10.exe
3148	JaffaCakes118_8e0cc35a04712658755155d432aabb10.exe
3148	JaffaCakes118_8e0cc35a04712658755155d432aabb10.exe
3148	JaffaCakes118_8e0cc35a04712658755155d432aabb10.exe
3148	JaffaCakes118_8e0cc35a04712658755155d432aabb10.exe
3148	JaffaCakes118_8e0cc35a04712658755155d432aabb10.exe
3148	JaffaCakes118_8e0cc35a04712658755155d432aabb10.exe
3148	JaffaCakes118_8e0cc35a04712658755155d432aabb10.exe
3148	JaffaCakes118_8e0cc35a04712658755155d432aabb10.exe
3148	JaffaCakes118_8e0cc35a04712658755155d432aabb10.exe
3148	JaffaCakes118_8e0cc35a04712658755155d432aabb10.exe
3148	JaffaCakes118_8e0cc35a04712658755155d432aabb10.exe
3148	JaffaCakes118_8e0cc35a04712658755155d432aabb10.exe
3148	JaffaCakes118_8e0cc35a04712658755155d432aabb10.exe
3148	JaffaCakes118_8e0cc35a04712658755155d432aabb10.exe
3148	JaffaCakes118_8e0cc35a04712658755155d432aabb10.exe
3148	JaffaCakes118_8e0cc35a04712658755155d432aabb10.exe
3148	JaffaCakes118_8e0cc35a04712658755155d432aabb10.exe
3148	JaffaCakes118_8e0cc35a04712658755155d432aabb10.exe
3148	JaffaCakes118_8e0cc35a04712658755155d432aabb10.exe
3148	JaffaCakes118_8e0cc35a04712658755155d432aabb10.exe
3148	JaffaCakes118_8e0cc35a04712658755155d432aabb10.exe
3148	JaffaCakes118_8e0cc35a04712658755155d432aabb10.exe
3148	JaffaCakes118_8e0cc35a04712658755155d432aabb10.exe
3148	JaffaCakes118_8e0cc35a04712658755155d432aabb10.exe
3148	JaffaCakes118_8e0cc35a04712658755155d432aabb10.exe
3148	JaffaCakes118_8e0cc35a04712658755155d432aabb10.exe
3148	JaffaCakes118_8e0cc35a04712658755155d432aabb10.exe
3148	JaffaCakes118_8e0cc35a04712658755155d432aabb10.exe
3148	JaffaCakes118_8e0cc35a04712658755155d432aabb10.exe
3148	JaffaCakes118_8e0cc35a04712658755155d432aabb10.exe
3504	vilpehq.exe
3504	vilpehq.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3504	vilpehq.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3148 wrote to memory of 1828	3148	JaffaCakes118_8e0cc35a04712658755155d432aabb10.exe	88
PID 3148 wrote to memory of 1828	3148	JaffaCakes118_8e0cc35a04712658755155d432aabb10.exe	88
PID 3148 wrote to memory of 1828	3148	JaffaCakes118_8e0cc35a04712658755155d432aabb10.exe	88
PID 4404 wrote to memory of 4632	4404	cmd.exe	91
PID 4404 wrote to memory of 4632	4404	cmd.exe	91
PID 4404 wrote to memory of 4632	4404	cmd.exe	91
PID 4460 wrote to memory of 5308	4460	cmd.exe	94
PID 4460 wrote to memory of 5308	4460	cmd.exe	94
PID 4460 wrote to memory of 5308	4460	cmd.exe	94
PID 5308 wrote to memory of 4652	5308	vujzapkevjirjxforzz.exe	96
PID 5308 wrote to memory of 4652	5308	vujzapkevjirjxforzz.exe	96
PID 5308 wrote to memory of 4652	5308	vujzapkevjirjxforzz.exe	96
PID 4580 wrote to memory of 4760	4580	cmd.exe	100
PID 4580 wrote to memory of 4760	4580	cmd.exe	100
PID 4580 wrote to memory of 4760	4580	cmd.exe	100
PID 4584 wrote to memory of 5084	4584	cmd.exe	103
PID 4584 wrote to memory of 5084	4584	cmd.exe	103
PID 4584 wrote to memory of 5084	4584	cmd.exe	103
PID 5292 wrote to memory of 316	5292	cmd.exe	106
PID 5292 wrote to memory of 316	5292	cmd.exe	106
PID 5292 wrote to memory of 316	5292	cmd.exe	106
PID 5084 wrote to memory of 1948	5084	vujzapkevjirjxforzz.exe	107
PID 5084 wrote to memory of 1948	5084	vujzapkevjirjxforzz.exe	107
PID 5084 wrote to memory of 1948	5084	vujzapkevjirjxforzz.exe	107
PID 1084 wrote to memory of 3796	1084	cmd.exe	108
PID 1084 wrote to memory of 3796	1084	cmd.exe	108
PID 1084 wrote to memory of 3796	1084	cmd.exe	108
PID 3796 wrote to memory of 3824	3796	vujzapkevjirjxforzz.exe	109
PID 3796 wrote to memory of 3824	3796	vujzapkevjirjxforzz.exe	109
PID 3796 wrote to memory of 3824	3796	vujzapkevjirjxforzz.exe	109
PID 4832 wrote to memory of 5572	4832	cmd.exe	114
PID 4832 wrote to memory of 5572	4832	cmd.exe	114
PID 4832 wrote to memory of 5572	4832	cmd.exe	114
PID 4456 wrote to memory of 2184	4456	cmd.exe	115
PID 4456 wrote to memory of 2184	4456	cmd.exe	115
PID 4456 wrote to memory of 2184	4456	cmd.exe	115
PID 2184 wrote to memory of 4316	2184	uqcpnzriwhdjyjou.exe	116
PID 2184 wrote to memory of 4316	2184	uqcpnzriwhdjyjou.exe	116
PID 2184 wrote to memory of 4316	2184	uqcpnzriwhdjyjou.exe	116
PID 1828 wrote to memory of 3504	1828	uvfllmhhefp.exe	117
PID 1828 wrote to memory of 3504	1828	uvfllmhhefp.exe	117
PID 1828 wrote to memory of 3504	1828	uvfllmhhefp.exe	117
PID 1828 wrote to memory of 6060	1828	uvfllmhhefp.exe	118
PID 1828 wrote to memory of 6060	1828	uvfllmhhefp.exe	118
PID 1828 wrote to memory of 6060	1828	uvfllmhhefp.exe	118
PID 384 wrote to memory of 4972	384	cmd.exe	125
PID 384 wrote to memory of 4972	384	cmd.exe	125
PID 384 wrote to memory of 4972	384	cmd.exe	125
PID 1696 wrote to memory of 2892	1696	cmd.exe	126
PID 1696 wrote to memory of 2892	1696	cmd.exe	126
PID 1696 wrote to memory of 2892	1696	cmd.exe	126
PID 1120 wrote to memory of 5580	1120	cmd.exe	131
PID 1120 wrote to memory of 5580	1120	cmd.exe	131
PID 1120 wrote to memory of 5580	1120	cmd.exe	131
PID 5608 wrote to memory of 3116	5608	cmd.exe	132
PID 5608 wrote to memory of 3116	5608	cmd.exe	132
PID 5608 wrote to memory of 3116	5608	cmd.exe	132
PID 5580 wrote to memory of 372	5580	kiwllztmcpnvmzgoqx.exe	141
PID 5580 wrote to memory of 372	5580	kiwllztmcpnvmzgoqx.exe	141
PID 5580 wrote to memory of 372	5580	kiwllztmcpnvmzgoqx.exe	141
PID 3116 wrote to memory of 640	3116	bylzylewlxubrdjqr.exe	205
PID 3116 wrote to memory of 640	3116	bylzylewlxubrdjqr.exe	205
PID 3116 wrote to memory of 640	3116	bylzylewlxubrdjqr.exe	205
PID 1932 wrote to memory of 4800	1932	cmd.exe	143

System policy modification 1 TTPs 64 IoCs

defense_evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	vilpehq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	vilpehq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	vilpehq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vilpehq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	vilpehq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	vilpehq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	vilpehq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vilpehq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	vilpehq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	vilpehq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	vilpehq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	vilpehq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vilpehq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vilpehq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vilpehq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	vilpehq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	vilpehq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	vilpehq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	uvfllmhhefp.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8e0cc35a04712658755155d432aabb10.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8e0cc35a04712658755155d432aabb10.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3148
- C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
  "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_8e0cc35a04712658755155d432aabb10.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Hijack Execution Flow: Executable Installer File Permissions Weakness
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1828
- - C:\Users\Admin\AppData\Local\Temp\vilpehq.exe
    "C:\Users\Admin\AppData\Local\Temp\vilpehq.exe" "-c:\users\admin\appdata\local\temp\jaffacakes118_8e0cc35a04712658755155d432aabb10.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:3504
- - C:\Users\Admin\AppData\Local\Temp\vilpehq.exe
    "C:\Users\Admin\AppData\Local\Temp\vilpehq.exe" "-c:\users\admin\appdata\local\temp\jaffacakes118_8e0cc35a04712658755155d432aabb10.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:6060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iiyprhdyqffpixgqudee.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4404
- C:\Windows\iiyprhdyqffpixgqudee.exe
  iiyprhdyqffpixgqudee.exe
  2⤵
  - Executes dropped EXE
  PID:4632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vujzapkevjirjxforzz.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:4460
- C:\Windows\vujzapkevjirjxforzz.exe
  vujzapkevjirjxforzz.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5308
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\vujzapkevjirjxforzz.exe*."
    3⤵
    - Executes dropped EXE
    PID:4652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kiwllztmcpnvmzgoqx.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4580
- C:\Windows\kiwllztmcpnvmzgoqx.exe
  kiwllztmcpnvmzgoqx.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vujzapkevjirjxforzz.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:4584
- C:\Windows\vujzapkevjirjxforzz.exe
  vujzapkevjirjxforzz.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5084
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\vujzapkevjirjxforzz.exe*."
    3⤵
    - Executes dropped EXE
    PID:1948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5292
- C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe
  C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:1084
- C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe
  C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3796
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\vujzapkevjirjxforzz.exe*."
    3⤵
    - Executes dropped EXE
    PID:3824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4832
- C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe
  C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe
  2⤵
  - Executes dropped EXE
  PID:5572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:4456
- C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe
  C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe .
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\uqcpnzriwhdjyjou.exe*."
    3⤵
    - Executes dropped EXE
    PID:4316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vujzapkevjirjxforzz.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:384
- C:\Windows\vujzapkevjirjxforzz.exe
  vujzapkevjirjxforzz.exe
  2⤵
  - Executes dropped EXE
  PID:4972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uqcpnzriwhdjyjou.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Windows\uqcpnzriwhdjyjou.exe
  uqcpnzriwhdjyjou.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kiwllztmcpnvmzgoqx.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Windows\kiwllztmcpnvmzgoqx.exe
  kiwllztmcpnvmzgoqx.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5580
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\kiwllztmcpnvmzgoqx.exe*."
    3⤵
    - Executes dropped EXE
    PID:372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bylzylewlxubrdjqr.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:5608
- C:\Windows\bylzylewlxubrdjqr.exe
  bylzylewlxubrdjqr.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3116
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\bylzylewlxubrdjqr.exe*."
    3⤵
    - Executes dropped EXE
    PID:640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iiyprhdyqffpixgqudee.exe
1⤵
PID:1952
- C:\Windows\iiyprhdyqffpixgqudee.exe
  iiyprhdyqffpixgqudee.exe
  2⤵
  - Executes dropped EXE
  PID:1904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uqcpnzriwhdjyjou.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Windows\uqcpnzriwhdjyjou.exe
  uqcpnzriwhdjyjou.exe
  2⤵
  - Executes dropped EXE
  PID:4800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kiwllztmcpnvmzgoqx.exe .
1⤵
PID:5820
- C:\Windows\kiwllztmcpnvmzgoqx.exe
  kiwllztmcpnvmzgoqx.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2700
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\kiwllztmcpnvmzgoqx.exe*."
