pykspa | 8c97f3444942fcd1aa8d2e9b343b6168d3743302b1c8625d22679fc18490fecc

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	knbdko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	knbdko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvfllmhhefp.exe

Pykspa
Pykspa is a worm spreads via Skype uses DGA and it's written in C++.
worm pykspa
Pykspa family
pykspa

UAC bypass 3 TTPs 32 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	knbdko.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	knbdko.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	knbdko.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	knbdko.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	knbdko.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	knbdko.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	knbdko.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	knbdko.exe

Detect Pykspa worm 2 IoCs

worm

resource	yara_rule
behavioral2/files/0x0006000000021e21-4.dat	family_pykspa
behavioral2/files/0x00070000000242ec-80.dat	family_pykspa

Adds policy Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rzszluduapq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xnodxofespyqemvygiy.exe"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ozvfugsmvnrenq = "zrulhatukjuoeozeoskne.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ozvfugsmvnrenq = "kbdtogyynlvodmwajmdf.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ozvfugsmvnrenq = "kbdtogyynlvodmwajmdf.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ozvfugsmvnrenq = "drqdvkzwidkamszag.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rzszluduapq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wjhtkymitntityee.exe"	knbdko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rzszluduapq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xnodxofespyqemvygiy.exe"	knbdko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ozvfugsmvnrenq = "kbdtogyynlvodmwajmdf.exe"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rzszluduapq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xnodxofespyqemvygiy.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ozvfugsmvnrenq = "mbbpiyomzvduhowyfg.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ozvfugsmvnrenq = "mbbpiyomzvduhowyfg.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rzszluduapq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zrulhatukjuoeozeoskne.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ozvfugsmvnrenq = "zrulhatukjuoeozeoskne.exe"	knbdko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ozvfugsmvnrenq = "kbdtogyynlvodmwajmdf.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rzszluduapq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zrulhatukjuoeozeoskne.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ozvfugsmvnrenq = "zrulhatukjuoeozeoskne.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rzszluduapq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xnodxofespyqemvygiy.exe"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ozvfugsmvnrenq = "kbdtogyynlvodmwajmdf.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rzszluduapq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kbdtogyynlvodmwajmdf.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ozvfugsmvnrenq = "drqdvkzwidkamszag.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rzszluduapq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zrulhatukjuoeozeoskne.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ozvfugsmvnrenq = "drqdvkzwidkamszag.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rzszluduapq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wjhtkymitntityee.exe"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ozvfugsmvnrenq = "mbbpiyomzvduhowyfg.exe"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	knbdko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ozvfugsmvnrenq = "mbbpiyomzvduhowyfg.exe"	knbdko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rzszluduapq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kbdtogyynlvodmwajmdf.exe"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ozvfugsmvnrenq = "xnodxofespyqemvygiy.exe"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ozvfugsmvnrenq = "mbbpiyomzvduhowyfg.exe"	knbdko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ozvfugsmvnrenq = "kbdtogyynlvodmwajmdf.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rzszluduapq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zrulhatukjuoeozeoskne.exe"	knbdko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rzszluduapq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kbdtogyynlvodmwajmdf.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rzszluduapq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kbdtogyynlvodmwajmdf.exe"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rzszluduapq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xnodxofespyqemvygiy.exe"	knbdko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rzszluduapq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kbdtogyynlvodmwajmdf.exe"	knbdko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	knbdko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rzszluduapq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zrulhatukjuoeozeoskne.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ozvfugsmvnrenq = "wjhtkymitntityee.exe"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rzszluduapq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xnodxofespyqemvygiy.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rzszluduapq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zrulhatukjuoeozeoskne.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rzszluduapq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kbdtogyynlvodmwajmdf.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rzszluduapq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zrulhatukjuoeozeoskne.exe"	knbdko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ozvfugsmvnrenq = "kbdtogyynlvodmwajmdf.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rzszluduapq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mbbpiyomzvduhowyfg.exe"	knbdko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ozvfugsmvnrenq = "xnodxofespyqemvygiy.exe"	knbdko.exe

Blocklisted process makes network request 6 IoCs

flow	pid	Process
64	1172	Process not Found
70	1172	Process not Found
84	1172	Process not Found
87	5708	Process not Found
88	5708	Process not Found
89	5708	Process not Found

