pykspa | 65b601671c4c680e383f5e60fd19be09d33361d5ebdf78040e822a2999f0cf06

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	hmwbkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	hmwbkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe

Pykspa
Pykspa is a worm spreads via Skype uses DGA and it's written in C++.
worm pykspa
Pykspa family
pykspa

UAC bypass 3 TTPs 36 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	hmwbkn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	hmwbkn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	hmwbkn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	hmwbkn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hmwbkn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hmwbkn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	hmwbkn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	hmwbkn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe

Detect Pykspa worm 2 IoCs

worm

resource	yara_rule
behavioral2/files/0x0006000000021e21-4.dat	family_pykspa
behavioral2/files/0x0007000000024248-80.dat	family_pykspa

Adds policy Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ocvjbnhvdwothrv = "wqpjhzzthgepjzjuzjked.exe"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	hmwbkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ocvjbnhvdwothrv = "aqlbvjfvfaubrdjqr.exe"	hmwbkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lwmxmvmxcshj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ticrkxshqkdjyjou.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ocvjbnhvdwothrv = "wqpjhzzthgepjzjuzjked.exe"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lwmxmvmxcshj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ticrkxshqkdjyjou.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lwmxmvmxcshj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hayrofexkifpixgquddw.exe"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ocvjbnhvdwothrv = "ticrkxshqkdjyjou.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lwmxmvmxcshj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jawnixulwsnvmzgoqx.exe"	hmwbkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ocvjbnhvdwothrv = "aqlbvjfvfaubrdjqr.exe"	hmwbkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ocvjbnhvdwothrv = "umjbxnldpmirjxforzy.exe"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lvyhrchv = "wrfzuqgfvkirjxforza.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lwmxmvmxcshj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\umjbxnldpmirjxforzy.exe"	hmwbkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ocvjbnhvdwothrv = "ticrkxshqkdjyjou.exe"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ocvjbnhvdwothrv = "hayrofexkifpixgquddw.exe"	hmwbkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lwmxmvmxcshj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqlbvjfvfaubrdjqr.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lwmxmvmxcshj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\umjbxnldpmirjxforzy.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ocvjbnhvdwothrv = "ticrkxshqkdjyjou.exe"	hmwbkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lwmxmvmxcshj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\umjbxnldpmirjxforzy.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ocvjbnhvdwothrv = "hayrofexkifpixgquddw.exe"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lvyhrchv = "lfslfapncqnvmzgoqx.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lwmxmvmxcshj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\umjbxnldpmirjxforzy.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lwmxmvmxcshj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqlbvjfvfaubrdjqr.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ocvjbnhvdwothrv = "aqlbvjfvfaubrdjqr.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ocvjbnhvdwothrv = "hayrofexkifpixgquddw.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lwmxmvmxcshj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\umjbxnldpmirjxforzy.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ocvjbnhvdwothrv = "wqpjhzzthgepjzjuzjked.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ocvjbnhvdwothrv = "umjbxnldpmirjxforzy.exe"	hmwbkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lwmxmvmxcshj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hayrofexkifpixgquddw.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ocvjbnhvdwothrv = "jawnixulwsnvmzgoqx.exe"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lwmxmvmxcshj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wqpjhzzthgepjzjuzjked.exe"	hmwbkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ocvjbnhvdwothrv = "umjbxnldpmirjxforzy.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ocvjbnhvdwothrv = "wqpjhzzthgepjzjuzjked.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lwmxmvmxcshj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\umjbxnldpmirjxforzy.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lwmxmvmxcshj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hayrofexkifpixgquddw.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lwmxmvmxcshj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wqpjhzzthgepjzjuzjked.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ocvjbnhvdwothrv = "wqpjhzzthgepjzjuzjked.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lwmxmvmxcshj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ticrkxshqkdjyjou.exe"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lwmxmvmxcshj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ticrkxshqkdjyjou.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lwmxmvmxcshj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\umjbxnldpmirjxforzy.exe"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lwmxmvmxcshj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hayrofexkifpixgquddw.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ocvjbnhvdwothrv = "hayrofexkifpixgquddw.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ocvjbnhvdwothrv = "aqlbvjfvfaubrdjqr.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lwmxmvmxcshj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jawnixulwsnvmzgoqx.exe"	hmwbkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ocvjbnhvdwothrv = "wqpjhzzthgepjzjuzjked.exe"	uvfllmhhefp.exe

Disables RegEdit via registry modification 8 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	hmwbkn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	hmwbkn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	hmwbkn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	hmwbkn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	uvfllmhhefp.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	jawnixulwsnvmzgoqx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	hayrofexkifpixgquddw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	hayrofexkifpixgquddw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	wqpjhzzthgepjzjuzjked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	hayrofexkifpixgquddw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	ticrkxshqkdjyjou.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	ticrkxshqkdjyjou.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	wqpjhzzthgepjzjuzjked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	wqpjhzzthgepjzjuzjked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	wqpjhzzthgepjzjuzjked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	hayrofexkifpixgquddw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	wqpjhzzthgepjzjuzjked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	ticrkxshqkdjyjou.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	hayrofexkifpixgquddw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	ticrkxshqkdjyjou.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	umjbxnldpmirjxforzy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	aqlbvjfvfaubrdjqr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	ticrkxshqkdjyjou.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	aqlbvjfvfaubrdjqr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	wqpjhzzthgepjzjuzjked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	umjbxnldpmirjxforzy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	hayrofexkifpixgquddw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	hayrofexkifpixgquddw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	ticrkxshqkdjyjou.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	ticrkxshqkdjyjou.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	hayrofexkifpixgquddw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	aqlbvjfvfaubrdjqr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	wqpjhzzthgepjzjuzjked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	wqpjhzzthgepjzjuzjked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	umjbxnldpmirjxforzy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	jawnixulwsnvmzgoqx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	jawnixulwsnvmzgoqx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	aqlbvjfvfaubrdjqr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	umjbxnldpmirjxforzy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	wqpjhzzthgepjzjuzjked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	umjbxnldpmirjxforzy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	umjbxnldpmirjxforzy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	wqpjhzzthgepjzjuzjked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	jawnixulwsnvmzgoqx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	ticrkxshqkdjyjou.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	ticrkxshqkdjyjou.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	umjbxnldpmirjxforzy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	wqpjhzzthgepjzjuzjked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	hayrofexkifpixgquddw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	ticrkxshqkdjyjou.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	hayrofexkifpixgquddw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	aqlbvjfvfaubrdjqr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	hayrofexkifpixgquddw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	umjbxnldpmirjxforzy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	wqpjhzzthgepjzjuzjked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	umjbxnldpmirjxforzy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	wqpjhzzthgepjzjuzjked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	aqlbvjfvfaubrdjqr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	wqpjhzzthgepjzjuzjked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	hayrofexkifpixgquddw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	hayrofexkifpixgquddw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	ticrkxshqkdjyjou.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	wqpjhzzthgepjzjuzjked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	hayrofexkifpixgquddw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	ticrkxshqkdjyjou.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	hayrofexkifpixgquddw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	wqpjhzzthgepjzjuzjked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	jawnixulwsnvmzgoqx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	ticrkxshqkdjyjou.exe

Executes dropped EXE 64 IoCs

pid	Process
3692	uvfllmhhefp.exe
4576	ticrkxshqkdjyjou.exe
4936	ticrkxshqkdjyjou.exe
5984	uvfllmhhefp.exe
5744	aqlbvjfvfaubrdjqr.exe
4788	aqlbvjfvfaubrdjqr.exe
5452	hayrofexkifpixgquddw.exe
3108	uvfllmhhefp.exe
6140	wqpjhzzthgepjzjuzjked.exe
5076	uvfllmhhefp.exe
2052	ticrkxshqkdjyjou.exe
5032	hayrofexkifpixgquddw.exe
208	uvfllmhhefp.exe
1576	hmwbkn.exe
4296	hmwbkn.exe
552	jawnixulwsnvmzgoqx.exe
5376	jawnixulwsnvmzgoqx.exe
1108	jawnixulwsnvmzgoqx.exe
3908	jawnixulwsnvmzgoqx.exe
972	uvfllmhhefp.exe
2072	jawnixulwsnvmzgoqx.exe
5792	uvfllmhhefp.exe
5044	hayrofexkifpixgquddw.exe
2288	wqpjhzzthgepjzjuzjked.exe
3508	ticrkxshqkdjyjou.exe
5464	umjbxnldpmirjxforzy.exe
2104	wqpjhzzthgepjzjuzjked.exe
4456	aqlbvjfvfaubrdjqr.exe
3440	uvfllmhhefp.exe
4876	uvfllmhhefp.exe
3996	uvfllmhhefp.exe
2004	ticrkxshqkdjyjou.exe
5292	hayrofexkifpixgquddw.exe
1768	jawnixulwsnvmzgoqx.exe
4732	hayrofexkifpixgquddw.exe
4932	uvfllmhhefp.exe
4516	uvfllmhhefp.exe
4544	uvfllmhhefp.exe
3576	jawnixulwsnvmzgoqx.exe
5456	wqpjhzzthgepjzjuzjked.exe
6084	ticrkxshqkdjyjou.exe
5404	uvfllmhhefp.exe
1188	jawnixulwsnvmzgoqx.exe
4404	ticrkxshqkdjyjou.exe
4928	hayrofexkifpixgquddw.exe
4184	uvfllmhhefp.exe
552	wqpjhzzthgepjzjuzjked.exe
1796	uvfllmhhefp.exe
4748	umjbxnldpmirjxforzy.exe
1108	ticrkxshqkdjyjou.exe
5892	uvfllmhhefp.exe
4948	ticrkxshqkdjyjou.exe
2444	aqlbvjfvfaubrdjqr.exe
4340	uvfllmhhefp.exe
5780	umjbxnldpmirjxforzy.exe
5876	jawnixulwsnvmzgoqx.exe
3472	aqlbvjfvfaubrdjqr.exe
5692	hayrofexkifpixgquddw.exe
4160	aqlbvjfvfaubrdjqr.exe
4364	ticrkxshqkdjyjou.exe
2456	aqlbvjfvfaubrdjqr.exe
4900	hayrofexkifpixgquddw.exe
2324	uvfllmhhefp.exe
4812	aqlbvjfvfaubrdjqr.exe

Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	hmwbkn.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	hmwbkn.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	hmwbkn.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	hmwbkn.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	hmwbkn.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	hmwbkn.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

defense_evasion persistence privilege_escalation

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kwnzpzrdjaqtf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\umjbxnldpmirjxforzy.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\aqlbvjfvfaubrdjqr = "ticrkxshqkdjyjou.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\umjbxnldpmirjxforzy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hayrofexkifpixgquddw.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jawnixulwsnvmzgoqx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hayrofexkifpixgquddw.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kwnzpzrdjaqtf = "jawnixulwsnvmzgoqx.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wfhpyim = "wrfzuqgfvkirjxforza.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cnrbmyetz = "yvlhecuvneepjzjuzjmjz.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\aqlbvjfvfaubrdjqr = "ticrkxshqkdjyjou.exe ."	hmwbkn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kwnzpzrdjaqtf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ticrkxshqkdjyjou.exe"	hmwbkn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lyqdufylskbfsb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wqpjhzzthgepjzjuzjked.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\umjbxnldpmirjxforzy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jawnixulwsnvmzgoqx.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lyqdufylskbfsb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ticrkxshqkdjyjou.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kwnzpzrdjaqtf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wqpjhzzthgepjzjuzjked.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ticrkxshqkdjyjou = "hayrofexkifpixgquddw.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\aqlbvjfvfaubrdjqr = "aqlbvjfvfaubrdjqr.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\umjbxnldpmirjxforzy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\umjbxnldpmirjxforzy.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jrszhq = "wrfzuqgfvkirjxforza.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qdjviwevdka = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lfslfapncqnvmzgoqx.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\aqlbvjfvfaubrdjqr = "ticrkxshqkdjyjou.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kwnzpzrdjaqtf = "ticrkxshqkdjyjou.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\aqlbvjfvfaubrdjqr = "ticrkxshqkdjyjou.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lyqdufylskbfsb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ticrkxshqkdjyjou.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jawnixulwsnvmzgoqx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\umjbxnldpmirjxforzy.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kwnzpzrdjaqtf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ticrkxshqkdjyjou.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kwnzpzrdjaqtf = "hayrofexkifpixgquddw.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lyqdufylskbfsb = "jawnixulwsnvmzgoqx.exe ."	hmwbkn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lyqdufylskbfsb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hayrofexkifpixgquddw.exe ."	hmwbkn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lyqdufylskbfsb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\umjbxnldpmirjxforzy.exe ."	hmwbkn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kwnzpzrdjaqtf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hayrofexkifpixgquddw.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\aqlbvjfvfaubrdjqr = "aqlbvjfvfaubrdjqr.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kwnzpzrdjaqtf = "wqpjhzzthgepjzjuzjked.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kwnzpzrdjaqtf = "wqpjhzzthgepjzjuzjked.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jrszhq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yvlhecuvneepjzjuzjmjz.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lyqdufylskbfsb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqlbvjfvfaubrdjqr.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nbivjyhziqhj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cvhzsmaxlyubrdjqr.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kwnzpzrdjaqtf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ticrkxshqkdjyjou.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kwnzpzrdjaqtf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ticrkxshqkdjyjou.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\aqlbvjfvfaubrdjqr = "aqlbvjfvfaubrdjqr.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\umjbxnldpmirjxforzy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jawnixulwsnvmzgoqx.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lyqdufylskbfsb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wqpjhzzthgepjzjuzjked.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lyqdufylskbfsb = "ticrkxshqkdjyjou.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\aqlbvjfvfaubrdjqr = "hayrofexkifpixgquddw.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\aqlbvjfvfaubrdjqr = "wqpjhzzthgepjzjuzjked.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kwnzpzrdjaqtf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ticrkxshqkdjyjou.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ticrkxshqkdjyjou = "aqlbvjfvfaubrdjqr.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lyqdufylskbfsb = "ticrkxshqkdjyjou.exe ."	hmwbkn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kwnzpzrdjaqtf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wqpjhzzthgepjzjuzjked.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kwnzpzrdjaqtf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jawnixulwsnvmzgoqx.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\umjbxnldpmirjxforzy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hayrofexkifpixgquddw.exe"	hmwbkn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ticrkxshqkdjyjou = "ticrkxshqkdjyjou.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lyqdufylskbfsb = "ticrkxshqkdjyjou.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\umjbxnldpmirjxforzy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqlbvjfvfaubrdjqr.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lyqdufylskbfsb = "ticrkxshqkdjyjou.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jawnixulwsnvmzgoqx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wqpjhzzthgepjzjuzjked.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kwnzpzrdjaqtf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqlbvjfvfaubrdjqr.exe"	hmwbkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lyqdufylskbfsb = "jawnixulwsnvmzgoqx.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kwnzpzrdjaqtf = "jawnixulwsnvmzgoqx.exe"	hmwbkn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kwnzpzrdjaqtf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wqpjhzzthgepjzjuzjked.exe"	hmwbkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\umjbxnldpmirjxforzy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqlbvjfvfaubrdjqr.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lyqdufylskbfsb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wqpjhzzthgepjzjuzjked.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kwnzpzrdjaqtf = "jawnixulwsnvmzgoqx.exe"	hmwbkn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ticrkxshqkdjyjou = "jawnixulwsnvmzgoqx.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ticrkxshqkdjyjou = "umjbxnldpmirjxforzy.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lyqdufylskbfsb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wqpjhzzthgepjzjuzjked.exe ."	uvfllmhhefp.exe

Checks whether UAC is enabled 1 TTPs 48 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hmwbkn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hmwbkn.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	hmwbkn.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	hmwbkn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe

Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 4 IoCs

Possible Turn off User Account Control's privilege elevation for standard users.