    3⤵
    - Executes dropped EXE
    PID:4548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bylzylewlxubrdjqr.exe .
1⤵
PID:4024
- C:\Windows\bylzylewlxubrdjqr.exe
  bylzylewlxubrdjqr.exe .
  2⤵
  - Executes dropped EXE
  PID:2816
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\bylzylewlxubrdjqr.exe*."
    3⤵
    - Executes dropped EXE
    PID:4612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe
1⤵
PID:2676
- C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe
  C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe
  2⤵
  - Executes dropped EXE
  PID:6040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bylzylewlxubrdjqr.exe
1⤵
PID:464
- C:\Users\Admin\AppData\Local\Temp\bylzylewlxubrdjqr.exe
  C:\Users\Admin\AppData\Local\Temp\bylzylewlxubrdjqr.exe
  2⤵
  - Executes dropped EXE
  PID:5624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe .
1⤵
PID:1436
- C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe
  C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe .
  2⤵
  - Executes dropped EXE
  PID:3772
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\vujzapkevjirjxforzz.exe*."
    3⤵
    - Executes dropped EXE
    PID:5360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe .
1⤵
PID:2364
- C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe
  C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5648
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\iiyprhdyqffpixgqudee.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe
1⤵
PID:5844
- C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe
  C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe
  2⤵
  - Executes dropped EXE
  PID:1740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe
1⤵
PID:4280
- C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe
  C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe
  2⤵
  - Executes dropped EXE
  PID:1992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe .
1⤵
PID:6016
- C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe
  C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5912
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\iiyprhdyqffpixgqudee.exe*."
    3⤵
    - Executes dropped EXE
    PID:3812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe .
1⤵
PID:2324
- C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe
  C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3436
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\vujzapkevjirjxforzz.exe*."
    3⤵
    - Executes dropped EXE
    PID:4584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vujzapkevjirjxforzz.exe
1⤵
PID:4620
- C:\Windows\vujzapkevjirjxforzz.exe
  vujzapkevjirjxforzz.exe
  2⤵
  - Executes dropped EXE
  PID:4832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iiyprhdyqffpixgqudee.exe .
1⤵
PID:1764
- C:\Windows\iiyprhdyqffpixgqudee.exe
  iiyprhdyqffpixgqudee.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4456
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\iiyprhdyqffpixgqudee.exe*."
    3⤵
    - Executes dropped EXE
    PID:6032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iiyprhdyqffpixgqudee.exe
1⤵
PID:1940
- C:\Windows\iiyprhdyqffpixgqudee.exe
  iiyprhdyqffpixgqudee.exe
  2⤵
  - Executes dropped EXE
  PID:6124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kiwllztmcpnvmzgoqx.exe .
1⤵
PID:4672
- C:\Windows\kiwllztmcpnvmzgoqx.exe
  kiwllztmcpnvmzgoqx.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:1752
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\kiwllztmcpnvmzgoqx.exe*."
    3⤵
    - Executes dropped EXE
    PID:3904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe
1⤵
PID:4160
- C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe
  C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe
  2⤵
  - Executes dropped EXE
  PID:5896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe .
1⤵
PID:4136
- C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe
  C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5824
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\kiwllztmcpnvmzgoqx.exe*."
    3⤵
    - Executes dropped EXE
    PID:4236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe
1⤵
PID:5204
- C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe
  C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe
  2⤵
  - Executes dropped EXE
  PID:5500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe .
1⤵
PID:2680
- C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe
  C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:640
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\kiwllztmcpnvmzgoqx.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xyphkbyundepjzjuzjlmd.exe
1⤵
PID:1172
- C:\Windows\xyphkbyundepjzjuzjlmd.exe
  xyphkbyundepjzjuzjlmd.exe
  2⤵
  - Executes dropped EXE
  PID:3580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xyphkbyundepjzjuzjlmd.exe
1⤵
PID:1828
- C:\Windows\xyphkbyundepjzjuzjlmd.exe
  xyphkbyundepjzjuzjlmd.exe
  2⤵
  - Executes dropped EXE
  PID:4632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xyphkbyundepjzjuzjlmd.exe
1⤵
PID:3984
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1904
- C:\Windows\xyphkbyundepjzjuzjlmd.exe
  xyphkbyundepjzjuzjlmd.exe
  2⤵
  - Executes dropped EXE
  PID:4480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xyphkbyundepjzjuzjlmd.exe .
1⤵
PID:2924
- C:\Windows\xyphkbyundepjzjuzjlmd.exe
  xyphkbyundepjzjuzjlmd.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2984
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\xyphkbyundepjzjuzjlmd.exe*."
    3⤵
    - Executes dropped EXE
    PID:4416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kiwllztmcpnvmzgoqx.exe .
1⤵
PID:4044
- C:\Windows\kiwllztmcpnvmzgoqx.exe
  kiwllztmcpnvmzgoqx.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4552
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\kiwllztmcpnvmzgoqx.exe*."
    3⤵
    - Executes dropped EXE
    PID:5044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kiwllztmcpnvmzgoqx.exe .
1⤵
PID:4436
- C:\Windows\kiwllztmcpnvmzgoqx.exe
  kiwllztmcpnvmzgoqx.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:1668
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\kiwllztmcpnvmzgoqx.exe*."
    3⤵
    - Executes dropped EXE
    PID:4340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bylzylewlxubrdjqr.exe
1⤵
PID:864
- C:\Windows\bylzylewlxubrdjqr.exe
  bylzylewlxubrdjqr.exe
  2⤵
  - Executes dropped EXE
  PID:5108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xyphkbyundepjzjuzjlmd.exe
1⤵
PID:4188
- C:\Windows\xyphkbyundepjzjuzjlmd.exe
  xyphkbyundepjzjuzjlmd.exe
  2⤵
  - Executes dropped EXE
  PID:4576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xyphkbyundepjzjuzjlmd.exe
1⤵
PID:1740
- C:\Windows\xyphkbyundepjzjuzjlmd.exe
  xyphkbyundepjzjuzjlmd.exe
  2⤵
  - Executes dropped EXE
  PID:3292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kiwllztmcpnvmzgoqx.exe .
1⤵
PID:4448
- C:\Windows\kiwllztmcpnvmzgoqx.exe
  kiwllztmcpnvmzgoqx.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4648
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\kiwllztmcpnvmzgoqx.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kiwllztmcpnvmzgoqx.exe .
1⤵
PID:5100
- C:\Windows\kiwllztmcpnvmzgoqx.exe
  kiwllztmcpnvmzgoqx.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3472
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\kiwllztmcpnvmzgoqx.exe*."
    3⤵
    PID:1120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe
1⤵
PID:2584
- C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe
  C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe
  2⤵
  PID:5028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kiwllztmcpnvmzgoqx.exe .
1⤵
PID:4784
- C:\Windows\kiwllztmcpnvmzgoqx.exe
  kiwllztmcpnvmzgoqx.exe .
  2⤵
  PID:5812
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\kiwllztmcpnvmzgoqx.exe*."
    3⤵
    PID:4844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe .
1⤵
PID:6088
- C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe
  C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:712
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\xyphkbyundepjzjuzjlmd.exe*."
    3⤵
    PID:3420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe
1⤵
PID:3548
- C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe
  C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe
  2⤵
  PID:4924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe
1⤵
PID:2356
- C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe
  C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe
  2⤵
  PID:3564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe .
1⤵
PID:1972
- C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe
  C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:852
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\iiyprhdyqffpixgqudee.exe*."
    3⤵
    PID:2488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe .
1⤵
PID:4520
- C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe
  C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe .
  2⤵
  - Checks computer location settings
  PID:4960
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\iiyprhdyqffpixgqudee.exe*."
    3⤵
    PID:3532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe
1⤵
PID:4048
- C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe
  C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe
  2⤵
  PID:6072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe
1⤵
PID:6076
- C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe
  C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe
  2⤵
  PID:408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe .
1⤵
PID:4808
- C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe
  C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe .
  2⤵
  - Checks computer location settings
  PID:3392
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\vujzapkevjirjxforzz.exe*."
    3⤵
    PID:3480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe
1⤵
PID:1800
- C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe
  C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe
  2⤵
  PID:1452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe .
1⤵
PID:3672
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:6124
- C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe
  C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4488
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\kiwllztmcpnvmzgoqx.exe*."
    3⤵
    PID:4416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe .
1⤵
PID:5304
- C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe
  C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe .
  2⤵
  PID:5040
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\vujzapkevjirjxforzz.exe*."
    3⤵
    PID:5424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iiyprhdyqffpixgqudee.exe
1⤵
PID:6068
- C:\Windows\iiyprhdyqffpixgqudee.exe
  iiyprhdyqffpixgqudee.exe
  2⤵
  PID:4492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iiyprhdyqffpixgqudee.exe .
1⤵
PID:4460
- C:\Windows\iiyprhdyqffpixgqudee.exe
  iiyprhdyqffpixgqudee.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4352
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\iiyprhdyqffpixgqudee.exe*."
    3⤵
    PID:5148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bylzylewlxubrdjqr.exe
1⤵
PID:3496
- C:\Windows\bylzylewlxubrdjqr.exe
  bylzylewlxubrdjqr.exe
  2⤵
  PID:1200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xyphkbyundepjzjuzjlmd.exe .
1⤵
PID:4700
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1668
- C:\Windows\xyphkbyundepjzjuzjlmd.exe
  xyphkbyundepjzjuzjlmd.exe .
  2⤵
  - Checks computer location settings
  PID:3912
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\xyphkbyundepjzjuzjlmd.exe*."
    3⤵
    PID:4044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe
1⤵
PID:864
- C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe
  C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe
  2⤵
  PID:3908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bylzylewlxubrdjqr.exe .
1⤵
PID:3820
- C:\Users\Admin\AppData\Local\Temp\bylzylewlxubrdjqr.exe
  C:\Users\Admin\AppData\Local\Temp\bylzylewlxubrdjqr.exe .
  2⤵
  - Checks computer location settings
  PID:4820
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\bylzylewlxubrdjqr.exe*."
    3⤵
    PID:5480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe
1⤵
PID:1928
- C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe
  C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe
  2⤵
  PID:1848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe .
1⤵
PID:2456
- C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe
  C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4388
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\kiwllztmcpnvmzgoqx.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:1232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xyphkbyundepjzjuzjlmd.exe
1⤵
PID:4528
- C:\Windows\xyphkbyundepjzjuzjlmd.exe
  xyphkbyundepjzjuzjlmd.exe
  2⤵
  PID:1596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uqcpnzriwhdjyjou.exe .
1⤵
PID:2132
- C:\Windows\uqcpnzriwhdjyjou.exe
  uqcpnzriwhdjyjou.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3512
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\uqcpnzriwhdjyjou.exe*."
    3⤵
    PID:6056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xyphkbyundepjzjuzjlmd.exe
1⤵
PID:2844
- C:\Windows\xyphkbyundepjzjuzjlmd.exe
  xyphkbyundepjzjuzjlmd.exe
  2⤵
  PID:3568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bylzylewlxubrdjqr.exe .
1⤵
PID:2412
- C:\Windows\bylzylewlxubrdjqr.exe
  bylzylewlxubrdjqr.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4568
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\bylzylewlxubrdjqr.exe*."
    3⤵
    PID:1984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bylzylewlxubrdjqr.exe
1⤵
PID:5724
- C:\Users\Admin\AppData\Local\Temp\bylzylewlxubrdjqr.exe
  C:\Users\Admin\AppData\Local\Temp\bylzylewlxubrdjqr.exe
  2⤵
  PID:5424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe .
1⤵
PID:1228
- C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe
  C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe .
  2⤵
  PID:2932
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\iiyprhdyqffpixgqudee.exe*."
    3⤵
    PID:4164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe
1⤵
PID:5752
- C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe
  C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe
  2⤵
  PID:4972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe .
1⤵
PID:6088
- C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe
  C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe .
  2⤵
  - Checks computer location settings
  PID:1240
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\vujzapkevjirjxforzz.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iiyprhdyqffpixgqudee.exe
1⤵
PID:3640
- C:\Windows\iiyprhdyqffpixgqudee.exe
  iiyprhdyqffpixgqudee.exe
  2⤵
  PID:4432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bylzylewlxubrdjqr.exe .