Disables RegEdit via registry modification 6 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	knbdko.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	knbdko.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	knbdko.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	knbdko.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	drqdvkzwidkamszag.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	drqdvkzwidkamszag.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	xnodxofespyqemvygiy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	wjhtkymitntityee.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	drqdvkzwidkamszag.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	wjhtkymitntityee.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	zrulhatukjuoeozeoskne.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	drqdvkzwidkamszag.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	mbbpiyomzvduhowyfg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	xnodxofespyqemvygiy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	xnodxofespyqemvygiy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	xnodxofespyqemvygiy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	mbbpiyomzvduhowyfg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	mbbpiyomzvduhowyfg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	wjhtkymitntityee.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	xnodxofespyqemvygiy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	zrulhatukjuoeozeoskne.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	zrulhatukjuoeozeoskne.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	kbdtogyynlvodmwajmdf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	kbdtogyynlvodmwajmdf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	zrulhatukjuoeozeoskne.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	zrulhatukjuoeozeoskne.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	wjhtkymitntityee.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	wjhtkymitntityee.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	uvfllmhhefp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	wjhtkymitntityee.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	mbbpiyomzvduhowyfg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	xnodxofespyqemvygiy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	mbbpiyomzvduhowyfg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	drqdvkzwidkamszag.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	drqdvkzwidkamszag.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	mbbpiyomzvduhowyfg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	wjhtkymitntityee.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	kbdtogyynlvodmwajmdf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	kbdtogyynlvodmwajmdf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	xnodxofespyqemvygiy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	kbdtogyynlvodmwajmdf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	mbbpiyomzvduhowyfg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	drqdvkzwidkamszag.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	xnodxofespyqemvygiy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	drqdvkzwidkamszag.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	wjhtkymitntityee.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	zrulhatukjuoeozeoskne.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	drqdvkzwidkamszag.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	mbbpiyomzvduhowyfg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	mbbpiyomzvduhowyfg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	JaffaCakes118_8ef2d07270653f6f7e52dd62aaed819b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	zrulhatukjuoeozeoskne.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	drqdvkzwidkamszag.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	zrulhatukjuoeozeoskne.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	wjhtkymitntityee.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	mbbpiyomzvduhowyfg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	xnodxofespyqemvygiy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	wjhtkymitntityee.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	wjhtkymitntityee.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	kbdtogyynlvodmwajmdf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	mbbpiyomzvduhowyfg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	wjhtkymitntityee.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	xnodxofespyqemvygiy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	zrulhatukjuoeozeoskne.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	drqdvkzwidkamszag.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	zrulhatukjuoeozeoskne.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	kbdtogyynlvodmwajmdf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	zrulhatukjuoeozeoskne.exe

Executes dropped EXE 64 IoCs

pid	Process
5980	uvfllmhhefp.exe
4712	mbbpiyomzvduhowyfg.exe
5880	zrulhatukjuoeozeoskne.exe
1756	uvfllmhhefp.exe
5416	zrulhatukjuoeozeoskne.exe
4940	mbbpiyomzvduhowyfg.exe
4508	zrulhatukjuoeozeoskne.exe
5440	uvfllmhhefp.exe
5256	zrulhatukjuoeozeoskne.exe
4336	uvfllmhhefp.exe
3708	zrulhatukjuoeozeoskne.exe
1552	wjhtkymitntityee.exe
5368	uvfllmhhefp.exe
2844	knbdko.exe
1588	knbdko.exe
3572	wjhtkymitntityee.exe
2428	zrulhatukjuoeozeoskne.exe
1172	drqdvkzwidkamszag.exe
2400	zrulhatukjuoeozeoskne.exe
5960	uvfllmhhefp.exe
1984	uvfllmhhefp.exe
5560	zrulhatukjuoeozeoskne.exe
5572	kbdtogyynlvodmwajmdf.exe
1940	xnodxofespyqemvygiy.exe
2492	xnodxofespyqemvygiy.exe
5264	uvfllmhhefp.exe
3628	kbdtogyynlvodmwajmdf.exe
1708	uvfllmhhefp.exe
3092	zrulhatukjuoeozeoskne.exe
4528	mbbpiyomzvduhowyfg.exe
4496	drqdvkzwidkamszag.exe
4796	uvfllmhhefp.exe
4672	uvfllmhhefp.exe
2060	wjhtkymitntityee.exe
5628	drqdvkzwidkamszag.exe
5352	wjhtkymitntityee.exe
6008	zrulhatukjuoeozeoskne.exe
3616	uvfllmhhefp.exe
4772	mbbpiyomzvduhowyfg.exe
4248	uvfllmhhefp.exe
4980	mbbpiyomzvduhowyfg.exe
4680	uvfllmhhefp.exe
1508	kbdtogyynlvodmwajmdf.exe
1800	xnodxofespyqemvygiy.exe
1976	mbbpiyomzvduhowyfg.exe
1644	uvfllmhhefp.exe
1996	kbdtogyynlvodmwajmdf.exe
1584	uvfllmhhefp.exe
2052	xnodxofespyqemvygiy.exe
5564	drqdvkzwidkamszag.exe
3420	uvfllmhhefp.exe
1936	xnodxofespyqemvygiy.exe
4208	xnodxofespyqemvygiy.exe
3028	uvfllmhhefp.exe
5980	mbbpiyomzvduhowyfg.exe
3628	wjhtkymitntityee.exe
4320	kbdtogyynlvodmwajmdf.exe
4988	xnodxofespyqemvygiy.exe
3040	wjhtkymitntityee.exe
4888	uvfllmhhefp.exe
3080	wjhtkymitntityee.exe
4636	wjhtkymitntityee.exe
4752	uvfllmhhefp.exe
5292	wjhtkymitntityee.exe

Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	knbdko.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	knbdko.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	knbdko.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	knbdko.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	knbdko.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	knbdko.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

defense_evasion persistence privilege_escalation

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nxsbpalemdgsa = "zrulhatukjuoeozeoskne.exe ."	knbdko.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oxrzmwgyfvxi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\drqdvkzwidkamszag.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oxrzmwgyfvxi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wjhtkymitntityee.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mbbpiyomzvduhowyfg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wjhtkymitntityee.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nxsbpalemdgsa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wjhtkymitntityee.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oxrzmwgyfvxi = "zrulhatukjuoeozeoskne.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nxsbpalemdgsa = "zrulhatukjuoeozeoskne.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mbbpiyomzvduhowyfg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zrulhatukjuoeozeoskne.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rdalbobwgzescgl = "kbdtogyynlvodmwajmdf.exe"	knbdko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mbbpiyomzvduhowyfg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xnodxofespyqemvygiy.exe"	knbdko.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wjhtkymitntityee = "drqdvkzwidkamszag.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wjhtkymitntityee = "zrulhatukjuoeozeoskne.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mbbpiyomzvduhowyfg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wjhtkymitntityee.exe"	knbdko.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rdalbobwgzescgl = "kbdtogyynlvodmwajmdf.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oxrzmwgyfvxi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\drqdvkzwidkamszag.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oxrzmwgyfvxi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wjhtkymitntityee.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wjhtkymitntityee = "xnodxofespyqemvygiy.exe ."	knbdko.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nxsbpalemdgsa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wjhtkymitntityee.exe ."	knbdko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oxrzmwgyfvxi = "mbbpiyomzvduhowyfg.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rdalbobwgzescgl = "mbbpiyomzvduhowyfg.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wjhtkymitntityee = "wjhtkymitntityee.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rdalbobwgzescgl = "mbbpiyomzvduhowyfg.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rdalbobwgzescgl = "drqdvkzwidkamszag.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wjhtkymitntityee = "kbdtogyynlvodmwajmdf.exe ."	knbdko.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rdalbobwgzescgl = "zrulhatukjuoeozeoskne.exe"	knbdko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mbbpiyomzvduhowyfg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xnodxofespyqemvygiy.exe"	knbdko.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nxsbpalemdgsa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kbdtogyynlvodmwajmdf.exe ."	knbdko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\drqdvkzwidkamszag = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mbbpiyomzvduhowyfg.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mbbpiyomzvduhowyfg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wjhtkymitntityee.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rdalbobwgzescgl = "mbbpiyomzvduhowyfg.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wjhtkymitntityee = "mbbpiyomzvduhowyfg.exe ."	knbdko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\drqdvkzwidkamszag = "C:\\Users\\Admin\\AppData\\Local\\Temp\\drqdvkzwidkamszag.exe ."	knbdko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oxrzmwgyfvxi = "mbbpiyomzvduhowyfg.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rdalbobwgzescgl = "kbdtogyynlvodmwajmdf.exe"	knbdko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mbbpiyomzvduhowyfg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mbbpiyomzvduhowyfg.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nxsbpalemdgsa = "wjhtkymitntityee.exe ."	knbdko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oxrzmwgyfvxi = "mbbpiyomzvduhowyfg.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nxsbpalemdgsa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kbdtogyynlvodmwajmdf.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mbbpiyomzvduhowyfg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kbdtogyynlvodmwajmdf.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nxsbpalemdgsa = "kbdtogyynlvodmwajmdf.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oxrzmwgyfvxi = "xnodxofespyqemvygiy.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mbbpiyomzvduhowyfg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kbdtogyynlvodmwajmdf.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mbbpiyomzvduhowyfg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mbbpiyomzvduhowyfg.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\drqdvkzwidkamszag = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xnodxofespyqemvygiy.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oxrzmwgyfvxi = "xnodxofespyqemvygiy.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rdalbobwgzescgl = "wjhtkymitntityee.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wjhtkymitntityee = "mbbpiyomzvduhowyfg.exe ."	knbdko.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oxrzmwgyfvxi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xnodxofespyqemvygiy.exe"	knbdko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\drqdvkzwidkamszag = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wjhtkymitntityee.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oxrzmwgyfvxi = "zrulhatukjuoeozeoskne.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nxsbpalemdgsa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wjhtkymitntityee.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rdalbobwgzescgl = "zrulhatukjuoeozeoskne.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wjhtkymitntityee = "mbbpiyomzvduhowyfg.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nxsbpalemdgsa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xnodxofespyqemvygiy.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oxrzmwgyfvxi = "xnodxofespyqemvygiy.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wjhtkymitntityee = "zrulhatukjuoeozeoskne.exe ."	knbdko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nxsbpalemdgsa = "wjhtkymitntityee.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rdalbobwgzescgl = "zrulhatukjuoeozeoskne.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oxrzmwgyfvxi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xnodxofespyqemvygiy.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wjhtkymitntityee = "drqdvkzwidkamszag.exe ."	knbdko.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nxsbpalemdgsa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mbbpiyomzvduhowyfg.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wjhtkymitntityee = "wjhtkymitntityee.exe ."	uvfllmhhefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rdalbobwgzescgl = "mbbpiyomzvduhowyfg.exe"	uvfllmhhefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oxrzmwgyfvxi = "kbdtogyynlvodmwajmdf.exe"	uvfllmhhefp.exe