Executable Installer File Permissions Weakness

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	hmwbkn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	hmwbkn.exe

Looks up external IP address via web service 8 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
27	www.showmyipaddress.com
43	whatismyipaddress.com
47	whatismyip.everdot.org
66	whatismyip.everdot.org
26	www.whatismyip.ca
30	whatismyip.everdot.org
40	whatismyip.everdot.org
55	www.whatismyip.ca

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\hayrofexkifpixgquddw.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\wqpjhzzthgepjzjuzjked.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\umjbxnldpmirjxforzy.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\umjbxnldpmirjxforzy.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\jawnixulwsnvmzgoqx.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\ticrkxshqkdjyjou.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\hayrofexkifpixgquddw.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\aqlbvjfvfaubrdjqr.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\wqpjhzzthgepjzjuzjked.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\aqlbvjfvfaubrdjqr.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\hayrofexkifpixgquddw.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\niidcvwrggfrmdoagrtooj.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\wqpjhzzthgepjzjuzjked.exe	hmwbkn.exe
File opened for modification	C:\Windows\SysWOW64\umjbxnldpmirjxforzy.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\hayrofexkifpixgquddw.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\niidcvwrggfrmdoagrtooj.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\aqlbvjfvfaubrdjqr.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\umjbxnldpmirjxforzy.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\ticrkxshqkdjyjou.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\ticrkxshqkdjyjou.exe	hmwbkn.exe
File opened for modification	C:\Windows\SysWOW64\aqlbvjfvfaubrdjqr.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\niidcvwrggfrmdoagrtooj.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\wqpjhzzthgepjzjuzjked.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\aqlbvjfvfaubrdjqr.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\umjbxnldpmirjxforzy.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\lwmxmvmxcshjubceabteufudufkaprcjkm.jbm	hmwbkn.exe
File opened for modification	C:\Windows\SysWOW64\niidcvwrggfrmdoagrtooj.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\wqpjhzzthgepjzjuzjked.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\wqpjhzzthgepjzjuzjked.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\umjbxnldpmirjxforzy.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\hayrofexkifpixgquddw.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\umjbxnldpmirjxforzy.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\hayrofexkifpixgquddw.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\aqlbvjfvfaubrdjqr.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\aqlbvjfvfaubrdjqr.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\niidcvwrggfrmdoagrtooj.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\ticrkxshqkdjyjou.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\ticrkxshqkdjyjou.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\jawnixulwsnvmzgoqx.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\hayrofexkifpixgquddw.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\wqpjhzzthgepjzjuzjked.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\jawnixulwsnvmzgoqx.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\wqpjhzzthgepjzjuzjked.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\jawnixulwsnvmzgoqx.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\jawnixulwsnvmzgoqx.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\aqlbvjfvfaubrdjqr.exe	hmwbkn.exe
File opened for modification	C:\Windows\SysWOW64\umjbxnldpmirjxforzy.exe	hmwbkn.exe
File opened for modification	C:\Windows\SysWOW64\niidcvwrggfrmdoagrtooj.exe	hmwbkn.exe
File opened for modification	C:\Windows\SysWOW64\umjbxnldpmirjxforzy.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\wqpjhzzthgepjzjuzjked.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\hayrofexkifpixgquddw.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\jawnixulwsnvmzgoqx.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\hayrofexkifpixgquddw.exe	hmwbkn.exe
File opened for modification	C:\Windows\SysWOW64\niidcvwrggfrmdoagrtooj.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\aqlbvjfvfaubrdjqr.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\wqpjhzzthgepjzjuzjked.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\umjbxnldpmirjxforzy.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\aqlbvjfvfaubrdjqr.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\aqlbvjfvfaubrdjqr.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\wqpjhzzthgepjzjuzjked.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\hayrofexkifpixgquddw.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\ticrkxshqkdjyjou.exe	hmwbkn.exe
File opened for modification	C:\Windows\SysWOW64\niidcvwrggfrmdoagrtooj.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\aqlbvjfvfaubrdjqr.exe	uvfllmhhefp.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\yyddhfllfkoffbritjqqvvz.ddx	hmwbkn.exe
File opened for modification	C:\Program Files (x86)\lwmxmvmxcshjubceabteufudufkaprcjkm.jbm	hmwbkn.exe
File created	C:\Program Files (x86)\lwmxmvmxcshjubceabteufudufkaprcjkm.jbm	hmwbkn.exe
File opened for modification	C:\Program Files (x86)\yyddhfllfkoffbritjqqvvz.ddx	hmwbkn.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\aqlbvjfvfaubrdjqr.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\aqlbvjfvfaubrdjqr.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\ticrkxshqkdjyjou.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\jawnixulwsnvmzgoqx.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\jawnixulwsnvmzgoqx.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\aqlbvjfvfaubrdjqr.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\ticrkxshqkdjyjou.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\niidcvwrggfrmdoagrtooj.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\ticrkxshqkdjyjou.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\wqpjhzzthgepjzjuzjked.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\aqlbvjfvfaubrdjqr.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\hayrofexkifpixgquddw.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\jawnixulwsnvmzgoqx.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\umjbxnldpmirjxforzy.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\niidcvwrggfrmdoagrtooj.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\hayrofexkifpixgquddw.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\umjbxnldpmirjxforzy.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\aqlbvjfvfaubrdjqr.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\hayrofexkifpixgquddw.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\niidcvwrggfrmdoagrtooj.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\jawnixulwsnvmzgoqx.exe	hmwbkn.exe
File opened for modification	C:\Windows\aqlbvjfvfaubrdjqr.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\ticrkxshqkdjyjou.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\niidcvwrggfrmdoagrtooj.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\hayrofexkifpixgquddw.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\niidcvwrggfrmdoagrtooj.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\wqpjhzzthgepjzjuzjked.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\aqlbvjfvfaubrdjqr.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\niidcvwrggfrmdoagrtooj.exe	hmwbkn.exe
File opened for modification	C:\Windows\ticrkxshqkdjyjou.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\wqpjhzzthgepjzjuzjked.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\ticrkxshqkdjyjou.exe	hmwbkn.exe
File opened for modification	C:\Windows\ticrkxshqkdjyjou.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\ticrkxshqkdjyjou.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\hayrofexkifpixgquddw.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\umjbxnldpmirjxforzy.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\yyddhfllfkoffbritjqqvvz.ddx	hmwbkn.exe
File opened for modification	C:\Windows\niidcvwrggfrmdoagrtooj.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\niidcvwrggfrmdoagrtooj.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\ticrkxshqkdjyjou.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\aqlbvjfvfaubrdjqr.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\jawnixulwsnvmzgoqx.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\wqpjhzzthgepjzjuzjked.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\aqlbvjfvfaubrdjqr.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\jawnixulwsnvmzgoqx.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\ticrkxshqkdjyjou.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\hayrofexkifpixgquddw.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\aqlbvjfvfaubrdjqr.exe	uvfllmhhefp.exe
File created	C:\Windows\yyddhfllfkoffbritjqqvvz.ddx	hmwbkn.exe
File opened for modification	C:\Windows\hayrofexkifpixgquddw.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\jawnixulwsnvmzgoqx.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\hayrofexkifpixgquddw.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\niidcvwrggfrmdoagrtooj.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\ticrkxshqkdjyjou.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\niidcvwrggfrmdoagrtooj.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\jawnixulwsnvmzgoqx.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\wqpjhzzthgepjzjuzjked.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\hayrofexkifpixgquddw.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\umjbxnldpmirjxforzy.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\umjbxnldpmirjxforzy.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\umjbxnldpmirjxforzy.exe	hmwbkn.exe
File opened for modification	C:\Windows\wqpjhzzthgepjzjuzjked.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\wqpjhzzthgepjzjuzjked.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\wqpjhzzthgepjzjuzjked.exe	uvfllmhhefp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ticrkxshqkdjyjou.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wrfzuqgfvkirjxforza.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umjbxnldpmirjxforzy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umjbxnldpmirjxforzy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ticrkxshqkdjyjou.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ticrkxshqkdjyjou.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wqpjhzzthgepjzjuzjked.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wqpjhzzthgepjzjuzjked.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aqlbvjfvfaubrdjqr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wqpjhzzthgepjzjuzjked.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uvfllmhhefp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wqpjhzzthgepjzjuzjked.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umjbxnldpmirjxforzy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aqlbvjfvfaubrdjqr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wqpjhzzthgepjzjuzjked.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aqlbvjfvfaubrdjqr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jawnixulwsnvmzgoqx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hayrofexkifpixgquddw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hayrofexkifpixgquddw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aqlbvjfvfaubrdjqr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umjbxnldpmirjxforzy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hayrofexkifpixgquddw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hayrofexkifpixgquddw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jfuplizzqgfpixgqudfb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wqpjhzzthgepjzjuzjked.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hayrofexkifpixgquddw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wqpjhzzthgepjzjuzjked.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hayrofexkifpixgquddw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wqpjhzzthgepjzjuzjked.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ticrkxshqkdjyjou.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvhzsmaxlyubrdjqr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hayrofexkifpixgquddw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ticrkxshqkdjyjou.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jawnixulwsnvmzgoqx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umjbxnldpmirjxforzy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umjbxnldpmirjxforzy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hayrofexkifpixgquddw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ticrkxshqkdjyjou.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lfslfapncqnvmzgoqx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ticrkxshqkdjyjou.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aqlbvjfvfaubrdjqr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jawnixulwsnvmzgoqx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wqpjhzzthgepjzjuzjked.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umjbxnldpmirjxforzy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hayrofexkifpixgquddw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wqpjhzzthgepjzjuzjked.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ticrkxshqkdjyjou.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wqpjhzzthgepjzjuzjked.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ticrkxshqkdjyjou.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wrfzuqgfvkirjxforza.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vnyphanjwidjyjou.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jawnixulwsnvmzgoqx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lfslfapncqnvmzgoqx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hayrofexkifpixgquddw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ticrkxshqkdjyjou.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umjbxnldpmirjxforzy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ticrkxshqkdjyjou.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umjbxnldpmirjxforzy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lfslfapncqnvmzgoqx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ticrkxshqkdjyjou.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aqlbvjfvfaubrdjqr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ticrkxshqkdjyjou.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aqlbvjfvfaubrdjqr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ticrkxshqkdjyjou.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1320	JaffaCakes118_8c8b69b3acb146a63a585e4449073181.exe
1320	JaffaCakes118_8c8b69b3acb146a63a585e4449073181.exe
1320	JaffaCakes118_8c8b69b3acb146a63a585e4449073181.exe
1320	JaffaCakes118_8c8b69b3acb146a63a585e4449073181.exe
1320	JaffaCakes118_8c8b69b3acb146a63a585e4449073181.exe
1320	JaffaCakes118_8c8b69b3acb146a63a585e4449073181.exe
1320	JaffaCakes118_8c8b69b3acb146a63a585e4449073181.exe
1320	JaffaCakes118_8c8b69b3acb146a63a585e4449073181.exe
1320	JaffaCakes118_8c8b69b3acb146a63a585e4449073181.exe
1320	JaffaCakes118_8c8b69b3acb146a63a585e4449073181.exe
1320	JaffaCakes118_8c8b69b3acb146a63a585e4449073181.exe
1320	JaffaCakes118_8c8b69b3acb146a63a585e4449073181.exe
1320	JaffaCakes118_8c8b69b3acb146a63a585e4449073181.exe
1320	JaffaCakes118_8c8b69b3acb146a63a585e4449073181.exe
1576	hmwbkn.exe
1576	hmwbkn.exe
1320	JaffaCakes118_8c8b69b3acb146a63a585e4449073181.exe
1320	JaffaCakes118_8c8b69b3acb146a63a585e4449073181.exe
1320	JaffaCakes118_8c8b69b3acb146a63a585e4449073181.exe
1320	JaffaCakes118_8c8b69b3acb146a63a585e4449073181.exe
1320	JaffaCakes118_8c8b69b3acb146a63a585e4449073181.exe
1320	JaffaCakes118_8c8b69b3acb146a63a585e4449073181.exe
1320	JaffaCakes118_8c8b69b3acb146a63a585e4449073181.exe
1320	JaffaCakes118_8c8b69b3acb146a63a585e4449073181.exe
1320	JaffaCakes118_8c8b69b3acb146a63a585e4449073181.exe
1320	JaffaCakes118_8c8b69b3acb146a63a585e4449073181.exe
1320	JaffaCakes118_8c8b69b3acb146a63a585e4449073181.exe
1320	JaffaCakes118_8c8b69b3acb146a63a585e4449073181.exe
1320	JaffaCakes118_8c8b69b3acb146a63a585e4449073181.exe
1320	JaffaCakes118_8c8b69b3acb146a63a585e4449073181.exe
1320	JaffaCakes118_8c8b69b3acb146a63a585e4449073181.exe
1320	JaffaCakes118_8c8b69b3acb146a63a585e4449073181.exe
1320	JaffaCakes118_8c8b69b3acb146a63a585e4449073181.exe
1320	JaffaCakes118_8c8b69b3acb146a63a585e4449073181.exe
1320	JaffaCakes118_8c8b69b3acb146a63a585e4449073181.exe
1320	JaffaCakes118_8c8b69b3acb146a63a585e4449073181.exe
1320	JaffaCakes118_8c8b69b3acb146a63a585e4449073181.exe
1320	JaffaCakes118_8c8b69b3acb146a63a585e4449073181.exe
1320	JaffaCakes118_8c8b69b3acb146a63a585e4449073181.exe
1320	JaffaCakes118_8c8b69b3acb146a63a585e4449073181.exe
1320	JaffaCakes118_8c8b69b3acb146a63a585e4449073181.exe
1320	JaffaCakes118_8c8b69b3acb146a63a585e4449073181.exe
1320	JaffaCakes118_8c8b69b3acb146a63a585e4449073181.exe
1320	JaffaCakes118_8c8b69b3acb146a63a585e4449073181.exe
1320	JaffaCakes118_8c8b69b3acb146a63a585e4449073181.exe
1320	JaffaCakes118_8c8b69b3acb146a63a585e4449073181.exe
1320	JaffaCakes118_8c8b69b3acb146a63a585e4449073181.exe
1320	JaffaCakes118_8c8b69b3acb146a63a585e4449073181.exe
1320	JaffaCakes118_8c8b69b3acb146a63a585e4449073181.exe
1320	JaffaCakes118_8c8b69b3acb146a63a585e4449073181.exe
1320	JaffaCakes118_8c8b69b3acb146a63a585e4449073181.exe
1320	JaffaCakes118_8c8b69b3acb146a63a585e4449073181.exe
1576	hmwbkn.exe
1576	hmwbkn.exe
1320	JaffaCakes118_8c8b69b3acb146a63a585e4449073181.exe
1320	JaffaCakes118_8c8b69b3acb146a63a585e4449073181.exe
1320	JaffaCakes118_8c8b69b3acb146a63a585e4449073181.exe
1320	JaffaCakes118_8c8b69b3acb146a63a585e4449073181.exe
1320	JaffaCakes118_8c8b69b3acb146a63a585e4449073181.exe
1320	JaffaCakes118_8c8b69b3acb146a63a585e4449073181.exe
1320	JaffaCakes118_8c8b69b3acb146a63a585e4449073181.exe
1320	JaffaCakes118_8c8b69b3acb146a63a585e4449073181.exe
1320	JaffaCakes118_8c8b69b3acb146a63a585e4449073181.exe
1320	JaffaCakes118_8c8b69b3acb146a63a585e4449073181.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1576	hmwbkn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1320 wrote to memory of 3692	1320	JaffaCakes118_8c8b69b3acb146a63a585e4449073181.exe	89
PID 1320 wrote to memory of 3692	1320	JaffaCakes118_8c8b69b3acb146a63a585e4449073181.exe	89
PID 1320 wrote to memory of 3692	1320	JaffaCakes118_8c8b69b3acb146a63a585e4449073181.exe	89
PID 4648 wrote to memory of 4576	4648	cmd.exe	92
PID 4648 wrote to memory of 4576	4648	cmd.exe	92
PID 4648 wrote to memory of 4576	4648	cmd.exe	92
PID 4708 wrote to memory of 4936	4708	cmd.exe	95
PID 4708 wrote to memory of 4936	4708	cmd.exe	95
PID 4708 wrote to memory of 4936	4708	cmd.exe	95
PID 4936 wrote to memory of 5984	4936	ticrkxshqkdjyjou.exe	96
PID 4936 wrote to memory of 5984	4936	ticrkxshqkdjyjou.exe	96
PID 4936 wrote to memory of 5984	4936	ticrkxshqkdjyjou.exe	96
PID 4336 wrote to memory of 5744	4336	cmd.exe	101
PID 4336 wrote to memory of 5744	4336	cmd.exe	101
PID 4336 wrote to memory of 5744	4336	cmd.exe	101
PID 4808 wrote to memory of 4788	4808	cmd.exe	104
PID 4808 wrote to memory of 4788	4808	cmd.exe	104
PID 4808 wrote to memory of 4788	4808	cmd.exe	104
PID 4776 wrote to memory of 5452	4776	cmd.exe	107
PID 4776 wrote to memory of 5452	4776	cmd.exe	107
PID 4776 wrote to memory of 5452	4776	cmd.exe	107
PID 4788 wrote to memory of 3108	4788	aqlbvjfvfaubrdjqr.exe	108
PID 4788 wrote to memory of 3108	4788	aqlbvjfvfaubrdjqr.exe	108
PID 4788 wrote to memory of 3108	4788	aqlbvjfvfaubrdjqr.exe	108
PID 2992 wrote to memory of 6140	2992	cmd.exe	109
PID 2992 wrote to memory of 6140	2992	cmd.exe	109
PID 2992 wrote to memory of 6140	2992	cmd.exe	109
PID 6140 wrote to memory of 5076	6140	wqpjhzzthgepjzjuzjked.exe	110
PID 6140 wrote to memory of 5076	6140	wqpjhzzthgepjzjuzjked.exe	110
PID 6140 wrote to memory of 5076	6140	wqpjhzzthgepjzjuzjked.exe	110
PID 3200 wrote to memory of 2052	3200	cmd.exe	114
PID 3200 wrote to memory of 2052	3200	cmd.exe	114
PID 3200 wrote to memory of 2052	3200	cmd.exe	114
PID 3976 wrote to memory of 5032	3976	cmd.exe	116
PID 3976 wrote to memory of 5032	3976	cmd.exe	116
PID 3976 wrote to memory of 5032	3976	cmd.exe	116
PID 5032 wrote to memory of 208	5032	hayrofexkifpixgquddw.exe	117
PID 5032 wrote to memory of 208	5032	hayrofexkifpixgquddw.exe	117
PID 5032 wrote to memory of 208	5032	hayrofexkifpixgquddw.exe	117
PID 3692 wrote to memory of 1576	3692	uvfllmhhefp.exe	118
PID 3692 wrote to memory of 1576	3692	uvfllmhhefp.exe	118
PID 3692 wrote to memory of 1576	3692	uvfllmhhefp.exe	118
PID 3692 wrote to memory of 4296	3692	uvfllmhhefp.exe	119
PID 3692 wrote to memory of 4296	3692	uvfllmhhefp.exe	119
PID 3692 wrote to memory of 4296	3692	uvfllmhhefp.exe	119
PID 3948 wrote to memory of 552	3948	cmd.exe	199
PID 3948 wrote to memory of 552	3948	cmd.exe	199
PID 3948 wrote to memory of 552	3948	cmd.exe	199
PID 3380 wrote to memory of 5376	3380	cmd.exe	201
PID 3380 wrote to memory of 5376	3380	cmd.exe	201
PID 3380 wrote to memory of 5376	3380	cmd.exe	201
PID 2268 wrote to memory of 1108	2268	cmd.exe	206
PID 2268 wrote to memory of 1108	2268	cmd.exe	206
PID 2268 wrote to memory of 1108	2268	cmd.exe	206
PID 1480 wrote to memory of 3908	1480	cmd.exe	133
PID 1480 wrote to memory of 3908	1480	cmd.exe	133
PID 1480 wrote to memory of 3908	1480	cmd.exe	133
PID 1108 wrote to memory of 972	1108	jawnixulwsnvmzgoqx.exe	136
PID 1108 wrote to memory of 972	1108	jawnixulwsnvmzgoqx.exe	136
PID 1108 wrote to memory of 972	1108	jawnixulwsnvmzgoqx.exe	136
PID 748 wrote to memory of 2072	748	cmd.exe	141
PID 748 wrote to memory of 2072	748	cmd.exe	141
PID 748 wrote to memory of 2072	748	cmd.exe	141
PID 3908 wrote to memory of 5792	3908	jawnixulwsnvmzgoqx.exe	291