1⤵
PID:4644
- C:\Windows\bylzylewlxubrdjqr.exe
  bylzylewlxubrdjqr.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4924
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\bylzylewlxubrdjqr.exe*."
    3⤵
    PID:3096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vujzapkevjirjxforzz.exe
1⤵
PID:1904
- C:\Windows\vujzapkevjirjxforzz.exe
  vujzapkevjirjxforzz.exe
  2⤵
  PID:6100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uqcpnzriwhdjyjou.exe .
1⤵
PID:1704
- C:\Windows\uqcpnzriwhdjyjou.exe
  uqcpnzriwhdjyjou.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4664
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\uqcpnzriwhdjyjou.exe*."
    3⤵
    PID:3952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe
1⤵
PID:4484
- C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe
  C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe
  2⤵
  PID:4552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe .
1⤵
PID:5648
- C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe
  C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe .
  2⤵
  - Checks computer location settings
  PID:4380
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\xyphkbyundepjzjuzjlmd.exe*."
    3⤵
    PID:4764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe
1⤵
PID:4428
- C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe
  C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe
  2⤵
  PID:3856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe .
1⤵
PID:872
- C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe
  C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe .
  2⤵
  PID:1128
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\xyphkbyundepjzjuzjlmd.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bylzylewlxubrdjqr.exe
1⤵
PID:1848
- C:\Windows\bylzylewlxubrdjqr.exe
  bylzylewlxubrdjqr.exe
  2⤵
  PID:1928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iiyprhdyqffpixgqudee.exe .
1⤵
PID:5880
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5472
- C:\Windows\iiyprhdyqffpixgqudee.exe
  iiyprhdyqffpixgqudee.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4564
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\iiyprhdyqffpixgqudee.exe*."
    3⤵
    PID:2488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uqcpnzriwhdjyjou.exe
1⤵
PID:5492
- C:\Windows\uqcpnzriwhdjyjou.exe
  uqcpnzriwhdjyjou.exe
  2⤵
  PID:1972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uqcpnzriwhdjyjou.exe .
1⤵
PID:640
- C:\Windows\uqcpnzriwhdjyjou.exe
  uqcpnzriwhdjyjou.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5800
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\uqcpnzriwhdjyjou.exe*."
    3⤵
    PID:3568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe
1⤵
PID:668
- C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe
  C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe
  2⤵
  PID:372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe .
1⤵
PID:3472
- C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe
  C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe .
  2⤵
  PID:5680
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\vujzapkevjirjxforzz.exe*."
    3⤵
    PID:3956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bylzylewlxubrdjqr.exe
1⤵
PID:5608
- C:\Users\Admin\AppData\Local\Temp\bylzylewlxubrdjqr.exe
  C:\Users\Admin\AppData\Local\Temp\bylzylewlxubrdjqr.exe
  2⤵
  PID:3732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe .
1⤵
PID:3420
- C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe
  C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe .
  2⤵
  PID:2904
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\uqcpnzriwhdjyjou.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:5968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uqcpnzriwhdjyjou.exe
1⤵
PID:1228
- C:\Windows\uqcpnzriwhdjyjou.exe
  uqcpnzriwhdjyjou.exe
  2⤵
  PID:2320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vujzapkevjirjxforzz.exe .
1⤵
PID:1988
- C:\Windows\vujzapkevjirjxforzz.exe
  vujzapkevjirjxforzz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1232
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\vujzapkevjirjxforzz.exe*."
    3⤵
    PID:4852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vujzapkevjirjxforzz.exe
1⤵
PID:1056
- C:\Windows\vujzapkevjirjxforzz.exe
  vujzapkevjirjxforzz.exe
  2⤵
  PID:5172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xyphkbyundepjzjuzjlmd.exe .
1⤵
PID:1976
- C:\Windows\xyphkbyundepjzjuzjlmd.exe
  xyphkbyundepjzjuzjlmd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5936
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\xyphkbyundepjzjuzjlmd.exe*."
    3⤵
    PID:4988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bylzylewlxubrdjqr.exe
1⤵
PID:4596
- C:\Users\Admin\AppData\Local\Temp\bylzylewlxubrdjqr.exe
  C:\Users\Admin\AppData\Local\Temp\bylzylewlxubrdjqr.exe
  2⤵
  PID:888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe .
1⤵
PID:4808
- C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe
  C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5192
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\xyphkbyundepjzjuzjlmd.exe*."
    3⤵
    PID:4144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe
1⤵
PID:3436
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4924
- C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe
  C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe
  2⤵
  PID:2984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe .
1⤵
PID:1188
- C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe
  C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe .
  2⤵
  - Checks computer location settings
  PID:4920
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\vujzapkevjirjxforzz.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iiyprhdyqffpixgqudee.exe
1⤵
PID:2452
- C:\Windows\iiyprhdyqffpixgqudee.exe
  iiyprhdyqffpixgqudee.exe
  2⤵
  PID:2244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iiyprhdyqffpixgqudee.exe .
1⤵
PID:3908
- C:\Windows\iiyprhdyqffpixgqudee.exe
  iiyprhdyqffpixgqudee.exe .
  2⤵
  PID:2444
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\iiyprhdyqffpixgqudee.exe*."
    3⤵
    PID:4044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bylzylewlxubrdjqr.exe
1⤵
PID:232
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3912
- C:\Windows\bylzylewlxubrdjqr.exe
  bylzylewlxubrdjqr.exe
  2⤵
  PID:4232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bylzylewlxubrdjqr.exe .
1⤵
PID:5588
- C:\Windows\bylzylewlxubrdjqr.exe
  bylzylewlxubrdjqr.exe .
  2⤵
  - Checks computer location settings
  PID:3464
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\bylzylewlxubrdjqr.exe*."
    3⤵
    PID:1940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe
1⤵
PID:5920
- C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe
  C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe
  2⤵
  PID:1928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe .
1⤵
PID:3820
- C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe
  C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4388
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\iiyprhdyqffpixgqudee.exe*."
    3⤵
    PID:4540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uqcpnzriwhdjyjou.exe
1⤵
PID:812
- C:\Windows\uqcpnzriwhdjyjou.exe
  uqcpnzriwhdjyjou.exe
  2⤵
  PID:4696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vujzapkevjirjxforzz.exe
1⤵
PID:4548
- C:\Windows\vujzapkevjirjxforzz.exe
  vujzapkevjirjxforzz.exe
  2⤵
  PID:5536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe
1⤵
PID:2920
- C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe
  C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe
  2⤵
  PID:2152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vujzapkevjirjxforzz.exe .
1⤵
PID:5004
- C:\Windows\vujzapkevjirjxforzz.exe
  vujzapkevjirjxforzz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2132
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\vujzapkevjirjxforzz.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uqcpnzriwhdjyjou.exe .
1⤵
PID:4528
- C:\Windows\uqcpnzriwhdjyjou.exe
  uqcpnzriwhdjyjou.exe .
  2⤵
  - Checks computer location settings
  PID:1136
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\uqcpnzriwhdjyjou.exe*."
    3⤵
    PID:5672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe .
1⤵
PID:324
- C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe
  C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe .
  2⤵
  - Checks computer location settings
  PID:3956
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\kiwllztmcpnvmzgoqx.exe*."
    3⤵
    PID:6020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iiyprhdyqffpixgqudee.exe
1⤵
PID:5236
- C:\Windows\iiyprhdyqffpixgqudee.exe
  iiyprhdyqffpixgqudee.exe
  2⤵
  PID:5156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uqcpnzriwhdjyjou.exe
1⤵
PID:5008
- C:\Windows\uqcpnzriwhdjyjou.exe
  uqcpnzriwhdjyjou.exe
  2⤵
  PID:5100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bylzylewlxubrdjqr.exe .
1⤵
PID:3968
- C:\Windows\bylzylewlxubrdjqr.exe
  bylzylewlxubrdjqr.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3480
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\bylzylewlxubrdjqr.exe*."
    3⤵
    PID:5916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iiyprhdyqffpixgqudee.exe .
1⤵
PID:2604
- C:\Windows\iiyprhdyqffpixgqudee.exe
  iiyprhdyqffpixgqudee.exe .
  2⤵
  - Checks computer location settings
  PID:4492
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\iiyprhdyqffpixgqudee.exe*."
    3⤵
    PID:4612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe
1⤵
PID:4832
- C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe
  C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe
  2⤵
  PID:4988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe
1⤵
PID:4520
- C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe
  C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe
  2⤵
  PID:1436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe .
1⤵
PID:2620
- C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe
  C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe .
  2⤵
  - Checks computer location settings
  PID:1344
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\xyphkbyundepjzjuzjlmd.exe*."
    3⤵
    PID:5468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe .
1⤵
PID:4244
- C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe
  C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe .
  2⤵
  PID:3548
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\kiwllztmcpnvmzgoqx.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Checks computer location settings
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - System Location Discovery: System Language Discovery
    - System policy modification
    PID:2244
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-c:\users\admin\appdata\local\temp\kiwllztmcpnvmzgoqx.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4700
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-c:\users\admin\appdata\local\temp\kiwllztmcpnvmzgoqx.exe"
      4⤵
      PID:4404
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-c:\users\admin\appdata\local\temp\kiwllztmcpnvmzgoqx.exe"
      4⤵
      PID:2216
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-c:\users\admin\appdata\local\temp\kiwllztmcpnvmzgoqx.exe"
      4⤵
      PID:1248
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-c:\users\admin\appdata\local\temp\kiwllztmcpnvmzgoqx.exe"
      4⤵
      PID:5924
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-c:\users\admin\appdata\local\temp\kiwllztmcpnvmzgoqx.exe"
      4⤵
      PID:1764
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-c:\users\admin\appdata\local\temp\kiwllztmcpnvmzgoqx.exe"
      4⤵
      PID:3784
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-c:\users\admin\appdata\local\temp\kiwllztmcpnvmzgoqx.exe"
      4⤵
      PID:4640
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-c:\users\admin\appdata\local\temp\kiwllztmcpnvmzgoqx.exe"
      4⤵
      PID:4408
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-c:\users\admin\appdata\local\temp\kiwllztmcpnvmzgoqx.exe"
      4⤵
      PID:4976
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-c:\users\admin\appdata\local\temp\kiwllztmcpnvmzgoqx.exe"
      4⤵
      PID:4012
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-c:\users\admin\appdata\local\temp\kiwllztmcpnvmzgoqx.exe"
      4⤵
      PID:3088
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-c:\users\admin\appdata\local\temp\kiwllztmcpnvmzgoqx.exe"
      4⤵
      PID:220
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-c:\users\admin\appdata\local\temp\kiwllztmcpnvmzgoqx.exe"
      4⤵
      PID:2904
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-c:\users\admin\appdata\local\temp\kiwllztmcpnvmzgoqx.exe"
      4⤵
      PID:5808
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-c:\users\admin\appdata\local\temp\kiwllztmcpnvmzgoqx.exe"
      4⤵
      PID:1900
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-c:\users\admin\appdata\local\temp\kiwllztmcpnvmzgoqx.exe"
      4⤵
      PID:1920
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-c:\users\admin\appdata\local\temp\kiwllztmcpnvmzgoqx.exe"
      4⤵
      PID:5828
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-c:\users\admin\appdata\local\temp\kiwllztmcpnvmzgoqx.exe"
      4⤵
      PID:3256
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-c:\users\admin\appdata\local\temp\kiwllztmcpnvmzgoqx.exe"
      4⤵
      PID:372
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-c:\users\admin\appdata\local\temp\kiwllztmcpnvmzgoqx.exe"
      4⤵
      PID:2996
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-c:\users\admin\appdata\local\temp\kiwllztmcpnvmzgoqx.exe"
      4⤵
      PID:3392
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-c:\users\admin\appdata\local\temp\kiwllztmcpnvmzgoqx.exe"
      4⤵
      PID:5024
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-c:\users\admin\appdata\local\temp\kiwllztmcpnvmzgoqx.exe"
      4⤵
      PID:1984
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-c:\users\admin\appdata\local\temp\kiwllztmcpnvmzgoqx.exe"
      4⤵
      PID:5420
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-c:\users\admin\appdata\local\temp\kiwllztmcpnvmzgoqx.exe"
      4⤵
      PID:5968
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-c:\users\admin\appdata\local\temp\kiwllztmcpnvmzgoqx.exe"
      4⤵
      PID:3580
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-c:\users\admin\appdata\local\temp\kiwllztmcpnvmzgoqx.exe"
      4⤵
      PID:2724
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-c:\users\admin\appdata\local\temp\kiwllztmcpnvmzgoqx.exe"
      4⤵
      PID:1596
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-c:\users\admin\appdata\local\temp\kiwllztmcpnvmzgoqx.exe"
      4⤵
      PID:1240
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-c:\users\admin\appdata\local\temp\kiwllztmcpnvmzgoqx.exe"
      4⤵
      PID:1188
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-c:\users\admin\appdata\local\temp\kiwllztmcpnvmzgoqx.exe"
      4⤵
      PID:4168
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-c:\users\admin\appdata\local\temp\kiwllztmcpnvmzgoqx.exe"
      4⤵
      PID:3636
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-c:\users\admin\appdata\local\temp\kiwllztmcpnvmzgoqx.exe"
      4⤵
      PID:2760
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-c:\users\admin\appdata\local\temp\kiwllztmcpnvmzgoqx.exe"
      4⤵
      PID:1616
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-c:\users\admin\appdata\local\temp\kiwllztmcpnvmzgoqx.exe"
      4⤵
      PID:5420
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-c:\users\admin\appdata\local\temp\kiwllztmcpnvmzgoqx.exe"
      4⤵
      PID:2804
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-c:\users\admin\appdata\local\temp\kiwllztmcpnvmzgoqx.exe"
      4⤵
      PID:5236
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-c:\users\admin\appdata\local\temp\kiwllztmcpnvmzgoqx.exe"
      4⤵
      PID:4660
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-c:\users\admin\appdata\local\temp\kiwllztmcpnvmzgoqx.exe"
      4⤵
      PID:5008
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-c:\users\admin\appdata\local\temp\kiwllztmcpnvmzgoqx.exe"
      4⤵
      PID:2348
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-c:\users\admin\appdata\local\temp\kiwllztmcpnvmzgoqx.exe"
      4⤵
      PID:4648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe
1⤵
PID:6088
- C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe
  C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe
  2⤵
  PID:4664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe
1⤵
PID:5936
- C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe
  C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe
  2⤵
  PID:5912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xyphkbyundepjzjuzjlmd.exe
1⤵
PID:5540
- C:\Windows\xyphkbyundepjzjuzjlmd.exe
  xyphkbyundepjzjuzjlmd.exe
  2⤵
  PID:5436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe .
1⤵
PID:4364
- C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe
  C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2444
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\uqcpnzriwhdjyjou.exe*."
    3⤵
    PID:2220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bylzylewlxubrdjqr.exe .
1⤵
PID:4808
- C:\Users\Admin\AppData\Local\Temp\bylzylewlxubrdjqr.exe
  C:\Users\Admin\AppData\Local\Temp\bylzylewlxubrdjqr.exe .
  2⤵
  - Checks computer location settings
  PID:5044
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\bylzylewlxubrdjqr.exe*."
    3⤵
    PID:5588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bylzylewlxubrdjqr.exe .
1⤵
PID:4468
- C:\Windows\bylzylewlxubrdjqr.exe
  bylzylewlxubrdjqr.exe .
  2⤵
  - Checks computer location settings
  PID:4380
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\bylzylewlxubrdjqr.exe*."
    3⤵
    PID:2488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iiyprhdyqffpixgqudee.exe
1⤵
PID:4332
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5108
- C:\Windows\iiyprhdyqffpixgqudee.exe
  iiyprhdyqffpixgqudee.exe
  2⤵
  PID:3300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uqcpnzriwhdjyjou.exe .
1⤵
PID:4396
- C:\Windows\uqcpnzriwhdjyjou.exe
  uqcpnzriwhdjyjou.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2564
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\uqcpnzriwhdjyjou.exe*."
    3⤵
    PID:3580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe
1⤵
PID:316
- C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe
  C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe
  2⤵
  PID:4524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe .
1⤵
PID:5076
- C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe
  C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4696
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\iiyprhdyqffpixgqudee.exe*."
    3⤵
    PID:5836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jfuplizzqgfpixgqudfb.exe
1⤵
PID:5452
- C:\Windows\jfuplizzqgfpixgqudfb.exe
  jfuplizzqgfpixgqudfb.exe
  2⤵
  PID:4236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe
1⤵
PID:5908
- C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe
  C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe
  2⤵
  PID:4464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wrfzuqgfvkirjxforza.exe .
1⤵
PID:752
- C:\Windows\wrfzuqgfvkirjxforza.exe
  wrfzuqgfvkirjxforza.exe .
  2⤵
  PID:5420
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\wrfzuqgfvkirjxforza.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe .
1⤵
PID:5040
- C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe
  C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:764
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\uqcpnzriwhdjyjou.exe*."
    3⤵
    PID:1440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wrfzuqgfvkirjxforza.exe
1⤵
PID:1792
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1984
- C:\Windows\wrfzuqgfvkirjxforza.exe
  wrfzuqgfvkirjxforza.exe
  2⤵
  PID:5724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cvhzsmaxlyubrdjqr.exe .
1⤵
PID:3892
- C:\Windows\cvhzsmaxlyubrdjqr.exe
  cvhzsmaxlyubrdjqr.exe .
  2⤵
  PID:4208
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\cvhzsmaxlyubrdjqr.exe*."
    3⤵
    PID:5568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe
1⤵
PID:640
- C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe
  C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wrfzuqgfvkirjxforza.exe .
1⤵
PID:1296
- C:\Users\Admin\AppData\Local\Temp\wrfzuqgfvkirjxforza.exe
  C:\Users\Admin\AppData\Local\Temp\wrfzuqgfvkirjxforza.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6068
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\wrfzuqgfvkirjxforza.exe*."
    3⤵
    PID:5148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfslfapncqnvmzgoqx.exe
1⤵
PID:220
- C:\Users\Admin\AppData\Local\Temp\lfslfapncqnvmzgoqx.exe
  C:\Users\Admin\AppData\Local\Temp\lfslfapncqnvmzgoqx.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kiwllztmcpnvmzgoqx.exe
1⤵
PID:2340
- C:\Windows\kiwllztmcpnvmzgoqx.exe
  kiwllztmcpnvmzgoqx.exe
  2⤵
  PID:4972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wrfzuqgfvkirjxforza.exe .
1⤵
PID:1228
- C:\Users\Admin\AppData\Local\Temp\wrfzuqgfvkirjxforza.exe
  C:\Users\Admin\AppData\Local\Temp\wrfzuqgfvkirjxforza.exe .
  2⤵
  PID:4596
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\wrfzuqgfvkirjxforza.exe*."
    3⤵
    PID:4744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iiyprhdyqffpixgqudee.exe .
1⤵
PID:1240
- C:\Windows\iiyprhdyqffpixgqudee.exe
  iiyprhdyqffpixgqudee.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1948
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\iiyprhdyqffpixgqudee.exe*."
    3⤵
    PID:4456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vujzapkevjirjxforzz.exe
1⤵
PID:4728
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3292
- C:\Windows\vujzapkevjirjxforzz.exe
  vujzapkevjirjxforzz.exe
  2⤵
  PID:6128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kiwllztmcpnvmzgoqx.exe .
1⤵
PID:5252
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5936
- C:\Windows\kiwllztmcpnvmzgoqx.exe
  kiwllztmcpnvmzgoqx.exe .
  2⤵
  - Checks computer location settings
  PID:4376
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\kiwllztmcpnvmzgoqx.exe*."
    3⤵
    PID:5812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe
1⤵
PID:4232
- C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe
  C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe
  2⤵
  PID:4380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe .
1⤵
PID:5212
- C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe
  C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe .
  2⤵
  - Checks computer location settings
  PID:4188
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\xyphkbyundepjzjuzjlmd.exe*."
    3⤵
    PID:4524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe
1⤵
PID:1172
- C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe
  C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe
  2⤵
  PID:5688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe .
1⤵
PID:4288
- C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe
  C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe .
  2⤵
  PID:2368
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\kiwllztmcpnvmzgoqx.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uqcpnzriwhdjyjou.exe
1⤵
PID:1904
- C:\Windows\uqcpnzriwhdjyjou.exe
  uqcpnzriwhdjyjou.exe
  2⤵
  PID:2920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iiyprhdyqffpixgqudee.exe .
1⤵
PID:4784
- C:\Windows\iiyprhdyqffpixgqudee.exe
  iiyprhdyqffpixgqudee.exe .
  2⤵
  PID:4340
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\iiyprhdyqffpixgqudee.exe*."
    3⤵
    PID:5924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vujzapkevjirjxforzz.exe
1⤵
PID:4560
- C:\Windows\vujzapkevjirjxforzz.exe
  vujzapkevjirjxforzz.exe
  2⤵
  PID:5308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xyphkbyundepjzjuzjlmd.exe .
1⤵
PID:3456
- C:\Windows\xyphkbyundepjzjuzjlmd.exe
  xyphkbyundepjzjuzjlmd.exe .
  2⤵
  - Checks computer location settings
  PID:508
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\xyphkbyundepjzjuzjlmd.exe*."
    3⤵
    PID:4548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bylzylewlxubrdjqr.exe
1⤵
PID:3080
- C:\Users\Admin\AppData\Local\Temp\bylzylewlxubrdjqr.exe
  C:\Users\Admin\AppData\Local\Temp\bylzylewlxubrdjqr.exe
  2⤵
  PID:3720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bylzylewlxubrdjqr.exe .
1⤵
PID:668
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3472
- C:\Users\Admin\AppData\Local\Temp\bylzylewlxubrdjqr.exe
  C:\Users\Admin\AppData\Local\Temp\bylzylewlxubrdjqr.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1516
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\bylzylewlxubrdjqr.exe*."
    3⤵
    PID:5192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jfuplizzqgfpixgqudfb.exe
1⤵
PID:372
- C:\Windows\jfuplizzqgfpixgqudfb.exe
  jfuplizzqgfpixgqudfb.exe
  2⤵
  PID:5792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe
1⤵
PID:5048
- C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe
  C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe
  2⤵
  PID:5892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yvlhecuvneepjzjuzjmjz.exe .
1⤵
PID:5292
- C:\Windows\yvlhecuvneepjzjuzjmjz.exe
  yvlhecuvneepjzjuzjmjz.exe .
  2⤵
  PID:4824
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\yvlhecuvneepjzjuzjmjz.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe .
1⤵
PID:1900
- C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe
  C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe .
  2⤵
  PID:2628
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\xyphkbyundepjzjuzjlmd.exe*."
    3⤵
    PID:4416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wrfzuqgfvkirjxforza.exe
1⤵
PID:1988
- C:\Windows\wrfzuqgfvkirjxforza.exe
  wrfzuqgfvkirjxforza.exe
  2⤵
  PID:4484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vnyphanjwidjyjou.exe .
1⤵
PID:1344
- C:\Windows\vnyphanjwidjyjou.exe
  vnyphanjwidjyjou.exe .
  2⤵
  PID:4480
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\vnyphanjwidjyjou.exe*."
    3⤵
    PID:5312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yvlhecuvneepjzjuzjmjz.exe
1⤵
PID:5576
- C:\Users\Admin\AppData\Local\Temp\yvlhecuvneepjzjuzjmjz.exe
  C:\Users\Admin\AppData\Local\Temp\yvlhecuvneepjzjuzjmjz.exe
  2⤵
  PID:3088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cvhzsmaxlyubrdjqr.exe .
1⤵
PID:5628
- C:\Users\Admin\AppData\Local\Temp\cvhzsmaxlyubrdjqr.exe
  C:\Users\Admin\AppData\Local\Temp\cvhzsmaxlyubrdjqr.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3864
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\cvhzsmaxlyubrdjqr.exe*."