Checks whether UAC is enabled 1 TTPs 46 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	knbdko.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	knbdko.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	knbdko.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	knbdko.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvfllmhhefp.exe

Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs

Possible Turn off User Account Control's privilege elevation for standard users.

Executable Installer File Permissions Weakness

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	knbdko.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	knbdko.exe

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
30	whatismyip.everdot.org
31	whatismyipaddress.com
39	whatismyip.everdot.org
44	www.whatismyip.ca
48	www.showmyipaddress.com
60	www.whatismyip.ca

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\xnodxofespyqemvygiy.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\xnodxofespyqemvygiy.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\zrulhatukjuoeozeoskne.exe	knbdko.exe
File opened for modification	C:\Windows\SysWOW64\wjhtkymitntityeejivtfwkyufzfufkqqvuhfr.wkg	knbdko.exe
File opened for modification	C:\Windows\SysWOW64\mbbpiyomzvduhowyfg.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\mbbpiyomzvduhowyfg.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\kbdtogyynlvodmwajmdf.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\wjhtkymitntityee.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\wjhtkymitntityee.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\qjnfcwqsjjvqhsekvatxpm.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\kbdtogyynlvodmwajmdf.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\wjhtkymitntityee.exe	knbdko.exe
File opened for modification	C:\Windows\SysWOW64\zrulhatukjuoeozeoskne.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\mbbpiyomzvduhowyfg.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\wjhtkymitntityee.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\xnodxofespyqemvygiy.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\wjhtkymitntityee.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\drqdvkzwidkamszag.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\wjhtkymitntityee.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\mbbpiyomzvduhowyfg.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\wjhtkymitntityee.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\xnodxofespyqemvygiy.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\mbbpiyomzvduhowyfg.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\zrulhatukjuoeozeoskne.exe	uvfllmhhefp.exe
File created	C:\Windows\SysWOW64\zbopvybmmvquuojysgivwcfittc.bbv	knbdko.exe
File opened for modification	C:\Windows\SysWOW64\xnodxofespyqemvygiy.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\mbbpiyomzvduhowyfg.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\kbdtogyynlvodmwajmdf.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\zrulhatukjuoeozeoskne.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\zbopvybmmvquuojysgivwcfittc.bbv	knbdko.exe
File opened for modification	C:\Windows\SysWOW64\mbbpiyomzvduhowyfg.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\kbdtogyynlvodmwajmdf.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\kbdtogyynlvodmwajmdf.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\zrulhatukjuoeozeoskne.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\kbdtogyynlvodmwajmdf.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\wjhtkymitntityee.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\qjnfcwqsjjvqhsekvatxpm.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\qjnfcwqsjjvqhsekvatxpm.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\drqdvkzwidkamszag.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\kbdtogyynlvodmwajmdf.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\drqdvkzwidkamszag.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\qjnfcwqsjjvqhsekvatxpm.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\mbbpiyomzvduhowyfg.exe	knbdko.exe