System policy modification 1 TTPs 64 IoCs

defense_evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	hmwbkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hmwbkn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	hmwbkn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	hmwbkn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	hmwbkn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	hmwbkn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	hmwbkn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	hmwbkn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	hmwbkn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	hmwbkn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	hmwbkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	hmwbkn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	hmwbkn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	hmwbkn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	hmwbkn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	hmwbkn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	hmwbkn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	hmwbkn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	uvfllmhhefp.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8c8b69b3acb146a63a585e4449073181.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8c8b69b3acb146a63a585e4449073181.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
  "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_8c8b69b3acb146a63a585e4449073181.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Hijack Execution Flow: Executable Installer File Permissions Weakness
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3692
- - C:\Users\Admin\AppData\Local\Temp\hmwbkn.exe
    "C:\Users\Admin\AppData\Local\Temp\hmwbkn.exe" "-C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:1576
- - C:\Users\Admin\AppData\Local\Temp\hmwbkn.exe
    "C:\Users\Admin\AppData\Local\Temp\hmwbkn.exe" "-C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ticrkxshqkdjyjou.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4648
- C:\Windows\ticrkxshqkdjyjou.exe
  ticrkxshqkdjyjou.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ticrkxshqkdjyjou.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:4708
- C:\Windows\ticrkxshqkdjyjou.exe
  ticrkxshqkdjyjou.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4936
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\ticrkxshqkdjyjou.exe*."
    3⤵
    - Executes dropped EXE
    PID:5984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqlbvjfvfaubrdjqr.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4336
- C:\Windows\aqlbvjfvfaubrdjqr.exe
  aqlbvjfvfaubrdjqr.exe
  2⤵
  - Executes dropped EXE
  PID:5744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqlbvjfvfaubrdjqr.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Windows\aqlbvjfvfaubrdjqr.exe
  aqlbvjfvfaubrdjqr.exe .
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4788
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\aqlbvjfvfaubrdjqr.exe*."
    3⤵
    - Executes dropped EXE
    PID:3108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4776
- C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe
  C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe
  2⤵
  - Executes dropped EXE
  PID:5452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe
  C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:6140
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\wqpjhzzthgepjzjuzjked.exe*."
    3⤵
    - Executes dropped EXE
    PID:5076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3200
- C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe
  C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe
  2⤵
  - Executes dropped EXE
  PID:2052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:3976
- C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe
  C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5032
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\hayrofexkifpixgquddw.exe*."
    3⤵
    - Executes dropped EXE
    PID:208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jawnixulwsnvmzgoqx.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3948
- C:\Windows\jawnixulwsnvmzgoqx.exe
  jawnixulwsnvmzgoqx.exe
  2⤵
  - Executes dropped EXE
  PID:552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jawnixulwsnvmzgoqx.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3380
- C:\Windows\jawnixulwsnvmzgoqx.exe
  jawnixulwsnvmzgoqx.exe
  2⤵
  - Executes dropped EXE
  PID:5376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jawnixulwsnvmzgoqx.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Windows\jawnixulwsnvmzgoqx.exe
  jawnixulwsnvmzgoqx.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1108
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\jawnixulwsnvmzgoqx.exe*."
    3⤵
    - Executes dropped EXE
    PID:972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jawnixulwsnvmzgoqx.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Windows\jawnixulwsnvmzgoqx.exe
  jawnixulwsnvmzgoqx.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3908
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\jawnixulwsnvmzgoqx.exe*."
    3⤵
    - Executes dropped EXE
    PID:5792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jawnixulwsnvmzgoqx.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:748
- C:\Windows\jawnixulwsnvmzgoqx.exe
  jawnixulwsnvmzgoqx.exe
  2⤵
  - Executes dropped EXE
  PID:2072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hayrofexkifpixgquddw.exe
1⤵
PID:2468
- C:\Windows\hayrofexkifpixgquddw.exe
  hayrofexkifpixgquddw.exe
  2⤵
  - Executes dropped EXE
  PID:5044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqpjhzzthgepjzjuzjked.exe .
1⤵
PID:5184
- C:\Windows\wqpjhzzthgepjzjuzjked.exe
  wqpjhzzthgepjzjuzjked.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2288
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\wqpjhzzthgepjzjuzjked.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ticrkxshqkdjyjou.exe .
1⤵
PID:2680
- C:\Windows\ticrkxshqkdjyjou.exe
  ticrkxshqkdjyjou.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3508
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\ticrkxshqkdjyjou.exe*."
    3⤵
    - Executes dropped EXE
    PID:4876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe
1⤵
PID:4976
- C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe
  C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe
  2⤵
  - Executes dropped EXE
  PID:5464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe
1⤵
PID:856
- C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe
  C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe .
1⤵
PID:5084
- C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe
  C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe .
  2⤵
  - Executes dropped EXE
  PID:2104
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\wqpjhzzthgepjzjuzjked.exe*."
    3⤵
    - Executes dropped EXE
    PID:3996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe .
1⤵
PID:4252
- C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe
  C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2004
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\ticrkxshqkdjyjou.exe*."
    3⤵
    - Executes dropped EXE
    PID:4932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jawnixulwsnvmzgoqx.exe
1⤵
PID:3640
- C:\Users\Admin\AppData\Local\Temp\jawnixulwsnvmzgoqx.exe
  C:\Users\Admin\AppData\Local\Temp\jawnixulwsnvmzgoqx.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe
1⤵
PID:4540
- C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe
  C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe
  2⤵
  - Executes dropped EXE
  PID:5456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe .
1⤵
PID:3836
- C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe
  C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5292
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\hayrofexkifpixgquddw.exe*."
    3⤵
    - Executes dropped EXE
    PID:4544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe .
1⤵
PID:4696
- C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe
  C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe .
  2⤵
  - Executes dropped EXE
  PID:4732
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\hayrofexkifpixgquddw.exe*."
    3⤵
    - Executes dropped EXE
    PID:4516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jawnixulwsnvmzgoqx.exe
1⤵
PID:5576
- C:\Windows\jawnixulwsnvmzgoqx.exe
  jawnixulwsnvmzgoqx.exe
  2⤵
  - Executes dropped EXE
  PID:3576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ticrkxshqkdjyjou.exe .
1⤵
PID:1276
- C:\Windows\ticrkxshqkdjyjou.exe
  ticrkxshqkdjyjou.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6084
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\ticrkxshqkdjyjou.exe*."
    3⤵
    - Executes dropped EXE
    PID:5404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jawnixulwsnvmzgoqx.exe
1⤵
PID:5800
- C:\Windows\jawnixulwsnvmzgoqx.exe
  jawnixulwsnvmzgoqx.exe
  2⤵
  - Executes dropped EXE
  PID:1188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ticrkxshqkdjyjou.exe .
1⤵
PID:3956
- C:\Windows\ticrkxshqkdjyjou.exe
  ticrkxshqkdjyjou.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4404
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\ticrkxshqkdjyjou.exe*."
    3⤵
    - Executes dropped EXE
    PID:4184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe
1⤵
PID:672
- C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe
  C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe
  2⤵
  - Executes dropped EXE
  PID:4928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe .
1⤵
PID:1824
- C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe
  C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:552
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\wqpjhzzthgepjzjuzjked.exe*."
    3⤵
    - Executes dropped EXE
    PID:1796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe
1⤵
PID:5376
- C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe
  C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe
  2⤵
  - Executes dropped EXE
  PID:4748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe .
1⤵
PID:2640
- C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe
  C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:1108
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\ticrkxshqkdjyjou.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ticrkxshqkdjyjou.exe
1⤵
PID:4868
- C:\Windows\ticrkxshqkdjyjou.exe
  ticrkxshqkdjyjou.exe
  2⤵
  - Executes dropped EXE
  PID:4948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqlbvjfvfaubrdjqr.exe .
1⤵
PID:5572
- C:\Windows\aqlbvjfvfaubrdjqr.exe
  aqlbvjfvfaubrdjqr.exe .
  2⤵
  - Executes dropped EXE
  PID:2444
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\aqlbvjfvfaubrdjqr.exe*."
    3⤵
    - Executes dropped EXE
    PID:4340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jawnixulwsnvmzgoqx.exe
1⤵
PID:4348
- C:\Windows\jawnixulwsnvmzgoqx.exe
  jawnixulwsnvmzgoqx.exe
  2⤵
  - Executes dropped EXE
  PID:5876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c umjbxnldpmirjxforzy.exe
1⤵
PID:2468
- C:\Windows\umjbxnldpmirjxforzy.exe
  umjbxnldpmirjxforzy.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hayrofexkifpixgquddw.exe
1⤵
PID:1804
- C:\Windows\hayrofexkifpixgquddw.exe
  hayrofexkifpixgquddw.exe
  2⤵
  - Executes dropped EXE
  PID:5692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqlbvjfvfaubrdjqr.exe .
1⤵
PID:3184
- C:\Windows\aqlbvjfvfaubrdjqr.exe
  aqlbvjfvfaubrdjqr.exe .
  2⤵
  - Executes dropped EXE
  PID:3472
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\aqlbvjfvfaubrdjqr.exe*."
    3⤵
    - Executes dropped EXE
    PID:2324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hayrofexkifpixgquddw.exe .
1⤵
PID:1924
- C:\Windows\hayrofexkifpixgquddw.exe
  hayrofexkifpixgquddw.exe .
  2⤵
  - Executes dropped EXE
  PID:4900
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\hayrofexkifpixgquddw.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - System policy modification
    PID:5904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe
1⤵
PID:4848
- C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe
  C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe
  2⤵
  - Executes dropped EXE
  PID:4160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ticrkxshqkdjyjou.exe .
1⤵
PID:6124
- C:\Windows\ticrkxshqkdjyjou.exe
  ticrkxshqkdjyjou.exe .
  2⤵
  - Executes dropped EXE
  PID:4364
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\ticrkxshqkdjyjou.exe*."
    3⤵
    PID:2560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe .
1⤵
PID:4708
- C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe
  C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2456
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\aqlbvjfvfaubrdjqr.exe*."
    3⤵
    PID:1792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqlbvjfvfaubrdjqr.exe
1⤵
PID:4876
- C:\Windows\aqlbvjfvfaubrdjqr.exe
  aqlbvjfvfaubrdjqr.exe
  2⤵
  - Executes dropped EXE
  PID:4812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqlbvjfvfaubrdjqr.exe
1⤵
PID:4756
- C:\Windows\aqlbvjfvfaubrdjqr.exe
  aqlbvjfvfaubrdjqr.exe
  2⤵
  PID:5228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqpjhzzthgepjzjuzjked.exe .
1⤵
PID:1060
- C:\Windows\wqpjhzzthgepjzjuzjked.exe
  wqpjhzzthgepjzjuzjked.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5404
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\wqpjhzzthgepjzjuzjked.exe*."
    3⤵
    PID:5192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqpjhzzthgepjzjuzjked.exe .
1⤵
PID:4932
- C:\Windows\wqpjhzzthgepjzjuzjked.exe
  wqpjhzzthgepjzjuzjked.exe .
  2⤵
  - Checks computer location settings
  PID:388
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\wqpjhzzthgepjzjuzjked.exe*."
    3⤵
    PID:5792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe
1⤵
PID:4004
- C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe
  C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe
  2⤵
  PID:5888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe
1⤵
PID:4740
- C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe
  C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe
  2⤵
  PID:4472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe
1⤵
PID:4964
- C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe
  C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe
  2⤵
  PID:1712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe .
1⤵
PID:4544
- C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe
  C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe .
  2⤵
  - Checks computer location settings
  PID:5736
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\aqlbvjfvfaubrdjqr.exe*."
    3⤵
    PID:5444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe .
1⤵
PID:5108
- C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe
  C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe .
  2⤵
  - Checks computer location settings
  PID:852
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\wqpjhzzthgepjzjuzjked.exe*."
    3⤵
    PID:2056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe .
1⤵
PID:4556
- C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe
  C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1064
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\hayrofexkifpixgquddw.exe*."
    3⤵
    PID:2568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jawnixulwsnvmzgoqx.exe
1⤵
PID:5756
- C:\Users\Admin\AppData\Local\Temp\jawnixulwsnvmzgoqx.exe
  C:\Users\Admin\AppData\Local\Temp\jawnixulwsnvmzgoqx.exe
  2⤵
  PID:5596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jawnixulwsnvmzgoqx.exe
1⤵
PID:916
- C:\Users\Admin\AppData\Local\Temp\jawnixulwsnvmzgoqx.exe
  C:\Users\Admin\AppData\Local\Temp\jawnixulwsnvmzgoqx.exe
  2⤵
  PID:6064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe .
1⤵
PID:2280
- C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe
  C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5164
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\ticrkxshqkdjyjou.exe*."
    3⤵
    PID:4976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe .
1⤵
PID:3604
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4404
- C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe
  C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe .
  2⤵
  - Checks computer location settings
  PID:1444
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\hayrofexkifpixgquddw.exe*."
    3⤵
    PID:2236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c umjbxnldpmirjxforzy.exe
1⤵
PID:2008
- C:\Windows\umjbxnldpmirjxforzy.exe
  umjbxnldpmirjxforzy.exe
  2⤵
  PID:2400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hayrofexkifpixgquddw.exe .
1⤵
PID:5740
- C:\Windows\hayrofexkifpixgquddw.exe
  hayrofexkifpixgquddw.exe .
  2⤵
  PID:1476
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\hayrofexkifpixgquddw.exe*."
    3⤵
    PID:5692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqlbvjfvfaubrdjqr.exe
1⤵
PID:5876
- C:\Windows\aqlbvjfvfaubrdjqr.exe
  aqlbvjfvfaubrdjqr.exe
  2⤵
  PID:4680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqpjhzzthgepjzjuzjked.exe .
1⤵
PID:6116
- C:\Windows\wqpjhzzthgepjzjuzjked.exe
  wqpjhzzthgepjzjuzjked.exe .
  2⤵
  - Checks computer location settings
  PID:4160
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\wqpjhzzthgepjzjuzjked.exe*."
    3⤵
    PID:4848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jawnixulwsnvmzgoqx.exe
1⤵
PID:4228
- C:\Users\Admin\AppData\Local\Temp\jawnixulwsnvmzgoqx.exe
  C:\Users\Admin\AppData\Local\Temp\jawnixulwsnvmzgoqx.exe
  2⤵
  PID:2324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe .
1⤵
PID:5984
- C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe
  C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5176
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\hayrofexkifpixgquddw.exe*."
    3⤵
    PID:4844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe
1⤵
PID:5680
- C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe
  C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe
  2⤵
  PID:4912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe .
1⤵
PID:2004
- C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe
  C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe .
  2⤵
  - Checks computer location settings
  PID:5968
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\umjbxnldpmirjxforzy.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqpjhzzthgepjzjuzjked.exe
1⤵
PID:5608
- C:\Windows\wqpjhzzthgepjzjuzjked.exe
  wqpjhzzthgepjzjuzjked.exe
  2⤵
  PID:4020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c umjbxnldpmirjxforzy.exe .
1⤵
PID:4928
- C:\Windows\umjbxnldpmirjxforzy.exe
  umjbxnldpmirjxforzy.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1712
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\umjbxnldpmirjxforzy.exe*."
    3⤵
    PID:4852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ticrkxshqkdjyjou.exe
1⤵
PID:5192
- C:\Windows\ticrkxshqkdjyjou.exe
  ticrkxshqkdjyjou.exe
  2⤵
  PID:4748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jawnixulwsnvmzgoqx.exe .
1⤵
PID:5624
- C:\Windows\jawnixulwsnvmzgoqx.exe
  jawnixulwsnvmzgoqx.exe .
  2⤵
  - Checks computer location settings
  PID:5936
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\jawnixulwsnvmzgoqx.exe*."
    3⤵
    PID:3336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe
1⤵
PID:5576
- C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe
  C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe
  2⤵
  PID:5144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe .
1⤵
PID:4440
- C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe
  C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe .
  2⤵
  PID:6064
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\wqpjhzzthgepjzjuzjked.exe*."
    3⤵
    PID:4516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe
1⤵
PID:4784
- C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe
  C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe
  2⤵
  PID:5368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe .
1⤵
PID:1984
- C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe
  C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4248
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\wqpjhzzthgepjzjuzjked.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqpjhzzthgepjzjuzjked.exe
1⤵
PID:5592
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1188
- C:\Windows\wqpjhzzthgepjzjuzjked.exe
  wqpjhzzthgepjzjuzjked.exe
  2⤵
  PID:2112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hayrofexkifpixgquddw.exe .
1⤵
PID:4640
- C:\Windows\hayrofexkifpixgquddw.exe
  hayrofexkifpixgquddw.exe .
  2⤵
  - Checks computer location settings
  PID:748
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\hayrofexkifpixgquddw.exe*."
    3⤵
    PID:2584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ticrkxshqkdjyjou.exe
1⤵
PID:3188
- C:\Windows\ticrkxshqkdjyjou.exe
  ticrkxshqkdjyjou.exe
  2⤵
  PID:3392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jawnixulwsnvmzgoqx.exe .
1⤵
PID:4800
- C:\Windows\jawnixulwsnvmzgoqx.exe
  jawnixulwsnvmzgoqx.exe .
  2⤵
  - Checks computer location settings
  PID:3396
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\jawnixulwsnvmzgoqx.exe*."
    3⤵
    PID:1424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe
1⤵
PID:4352
- C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe
  C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe
  2⤵
  PID:5548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe .
1⤵
PID:1020
- C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe
  C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4456
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\hayrofexkifpixgquddw.exe*."
    3⤵
    PID:4772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe
1⤵
PID:4256
- C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe
  C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe
  2⤵
  PID:5212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe .
1⤵
PID:3716
- C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe
  C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:856
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\aqlbvjfvfaubrdjqr.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - System policy modification
    PID:1616
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe"
      4⤵
      PID:4932
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe"
      4⤵
      PID:5204
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe"
      4⤵
      PID:4568
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe"
      4⤵
      PID:2308
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe"
      4⤵
      PID:2752
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe"
      4⤵
      PID:5276
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe"
      4⤵
      PID:3892
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe"
      4⤵
      PID:5648
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe"
      4⤵
      PID:1964
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe"
      4⤵
      PID:3948
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe"
      4⤵
      PID:3472
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe"
      4⤵
      PID:1460
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe"
      4⤵
      PID:972
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe"
      4⤵
      PID:4156
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe"
      4⤵
      PID:2352
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe"
      4⤵
      PID:4808
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe"
      4⤵
      PID:3100
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe"
      4⤵
      PID:6052
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe"
      4⤵
      PID:2936
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe"
      4⤵
      PID:5404
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe"
      4⤵
      PID:768
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe"
      4⤵
      PID:1940
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe"
      4⤵
      PID:5524
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe"
      4⤵
      PID:5228
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe"
      4⤵
      PID:5248
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe"
      4⤵
      PID:3348
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe"
      4⤵
      PID:5200
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe"
      4⤵
      PID:3336
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe"
      4⤵
      PID:4440
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe"
      4⤵
      PID:4632
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe"
      4⤵
      PID:4224
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe"
      4⤵
      PID:3044
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe"
      4⤵
      PID:4720
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe"
      4⤵
      PID:5736
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe"
      4⤵
      PID:4364
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe"
      4⤵
      PID:696
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe"
      4⤵
      PID:5764
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe"
      4⤵
      PID:1600
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe"
      4⤵
      PID:3092
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe"
      4⤵
      PID:756
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe"
      4⤵
      PID:5200
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe"
      4⤵
      PID:5856
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe"
      4⤵
      PID:3920
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe"
      4⤵
      PID:5800
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe"
      4⤵
      PID:3288
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe"
      4⤵
      PID:5004
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe"
      4⤵
      PID:4916
  - - C:\Users\Admin\AppData\Local\Temp\yffls.exe
      "C:\Users\Admin\AppData\Local\Temp\yffls.exe" "-C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe"
      4⤵
      PID:4640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yvlhecuvneepjzjuzjmjz.exe
1⤵
PID:6116
- C:\Windows\yvlhecuvneepjzjuzjmjz.exe
  yvlhecuvneepjzjuzjmjz.exe
  2⤵
  PID:1260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wrfzuqgfvkirjxforza.exe .
1⤵
PID:3836
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5892
- C:\Windows\wrfzuqgfvkirjxforza.exe
  wrfzuqgfvkirjxforza.exe .
  2⤵
  PID:5984
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\wrfzuqgfvkirjxforza.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c lfslfapncqnvmzgoqx.exe
1⤵
PID:392
- C:\Windows\lfslfapncqnvmzgoqx.exe
  lfslfapncqnvmzgoqx.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cvhzsmaxlyubrdjqr.exe .
1⤵
PID:3940
- C:\Windows\cvhzsmaxlyubrdjqr.exe
  cvhzsmaxlyubrdjqr.exe .
  2⤵
  PID:2308
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\cvhzsmaxlyubrdjqr.exe*."
    3⤵
    PID:2484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cvhzsmaxlyubrdjqr.exe
1⤵
PID:4900
- C:\Users\Admin\AppData\Local\Temp\cvhzsmaxlyubrdjqr.exe
  C:\Users\Admin\AppData\Local\Temp\cvhzsmaxlyubrdjqr.exe
  2⤵
  PID:5668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yvlhecuvneepjzjuzjmjz.exe .
1⤵
PID:4184
- C:\Users\Admin\AppData\Local\Temp\yvlhecuvneepjzjuzjmjz.exe
  C:\Users\Admin\AppData\Local\Temp\yvlhecuvneepjzjuzjmjz.exe .
  2⤵
  PID:4420
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\yvlhecuvneepjzjuzjmjz.exe*."
    3⤵
    PID:3040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jawnixulwsnvmzgoqx.exe
1⤵
PID:5920
- C:\Windows\jawnixulwsnvmzgoqx.exe
  jawnixulwsnvmzgoqx.exe
  2⤵
  PID:1824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cvhzsmaxlyubrdjqr.exe
1⤵
PID:5348
- C:\Users\Admin\AppData\Local\Temp\cvhzsmaxlyubrdjqr.exe
  C:\Users\Admin\AppData\Local\Temp\cvhzsmaxlyubrdjqr.exe
  2⤵
  PID:4928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cvhzsmaxlyubrdjqr.exe .
1⤵
PID:4052
- C:\Users\Admin\AppData\Local\Temp\cvhzsmaxlyubrdjqr.exe
  C:\Users\Admin\AppData\Local\Temp\cvhzsmaxlyubrdjqr.exe .
  2⤵
  PID:3824
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\cvhzsmaxlyubrdjqr.exe*."
    3⤵
    PID:5936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ticrkxshqkdjyjou.exe .
1⤵
PID:516
- C:\Windows\ticrkxshqkdjyjou.exe
  ticrkxshqkdjyjou.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3644
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\ticrkxshqkdjyjou.exe*."
    3⤵
    PID:852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c umjbxnldpmirjxforzy.exe
1⤵
PID:3476
- C:\Windows\umjbxnldpmirjxforzy.exe
  umjbxnldpmirjxforzy.exe
  2⤵
  PID:4808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ticrkxshqkdjyjou.exe .
1⤵
PID:2512
- C:\Windows\ticrkxshqkdjyjou.exe
  ticrkxshqkdjyjou.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2620
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\ticrkxshqkdjyjou.exe*."
    3⤵
    PID:3020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe
1⤵
PID:2244
- C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe
  C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe
  2⤵
  PID:5996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe .
1⤵
PID:3016
- C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe
  C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe .
  2⤵
  - Checks computer location settings
  PID:4308
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\hayrofexkifpixgquddw.exe*."
    3⤵
    PID:916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe
1⤵
PID:5080
- C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe
  C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe
  2⤵
  PID:3172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe .
1⤵
PID:4156
- C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe
  C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4860
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\hayrofexkifpixgquddw.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - System policy modification
    PID:1500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ticrkxshqkdjyjou.exe
1⤵
PID:5800
- C:\Windows\ticrkxshqkdjyjou.exe
  ticrkxshqkdjyjou.exe
  2⤵
  PID:5692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqpjhzzthgepjzjuzjked.exe .
1⤵
PID:4800
- C:\Windows\wqpjhzzthgepjzjuzjked.exe
  wqpjhzzthgepjzjuzjked.exe .
  2⤵
  - Checks computer location settings
  PID:4528
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\wqpjhzzthgepjzjuzjked.exe*."
    3⤵
    PID:1980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqpjhzzthgepjzjuzjked.exe
1⤵
PID:1880
- C:\Windows\wqpjhzzthgepjzjuzjked.exe
  wqpjhzzthgepjzjuzjked.exe
  2⤵
  PID:3816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c umjbxnldpmirjxforzy.exe .
1⤵
PID:4952
- C:\Windows\umjbxnldpmirjxforzy.exe
  umjbxnldpmirjxforzy.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6040
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\umjbxnldpmirjxforzy.exe*."
    3⤵
    PID:4228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jawnixulwsnvmzgoqx.exe
1⤵
PID:5212
- C:\Users\Admin\AppData\Local\Temp\jawnixulwsnvmzgoqx.exe
  C:\Users\Admin\AppData\Local\Temp\jawnixulwsnvmzgoqx.exe
  2⤵
  PID:4988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe .
1⤵
PID:3584
- C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe
  C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3472
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\hayrofexkifpixgquddw.exe*."
    3⤵
    PID:1260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yvlhecuvneepjzjuzjmjz.exe
1⤵
PID:5176
- C:\Windows\yvlhecuvneepjzjuzjmjz.exe
  yvlhecuvneepjzjuzjmjz.exe
  2⤵
  PID:4912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jawnixulwsnvmzgoqx.exe
1⤵
PID:1912
- C:\Users\Admin\AppData\Local\Temp\jawnixulwsnvmzgoqx.exe
  C:\Users\Admin\AppData\Local\Temp\jawnixulwsnvmzgoqx.exe
  2⤵
  PID:4840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wrfzuqgfvkirjxforza.exe .
1⤵
PID:2856
- C:\Windows\wrfzuqgfvkirjxforza.exe
  wrfzuqgfvkirjxforza.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5744
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\wrfzuqgfvkirjxforza.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe .
1⤵
PID:4832
- C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe
  C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe .
  2⤵
  - Checks computer location settings
  PID:4836
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\ticrkxshqkdjyjou.exe*."
    3⤵
    PID:1936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yvlhecuvneepjzjuzjmjz.exe
1⤵
PID:5216
- C:\Windows\yvlhecuvneepjzjuzjmjz.exe
  yvlhecuvneepjzjuzjmjz.exe
  2⤵
  PID:5696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jfuplizzqgfpixgqudfb.exe .
1⤵
PID:2540
- C:\Windows\jfuplizzqgfpixgqudfb.exe
  jfuplizzqgfpixgqudfb.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2940
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\jfuplizzqgfpixgqudfb.exe*."
    3⤵
    PID:2216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe
1⤵
PID:3960
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4020
- C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe
  C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfslfapncqnvmzgoqx.exe .
1⤵
PID:1824
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1712
- C:\Users\Admin\AppData\Local\Temp\lfslfapncqnvmzgoqx.exe
  C:\Users\Admin\AppData\Local\Temp\lfslfapncqnvmzgoqx.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5868
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\lfslfapncqnvmzgoqx.exe*."
    3⤵
    PID:3948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqlbvjfvfaubrdjqr.exe
1⤵
PID:4776
- C:\Windows\aqlbvjfvfaubrdjqr.exe
  aqlbvjfvfaubrdjqr.exe
  2⤵
  PID:2372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yvlhecuvneepjzjuzjmjz.exe
1⤵
PID:4964
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5444
- C:\Users\Admin\AppData\Local\Temp\yvlhecuvneepjzjuzjmjz.exe
  C:\Users\Admin\AppData\Local\Temp\yvlhecuvneepjzjuzjmjz.exe
  2⤵
  PID:5816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wrfzuqgfvkirjxforza.exe .
1⤵
PID:2640
- C:\Users\Admin\AppData\Local\Temp\wrfzuqgfvkirjxforza.exe
  C:\Users\Admin\AppData\Local\Temp\wrfzuqgfvkirjxforza.exe .
  2⤵
  PID:4756
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\wrfzuqgfvkirjxforza.exe*."
    3⤵
    PID:4636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jawnixulwsnvmzgoqx.exe .
1⤵
PID:2224
- C:\Windows\jawnixulwsnvmzgoqx.exe
  jawnixulwsnvmzgoqx.exe .
  2⤵
  PID:4544
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\jawnixulwsnvmzgoqx.exe*."
    3⤵
    PID:5848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqlbvjfvfaubrdjqr.exe
1⤵
PID:4076
- C:\Windows\aqlbvjfvfaubrdjqr.exe
  aqlbvjfvfaubrdjqr.exe
  2⤵
  PID:916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jawnixulwsnvmzgoqx.exe
1⤵
PID:4308
- C:\Windows\jawnixulwsnvmzgoqx.exe
  jawnixulwsnvmzgoqx.exe
  2⤵
  PID:548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ticrkxshqkdjyjou.exe .
1⤵
PID:3404
- C:\Windows\ticrkxshqkdjyjou.exe
  ticrkxshqkdjyjou.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2196
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\ticrkxshqkdjyjou.exe*."
    3⤵
    PID:4868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ticrkxshqkdjyjou.exe
1⤵
PID:2892
- C:\Windows\ticrkxshqkdjyjou.exe
  ticrkxshqkdjyjou.exe
  2⤵
  PID:3188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe
1⤵
PID:1452
- C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe
  C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe
  2⤵
  PID:4616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hayrofexkifpixgquddw.exe .
1⤵
PID:2008
- C:\Windows\hayrofexkifpixgquddw.exe
  hayrofexkifpixgquddw.exe .
  2⤵
  - Checks computer location settings
  PID:6052
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\hayrofexkifpixgquddw.exe*."
    3⤵
    PID:2200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe .
1⤵
PID:1180
- C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe
  C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe .
  2⤵
  - Checks computer location settings
  PID:4348
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\hayrofexkifpixgquddw.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c umjbxnldpmirjxforzy.exe .
1⤵
PID:4976
- C:\Windows\umjbxnldpmirjxforzy.exe
  umjbxnldpmirjxforzy.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2456
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\umjbxnldpmirjxforzy.exe*."
    3⤵
    PID:1016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ticrkxshqkdjyjou.exe
1⤵
PID:1232
- C:\Windows\ticrkxshqkdjyjou.exe
  ticrkxshqkdjyjou.exe
  2⤵
  PID:5796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jawnixulwsnvmzgoqx.exe
1⤵
PID:1980
- C:\Windows\jawnixulwsnvmzgoqx.exe
  jawnixulwsnvmzgoqx.exe
  2⤵
  PID:3348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ticrkxshqkdjyjou.exe .
1⤵
PID:5980
- C:\Windows\ticrkxshqkdjyjou.exe
  ticrkxshqkdjyjou.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1076
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\ticrkxshqkdjyjou.exe*."
    3⤵
    PID:380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe
1⤵
PID:5632
- C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe
  C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe
  2⤵
  PID:400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c umjbxnldpmirjxforzy.exe .
1⤵
PID:4256
- C:\Windows\umjbxnldpmirjxforzy.exe
  umjbxnldpmirjxforzy.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5136
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\umjbxnldpmirjxforzy.exe*."
    3⤵
    PID:5952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe
1⤵
PID:3692
- C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe
  C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe
  2⤵
  PID:5868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe .
1⤵
PID:3472
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4160
- C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe
  C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe .
  2⤵
  - Checks computer location settings
  PID:4632
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\wqpjhzzthgepjzjuzjked.exe*."
    3⤵
    PID:5464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe
1⤵
PID:1504
- C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe
  C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe
  2⤵
  PID:1276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe .
1⤵
PID:4644
- C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe
  C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5560
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\wqpjhzzthgepjzjuzjked.exe*."
    3⤵
    PID:4756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe .
1⤵
PID:5876
- C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe
  C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe .
  2⤵
  PID:2004
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\ticrkxshqkdjyjou.exe*."
    3⤵
    PID:4140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe
1⤵
PID:432
- C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe
  C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe
  2⤵
  PID:4784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe
1⤵
PID:2856
- C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe
  C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe
  2⤵
  PID:3576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe .
1⤵
PID:1916
- C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe
  C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe .
  2⤵
  PID:5272
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\hayrofexkifpixgquddw.exe*."
    3⤵
    PID:4340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe .
1⤵
PID:4540
- C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe
  C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5268