    3⤵
    PID:5360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wrfzuqgfvkirjxforza.exe
1⤵
PID:1132
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3420
- C:\Users\Admin\AppData\Local\Temp\wrfzuqgfvkirjxforza.exe
  C:\Users\Admin\AppData\Local\Temp\wrfzuqgfvkirjxforza.exe
  2⤵
  PID:2488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xyphkbyundepjzjuzjlmd.exe
1⤵
PID:5824
- C:\Windows\xyphkbyundepjzjuzjlmd.exe
  xyphkbyundepjzjuzjlmd.exe
  2⤵
  PID:384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfslfapncqnvmzgoqx.exe .
1⤵
PID:3300
- C:\Users\Admin\AppData\Local\Temp\lfslfapncqnvmzgoqx.exe
  C:\Users\Admin\AppData\Local\Temp\lfslfapncqnvmzgoqx.exe .
  2⤵
  PID:3096
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\lfslfapncqnvmzgoqx.exe*."
    3⤵
    PID:4368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kiwllztmcpnvmzgoqx.exe .
1⤵
PID:3904
- C:\Windows\kiwllztmcpnvmzgoqx.exe
  kiwllztmcpnvmzgoqx.exe .
  2⤵
  - Checks computer location settings
  PID:4976
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\kiwllztmcpnvmzgoqx.exe*."
    3⤵
    PID:1172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xyphkbyundepjzjuzjlmd.exe
1⤵
PID:5784
- C:\Windows\xyphkbyundepjzjuzjlmd.exe
  xyphkbyundepjzjuzjlmd.exe
  2⤵
  PID:4136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uqcpnzriwhdjyjou.exe .
1⤵
PID:4540
- C:\Windows\uqcpnzriwhdjyjou.exe
  uqcpnzriwhdjyjou.exe .
  2⤵
  PID:4196
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\uqcpnzriwhdjyjou.exe*."
    3⤵
    PID:4460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe
1⤵
PID:316
- C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe
  C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe
  2⤵
  PID:5500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe .
1⤵
PID:5296
- C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe
  C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:6028
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\iiyprhdyqffpixgqudee.exe*."
    3⤵
    PID:3908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe
1⤵
PID:4552
- C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe
  C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe
  2⤵
  PID:2844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe .
1⤵
PID:4720
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4960
- C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe
  C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe .
  2⤵
  PID:5448
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\xyphkbyundepjzjuzjlmd.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kiwllztmcpnvmzgoqx.exe
1⤵
PID:2412
- C:\Windows\kiwllztmcpnvmzgoqx.exe
  kiwllztmcpnvmzgoqx.exe
  2⤵
  PID:1596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xyphkbyundepjzjuzjlmd.exe .
1⤵
PID:1956
- C:\Windows\xyphkbyundepjzjuzjlmd.exe
  xyphkbyundepjzjuzjlmd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2756
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\xyphkbyundepjzjuzjlmd.exe*."
    3⤵
    PID:1440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xyphkbyundepjzjuzjlmd.exe
1⤵
PID:372
- C:\Windows\xyphkbyundepjzjuzjlmd.exe
  xyphkbyundepjzjuzjlmd.exe
  2⤵
  PID:6016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kiwllztmcpnvmzgoqx.exe .
1⤵
PID:5964
- C:\Windows\kiwllztmcpnvmzgoqx.exe
  kiwllztmcpnvmzgoqx.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:664
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\kiwllztmcpnvmzgoqx.exe*."
    3⤵
    PID:4824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe
1⤵
PID:5968
- C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe
  C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe
  2⤵
  PID:1400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe .
1⤵
PID:3172
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5680
- C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe
  C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4792
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\vujzapkevjirjxforzz.exe*."
    3⤵
    PID:4744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe
1⤵
PID:2872
- C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe
  C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe
  2⤵
  PID:4908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bylzylewlxubrdjqr.exe .
1⤵
PID:3744
- C:\Users\Admin\AppData\Local\Temp\bylzylewlxubrdjqr.exe
  C:\Users\Admin\AppData\Local\Temp\bylzylewlxubrdjqr.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3088
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\bylzylewlxubrdjqr.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kiwllztmcpnvmzgoqx.exe
1⤵
PID:4636
- C:\Windows\kiwllztmcpnvmzgoqx.exe
  kiwllztmcpnvmzgoqx.exe
  2⤵
  PID:5200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bylzylewlxubrdjqr.exe .
1⤵
PID:444
- C:\Windows\bylzylewlxubrdjqr.exe
  bylzylewlxubrdjqr.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:924
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\bylzylewlxubrdjqr.exe*."
    3⤵
    PID:5848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xyphkbyundepjzjuzjlmd.exe
1⤵
PID:5744
- C:\Windows\xyphkbyundepjzjuzjlmd.exe
  xyphkbyundepjzjuzjlmd.exe
  2⤵
  PID:5628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kiwllztmcpnvmzgoqx.exe .
1⤵
PID:3760
- C:\Windows\kiwllztmcpnvmzgoqx.exe
  kiwllztmcpnvmzgoqx.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5012
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\kiwllztmcpnvmzgoqx.exe*."
    3⤵
    PID:4992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe
1⤵
PID:652
- C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe
  C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe
  2⤵
  PID:4768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe .
1⤵
PID:5828
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3096
- C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe
  C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3612
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\kiwllztmcpnvmzgoqx.exe*."
    3⤵
    PID:4260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe
1⤵
PID:4316
- C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe
  C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe
  2⤵
  PID:3904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe .
1⤵
PID:424
- C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe
  C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe .
  2⤵
  PID:2484
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\kiwllztmcpnvmzgoqx.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xyphkbyundepjzjuzjlmd.exe
1⤵
PID:5648
- C:\Windows\xyphkbyundepjzjuzjlmd.exe
  xyphkbyundepjzjuzjlmd.exe
  2⤵
  PID:5320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iiyprhdyqffpixgqudee.exe
1⤵
PID:4340
- C:\Windows\iiyprhdyqffpixgqudee.exe
  iiyprhdyqffpixgqudee.exe
  2⤵
  PID:3128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iiyprhdyqffpixgqudee.exe .
1⤵
PID:4044
- C:\Windows\iiyprhdyqffpixgqudee.exe
  iiyprhdyqffpixgqudee.exe .
  2⤵
  PID:5672
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\iiyprhdyqffpixgqudee.exe*."
    3⤵
    PID:1516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xyphkbyundepjzjuzjlmd.exe
1⤵
PID:2320
- C:\Windows\xyphkbyundepjzjuzjlmd.exe
  xyphkbyundepjzjuzjlmd.exe
  2⤵
  PID:868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xyphkbyundepjzjuzjlmd.exe .
1⤵
PID:4560
- C:\Windows\xyphkbyundepjzjuzjlmd.exe
  xyphkbyundepjzjuzjlmd.exe .
  2⤵
  - Checks computer location settings
  PID:5416
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\xyphkbyundepjzjuzjlmd.exe*."
    3⤵
    PID:5916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uqcpnzriwhdjyjou.exe
1⤵
PID:3628
- C:\Windows\uqcpnzriwhdjyjou.exe
  uqcpnzriwhdjyjou.exe
  2⤵
  PID:3256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iiyprhdyqffpixgqudee.exe .
1⤵
PID:5064
- C:\Windows\iiyprhdyqffpixgqudee.exe
  iiyprhdyqffpixgqudee.exe .
  2⤵
  PID:5960
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\iiyprhdyqffpixgqudee.exe*."
    3⤵
    PID:2020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bylzylewlxubrdjqr.exe .
1⤵
PID:5792
- C:\Windows\bylzylewlxubrdjqr.exe
  bylzylewlxubrdjqr.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5468
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\bylzylewlxubrdjqr.exe*."
    3⤵
    PID:4848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iiyprhdyqffpixgqudee.exe
1⤵
PID:2152
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2132
- C:\Windows\iiyprhdyqffpixgqudee.exe
  iiyprhdyqffpixgqudee.exe
  2⤵
  PID:5156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe
1⤵
PID:5800
- C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe
  C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe
  2⤵
  PID:5628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kiwllztmcpnvmzgoqx.exe .
1⤵
PID:6016
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3584
- C:\Windows\kiwllztmcpnvmzgoqx.exe
  kiwllztmcpnvmzgoqx.exe .
  2⤵
  - Checks computer location settings
  PID:4432
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\kiwllztmcpnvmzgoqx.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iiyprhdyqffpixgqudee.exe
1⤵
PID:3988
- C:\Windows\iiyprhdyqffpixgqudee.exe
  iiyprhdyqffpixgqudee.exe
  2⤵
  PID:5924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bylzylewlxubrdjqr.exe .
1⤵
PID:1248
- C:\Users\Admin\AppData\Local\Temp\bylzylewlxubrdjqr.exe
  C:\Users\Admin\AppData\Local\Temp\bylzylewlxubrdjqr.exe .
  2⤵
  - Checks computer location settings
  PID:5920
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\bylzylewlxubrdjqr.exe*."
    3⤵
    PID:4580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe
1⤵
PID:3892
- C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe
  C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe
  2⤵
  PID:4364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bylzylewlxubrdjqr.exe .
1⤵
PID:4568
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2628
- C:\Windows\bylzylewlxubrdjqr.exe
  bylzylewlxubrdjqr.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5824
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\bylzylewlxubrdjqr.exe*."
    3⤵
    PID:1972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bylzylewlxubrdjqr.exe .
1⤵
PID:4060
- C:\Users\Admin\AppData\Local\Temp\bylzylewlxubrdjqr.exe
  C:\Users\Admin\AppData\Local\Temp\bylzylewlxubrdjqr.exe .
  2⤵
  PID:4992
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\bylzylewlxubrdjqr.exe*."
    3⤵
    PID:4384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe
1⤵
PID:5148
- C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe
  C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe
  2⤵
  PID:3984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe .
1⤵
PID:1900
- C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe
  C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5236
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\iiyprhdyqffpixgqudee.exe*."
    3⤵
    PID:5804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe
1⤵
PID:6076
- C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe
  C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe
  2⤵
  PID:3300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe
1⤵
PID:640
- C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe
  C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe
  2⤵
  PID:3612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe .
1⤵
PID:5844
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3392
- C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe
  C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1668
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\xyphkbyundepjzjuzjlmd.exe*."
    3⤵
    PID:3016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe .
1⤵
PID:4920
- C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe
  C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe .
  2⤵
  PID:6128
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\iiyprhdyqffpixgqudee.exe*."
    3⤵
    PID:5648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe
1⤵
PID:1484
- C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe
  C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe
  2⤵
  PID:1764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe .
1⤵
PID:392
- C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe
  C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5472
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\vujzapkevjirjxforzz.exe*."
    3⤵
    PID:4984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uqcpnzriwhdjyjou.exe
1⤵
PID:1848
- C:\Windows\uqcpnzriwhdjyjou.exe
  uqcpnzriwhdjyjou.exe
  2⤵
  PID:5492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kiwllztmcpnvmzgoqx.exe .
1⤵
PID:3492
- C:\Windows\kiwllztmcpnvmzgoqx.exe
  kiwllztmcpnvmzgoqx.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3548
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\kiwllztmcpnvmzgoqx.exe*."
    3⤵
    PID:4352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iiyprhdyqffpixgqudee.exe
1⤵
PID:3172
- C:\Windows\iiyprhdyqffpixgqudee.exe
  iiyprhdyqffpixgqudee.exe
  2⤵
  PID:960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uqcpnzriwhdjyjou.exe .
1⤵
PID:2956
- C:\Windows\uqcpnzriwhdjyjou.exe
  uqcpnzriwhdjyjou.exe .
  2⤵
  PID:1240
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\uqcpnzriwhdjyjou.exe*."
    3⤵
    PID:2416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe
1⤵
PID:3304
- C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe
  C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe
  2⤵
  PID:5956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe .
1⤵
PID:1640
- C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe
  C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe .
  2⤵
  - Checks computer location settings
  PID:4816
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\vujzapkevjirjxforzz.exe*."
    3⤵
    PID:3956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe
1⤵
PID:4688
- C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe
  C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe
  2⤵
  PID:4424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe .
1⤵
PID:1828
- C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe
  C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe .
  2⤵
  PID:812
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\kiwllztmcpnvmzgoqx.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bylzylewlxubrdjqr.exe
1⤵
PID:2892
- C:\Windows\bylzylewlxubrdjqr.exe
  bylzylewlxubrdjqr.exe
  2⤵
  PID:4428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iiyprhdyqffpixgqudee.exe .
1⤵
PID:2512
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2488
- C:\Windows\iiyprhdyqffpixgqudee.exe
  iiyprhdyqffpixgqudee.exe .
  2⤵
  - Checks computer location settings
  PID:2916
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\iiyprhdyqffpixgqudee.exe*."
    3⤵
    PID:5216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kiwllztmcpnvmzgoqx.exe
1⤵
PID:1248
- C:\Windows\kiwllztmcpnvmzgoqx.exe
  kiwllztmcpnvmzgoqx.exe
  2⤵
  PID:5472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kiwllztmcpnvmzgoqx.exe .
1⤵
PID:4396
- C:\Windows\kiwllztmcpnvmzgoqx.exe
  kiwllztmcpnvmzgoqx.exe .
  2⤵
  PID:2820
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\kiwllztmcpnvmzgoqx.exe*."
    3⤵
    PID:1528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe
1⤵
PID:2776
- C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe
  C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe
  2⤵
  PID:4732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe .
1⤵
PID:5496
- C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe
  C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3580
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\uqcpnzriwhdjyjou.exe*."
    3⤵
    PID:2604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe
1⤵
PID:2348
- C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe
  C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe
  2⤵
  PID:4824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe .
1⤵
PID:5492
- C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe
  C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe .
  2⤵
  - Checks computer location settings
  PID:2172
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\iiyprhdyqffpixgqudee.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kiwllztmcpnvmzgoqx.exe
1⤵
PID:4400
- C:\Windows\kiwllztmcpnvmzgoqx.exe
  kiwllztmcpnvmzgoqx.exe
  2⤵
  PID:5004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c lfslfapncqnvmzgoqx.exe
1⤵
PID:5968
- C:\Windows\lfslfapncqnvmzgoqx.exe
  lfslfapncqnvmzgoqx.exe
  2⤵
  PID:6084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xyphkbyundepjzjuzjlmd.exe .
1⤵
PID:6056
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3512
- C:\Windows\xyphkbyundepjzjuzjlmd.exe
  xyphkbyundepjzjuzjlmd.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2384
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\xyphkbyundepjzjuzjlmd.exe*."
    3⤵
    PID:5024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c lfslfapncqnvmzgoqx.exe .
1⤵
PID:1440
- C:\Windows\lfslfapncqnvmzgoqx.exe
  lfslfapncqnvmzgoqx.exe .
  2⤵
  PID:3456
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\lfslfapncqnvmzgoqx.exe*."
    3⤵
    PID:3956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xyphkbyundepjzjuzjlmd.exe
1⤵
PID:4412
- C:\Windows\xyphkbyundepjzjuzjlmd.exe
  xyphkbyundepjzjuzjlmd.exe
  2⤵
  PID:4636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cvhzsmaxlyubrdjqr.exe
1⤵
PID:852
- C:\Windows\cvhzsmaxlyubrdjqr.exe
  cvhzsmaxlyubrdjqr.exe
  2⤵
  PID:5040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iiyprhdyqffpixgqudee.exe .
1⤵
PID:1928
- C:\Windows\iiyprhdyqffpixgqudee.exe
  iiyprhdyqffpixgqudee.exe .
  2⤵
  PID:4848
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\iiyprhdyqffpixgqudee.exe*."
    3⤵
    PID:1924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bylzylewlxubrdjqr.exe
1⤵
PID:2956
- C:\Users\Admin\AppData\Local\Temp\bylzylewlxubrdjqr.exe
  C:\Users\Admin\AppData\Local\Temp\bylzylewlxubrdjqr.exe
  2⤵
  PID:5912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c lfslfapncqnvmzgoqx.exe .
1⤵
PID:2036
- C:\Windows\lfslfapncqnvmzgoqx.exe
  lfslfapncqnvmzgoqx.exe .
  2⤵
  PID:3952
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\lfslfapncqnvmzgoqx.exe*."
    3⤵
    PID:6028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe .
1⤵
PID:4324
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1232
- C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe
  C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe .
  2⤵
  PID:5824
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\xyphkbyundepjzjuzjlmd.exe*."
    3⤵
    PID:5236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe
1⤵
PID:2932
- C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe
  C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe
  2⤵
  PID:1892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jfuplizzqgfpixgqudfb.exe .
1⤵
PID:4632
- C:\Users\Admin\AppData\Local\Temp\jfuplizzqgfpixgqudfb.exe
  C:\Users\Admin\AppData\Local\Temp\jfuplizzqgfpixgqudfb.exe .
  2⤵
  PID:3904
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\jfuplizzqgfpixgqudfb.exe*."
    3⤵
    PID:2512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bylzylewlxubrdjqr.exe
1⤵
PID:3460
- C:\Users\Admin\AppData\Local\Temp\bylzylewlxubrdjqr.exe
  C:\Users\Admin\AppData\Local\Temp\bylzylewlxubrdjqr.exe
  2⤵
  PID:6076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jfuplizzqgfpixgqudfb.exe
1⤵
PID:2456
- C:\Users\Admin\AppData\Local\Temp\jfuplizzqgfpixgqudfb.exe
  C:\Users\Admin\AppData\Local\Temp\jfuplizzqgfpixgqudfb.exe
  2⤵
  PID:5532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe .
1⤵
PID:624
- C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe
  C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe .
  2⤵
  PID:5436
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\xyphkbyundepjzjuzjlmd.exe*."
    3⤵
    PID:4984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jfuplizzqgfpixgqudfb.exe .
1⤵
PID:1632
- C:\Users\Admin\AppData\Local\Temp\jfuplizzqgfpixgqudfb.exe
  C:\Users\Admin\AppData\Local\Temp\jfuplizzqgfpixgqudfb.exe .
  2⤵
  PID:5808
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\jfuplizzqgfpixgqudfb.exe*."
    3⤵
    PID:4552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xyphkbyundepjzjuzjlmd.exe
1⤵
PID:4488
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4568
- C:\Windows\xyphkbyundepjzjuzjlmd.exe
  xyphkbyundepjzjuzjlmd.exe
  2⤵
  PID:5396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xyphkbyundepjzjuzjlmd.exe .
1⤵
PID:6120
- C:\Windows\xyphkbyundepjzjuzjlmd.exe
  xyphkbyundepjzjuzjlmd.exe .
  2⤵
  PID:5496
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\xyphkbyundepjzjuzjlmd.exe*."
    3⤵
    PID:1764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bylzylewlxubrdjqr.exe
1⤵
PID:2756
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5308
- C:\Windows\bylzylewlxubrdjqr.exe
  bylzylewlxubrdjqr.exe
  2⤵
  PID:4048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xyphkbyundepjzjuzjlmd.exe .
1⤵
PID:2152
- C:\Windows\xyphkbyundepjzjuzjlmd.exe
  xyphkbyundepjzjuzjlmd.exe .
  2⤵
  PID:3672
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\xyphkbyundepjzjuzjlmd.exe*."
    3⤵
    PID:6084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe
1⤵
PID:5336
- C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe
  C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe
  2⤵
  PID:3376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe .
1⤵
PID:6092
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4852
- C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe
  C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe .
  2⤵
  PID:6088
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\uqcpnzriwhdjyjou.exe*."
    3⤵
    PID:4480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe
1⤵
PID:4836
- C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe
  C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe
  2⤵
  PID:4988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe .
1⤵
PID:1616
- C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe
  C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe .
  2⤵
  PID:5344
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\iiyprhdyqffpixgqudee.exe*."
    3⤵
    PID:2540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uqcpnzriwhdjyjou.exe
1⤵
PID:4188
- C:\Windows\uqcpnzriwhdjyjou.exe
  uqcpnzriwhdjyjou.exe
  2⤵
  PID:5576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bylzylewlxubrdjqr.exe .
1⤵
PID:3796
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2932
- C:\Windows\bylzylewlxubrdjqr.exe
  bylzylewlxubrdjqr.exe .
  2⤵
  PID:2960
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\bylzylewlxubrdjqr.exe*."
    3⤵
    PID:5624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vujzapkevjirjxforzz.exe
1⤵
PID:1940
- C:\Windows\vujzapkevjirjxforzz.exe
  vujzapkevjirjxforzz.exe
  2⤵
  PID:2344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bylzylewlxubrdjqr.exe .
1⤵
PID:5448
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4432
- C:\Windows\bylzylewlxubrdjqr.exe
  bylzylewlxubrdjqr.exe .
  2⤵
  PID:5908
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\bylzylewlxubrdjqr.exe*."
    3⤵
    PID:4748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe
1⤵
PID:2396
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1232
- C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe
  C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe
  2⤵
  PID:5500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe .
1⤵
PID:3888
- C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe
  C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe .
  2⤵
  PID:4376
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\xyphkbyundepjzjuzjlmd.exe*."
    3⤵
    PID:5128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe
1⤵
PID:6124
- C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe
  C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe
  2⤵
  PID:1936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe .
1⤵
PID:5844
- C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe
  C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe .
  2⤵
  PID:640
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\uqcpnzriwhdjyjou.exe*."
    3⤵
    PID:6032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vujzapkevjirjxforzz.exe
1⤵
PID:5396
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1136
- C:\Windows\vujzapkevjirjxforzz.exe
  vujzapkevjirjxforzz.exe
  2⤵
  PID:4488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kiwllztmcpnvmzgoqx.exe .
1⤵
PID:4340
- C:\Windows\kiwllztmcpnvmzgoqx.exe
  kiwllztmcpnvmzgoqx.exe .
  2⤵
  PID:2348
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\kiwllztmcpnvmzgoqx.exe*."
    3⤵
    PID:3580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uqcpnzriwhdjyjou.exe
1⤵
PID:2544
- C:\Windows\uqcpnzriwhdjyjou.exe
  uqcpnzriwhdjyjou.exe
  2⤵
  PID:5028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kiwllztmcpnvmzgoqx.exe .
1⤵
PID:2984
- C:\Windows\kiwllztmcpnvmzgoqx.exe
  kiwllztmcpnvmzgoqx.exe .
  2⤵
  PID:3532
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\kiwllztmcpnvmzgoqx.exe*."
    3⤵
    PID:4908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe
1⤵
PID:732
- C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe
  C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe
  2⤵
  PID:1868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe .
1⤵
PID:2460
- C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe
  C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe .
  2⤵
  PID:5416
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\xyphkbyundepjzjuzjlmd.exe*."
    3⤵
    PID:3492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe
1⤵
PID:696
- C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe
  C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe
  2⤵
  PID:3512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe .
1⤵
PID:6096
- C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe
  C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe .
  2⤵
  PID:4232
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\vujzapkevjirjxforzz.exe*."
    3⤵
    PID:3628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bylzylewlxubrdjqr.exe
1⤵
PID:2204
- C:\Windows\bylzylewlxubrdjqr.exe
  bylzylewlxubrdjqr.exe
  2⤵
  PID:5480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uqcpnzriwhdjyjou.exe
1⤵
PID:812
- C:\Windows\uqcpnzriwhdjyjou.exe
  uqcpnzriwhdjyjou.exe
  2⤵
  PID:5848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iiyprhdyqffpixgqudee.exe .
1⤵
PID:1440
- C:\Windows\iiyprhdyqffpixgqudee.exe
  iiyprhdyqffpixgqudee.exe .
  2⤵
  PID:3496
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\iiyprhdyqffpixgqudee.exe*."
    3⤵
    PID:4580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xyphkbyundepjzjuzjlmd.exe .