File opened for modification	C:\Windows\SysWOW64\kbdtogyynlvodmwajmdf.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\zrulhatukjuoeozeoskne.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\mbbpiyomzvduhowyfg.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\qjnfcwqsjjvqhsekvatxpm.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\drqdvkzwidkamszag.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\mbbpiyomzvduhowyfg.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\qjnfcwqsjjvqhsekvatxpm.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\kbdtogyynlvodmwajmdf.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\drqdvkzwidkamszag.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\xnodxofespyqemvygiy.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\mbbpiyomzvduhowyfg.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\qjnfcwqsjjvqhsekvatxpm.exe	knbdko.exe
File opened for modification	C:\Windows\SysWOW64\xnodxofespyqemvygiy.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\zrulhatukjuoeozeoskne.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\zrulhatukjuoeozeoskne.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\drqdvkzwidkamszag.exe	knbdko.exe
File opened for modification	C:\Windows\SysWOW64\wjhtkymitntityee.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\drqdvkzwidkamszag.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\xnodxofespyqemvygiy.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\mbbpiyomzvduhowyfg.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\SysWOW64\qjnfcwqsjjvqhsekvatxpm.exe	uvfllmhhefp.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\zbopvybmmvquuojysgivwcfittc.bbv	knbdko.exe
File opened for modification	C:\Program Files (x86)\wjhtkymitntityeejivtfwkyufzfufkqqvuhfr.wkg	knbdko.exe
File created	C:\Program Files (x86)\wjhtkymitntityeejivtfwkyufzfufkqqvuhfr.wkg	knbdko.exe
File opened for modification	C:\Program Files (x86)\zbopvybmmvquuojysgivwcfittc.bbv	knbdko.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\kbdtogyynlvodmwajmdf.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\zrulhatukjuoeozeoskne.exe	knbdko.exe
File opened for modification	C:\Windows\mbbpiyomzvduhowyfg.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\kbdtogyynlvodmwajmdf.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\wjhtkymitntityee.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\zrulhatukjuoeozeoskne.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\kbdtogyynlvodmwajmdf.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\qjnfcwqsjjvqhsekvatxpm.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\drqdvkzwidkamszag.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\xnodxofespyqemvygiy.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\mbbpiyomzvduhowyfg.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\kbdtogyynlvodmwajmdf.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\qjnfcwqsjjvqhsekvatxpm.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\mbbpiyomzvduhowyfg.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\mbbpiyomzvduhowyfg.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\zrulhatukjuoeozeoskne.exe	knbdko.exe
File opened for modification	C:\Windows\wjhtkymitntityee.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\kbdtogyynlvodmwajmdf.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\xnodxofespyqemvygiy.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\zrulhatukjuoeozeoskne.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\wjhtkymitntityee.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\xnodxofespyqemvygiy.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\qjnfcwqsjjvqhsekvatxpm.exe	knbdko.exe
File opened for modification	C:\Windows\wjhtkymitntityeejivtfwkyufzfufkqqvuhfr.wkg	knbdko.exe