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\hayrofexkifpixgquddw.exe*."
    3⤵
    PID:732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ticrkxshqkdjyjou.exe
1⤵
PID:3992
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5368
- C:\Windows\ticrkxshqkdjyjou.exe
  ticrkxshqkdjyjou.exe
  2⤵
  PID:4544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ticrkxshqkdjyjou.exe .
1⤵
PID:4896
- C:\Windows\ticrkxshqkdjyjou.exe
  ticrkxshqkdjyjou.exe .
  2⤵
  PID:6028
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\ticrkxshqkdjyjou.exe*."
    3⤵
    PID:2584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c umjbxnldpmirjxforzy.exe
1⤵
PID:1480
- C:\Windows\umjbxnldpmirjxforzy.exe
  umjbxnldpmirjxforzy.exe
  2⤵
  PID:768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqpjhzzthgepjzjuzjked.exe .
1⤵
PID:5208
- C:\Windows\wqpjhzzthgepjzjuzjked.exe
  wqpjhzzthgepjzjuzjked.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3324
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\wqpjhzzthgepjzjuzjked.exe*."
    3⤵
    PID:3008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe
1⤵
PID:2400
- C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe
  C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe
  2⤵
  PID:1264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe .
1⤵
PID:3392
- C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe
  C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe .
  2⤵
  - Checks computer location settings
  PID:3052
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\wqpjhzzthgepjzjuzjked.exe*."
    3⤵
    PID:1292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe
1⤵
PID:5680
- C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe
  C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe
  2⤵
  PID:5300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe .
1⤵
PID:3944
- C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe
  C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4156
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\ticrkxshqkdjyjou.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c umjbxnldpmirjxforzy.exe
1⤵
PID:4092
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2456
- C:\Windows\umjbxnldpmirjxforzy.exe
  umjbxnldpmirjxforzy.exe
  2⤵
  PID:1232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ticrkxshqkdjyjou.exe .
1⤵
PID:4528
- C:\Windows\ticrkxshqkdjyjou.exe
  ticrkxshqkdjyjou.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1164
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\ticrkxshqkdjyjou.exe*."
    3⤵
    PID:4852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c umjbxnldpmirjxforzy.exe
1⤵
PID:5868
- C:\Windows\umjbxnldpmirjxforzy.exe
  umjbxnldpmirjxforzy.exe
  2⤵
  PID:4252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ticrkxshqkdjyjou.exe .
1⤵
PID:1708
- C:\Windows\ticrkxshqkdjyjou.exe
  ticrkxshqkdjyjou.exe .
  2⤵
  PID:4564
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\ticrkxshqkdjyjou.exe*."
    3⤵
    PID:1084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe
1⤵
PID:5352
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2324
- C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe
  C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe
  2⤵
  PID:4696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe .
1⤵
PID:4808
- C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe
  C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3692
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\wqpjhzzthgepjzjuzjked.exe*."
    3⤵
    PID:5172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe
1⤵
PID:1044
- C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe
  C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe
  2⤵
  PID:3584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe .
1⤵
PID:216
- C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe
  C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe .
  2⤵
  - Checks computer location settings
  PID:6140
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\ticrkxshqkdjyjou.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqpjhzzthgepjzjuzjked.exe
1⤵
PID:5428
- C:\Windows\wqpjhzzthgepjzjuzjked.exe
  wqpjhzzthgepjzjuzjked.exe
  2⤵
  PID:3508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c umjbxnldpmirjxforzy.exe .
1⤵
PID:5884
- C:\Windows\umjbxnldpmirjxforzy.exe
  umjbxnldpmirjxforzy.exe .
  2⤵
  - Checks computer location settings
  PID:2464
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\umjbxnldpmirjxforzy.exe*."
    3⤵
    PID:208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqlbvjfvfaubrdjqr.exe
1⤵
PID:5696
- C:\Windows\aqlbvjfvfaubrdjqr.exe
  aqlbvjfvfaubrdjqr.exe
  2⤵
  PID:1660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hayrofexkifpixgquddw.exe .
1⤵
PID:4844
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:916
- C:\Windows\hayrofexkifpixgquddw.exe
  hayrofexkifpixgquddw.exe .
  2⤵
  - Checks computer location settings
  PID:3772
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\hayrofexkifpixgquddw.exe*."
    3⤵
    PID:4980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe
1⤵
PID:5848
- C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe
  C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe
  2⤵
  PID:1000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe .
1⤵
PID:4904
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2940
- C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe
  C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe .
  2⤵
  - Checks computer location settings
  PID:3188
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\umjbxnldpmirjxforzy.exe*."
    3⤵
    PID:3588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe
1⤵
PID:2584
- C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe
  C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe
  2⤵
  PID:4896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe .
1⤵
PID:4640
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:388
- C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe
  C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe .
  2⤵
  PID:1452
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\umjbxnldpmirjxforzy.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqpjhzzthgepjzjuzjked.exe
1⤵
PID:3324
- C:\Windows\wqpjhzzthgepjzjuzjked.exe
  wqpjhzzthgepjzjuzjked.exe
  2⤵
  PID:5700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqlbvjfvfaubrdjqr.exe .
1⤵
PID:2560
- C:\Windows\aqlbvjfvfaubrdjqr.exe
  aqlbvjfvfaubrdjqr.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3152
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\aqlbvjfvfaubrdjqr.exe*."
    3⤵
    PID:4560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c umjbxnldpmirjxforzy.exe
1⤵
PID:2408
- C:\Windows\umjbxnldpmirjxforzy.exe
  umjbxnldpmirjxforzy.exe
  2⤵
  PID:3656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c umjbxnldpmirjxforzy.exe .
1⤵
PID:4348
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4900
- C:\Windows\umjbxnldpmirjxforzy.exe
  umjbxnldpmirjxforzy.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5672
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\umjbxnldpmirjxforzy.exe*."
    3⤵
    PID:1232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe
1⤵
PID:3944
- C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe
  C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe
  2⤵
  PID:5056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe .
1⤵
PID:5740
- C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe
  C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe .
  2⤵
  PID:4092
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\ticrkxshqkdjyjou.exe*."
    3⤵
    PID:664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe
1⤵
PID:1164
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4852
- C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe
  C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe
  2⤵
  PID:4952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe .
1⤵
PID:1180
- C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe
  C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4720
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\ticrkxshqkdjyjou.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqlbvjfvfaubrdjqr.exe
1⤵
PID:4732
- C:\Windows\aqlbvjfvfaubrdjqr.exe
  aqlbvjfvfaubrdjqr.exe
  2⤵
  PID:624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ticrkxshqkdjyjou.exe .
1⤵
PID:1084
- C:\Windows\ticrkxshqkdjyjou.exe
  ticrkxshqkdjyjou.exe .
  2⤵
  PID:5548
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\ticrkxshqkdjyjou.exe*."
    3⤵
    PID:5172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqlbvjfvfaubrdjqr.exe
1⤵
PID:2952
- C:\Windows\aqlbvjfvfaubrdjqr.exe
  aqlbvjfvfaubrdjqr.exe
  2⤵
  PID:1496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ticrkxshqkdjyjou.exe .
1⤵
PID:3204
- C:\Windows\ticrkxshqkdjyjou.exe
  ticrkxshqkdjyjou.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4756
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\ticrkxshqkdjyjou.exe*."
    3⤵
    PID:3716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe
1⤵
PID:2440
- C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe
  C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe
  2⤵
  PID:2328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe .
1⤵
PID:3040
- C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe
  C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe .
  2⤵
  - Checks computer location settings
  PID:804
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\aqlbvjfvfaubrdjqr.exe*."
    3⤵
    PID:4256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe
1⤵
PID:3192
- C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe
  C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe
  2⤵
  PID:5268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe .
1⤵
PID:4936
- C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe
  C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe .
  2⤵
  PID:4444
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\ticrkxshqkdjyjou.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ticrkxshqkdjyjou.exe
1⤵
PID:4884
- C:\Windows\ticrkxshqkdjyjou.exe
  ticrkxshqkdjyjou.exe
  2⤵
  PID:4980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wrfzuqgfvkirjxforza.exe
1⤵
PID:2936
- C:\Windows\wrfzuqgfvkirjxforza.exe
  wrfzuqgfvkirjxforza.exe
  2⤵
  PID:4340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ticrkxshqkdjyjou.exe .
1⤵
PID:5404
- C:\Windows\ticrkxshqkdjyjou.exe
  ticrkxshqkdjyjou.exe .
  2⤵
  PID:2112
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\ticrkxshqkdjyjou.exe*."
    3⤵
    PID:2584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jfuplizzqgfpixgqudfb.exe .
1⤵
PID:5080
- C:\Windows\jfuplizzqgfpixgqudfb.exe
  jfuplizzqgfpixgqudfb.exe .
  2⤵
  PID:548
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\jfuplizzqgfpixgqudfb.exe*."
    3⤵
    PID:2392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqpjhzzthgepjzjuzjked.exe
1⤵
PID:4816
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5996
- C:\Windows\wqpjhzzthgepjzjuzjked.exe
  wqpjhzzthgepjzjuzjked.exe
  2⤵
  PID:4464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wrfzuqgfvkirjxforza.exe
1⤵
PID:1264
- C:\Windows\wrfzuqgfvkirjxforza.exe
  wrfzuqgfvkirjxforza.exe
  2⤵
  PID:5212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ticrkxshqkdjyjou.exe .
1⤵
PID:388
- C:\Windows\ticrkxshqkdjyjou.exe
  ticrkxshqkdjyjou.exe .
  2⤵
  PID:1292
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\ticrkxshqkdjyjou.exe*."
    3⤵
    PID:5920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c lfslfapncqnvmzgoqx.exe .
1⤵
PID:1636
- C:\Windows\lfslfapncqnvmzgoqx.exe
  lfslfapncqnvmzgoqx.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1924
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\lfslfapncqnvmzgoqx.exe*."
    3⤵
    PID:5780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe
1⤵
PID:4624
- C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe
  C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe
  2⤵
  PID:6108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfslfapncqnvmzgoqx.exe
1⤵
PID:3404
- C:\Users\Admin\AppData\Local\Temp\lfslfapncqnvmzgoqx.exe
  C:\Users\Admin\AppData\Local\Temp\lfslfapncqnvmzgoqx.exe
  2⤵
  PID:400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe .
1⤵
PID:5252
- C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe
  C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe .
  2⤵
  PID:5672
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\wqpjhzzthgepjzjuzjked.exe*."
    3⤵
    PID:3956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wrfzuqgfvkirjxforza.exe .
1⤵
PID:5508
- C:\Users\Admin\AppData\Local\Temp\wrfzuqgfvkirjxforza.exe
  C:\Users\Admin\AppData\Local\Temp\wrfzuqgfvkirjxforza.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5176
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\wrfzuqgfvkirjxforza.exe*."
    3⤵
    PID:5116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe
1⤵
PID:3424
- C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe
  C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe
  2⤵
  PID:852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jfuplizzqgfpixgqudfb.exe
1⤵
PID:924
- C:\Users\Admin\AppData\Local\Temp\jfuplizzqgfpixgqudfb.exe
  C:\Users\Admin\AppData\Local\Temp\jfuplizzqgfpixgqudfb.exe
  2⤵
  PID:4252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jawnixulwsnvmzgoqx.exe .
1⤵
PID:3160
- C:\Users\Admin\AppData\Local\Temp\jawnixulwsnvmzgoqx.exe
  C:\Users\Admin\AppData\Local\Temp\jawnixulwsnvmzgoqx.exe .
  2⤵
  PID:3924
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\jawnixulwsnvmzgoqx.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cvhzsmaxlyubrdjqr.exe .
1⤵
PID:4004
- C:\Users\Admin\AppData\Local\Temp\cvhzsmaxlyubrdjqr.exe
  C:\Users\Admin\AppData\Local\Temp\cvhzsmaxlyubrdjqr.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4592
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\cvhzsmaxlyubrdjqr.exe*."
    3⤵
    PID:5140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqlbvjfvfaubrdjqr.exe
1⤵
PID:5764
- C:\Windows\aqlbvjfvfaubrdjqr.exe
  aqlbvjfvfaubrdjqr.exe
  2⤵
  PID:2952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hayrofexkifpixgquddw.exe
1⤵
PID:1496
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:856
- C:\Windows\hayrofexkifpixgquddw.exe
  hayrofexkifpixgquddw.exe
  2⤵
  PID:5264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqlbvjfvfaubrdjqr.exe
1⤵
PID:2352
- C:\Windows\aqlbvjfvfaubrdjqr.exe
  aqlbvjfvfaubrdjqr.exe
  2⤵
  PID:4676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ticrkxshqkdjyjou.exe .
1⤵
PID:5904
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3576
- C:\Windows\ticrkxshqkdjyjou.exe
  ticrkxshqkdjyjou.exe .
  2⤵
  - Checks computer location settings
  PID:5752
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\ticrkxshqkdjyjou.exe*."
    3⤵
    PID:4076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqpjhzzthgepjzjuzjked.exe .
1⤵
PID:5864
- C:\Windows\wqpjhzzthgepjzjuzjked.exe
  wqpjhzzthgepjzjuzjked.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4948
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\wqpjhzzthgepjzjuzjked.exe*."
    3⤵
    PID:4388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c umjbxnldpmirjxforzy.exe .
1⤵
PID:4544
- C:\Windows\umjbxnldpmirjxforzy.exe
  umjbxnldpmirjxforzy.exe .
  2⤵
  - Checks computer location settings
  PID:5428
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\umjbxnldpmirjxforzy.exe*."
    3⤵
    PID:3380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ticrkxshqkdjyjou.exe
1⤵
PID:5268
- C:\Windows\ticrkxshqkdjyjou.exe
  ticrkxshqkdjyjou.exe
  2⤵
  PID:1208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hayrofexkifpixgquddw.exe
1⤵
PID:1448
- C:\Windows\hayrofexkifpixgquddw.exe
  hayrofexkifpixgquddw.exe
  2⤵
  PID:6064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqlbvjfvfaubrdjqr.exe .
1⤵
PID:3020
- C:\Windows\aqlbvjfvfaubrdjqr.exe
  aqlbvjfvfaubrdjqr.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5648
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\aqlbvjfvfaubrdjqr.exe*."
    3⤵
    PID:1572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hayrofexkifpixgquddw.exe
1⤵
PID:4628
- C:\Windows\hayrofexkifpixgquddw.exe
  hayrofexkifpixgquddw.exe
  2⤵
  PID:4844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hayrofexkifpixgquddw.exe .
1⤵
PID:5108
- C:\Windows\hayrofexkifpixgquddw.exe
  hayrofexkifpixgquddw.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5792
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\hayrofexkifpixgquddw.exe*."
    3⤵
    PID:4472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqpjhzzthgepjzjuzjked.exe .
1⤵
PID:3976
- C:\Windows\wqpjhzzthgepjzjuzjked.exe
  wqpjhzzthgepjzjuzjked.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1804
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\wqpjhzzthgepjzjuzjked.exe*."
    3⤵
    PID:4348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe
1⤵
PID:1000
- C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe
  C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe
  2⤵
  PID:692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jawnixulwsnvmzgoqx.exe
1⤵
PID:2072
- C:\Users\Admin\AppData\Local\Temp\jawnixulwsnvmzgoqx.exe
  C:\Users\Admin\AppData\Local\Temp\jawnixulwsnvmzgoqx.exe
  2⤵
  PID:4676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe
1⤵
PID:5564
- C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe
  C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe
  2⤵
  PID:4848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe .
1⤵
PID:4556
- C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe
  C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe .
  2⤵
  - Checks computer location settings
  PID:6136
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\umjbxnldpmirjxforzy.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe .
1⤵
PID:5080
- C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe
  C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe .
  2⤵
  - Checks computer location settings
  PID:4092
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\ticrkxshqkdjyjou.exe*."
    3⤵
    PID:3924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe .
1⤵
PID:4596
- C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe
  C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3396
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\umjbxnldpmirjxforzy.exe*."
    3⤵
    PID:5168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe
1⤵
PID:3048
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3152
- C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe
  C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe
  2⤵
  PID:2700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jawnixulwsnvmzgoqx.exe
1⤵
PID:4816
- C:\Users\Admin\AppData\Local\Temp\jawnixulwsnvmzgoqx.exe
  C:\Users\Admin\AppData\Local\Temp\jawnixulwsnvmzgoqx.exe
  2⤵
  PID:2484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe .
1⤵
PID:4480
- C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe
  C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe .
  2⤵
  - Checks computer location settings
  PID:1060
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\umjbxnldpmirjxforzy.exe*."
    3⤵
    PID:5548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe
1⤵
PID:2344
- C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe
  C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe
  2⤵
  PID:3440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe .
1⤵
PID:5448
- C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe
  C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4004
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\hayrofexkifpixgquddw.exe*."
    3⤵
    PID:5764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe .
1⤵
PID:5380
- C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe
  C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe .
  2⤵
  PID:5260
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\umjbxnldpmirjxforzy.exe*."
    3⤵
    PID:4232