1⤵
PID:4540
- C:\Windows\xyphkbyundepjzjuzjlmd.exe
  xyphkbyundepjzjuzjlmd.exe .
  2⤵
  PID:5576
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\xyphkbyundepjzjuzjlmd.exe*."
    3⤵
    PID:2892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kiwllztmcpnvmzgoqx.exe
1⤵
PID:3864
- C:\Windows\kiwllztmcpnvmzgoqx.exe
  kiwllztmcpnvmzgoqx.exe
  2⤵
  PID:4464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bylzylewlxubrdjqr.exe
1⤵
PID:4652
- C:\Windows\bylzylewlxubrdjqr.exe
  bylzylewlxubrdjqr.exe
  2⤵
  PID:2220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kiwllztmcpnvmzgoqx.exe .
1⤵
PID:764
- C:\Windows\kiwllztmcpnvmzgoqx.exe
  kiwllztmcpnvmzgoqx.exe .
  2⤵
  PID:5472
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\kiwllztmcpnvmzgoqx.exe*."
    3⤵
    PID:2816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bylzylewlxubrdjqr.exe
1⤵
PID:4324
- C:\Windows\bylzylewlxubrdjqr.exe
  bylzylewlxubrdjqr.exe
  2⤵
  PID:2776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bylzylewlxubrdjqr.exe
1⤵
PID:4368
- C:\Users\Admin\AppData\Local\Temp\bylzylewlxubrdjqr.exe
  C:\Users\Admin\AppData\Local\Temp\bylzylewlxubrdjqr.exe
  2⤵
  PID:1224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kiwllztmcpnvmzgoqx.exe .
1⤵
PID:3720
- C:\Windows\kiwllztmcpnvmzgoqx.exe
  kiwllztmcpnvmzgoqx.exe .
  2⤵
  PID:5292
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\kiwllztmcpnvmzgoqx.exe*."
    3⤵
    PID:5900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kiwllztmcpnvmzgoqx.exe .
1⤵
PID:2760
- C:\Windows\kiwllztmcpnvmzgoqx.exe
  kiwllztmcpnvmzgoqx.exe .
  2⤵
  PID:368
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\kiwllztmcpnvmzgoqx.exe*."
    3⤵
    PID:1868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe .
1⤵
PID:4196
- C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe
  C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe .
  2⤵
  PID:4188
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\vujzapkevjirjxforzz.exe*."
    3⤵
    PID:4672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe
1⤵
PID:5608
- C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe
  C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe
  2⤵
  PID:652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe .
1⤵
PID:4760
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4664
- C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe
  C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe .
  2⤵
  PID:3564
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\xyphkbyundepjzjuzjlmd.exe*."
    3⤵
    PID:668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iiyprhdyqffpixgqudee.exe
1⤵
PID:1528
- C:\Windows\iiyprhdyqffpixgqudee.exe
  iiyprhdyqffpixgqudee.exe
  2⤵
  PID:4340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iiyprhdyqffpixgqudee.exe .
1⤵
PID:4568
- C:\Windows\iiyprhdyqffpixgqudee.exe
  iiyprhdyqffpixgqudee.exe .
  2⤵
  PID:868
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\iiyprhdyqffpixgqudee.exe*."
    3⤵
    PID:3512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bylzylewlxubrdjqr.exe
1⤵
PID:6080
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:6128
- C:\Users\Admin\AppData\Local\Temp\bylzylewlxubrdjqr.exe
  C:\Users\Admin\AppData\Local\Temp\bylzylewlxubrdjqr.exe
  2⤵
  PID:4884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe
1⤵
PID:5032
- C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe
  C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe
  2⤵
  PID:4120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe
1⤵
PID:1516
- C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe
  C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe
  2⤵
  PID:4044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe .
1⤵
PID:6084
- C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe
  C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe .
  2⤵
  PID:3172
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\xyphkbyundepjzjuzjlmd.exe*."
    3⤵
    PID:5828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe .
1⤵
PID:2844
- C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe
  C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe .
  2⤵
  PID:6032
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\xyphkbyundepjzjuzjlmd.exe*."
    3⤵
    PID:4448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe .
1⤵
PID:5080
- C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe
  C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe .
  2⤵
  PID:5612
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\kiwllztmcpnvmzgoqx.exe*."
    3⤵
    PID:4904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe
1⤵
PID:4232
- C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe
  C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe
  2⤵
  PID:4944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bylzylewlxubrdjqr.exe .
1⤵
PID:5048
- C:\Users\Admin\AppData\Local\Temp\bylzylewlxubrdjqr.exe
  C:\Users\Admin\AppData\Local\Temp\bylzylewlxubrdjqr.exe .
  2⤵
  PID:1128
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\bylzylewlxubrdjqr.exe*."
    3⤵
    PID:2356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iiyprhdyqffpixgqudee.exe
1⤵
PID:4472
- C:\Windows\iiyprhdyqffpixgqudee.exe
  iiyprhdyqffpixgqudee.exe
  2⤵
  PID:1488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kiwllztmcpnvmzgoqx.exe .
1⤵
PID:4748
- C:\Windows\kiwllztmcpnvmzgoqx.exe
  kiwllztmcpnvmzgoqx.exe .
  2⤵
  PID:324
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\kiwllztmcpnvmzgoqx.exe*."
    3⤵
    PID:4820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xyphkbyundepjzjuzjlmd.exe
1⤵
PID:1564
- C:\Windows\xyphkbyundepjzjuzjlmd.exe
  xyphkbyundepjzjuzjlmd.exe
  2⤵
  PID:5988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uqcpnzriwhdjyjou.exe .
1⤵
PID:2996
- C:\Windows\uqcpnzriwhdjyjou.exe
  uqcpnzriwhdjyjou.exe .
  2⤵
  PID:5824
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\uqcpnzriwhdjyjou.exe*."
    3⤵
    PID:5808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe
1⤵
PID:4780
- C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe
  C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe
  2⤵
  PID:652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe .
1⤵
PID:4244
- C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe
  C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe .
  2⤵
  PID:3392
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\xyphkbyundepjzjuzjlmd.exe*."
    3⤵
    PID:6124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe
1⤵
PID:2152
- C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe
  C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe
  2⤵
  PID:2680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe .
1⤵
PID:4612
- C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe
  C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe .
  2⤵
  PID:6056
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\iiyprhdyqffpixgqudee.exe*."
    3⤵
    PID:696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iiyprhdyqffpixgqudee.exe
1⤵
PID:1244
- C:\Windows\iiyprhdyqffpixgqudee.exe
  iiyprhdyqffpixgqudee.exe
  2⤵
  PID:4568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bylzylewlxubrdjqr.exe .
1⤵
PID:5580
- C:\Windows\bylzylewlxubrdjqr.exe
  bylzylewlxubrdjqr.exe .
  2⤵
  PID:4644
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\bylzylewlxubrdjqr.exe*."
    3⤵
    PID:5480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xyphkbyundepjzjuzjlmd.exe
1⤵
PID:4904
- C:\Windows\xyphkbyundepjzjuzjlmd.exe
  xyphkbyundepjzjuzjlmd.exe
  2⤵
  PID:5568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bylzylewlxubrdjqr.exe .
1⤵
PID:4448
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4988
- C:\Windows\bylzylewlxubrdjqr.exe
  bylzylewlxubrdjqr.exe .
  2⤵
  PID:5464
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\bylzylewlxubrdjqr.exe*."
    3⤵
    PID:3256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe
1⤵
PID:3492
- C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe
  C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe
  2⤵
  PID:2984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe .
1⤵
PID:6120
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3568
- C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe
  C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe .
  2⤵
  PID:3548
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\xyphkbyundepjzjuzjlmd.exe*."
    3⤵
    PID:5364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe
1⤵
PID:4408
- C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe
  C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe
  2⤵
  PID:4580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe .
1⤵
PID:812
- C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe
  C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe .
  2⤵
  PID:852
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\uqcpnzriwhdjyjou.exe*."
    3⤵
    PID:6100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iiyprhdyqffpixgqudee.exe
1⤵
PID:4556
- C:\Windows\iiyprhdyqffpixgqudee.exe
  iiyprhdyqffpixgqudee.exe
  2⤵
  PID:4460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cvhzsmaxlyubrdjqr.exe
1⤵
PID:2316
- C:\Windows\cvhzsmaxlyubrdjqr.exe
  cvhzsmaxlyubrdjqr.exe
  2⤵
  PID:1488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bylzylewlxubrdjqr.exe .
1⤵
PID:3096
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1344
- C:\Windows\bylzylewlxubrdjqr.exe
  bylzylewlxubrdjqr.exe .
  2⤵
  PID:3252
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\bylzylewlxubrdjqr.exe*."
    3⤵
    PID:424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cvhzsmaxlyubrdjqr.exe .
1⤵
PID:316
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5812
- C:\Windows\cvhzsmaxlyubrdjqr.exe
  cvhzsmaxlyubrdjqr.exe .
  2⤵
  PID:1668
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\cvhzsmaxlyubrdjqr.exe*."
    3⤵
    PID:4648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kiwllztmcpnvmzgoqx.exe
1⤵
PID:808
- C:\Windows\kiwllztmcpnvmzgoqx.exe
  kiwllztmcpnvmzgoqx.exe
  2⤵
  PID:5900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cvhzsmaxlyubrdjqr.exe
1⤵
PID:652
- C:\Windows\cvhzsmaxlyubrdjqr.exe
  cvhzsmaxlyubrdjqr.exe
  2⤵
  PID:2544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vujzapkevjirjxforzz.exe .
1⤵
PID:864
- C:\Windows\vujzapkevjirjxforzz.exe
  vujzapkevjirjxforzz.exe .
  2⤵
  PID:5472
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\vujzapkevjirjxforzz.exe*."
    3⤵
    PID:1672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jfuplizzqgfpixgqudfb.exe .
1⤵
PID:2384
- C:\Windows\jfuplizzqgfpixgqudfb.exe
  jfuplizzqgfpixgqudfb.exe .
  2⤵
  PID:4144
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\jfuplizzqgfpixgqudfb.exe*."
    3⤵
    PID:4048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe
1⤵
PID:1960
- C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe
  C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe
  2⤵
  PID:3564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jfuplizzqgfpixgqudfb.exe
1⤵
PID:4124
- C:\Users\Admin\AppData\Local\Temp\jfuplizzqgfpixgqudfb.exe
  C:\Users\Admin\AppData\Local\Temp\jfuplizzqgfpixgqudfb.exe
  2⤵
  PID:4828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe .
1⤵
PID:3392
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4824
- C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe
  C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe .
  2⤵
  PID:5252
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\xyphkbyundepjzjuzjlmd.exe*."
    3⤵
    PID:1616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe .
1⤵
PID:216
- C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe
  C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe .
  2⤵
  PID:3388
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\vnyphanjwidjyjou.exe*."
    3⤵
    PID:5480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bylzylewlxubrdjqr.exe
1⤵
PID:3824
- C:\Users\Admin\AppData\Local\Temp\bylzylewlxubrdjqr.exe
  C:\Users\Admin\AppData\Local\Temp\bylzylewlxubrdjqr.exe
  2⤵
  PID:5848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wrfzuqgfvkirjxforza.exe
1⤵
PID:3436
- C:\Users\Admin\AppData\Local\Temp\wrfzuqgfvkirjxforza.exe
  C:\Users\Admin\AppData\Local\Temp\wrfzuqgfvkirjxforza.exe
  2⤵
  PID:2652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bylzylewlxubrdjqr.exe .
1⤵
PID:1912
- C:\Users\Admin\AppData\Local\Temp\bylzylewlxubrdjqr.exe
  C:\Users\Admin\AppData\Local\Temp\bylzylewlxubrdjqr.exe .
  2⤵
  PID:3172
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\bylzylewlxubrdjqr.exe*."
    3⤵
    PID:1984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfslfapncqnvmzgoqx.exe .
1⤵
PID:1516
- C:\Users\Admin\AppData\Local\Temp\lfslfapncqnvmzgoqx.exe
  C:\Users\Admin\AppData\Local\Temp\lfslfapncqnvmzgoqx.exe .