File opened for modification	C:\Windows\xnodxofespyqemvygiy.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\wjhtkymitntityee.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\drqdvkzwidkamszag.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\mbbpiyomzvduhowyfg.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\xnodxofespyqemvygiy.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\qjnfcwqsjjvqhsekvatxpm.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\xnodxofespyqemvygiy.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\drqdvkzwidkamszag.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\drqdvkzwidkamszag.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\kbdtogyynlvodmwajmdf.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\wjhtkymitntityee.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\qjnfcwqsjjvqhsekvatxpm.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\zrulhatukjuoeozeoskne.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\wjhtkymitntityee.exe	knbdko.exe
File opened for modification	C:\Windows\qjnfcwqsjjvqhsekvatxpm.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\wjhtkymitntityee.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\qjnfcwqsjjvqhsekvatxpm.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\wjhtkymitntityee.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\qjnfcwqsjjvqhsekvatxpm.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\wjhtkymitntityee.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\wjhtkymitntityee.exe	knbdko.exe
File opened for modification	C:\Windows\wjhtkymitntityee.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\wjhtkymitntityee.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\kbdtogyynlvodmwajmdf.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\mbbpiyomzvduhowyfg.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\kbdtogyynlvodmwajmdf.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\xnodxofespyqemvygiy.exe	knbdko.exe
File opened for modification	C:\Windows\xnodxofespyqemvygiy.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\mbbpiyomzvduhowyfg.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\drqdvkzwidkamszag.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\qjnfcwqsjjvqhsekvatxpm.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\qjnfcwqsjjvqhsekvatxpm.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\drqdvkzwidkamszag.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\zrulhatukjuoeozeoskne.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\drqdvkzwidkamszag.exe	knbdko.exe
File opened for modification	C:\Windows\qjnfcwqsjjvqhsekvatxpm.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\mbbpiyomzvduhowyfg.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\mbbpiyomzvduhowyfg.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\mbbpiyomzvduhowyfg.exe	uvfllmhhefp.exe
File opened for modification	C:\Windows\qjnfcwqsjjvqhsekvatxpm.exe	knbdko.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wjhtkymitntityee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	drqdvkzwidkamszag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	drqdvkzwidkamszag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mbbpiyomzvduhowyfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	drqdvkzwidkamszag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wjhtkymitntityee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zrulhatukjuoeozeoskne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kbdtogyynlvodmwajmdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wjhtkymitntityee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mbbpiyomzvduhowyfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mbbpiyomzvduhowyfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zrulhatukjuoeozeoskne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zrulhatukjuoeozeoskne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mbbpiyomzvduhowyfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mbbpiyomzvduhowyfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xnodxofespyqemvygiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mbbpiyomzvduhowyfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kbdtogyynlvodmwajmdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xnodxofespyqemvygiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zrulhatukjuoeozeoskne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kbdtogyynlvodmwajmdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8ef2d07270653f6f7e52dd62aaed819b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wjhtkymitntityee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	