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hayrofexkifpixgquddw.exe
1⤵
PID:1084
- C:\Windows\hayrofexkifpixgquddw.exe
  hayrofexkifpixgquddw.exe
  2⤵
  PID:5144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jawnixulwsnvmzgoqx.exe .
1⤵
PID:516
- C:\Windows\jawnixulwsnvmzgoqx.exe
  jawnixulwsnvmzgoqx.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4752
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\jawnixulwsnvmzgoqx.exe*."
    3⤵
    PID:1460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ticrkxshqkdjyjou.exe
1⤵
PID:5092
- C:\Windows\ticrkxshqkdjyjou.exe
  ticrkxshqkdjyjou.exe
  2⤵
  PID:5512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hayrofexkifpixgquddw.exe .
1⤵
PID:2428
- C:\Windows\hayrofexkifpixgquddw.exe
  hayrofexkifpixgquddw.exe .
  2⤵
  - Checks computer location settings
  PID:4932
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\hayrofexkifpixgquddw.exe*."
    3⤵
    PID:6108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe
1⤵
PID:1984
- C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe
  C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe
  2⤵
  PID:4628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe .
1⤵
PID:6076
- C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe
  C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5004
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\umjbxnldpmirjxforzy.exe*."
    3⤵
    PID:1292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe
1⤵
PID:5248
- C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe
  C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe
  2⤵
  PID:388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe .
1⤵
PID:5668
- C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe
  C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4384
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\wqpjhzzthgepjzjuzjked.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqpjhzzthgepjzjuzjked.exe
1⤵
PID:3048
- C:\Windows\wqpjhzzthgepjzjuzjked.exe
  wqpjhzzthgepjzjuzjked.exe
  2⤵
  PID:1480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqlbvjfvfaubrdjqr.exe .
1⤵
PID:4596
- C:\Windows\aqlbvjfvfaubrdjqr.exe
  aqlbvjfvfaubrdjqr.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5208
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\aqlbvjfvfaubrdjqr.exe*."
    3⤵
    PID:3620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqlbvjfvfaubrdjqr.exe
1⤵
PID:2004
- C:\Windows\aqlbvjfvfaubrdjqr.exe
  aqlbvjfvfaubrdjqr.exe
  2⤵
  PID:5936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ticrkxshqkdjyjou.exe .
1⤵
PID:5444
- C:\Windows\ticrkxshqkdjyjou.exe
  ticrkxshqkdjyjou.exe .
  2⤵
  - Checks computer location settings
  PID:1880
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\ticrkxshqkdjyjou.exe*."
    3⤵
    PID:4084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe
1⤵
PID:3184
- C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe
  C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe
  2⤵
  PID:4720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe .
1⤵
PID:6084
- C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe
  C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3336
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\hayrofexkifpixgquddw.exe*."
    3⤵
    PID:4728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe
1⤵
PID:5784
- C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe
  C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe
  2⤵
  PID:1708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe .
1⤵
PID:1020
- C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe
  C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe .
  2⤵
  - Checks computer location settings
  PID:1196
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\aqlbvjfvfaubrdjqr.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jawnixulwsnvmzgoqx.exe
1⤵
PID:2484
- C:\Windows\jawnixulwsnvmzgoqx.exe
  jawnixulwsnvmzgoqx.exe
  2⤵
  PID:4676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c umjbxnldpmirjxforzy.exe .
1⤵
PID:1768
- C:\Windows\umjbxnldpmirjxforzy.exe
  umjbxnldpmirjxforzy.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4104
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\umjbxnldpmirjxforzy.exe*."
    3⤵
    PID:4588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqpjhzzthgepjzjuzjked.exe
1⤵
PID:2936
- C:\Windows\wqpjhzzthgepjzjuzjked.exe
  wqpjhzzthgepjzjuzjked.exe
  2⤵
  PID:548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hayrofexkifpixgquddw.exe .
1⤵
PID:4248
- C:\Windows\hayrofexkifpixgquddw.exe
  hayrofexkifpixgquddw.exe .
  2⤵
  - Checks computer location settings
  PID:552
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\hayrofexkifpixgquddw.exe*."
    3⤵
    PID:6052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe
1⤵
PID:4256
- C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe
  C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe
  2⤵
  PID:5004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe .
1⤵
PID:1936
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5212
- C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe
  C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe .
  2⤵
  - Checks computer location settings
  PID:5648
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\wqpjhzzthgepjzjuzjked.exe*."
    3⤵
    PID:5116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe
1⤵
PID:2700
- C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe
  C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe
  2⤵
  PID:3472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe .
1⤵
PID:5564
- C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe
  C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2648
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\wqpjhzzthgepjzjuzjked.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hayrofexkifpixgquddw.exe
1⤵
PID:1900
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4696
- C:\Windows\hayrofexkifpixgquddw.exe
  hayrofexkifpixgquddw.exe
  2⤵
  PID:1480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c umjbxnldpmirjxforzy.exe .
1⤵
PID:4340
- C:\Windows\umjbxnldpmirjxforzy.exe
  umjbxnldpmirjxforzy.exe .
  2⤵
  PID:4592
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\umjbxnldpmirjxforzy.exe*."
    3⤵
    PID:4640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqpjhzzthgepjzjuzjked.exe
1⤵
PID:1108
- C:\Windows\wqpjhzzthgepjzjuzjked.exe
  wqpjhzzthgepjzjuzjked.exe
  2⤵
  PID:2760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqlbvjfvfaubrdjqr.exe .
1⤵
PID:5632
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5548
- C:\Windows\aqlbvjfvfaubrdjqr.exe
  aqlbvjfvfaubrdjqr.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5380
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\aqlbvjfvfaubrdjqr.exe*."
    3⤵
    PID:5816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe
1⤵
PID:5140
- C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe
  C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe
  2⤵
  PID:1744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jawnixulwsnvmzgoqx.exe .
1⤵
PID:4356
- C:\Users\Admin\AppData\Local\Temp\jawnixulwsnvmzgoqx.exe
  C:\Users\Admin\AppData\Local\Temp\jawnixulwsnvmzgoqx.exe .
  2⤵
  - Checks computer location settings
  PID:5604
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\jawnixulwsnvmzgoqx.exe*."
    3⤵
    PID:2280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe
1⤵
PID:5764
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4456
- C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe
  C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe
  2⤵
  PID:4840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe .
1⤵
PID:3016
- C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe
  C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5264
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\ticrkxshqkdjyjou.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqpjhzzthgepjzjuzjked.exe
1⤵
PID:1020
- C:\Windows\wqpjhzzthgepjzjuzjked.exe
  wqpjhzzthgepjzjuzjked.exe
  2⤵
  PID:5268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c umjbxnldpmirjxforzy.exe .
1⤵
PID:4576
- C:\Windows\umjbxnldpmirjxforzy.exe
  umjbxnldpmirjxforzy.exe .
  2⤵
  - Checks computer location settings
  PID:1808
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\umjbxnldpmirjxforzy.exe*."
    3⤵
    PID:1496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hayrofexkifpixgquddw.exe
1⤵
PID:1796
- C:\Windows\hayrofexkifpixgquddw.exe
  hayrofexkifpixgquddw.exe
  2⤵
  PID:2096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqpjhzzthgepjzjuzjked.exe .
1⤵
PID:3500
- C:\Windows\wqpjhzzthgepjzjuzjked.exe
  wqpjhzzthgepjzjuzjked.exe .
  2⤵
  PID:5464
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\wqpjhzzthgepjzjuzjked.exe*."
    3⤵
    PID:3772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe
1⤵
PID:6140
- C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe
  C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe
  2⤵
  PID:2692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe .
1⤵
PID:1448
- C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe
  C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe .
  2⤵
  PID:1688
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\wqpjhzzthgepjzjuzjked.exe*."
    3⤵
    PID:552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jawnixulwsnvmzgoqx.exe
1⤵
PID:5428
- C:\Users\Admin\AppData\Local\Temp\jawnixulwsnvmzgoqx.exe
  C:\Users\Admin\AppData\Local\Temp\jawnixulwsnvmzgoqx.exe
  2⤵
  PID:1604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe .
1⤵
PID:388
- C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe
  C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe .
  2⤵
  PID:4472
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\aqlbvjfvfaubrdjqr.exe*."
    3⤵
    PID:5892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hayrofexkifpixgquddw.exe
1⤵
PID:4736
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3816
- C:\Windows\hayrofexkifpixgquddw.exe
  hayrofexkifpixgquddw.exe
  2⤵
  PID:1328