  2⤵
  PID:5176
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\lfslfapncqnvmzgoqx.exe*."
    3⤵
    PID:6092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kiwllztmcpnvmzgoqx.exe
1⤵
PID:5996
- C:\Windows\kiwllztmcpnvmzgoqx.exe
  kiwllztmcpnvmzgoqx.exe
  2⤵
  PID:1892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iiyprhdyqffpixgqudee.exe .
1⤵
PID:3628
- C:\Windows\iiyprhdyqffpixgqudee.exe
  iiyprhdyqffpixgqudee.exe .
  2⤵
  PID:748
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\iiyprhdyqffpixgqudee.exe*."
    3⤵
    PID:2932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xyphkbyundepjzjuzjlmd.exe
1⤵
PID:4044
- C:\Windows\xyphkbyundepjzjuzjlmd.exe
  xyphkbyundepjzjuzjlmd.exe
  2⤵
  PID:2820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bylzylewlxubrdjqr.exe .
1⤵
PID:544
- C:\Windows\bylzylewlxubrdjqr.exe
  bylzylewlxubrdjqr.exe .
  2⤵
  PID:5156
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\bylzylewlxubrdjqr.exe*."
    3⤵
    PID:3328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe
1⤵
PID:5536
- C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe
  C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe
  2⤵
  PID:5560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe .
1⤵
PID:3080
- C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe
  C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe .
  2⤵
  PID:1824
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\kiwllztmcpnvmzgoqx.exe*."
    3⤵
    PID:1488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe
1⤵
PID:5436
- C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe
  C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe
  2⤵
  PID:512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe .
1⤵
PID:424
- C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe
  C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe .
  2⤵
  PID:4380
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\kiwllztmcpnvmzgoqx.exe*."
    3⤵
    PID:5752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uqcpnzriwhdjyjou.exe
1⤵
PID:2940
- C:\Windows\uqcpnzriwhdjyjou.exe
  uqcpnzriwhdjyjou.exe
  2⤵
  PID:2404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vujzapkevjirjxforzz.exe .
1⤵
PID:652
- C:\Windows\vujzapkevjirjxforzz.exe
  vujzapkevjirjxforzz.exe .
  2⤵
  PID:5040
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\vujzapkevjirjxforzz.exe*."
    3⤵
    PID:116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xyphkbyundepjzjuzjlmd.exe
1⤵
PID:4796
- C:\Windows\xyphkbyundepjzjuzjlmd.exe
  xyphkbyundepjzjuzjlmd.exe
  2⤵
  PID:4732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iiyprhdyqffpixgqudee.exe .
1⤵
PID:4372
- C:\Windows\iiyprhdyqffpixgqudee.exe
  iiyprhdyqffpixgqudee.exe .
  2⤵
  PID:1988
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\iiyprhdyqffpixgqudee.exe*."
    3⤵
    PID:5608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe
1⤵
PID:1624
- C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe
  C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe
  2⤵
  PID:764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe .
1⤵
PID:5320
- C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe
  C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe .
  2⤵
  PID:4480
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\vujzapkevjirjxforzz.exe*."
    3⤵
    PID:528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe
1⤵
PID:5468
- C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe
  C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe
  2⤵
  PID:4728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe .
1⤵
PID:2020
- C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe
  C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe .
  2⤵
  PID:5892
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\kiwllztmcpnvmzgoqx.exe*."
    3⤵
    PID:464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kiwllztmcpnvmzgoqx.exe
1⤵
PID:2756
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3464
- C:\Windows\kiwllztmcpnvmzgoqx.exe
  kiwllztmcpnvmzgoqx.exe
  2⤵
  PID:3376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iiyprhdyqffpixgqudee.exe .
1⤵
PID:4528
- C:\Windows\iiyprhdyqffpixgqudee.exe
  iiyprhdyqffpixgqudee.exe .
  2⤵
  PID:1132
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\iiyprhdyqffpixgqudee.exe*."
    3⤵
    PID:4412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uqcpnzriwhdjyjou.exe
1⤵
PID:372
- C:\Windows\uqcpnzriwhdjyjou.exe
  uqcpnzriwhdjyjou.exe
  2⤵
  PID:4836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kiwllztmcpnvmzgoqx.exe .
1⤵
PID:4220
- C:\Windows\kiwllztmcpnvmzgoqx.exe
  kiwllztmcpnvmzgoqx.exe .
  2⤵
  PID:6136
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\kiwllztmcpnvmzgoqx.exe*."
    3⤵
    PID:2872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe
1⤵
PID:5996
- C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe
  C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe
  2⤵
  PID:2360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe .
1⤵
PID:3088
- C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe
  C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe .
  2⤵
  PID:5728
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\uqcpnzriwhdjyjou.exe*."
    3⤵
    PID:4952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe
1⤵
PID:4044
- C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe
  C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe
  2⤵
  PID:4848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe .
1⤵
PID:5156
- C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe
  C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe .
  2⤵
  PID:4352
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\vujzapkevjirjxforzz.exe*."
    3⤵
    PID:4688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kiwllztmcpnvmzgoqx.exe
1⤵
PID:5200
- C:\Windows\kiwllztmcpnvmzgoqx.exe
  kiwllztmcpnvmzgoqx.exe
  2⤵
  PID:5940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bylzylewlxubrdjqr.exe
1⤵
PID:4428
- C:\Windows\bylzylewlxubrdjqr.exe
  bylzylewlxubrdjqr.exe
  2⤵
  PID:5800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bylzylewlxubrdjqr.exe .
1⤵
PID:1440
- C:\Windows\bylzylewlxubrdjqr.exe
  bylzylewlxubrdjqr.exe .
  2⤵
  PID:3908
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\bylzylewlxubrdjqr.exe*."
    3⤵
    PID:3564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kiwllztmcpnvmzgoqx.exe .
1⤵
PID:4208
- C:\Windows\kiwllztmcpnvmzgoqx.exe
  kiwllztmcpnvmzgoqx.exe .
  2⤵
  PID:6028
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\kiwllztmcpnvmzgoqx.exe*."
    3⤵
    PID:5332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iiyprhdyqffpixgqudee.exe
1⤵
PID:2184
- C:\Windows\iiyprhdyqffpixgqudee.exe
  iiyprhdyqffpixgqudee.exe
  2⤵
  PID:1624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vujzapkevjirjxforzz.exe
1⤵
PID:1948
- C:\Windows\vujzapkevjirjxforzz.exe
  vujzapkevjirjxforzz.exe
  2⤵
  PID:3888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xyphkbyundepjzjuzjlmd.exe .
1⤵
PID:5304
- C:\Windows\xyphkbyundepjzjuzjlmd.exe
  xyphkbyundepjzjuzjlmd.exe .
  2⤵
  PID:3128
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\xyphkbyundepjzjuzjlmd.exe*."
    3⤵
    PID:6092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iiyprhdyqffpixgqudee.exe
1⤵
PID:4244
- C:\Windows\iiyprhdyqffpixgqudee.exe
  iiyprhdyqffpixgqudee.exe
  2⤵
  PID:4232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xyphkbyundepjzjuzjlmd.exe .
1⤵
PID:4552
- C:\Windows\xyphkbyundepjzjuzjlmd.exe
  xyphkbyundepjzjuzjlmd.exe .
  2⤵
  PID:6040
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\xyphkbyundepjzjuzjlmd.exe*."
    3⤵
    PID:5172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe
1⤵
PID:5500
- C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe
  C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe
  2⤵
  PID:668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe
1⤵
PID:5964
- C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe
  C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe
  2⤵
  PID:5912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xyphkbyundepjzjuzjlmd.exe .
1⤵
PID:5496
- C:\Windows\xyphkbyundepjzjuzjlmd.exe
  xyphkbyundepjzjuzjlmd.exe .
  2⤵
  PID:1296
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\xyphkbyundepjzjuzjlmd.exe*."
    3⤵
    PID:664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe .
1⤵
PID:2608
- C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe
  C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe .
  2⤵
  PID:5960
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\kiwllztmcpnvmzgoqx.exe*."
    3⤵
    PID:2368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe .
1⤵
PID:4812
- C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe
  C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe .
  2⤵
  PID:4720
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\iiyprhdyqffpixgqudee.exe*."
    3⤵
    PID:2820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xyphkbyundepjzjuzjlmd.exe
1⤵
PID:5124
- C:\Windows\xyphkbyundepjzjuzjlmd.exe
  xyphkbyundepjzjuzjlmd.exe
  2⤵
  PID:3496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uqcpnzriwhdjyjou.exe .
1⤵
PID:4804
- C:\Windows\uqcpnzriwhdjyjou.exe
  uqcpnzriwhdjyjou.exe .
  2⤵
  PID:4220
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\uqcpnzriwhdjyjou.exe*."
    3⤵
    PID:4860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe
1⤵
PID:5784
- C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe
  C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe
  2⤵
  PID:5904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe .
1⤵
PID:5208
- C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe
  C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe .
  2⤵
  PID:1236
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\vujzapkevjirjxforzz.exe*."
    3⤵
    PID:5448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bylzylewlxubrdjqr.exe
1⤵
PID:5468
- C:\Users\Admin\AppData\Local\Temp\bylzylewlxubrdjqr.exe
  C:\Users\Admin\AppData\Local\Temp\bylzylewlxubrdjqr.exe
  2⤵
  PID:5668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe
1⤵
PID:4644
- C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe
  C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe
  2⤵
  PID:4044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe .
1⤵
PID:4524
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2488
- C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe
  C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe .
  2⤵
  PID:4632
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\iiyprhdyqffpixgqudee.exe*."
    3⤵
    PID:5360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe .
1⤵
PID:2756
- C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe
  C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe .
  2⤵
  PID:6120
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\uqcpnzriwhdjyjou.exe*."
    3⤵
    PID:1640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe
1⤵
PID:5828
- C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe
  C:\Users\Admin\AppData\Local\Temp\vujzapkevjirjxforzz.exe
  2⤵
  PID:1244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe .
1⤵
PID:5032
- C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe
  C:\Users\Admin\AppData\Local\Temp\xyphkbyundepjzjuzjlmd.exe .
  2⤵
  PID:5292
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\xyphkbyundepjzjuzjlmd.exe*."
    3⤵
    PID:3856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uqcpnzriwhdjyjou.exe
1⤵
PID:5480
- C:\Windows\uqcpnzriwhdjyjou.exe
  uqcpnzriwhdjyjou.exe
  2⤵
  PID:1348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xyphkbyundepjzjuzjlmd.exe .
1⤵
PID:4772
- C:\Windows\xyphkbyundepjzjuzjlmd.exe
  xyphkbyundepjzjuzjlmd.exe .
  2⤵
  PID:1532
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\xyphkbyundepjzjuzjlmd.exe*."
    3⤵
    PID:4796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bylzylewlxubrdjqr.exe
1⤵
PID:4208
- C:\Windows\bylzylewlxubrdjqr.exe
  bylzylewlxubrdjqr.exe
  2⤵
  PID:1440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bylzylewlxubrdjqr.exe .
1⤵
PID:392
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1928
- C:\Windows\bylzylewlxubrdjqr.exe
  bylzylewlxubrdjqr.exe .
  2⤵
  PID:1988
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\bylzylewlxubrdjqr.exe*."
    3⤵
    PID:3172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe
1⤵
PID:1704
- C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe
  C:\Users\Admin\AppData\Local\Temp\uqcpnzriwhdjyjou.exe
  2⤵
  PID:2620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe .
1⤵
PID:4324
- C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe
  C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe .
  2⤵
  PID:5064
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\iiyprhdyqffpixgqudee.exe*."
    3⤵
    PID:5116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe
1⤵
PID:2924
- C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe
  C:\Users\Admin\AppData\Local\Temp\iiyprhdyqffpixgqudee.exe
  2⤵
  PID:864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe .
1⤵
PID:1932
- C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe
  C:\Users\Admin\AppData\Local\Temp\kiwllztmcpnvmzgoqx.exe .
  2⤵
  PID:4856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Safe Mode Boot

T1562.009

Modify Registry