drqdvkzwidkamszag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xnodxofespyqemvygiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mbbpiyomzvduhowyfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wjhtkymitntityee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kbdtogyynlvodmwajmdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mbbpiyomzvduhowyfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xnodxofespyqemvygiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kbdtogyynlvodmwajmdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kbdtogyynlvodmwajmdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xnodxofespyqemvygiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zrulhatukjuoeozeoskne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zrulhatukjuoeozeoskne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	drqdvkzwidkamszag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	drqdvkzwidkamszag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zrulhatukjuoeozeoskne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wjhtkymitntityee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xnodxofespyqemvygiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mbbpiyomzvduhowyfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kbdtogyynlvodmwajmdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xnodxofespyqemvygiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wjhtkymitntityee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wjhtkymitntityee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	drqdvkzwidkamszag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kbdtogyynlvodmwajmdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xnodxofespyqemvygiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mbbpiyomzvduhowyfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	drqdvkzwidkamszag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mbbpiyomzvduhowyfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wjhtkymitntityee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mbbpiyomzvduhowyfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	drqdvkzwidkamszag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	drqdvkzwidkamszag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xnodxofespyqemvygiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	drqdvkzwidkamszag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	drqdvkzwidkamszag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zrulhatukjuoeozeoskne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	drqdvkzwidkamszag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mbbpiyomzvduhowyfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zrulhatukjuoeozeoskne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mbbpiyomzvduhowyfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	drqdvkzwidkamszag.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3068	JaffaCakes118_8ef2d07270653f6f7e52dd62aaed819b.exe
3068	JaffaCakes118_8ef2d07270653f6f7e52dd62aaed819b.exe
3068	JaffaCakes118_8ef2d07270653f6f7e52dd62aaed819b.exe
3068	JaffaCakes118_8ef2d07270653f6f7e52dd62aaed819b.exe
3068	JaffaCakes118_8ef2d07270653f6f7e52dd62aaed819b.exe
3068	JaffaCakes118_8ef2d07270653f6f7e52dd62aaed819b.exe
3068	JaffaCakes118_8ef2d07270653f6f7e52dd62aaed819b.exe
3068	JaffaCakes118_8ef2d07270653f6f7e52dd62aaed819b.exe
3068	JaffaCakes118_8ef2d07270653f6f7e52dd62aaed819b.exe
3068	JaffaCakes118_8ef2d07270653f6f7e52dd62aaed819b.exe
3068	JaffaCakes118_8ef2d07270653f6f7e52dd62aaed819b.exe
3068	JaffaCakes118_8ef2d07270653f6f7e52dd62aaed819b.exe
3068	JaffaCakes118_8ef2d07270653f6f7e52dd62aaed819b.exe
3068	JaffaCakes118_8ef2d07270653f6f7e52dd62aaed819b.exe
3068	JaffaCakes118_8ef2d07270653f6f7e52dd62aaed819b.exe
3068	JaffaCakes118_8ef2d07270653f6f7e52dd62aaed819b.exe
2844	knbdko.exe
2844	knbdko.exe
3068	JaffaCakes118_8ef2d07270653f6f7e52dd62aaed819b.exe
3068	JaffaCakes118_8ef2d07270653f6f7e52dd62aaed819b.exe
3068	JaffaCakes118_8ef2d07270653f6f7e52dd62aaed819b.exe
3068	JaffaCakes118_8ef2d07270653f6f7e52dd62aaed819b.exe
3068	JaffaCakes118_8ef2d07270653f6f7e52dd62aaed819b.exe