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c umjbxnldpmirjxforzy.exe .
1⤵
PID:6136
- C:\Windows\umjbxnldpmirjxforzy.exe
  umjbxnldpmirjxforzy.exe .
  2⤵
  PID:4040
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\umjbxnldpmirjxforzy.exe*."
    3⤵
    PID:3048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cvhzsmaxlyubrdjqr.exe
1⤵
PID:1964
- C:\Windows\cvhzsmaxlyubrdjqr.exe
  cvhzsmaxlyubrdjqr.exe
  2⤵
  PID:4340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ticrkxshqkdjyjou.exe
1⤵
PID:4592
- C:\Windows\ticrkxshqkdjyjou.exe
  ticrkxshqkdjyjou.exe
  2⤵
  PID:1392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jawnixulwsnvmzgoqx.exe .
1⤵
PID:1908
- C:\Windows\jawnixulwsnvmzgoqx.exe
  jawnixulwsnvmzgoqx.exe .
  2⤵
  PID:3956
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\jawnixulwsnvmzgoqx.exe*."
    3⤵
    PID:4364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vnyphanjwidjyjou.exe .
1⤵
PID:4988
- C:\Windows\vnyphanjwidjyjou.exe
  vnyphanjwidjyjou.exe .
  2⤵
  PID:4564
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\vnyphanjwidjyjou.exe*."
    3⤵
    PID:3352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe
1⤵
PID:1744
- C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe
  C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe
  2⤵
  PID:3948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe .
1⤵
PID:5172
- C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe
  C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe .
  2⤵
  PID:2216
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\ticrkxshqkdjyjou.exe*."
    3⤵
    PID:4644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cvhzsmaxlyubrdjqr.exe
1⤵
PID:3156
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:852
- C:\Windows\cvhzsmaxlyubrdjqr.exe
  cvhzsmaxlyubrdjqr.exe
  2⤵
  PID:4124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jfuplizzqgfpixgqudfb.exe .
1⤵
PID:5560
- C:\Windows\jfuplizzqgfpixgqudfb.exe
  jfuplizzqgfpixgqudfb.exe .
  2⤵
  PID:4228
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\jfuplizzqgfpixgqudfb.exe*."
    3⤵
    PID:3032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yvlhecuvneepjzjuzjmjz.exe
1⤵
PID:5272
- C:\Users\Admin\AppData\Local\Temp\yvlhecuvneepjzjuzjmjz.exe
  C:\Users\Admin\AppData\Local\Temp\yvlhecuvneepjzjuzjmjz.exe
  2⤵
  PID:4076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe
1⤵
PID:2288
- C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe
  C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe
  2⤵
  PID:4676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe .
1⤵
PID:5268
- C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe
  C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe .
  2⤵
  PID:5252
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\vnyphanjwidjyjou.exe*."
    3⤵
    PID:2936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe .
1⤵
PID:1020
- C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe
  C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe .
  2⤵
  PID:216
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\aqlbvjfvfaubrdjqr.exe*."
    3⤵
    PID:4844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfslfapncqnvmzgoqx.exe
1⤵
PID:5092
- C:\Users\Admin\AppData\Local\Temp\lfslfapncqnvmzgoqx.exe
  C:\Users\Admin\AppData\Local\Temp\lfslfapncqnvmzgoqx.exe
  2⤵
  PID:4588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yvlhecuvneepjzjuzjmjz.exe .
1⤵
PID:6140
- C:\Users\Admin\AppData\Local\Temp\yvlhecuvneepjzjuzjmjz.exe
  C:\Users\Admin\AppData\Local\Temp\yvlhecuvneepjzjuzjmjz.exe .
  2⤵
  PID:4104
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\yvlhecuvneepjzjuzjmjz.exe*."
    3⤵
    PID:208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqlbvjfvfaubrdjqr.exe
1⤵
PID:1632
- C:\Windows\aqlbvjfvfaubrdjqr.exe
  aqlbvjfvfaubrdjqr.exe
  2⤵
  PID:552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ticrkxshqkdjyjou.exe .
1⤵
PID:1452
- C:\Windows\ticrkxshqkdjyjou.exe
  ticrkxshqkdjyjou.exe .
  2⤵
  PID:5044
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\ticrkxshqkdjyjou.exe*."
    3⤵
    PID:5368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ticrkxshqkdjyjou.exe
1⤵
PID:5920
- C:\Windows\ticrkxshqkdjyjou.exe
  ticrkxshqkdjyjou.exe
  2⤵
  PID:5800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jawnixulwsnvmzgoqx.exe
1⤵
PID:4512
- C:\Windows\jawnixulwsnvmzgoqx.exe
  jawnixulwsnvmzgoqx.exe
  2⤵
  PID:2196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqlbvjfvfaubrdjqr.exe .
1⤵
PID:1460
- C:\Windows\aqlbvjfvfaubrdjqr.exe
  aqlbvjfvfaubrdjqr.exe .
  2⤵
  PID:3996
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\aqlbvjfvfaubrdjqr.exe*."
    3⤵
    PID:1444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ticrkxshqkdjyjou.exe
1⤵
PID:3464
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4420
- C:\Windows\ticrkxshqkdjyjou.exe
  ticrkxshqkdjyjou.exe
  2⤵
  PID:828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jawnixulwsnvmzgoqx.exe .
1⤵
PID:5576
- C:\Windows\jawnixulwsnvmzgoqx.exe
  jawnixulwsnvmzgoqx.exe .
  2⤵
  PID:5608
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\jawnixulwsnvmzgoqx.exe*."
    3⤵
    PID:5604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe
1⤵
PID:3908
- C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe
  C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe
  2⤵
  PID:4704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jawnixulwsnvmzgoqx.exe .
1⤵
PID:1276
- C:\Users\Admin\AppData\Local\Temp\jawnixulwsnvmzgoqx.exe
  C:\Users\Admin\AppData\Local\Temp\jawnixulwsnvmzgoqx.exe .
  2⤵
  PID:4344
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\jawnixulwsnvmzgoqx.exe*."
    3⤵
    PID:3960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hayrofexkifpixgquddw.exe .
1⤵
PID:5196
- C:\Windows\hayrofexkifpixgquddw.exe
  hayrofexkifpixgquddw.exe .
  2⤵
  PID:3428
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\hayrofexkifpixgquddw.exe*."
    3⤵
    PID:1648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jawnixulwsnvmzgoqx.exe
1⤵
PID:4532
- C:\Windows\jawnixulwsnvmzgoqx.exe
  jawnixulwsnvmzgoqx.exe
  2⤵
  PID:4124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ticrkxshqkdjyjou.exe .
1⤵
PID:1564
- C:\Windows\ticrkxshqkdjyjou.exe
  ticrkxshqkdjyjou.exe .
  2⤵
  PID:4816
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\ticrkxshqkdjyjou.exe*."
    3⤵
    PID:3380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe
1⤵
PID:5140
- C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe
  C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe
  2⤵
  PID:3588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ticrkxshqkdjyjou.exe
1⤵
PID:3968
- C:\Windows\ticrkxshqkdjyjou.exe
  ticrkxshqkdjyjou.exe
  2⤵
  PID:4388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe
1⤵
PID:5444
- C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe
  C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe
  2⤵
  PID:2400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe .
1⤵
PID:5728
- C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe
  C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe .
  2⤵
  PID:5004
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\umjbxnldpmirjxforzy.exe*."
    3⤵
    PID:888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqlbvjfvfaubrdjqr.exe .
1⤵
PID:5732
- C:\Windows\aqlbvjfvfaubrdjqr.exe
  aqlbvjfvfaubrdjqr.exe .
  2⤵
  PID:4844
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\aqlbvjfvfaubrdjqr.exe*."
    3⤵
    PID:3288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe .
1⤵
PID:4252
- C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe
  C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe .
  2⤵
  PID:936
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\aqlbvjfvfaubrdjqr.exe*."
    3⤵
    PID:4512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe
1⤵
PID:1456
- C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe
  C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe
  2⤵
  PID:3992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe .
1⤵
PID:5596
- C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe
  C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe .
  2⤵
  PID:5856
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\umjbxnldpmirjxforzy.exe*."
    3⤵
    PID:6032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe
1⤵
PID:5176
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2620
- C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe
  C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe
  2⤵
  PID:2428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe .
1⤵
PID:2204
- C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe
  C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe .
  2⤵
  PID:4980
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\aqlbvjfvfaubrdjqr.exe*."
    3⤵
    PID:3008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe
1⤵
PID:1476
- C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe
  C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe
  2⤵
  PID:3472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe .
1⤵
PID:1584
- C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe
  C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe .
  2⤵
  PID:2760
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\ticrkxshqkdjyjou.exe*."
    3⤵
    PID:5736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hayrofexkifpixgquddw.exe
1⤵
PID:3936
- C:\Windows\hayrofexkifpixgquddw.exe
  hayrofexkifpixgquddw.exe
  2⤵
  PID:5648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqlbvjfvfaubrdjqr.exe .
1⤵
PID:3188
- C:\Windows\aqlbvjfvfaubrdjqr.exe
  aqlbvjfvfaubrdjqr.exe .
  2⤵
  PID:3852
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\aqlbvjfvfaubrdjqr.exe*."
    3⤵
    PID:4908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqlbvjfvfaubrdjqr.exe
1⤵
PID:2112
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4616
- C:\Windows\aqlbvjfvfaubrdjqr.exe
  aqlbvjfvfaubrdjqr.exe
  2⤵
  PID:4772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hayrofexkifpixgquddw.exe .
1⤵
PID:2648
- C:\Windows\hayrofexkifpixgquddw.exe
  hayrofexkifpixgquddw.exe .
  2⤵
  PID:3508
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\hayrofexkifpixgquddw.exe*."
    3⤵
    PID:4780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe
1⤵
PID:3800
- C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe
  C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe
  2⤵
  PID:4420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe .
1⤵
PID:2100
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5816
- C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe
  C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe .
  2⤵
  PID:2216
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\aqlbvjfvfaubrdjqr.exe*."
    3⤵
    PID:1680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe
1⤵
PID:1892
- C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe
  C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe
  2⤵
  PID:3428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe .
1⤵
PID:5448
- C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe
  C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe .
  2⤵
  PID:1636
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\wqpjhzzthgepjzjuzjked.exe*."
    3⤵
    PID:3448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jawnixulwsnvmzgoqx.exe
1⤵
PID:5952
- C:\Windows\jawnixulwsnvmzgoqx.exe
  jawnixulwsnvmzgoqx.exe
  2⤵
  PID:3588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ticrkxshqkdjyjou.exe .
1⤵
PID:3272
- C:\Windows\ticrkxshqkdjyjou.exe
  ticrkxshqkdjyjou.exe .
  2⤵
  PID:3352
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\ticrkxshqkdjyjou.exe*."
    3⤵
    PID:5092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jawnixulwsnvmzgoqx.exe
1⤵
PID:3380
- C:\Windows\jawnixulwsnvmzgoqx.exe
  jawnixulwsnvmzgoqx.exe
  2⤵
  PID:4156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jawnixulwsnvmzgoqx.exe .
1⤵
PID:4448
- C:\Windows\jawnixulwsnvmzgoqx.exe
  jawnixulwsnvmzgoqx.exe .
  2⤵
  PID:5200
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\jawnixulwsnvmzgoqx.exe*."
    3⤵
    PID:1936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe
1⤵
PID:5140
- C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe
  C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe
  2⤵
  PID:5004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe .
1⤵
PID:3772
- C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe
  C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe .
  2⤵
  PID:5876
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\aqlbvjfvfaubrdjqr.exe*."
    3⤵
    PID:5560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe
1⤵
PID:4836
- C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe
  C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe
  2⤵
  PID:5216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe .
1⤵
PID:2732
- C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe
  C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe .
  2⤵
  PID:4664
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\aqlbvjfvfaubrdjqr.exe*."
    3⤵
    PID:5276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqlbvjfvfaubrdjqr.exe
1⤵
PID:5548
- C:\Windows\aqlbvjfvfaubrdjqr.exe
  aqlbvjfvfaubrdjqr.exe
  2⤵
  PID:5264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqpjhzzthgepjzjuzjked.exe .
1⤵
PID:5904
- C:\Windows\wqpjhzzthgepjzjuzjked.exe
  wqpjhzzthgepjzjuzjked.exe .
  2⤵
  PID:3028
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\wqpjhzzthgepjzjuzjked.exe*."
    3⤵
    PID:2856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jawnixulwsnvmzgoqx.exe
1⤵
PID:6072
- C:\Windows\jawnixulwsnvmzgoqx.exe
  jawnixulwsnvmzgoqx.exe
  2⤵
  PID:2004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jawnixulwsnvmzgoqx.exe .
1⤵
PID:1444
- C:\Windows\jawnixulwsnvmzgoqx.exe
  jawnixulwsnvmzgoqx.exe .
  2⤵
  PID:2236
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\jawnixulwsnvmzgoqx.exe*."
    3⤵
    PID:1512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe
1⤵
PID:2204
- C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe
  C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe
  2⤵
  PID:4464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jawnixulwsnvmzgoqx.exe .
1⤵
PID:2468
- C:\Users\Admin\AppData\Local\Temp\jawnixulwsnvmzgoqx.exe
  C:\Users\Admin\AppData\Local\Temp\jawnixulwsnvmzgoqx.exe .
  2⤵
  PID:3800
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\jawnixulwsnvmzgoqx.exe*."
    3⤵
    PID:4672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe
1⤵
PID:3508
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:380
- C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe
  C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe
  2⤵
  PID:5380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe .
1⤵
PID:2700
- C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe
  C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe .
  2⤵
  PID:5980
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\aqlbvjfvfaubrdjqr.exe*."
    3⤵
    PID:3016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hayrofexkifpixgquddw.exe
1⤵
PID:5272
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:548
- C:\Windows\hayrofexkifpixgquddw.exe
  hayrofexkifpixgquddw.exe
  2⤵
  PID:1584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqlbvjfvfaubrdjqr.exe .
1⤵
PID:5696
- C:\Windows\aqlbvjfvfaubrdjqr.exe
  aqlbvjfvfaubrdjqr.exe .
  2⤵
  PID:4736
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\aqlbvjfvfaubrdjqr.exe*."
    3⤵
    PID:2936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jawnixulwsnvmzgoqx.exe
1⤵
PID:1920
- C:\Windows\jawnixulwsnvmzgoqx.exe
  jawnixulwsnvmzgoqx.exe
  2⤵
  PID:3844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqpjhzzthgepjzjuzjked.exe .
1⤵
PID:5208
- C:\Windows\wqpjhzzthgepjzjuzjked.exe
  wqpjhzzthgepjzjuzjked.exe .
  2⤵
  PID:3420
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\wqpjhzzthgepjzjuzjked.exe*."
    3⤵
    PID:1916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe
1⤵
PID:1796
- C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe
  C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe
  2⤵
  PID:3836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe .
1⤵
PID:5444
- C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe
  C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe .
  2⤵
  PID:1280
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\hayrofexkifpixgquddw.exe*."
    3⤵
    PID:3336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe
1⤵
PID:5792
- C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe
  C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe
  2⤵
  PID:5968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe .
1⤵
PID:3184
- C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe
  C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe .
  2⤵
  PID:5104
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\aqlbvjfvfaubrdjqr.exe*."
    3⤵
    PID:4356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hayrofexkifpixgquddw.exe
1⤵
PID:4776
- C:\Windows\hayrofexkifpixgquddw.exe
  hayrofexkifpixgquddw.exe
  2⤵
  PID:6052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c umjbxnldpmirjxforzy.exe .
1⤵
PID:5660
- C:\Windows\umjbxnldpmirjxforzy.exe
  umjbxnldpmirjxforzy.exe .
  2⤵
  PID:4976
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\umjbxnldpmirjxforzy.exe*."
    3⤵
    PID:3052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqpjhzzthgepjzjuzjked.exe
1⤵
PID:4988
- C:\Windows\wqpjhzzthgepjzjuzjked.exe
  wqpjhzzthgepjzjuzjked.exe
  2⤵
  PID:4896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqlbvjfvfaubrdjqr.exe .
1⤵
PID:2464
- C:\Windows\aqlbvjfvfaubrdjqr.exe
  aqlbvjfvfaubrdjqr.exe .
  2⤵
  PID:936
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\aqlbvjfvfaubrdjqr.exe*."
    3⤵
    PID:4588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe
  C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe
  2⤵
  PID:6028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe .
1⤵
PID:2872
- C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe
  C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe .
  2⤵
  PID:4292
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\aqlbvjfvfaubrdjqr.exe*."
    3⤵
    PID:1232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe
1⤵
PID:4772
- C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe
  C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe
  2⤵
  PID:4140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe .
1⤵
PID:4252
- C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe
  C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe .
  2⤵
  PID:2752
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\wqpjhzzthgepjzjuzjked.exe*."
    3⤵
    PID:4420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqlbvjfvfaubrdjqr.exe
1⤵
PID:2236
- C:\Windows\aqlbvjfvfaubrdjqr.exe
  aqlbvjfvfaubrdjqr.exe
  2⤵
  PID:516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jawnixulwsnvmzgoqx.exe .
1⤵
PID:4036
- C:\Windows\jawnixulwsnvmzgoqx.exe
  jawnixulwsnvmzgoqx.exe .
  2⤵
  PID:4756
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\jawnixulwsnvmzgoqx.exe*."
    3⤵
    PID:5148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cvhzsmaxlyubrdjqr.exe
1⤵
PID:1744
- C:\Windows\cvhzsmaxlyubrdjqr.exe
  cvhzsmaxlyubrdjqr.exe
  2⤵
  PID:5632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hayrofexkifpixgquddw.exe
1⤵
PID:3508
- C:\Windows\hayrofexkifpixgquddw.exe
  hayrofexkifpixgquddw.exe
  2⤵
  PID:3964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yvlhecuvneepjzjuzjmjz.exe .
1⤵
PID:756
- C:\Windows\yvlhecuvneepjzjuzjmjz.exe
  yvlhecuvneepjzjuzjmjz.exe .
  2⤵
  PID:4680
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\yvlhecuvneepjzjuzjmjz.exe*."
    3⤵
    PID:4736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ticrkxshqkdjyjou.exe .
1⤵
PID:5984
- C:\Windows\ticrkxshqkdjyjou.exe
  ticrkxshqkdjyjou.exe .
  2⤵
  PID:5248
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\ticrkxshqkdjyjou.exe*."
    3⤵
    PID:2352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jawnixulwsnvmzgoqx.exe
1⤵
PID:1504
- C:\Users\Admin\AppData\Local\Temp\jawnixulwsnvmzgoqx.exe
  C:\Users\Admin\AppData\Local\Temp\jawnixulwsnvmzgoqx.exe
  2⤵
  PID:3300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vnyphanjwidjyjou.exe
1⤵
PID:4084
- C:\Windows\vnyphanjwidjyjou.exe
  vnyphanjwidjyjou.exe
  2⤵
  PID:216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe .
1⤵
PID:1648
- C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe
  C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe .
  2⤵
  PID:3992
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\hayrofexkifpixgquddw.exe*."
    3⤵
    PID:3336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wrfzuqgfvkirjxforza.exe .
1⤵
PID:2864
- C:\Windows\wrfzuqgfvkirjxforza.exe
  wrfzuqgfvkirjxforza.exe .
  2⤵
  PID:2500
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\wrfzuqgfvkirjxforza.exe*."
    3⤵
    PID:1164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe
1⤵
PID:2892
- C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe
  C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe
  2⤵
  PID:4952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yvlhecuvneepjzjuzjmjz.exe .
1⤵
PID:4436
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3692
- C:\Users\Admin\AppData\Local\Temp\yvlhecuvneepjzjuzjmjz.exe
  C:\Users\Admin\AppData\Local\Temp\yvlhecuvneepjzjuzjmjz.exe .
  2⤵
  PID:2776
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\yvlhecuvneepjzjuzjmjz.exe*."
    3⤵
    PID:6052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe
1⤵
PID:4816
- C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe
  C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe
  2⤵
  PID:5464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe .
1⤵
PID:4688
- C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe
  C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe .
  2⤵
  PID:3440
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\wqpjhzzthgepjzjuzjked.exe*."
    3⤵
    PID:4976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe
1⤵
PID:3184
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4104
- C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe
  C:\Users\Admin\AppData\Local\Temp\vnyphanjwidjyjou.exe
  2⤵
  PID:1064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cvhzsmaxlyubrdjqr.exe .
1⤵
PID:3348
- C:\Users\Admin\AppData\Local\Temp\cvhzsmaxlyubrdjqr.exe
  C:\Users\Admin\AppData\Local\Temp\cvhzsmaxlyubrdjqr.exe .
  2⤵
  PID:5728
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\cvhzsmaxlyubrdjqr.exe*."
    3⤵
    PID:6084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hayrofexkifpixgquddw.exe
1⤵
PID:5684
- C:\Windows\hayrofexkifpixgquddw.exe
  hayrofexkifpixgquddw.exe
  2⤵
  PID:5264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqpjhzzthgepjzjuzjked.exe .
1⤵
PID:4224
- C:\Windows\wqpjhzzthgepjzjuzjked.exe
  wqpjhzzthgepjzjuzjked.exe .
  2⤵
  PID:1900
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\wqpjhzzthgepjzjuzjked.exe*."
    3⤵
    PID:2872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hayrofexkifpixgquddw.exe
1⤵
PID:2748
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1264
- C:\Windows\hayrofexkifpixgquddw.exe
  hayrofexkifpixgquddw.exe
  2⤵
  PID:1764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hayrofexkifpixgquddw.exe
1⤵
PID:1824
- C:\Windows\hayrofexkifpixgquddw.exe
  hayrofexkifpixgquddw.exe
  2⤵
  PID:3028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c umjbxnldpmirjxforzy.exe .
1⤵
PID:2804
- C:\Windows\umjbxnldpmirjxforzy.exe
  umjbxnldpmirjxforzy.exe .
  2⤵
  PID:4384
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\umjbxnldpmirjxforzy.exe*."
    3⤵
    PID:4036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ticrkxshqkdjyjou.exe .
1⤵
PID:3516
- C:\Windows\ticrkxshqkdjyjou.exe
  ticrkxshqkdjyjou.exe .
  2⤵
  PID:4404
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\ticrkxshqkdjyjou.exe*."
    3⤵
    PID:1076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqpjhzzthgepjzjuzjked.exe
1⤵
PID:828
- C:\Windows\wqpjhzzthgepjzjuzjked.exe
  wqpjhzzthgepjzjuzjked.exe
  2⤵
  PID:916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe
1⤵
PID:5904
- C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe
  C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe
  2⤵
  PID:1980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hayrofexkifpixgquddw.exe
1⤵
PID:2204
- C:\Windows\hayrofexkifpixgquddw.exe
  hayrofexkifpixgquddw.exe
  2⤵
  PID:3044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe .
1⤵
PID:5260
- C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe
  C:\Users\Admin\AppData\Local\Temp\umjbxnldpmirjxforzy.exe .
  2⤵
  PID:4308
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\umjbxnldpmirjxforzy.exe*."
    3⤵
    PID:5856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqlbvjfvfaubrdjqr.exe .
1⤵
PID:3172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqlbvjfvfaubrdjqr.exe .
1⤵
PID:4444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe
1⤵
PID:5608
- C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe
  C:\Users\Admin\AppData\Local\Temp\ticrkxshqkdjyjou.exe
  2⤵
  PID:5244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wqpjhzzthgepjzjuzjked.exe
1⤵
PID:4040
- C:\Windows\wqpjhzzthgepjzjuzjked.exe
  wqpjhzzthgepjzjuzjked.exe
  2⤵
  PID:3644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe
1⤵
PID:4940
- C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe
  C:\Users\Admin\AppData\Local\Temp\wqpjhzzthgepjzjuzjked.exe
  2⤵
  PID:1784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe .
1⤵
PID:4528
- C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe
  C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe .
  2⤵
  PID:1280
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\hayrofexkifpixgquddw.exe*."
    3⤵
    PID:5636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c umjbxnldpmirjxforzy.exe .
1⤵
PID:4720
- C:\Windows\umjbxnldpmirjxforzy.exe
  umjbxnldpmirjxforzy.exe .
  2⤵
  PID:3396
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\umjbxnldpmirjxforzy.exe*."
    3⤵
    PID:5660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jawnixulwsnvmzgoqx.exe .
1⤵
PID:2280
- C:\Users\Admin\AppData\Local\Temp\jawnixulwsnvmzgoqx.exe
  C:\Users\Admin\AppData\Local\Temp\jawnixulwsnvmzgoqx.exe .
  2⤵
  PID:5004
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\jawnixulwsnvmzgoqx.exe*."
    3⤵
    PID:888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jawnixulwsnvmzgoqx.exe
1⤵
PID:4344
- C:\Users\Admin\AppData\Local\Temp\jawnixulwsnvmzgoqx.exe
  C:\Users\Admin\AppData\Local\Temp\jawnixulwsnvmzgoqx.exe
  2⤵
  PID:2372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jawnixulwsnvmzgoqx.exe .
1⤵
PID:4084
- C:\Users\Admin\AppData\Local\Temp\jawnixulwsnvmzgoqx.exe
  C:\Users\Admin\AppData\Local\Temp\jawnixulwsnvmzgoqx.exe .
  2⤵
  PID:3584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jawnixulwsnvmzgoqx.exe
1⤵
PID:5208
- C:\Users\Admin\AppData\Local\Temp\jawnixulwsnvmzgoqx.exe
  C:\Users\Admin\AppData\Local\Temp\jawnixulwsnvmzgoqx.exe
  2⤵
  PID:2344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe .
1⤵
PID:1648
- C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe
  C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe .
  2⤵
  PID:2540
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\hayrofexkifpixgquddw.exe*."
    3⤵
    PID:3616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe
1⤵
PID:4600
- C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe
  C:\Users\Admin\AppData\Local\Temp\aqlbvjfvfaubrdjqr.exe
  2⤵
  PID:1564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe .
1⤵
PID:720
- C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe
  C:\Users\Admin\AppData\Local\Temp\hayrofexkifpixgquddw.exe .
  2⤵
  PID:4612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ticrkxshqkdjyjou.exe
1⤵
PID:5176
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Safe Mode Boot

T1562.009

Modify Registry