3068	JaffaCakes118_8ef2d07270653f6f7e52dd62aaed819b.exe
3068	JaffaCakes118_8ef2d07270653f6f7e52dd62aaed819b.exe
3068	JaffaCakes118_8ef2d07270653f6f7e52dd62aaed819b.exe
3068	JaffaCakes118_8ef2d07270653f6f7e52dd62aaed819b.exe
3068	JaffaCakes118_8ef2d07270653f6f7e52dd62aaed819b.exe
3068	JaffaCakes118_8ef2d07270653f6f7e52dd62aaed819b.exe
3068	JaffaCakes118_8ef2d07270653f6f7e52dd62aaed819b.exe
3068	JaffaCakes118_8ef2d07270653f6f7e52dd62aaed819b.exe
3068	JaffaCakes118_8ef2d07270653f6f7e52dd62aaed819b.exe
3068	JaffaCakes118_8ef2d07270653f6f7e52dd62aaed819b.exe
3068	JaffaCakes118_8ef2d07270653f6f7e52dd62aaed819b.exe
3068	JaffaCakes118_8ef2d07270653f6f7e52dd62aaed819b.exe
3068	JaffaCakes118_8ef2d07270653f6f7e52dd62aaed819b.exe
3068	JaffaCakes118_8ef2d07270653f6f7e52dd62aaed819b.exe
3068	JaffaCakes118_8ef2d07270653f6f7e52dd62aaed819b.exe
3068	JaffaCakes118_8ef2d07270653f6f7e52dd62aaed819b.exe
3068	JaffaCakes118_8ef2d07270653f6f7e52dd62aaed819b.exe
3068	JaffaCakes118_8ef2d07270653f6f7e52dd62aaed819b.exe
3068	JaffaCakes118_8ef2d07270653f6f7e52dd62aaed819b.exe
3068	JaffaCakes118_8ef2d07270653f6f7e52dd62aaed819b.exe
3068	JaffaCakes118_8ef2d07270653f6f7e52dd62aaed819b.exe
3068	JaffaCakes118_8ef2d07270653f6f7e52dd62aaed819b.exe
3068	JaffaCakes118_8ef2d07270653f6f7e52dd62aaed819b.exe
3068	JaffaCakes118_8ef2d07270653f6f7e52dd62aaed819b.exe
3068	JaffaCakes118_8ef2d07270653f6f7e52dd62aaed819b.exe
3068	JaffaCakes118_8ef2d07270653f6f7e52dd62aaed819b.exe
3068	JaffaCakes118_8ef2d07270653f6f7e52dd62aaed819b.exe
2844	knbdko.exe
2844	knbdko.exe
3068	JaffaCakes118_8ef2d07270653f6f7e52dd62aaed819b.exe
3068	JaffaCakes118_8ef2d07270653f6f7e52dd62aaed819b.exe
3068	JaffaCakes118_8ef2d07270653f6f7e52dd62aaed819b.exe
3068	JaffaCakes118_8ef2d07270653f6f7e52dd62aaed819b.exe
3068	JaffaCakes118_8ef2d07270653f6f7e52dd62aaed819b.exe
3068	JaffaCakes118_8ef2d07270653f6f7e52dd62aaed819b.exe
3068	JaffaCakes118_8ef2d07270653f6f7e52dd62aaed819b.exe
3068	JaffaCakes118_8ef2d07270653f6f7e52dd62aaed819b.exe
3068	JaffaCakes118_8ef2d07270653f6f7e52dd62aaed819b.exe
3068	JaffaCakes118_8ef2d07270653f6f7e52dd62aaed819b.exe
3068	JaffaCakes118_8ef2d07270653f6f7e52dd62aaed819b.exe
3068	JaffaCakes118_8ef2d07270653f6f7e52dd62aaed819b.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2844	knbdko.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 5980	3068	JaffaCakes118_8ef2d07270653f6f7e52dd62aaed819b.exe	88
PID 3068 wrote to memory of 5980	3068	JaffaCakes118_8ef2d07270653f6f7e52dd62aaed819b.exe	88
PID 3068 wrote to memory of 5980	3068	JaffaCakes118_8ef2d07270653f6f7e52dd62aaed819b.exe	88
PID 4828 wrote to memory of 4712	4828	cmd.exe	91
PID 4828 wrote to memory of 4712	4828	cmd.exe	91
PID 4828 wrote to memory of 4712	4828	cmd.exe	91
PID 2444 wrote to memory of 5880	2444	cmd.exe	94
PID 2444 wrote to memory of 5880	2444	cmd.exe	94
PID 2444 wrote to memory of 5880	2444	cmd.exe	94
PID 5880 wrote to memory of 1756	5880	zrulhatukjuoeozeoskne.exe	97
PID 5880 wrote to memory of 1756	5880	zrulhatukjuoeozeoskne.exe	97
PID 5880 wrote to memory of 1756	5880	zrulhatukjuoeozeoskne.exe	97
PID 4796 wrote to memory of 5416	4796	cmd.exe	100
PID 4796 wrote to memory of 5416	4796	cmd.exe	100
PID 4796 wrote to memory of 5416	4796	cmd.exe	100
PID 4764 wrote to memory of 4940	4764	cmd.exe	103
PID 4764 wrote to memory of 4940	4764	cmd.exe	103
PID 4764 wrote to memory of 4940	4764	cmd.exe	103
PID 5488 wrote to memory of 4508	5488	cmd.exe	106
PID 5488 wrote to memory of 4508	5488	cmd.exe	106
PID 5488 wrote to memory of 4508	5488	cmd.exe	106
PID 4940 wrote to memory of 5440	4940	mbbpiyomzvduhowyfg.exe	107
PID 4940 wrote to memory of 5440	4940	mbbpiyomzvduhowyfg.exe	107
PID 4940 wrote to memory of 5440	4940	mbbpiyomzvduhowyfg.exe	107
PID 4996 wrote to memory of 5256	4996	cmd.exe	108
PID 4996 wrote to memory of 5256	4996	cmd.exe	108
PID 4996 wrote to memory of 5256	4996	cmd.exe	108
PID 5256 wrote to memory of 4336	5256	zrulhatukjuoeozeoskne.exe	109
PID 5256 wrote to memory of 4336	5256	zrulhatukjuoeozeoskne.exe	109
PID 5256 wrote to memory of 4336	5256	zrulhatukjuoeozeoskne.exe	109
PID 1004 wrote to memory of 3708	1004	cmd.exe	114
PID 1004 wrote to memory of 3708	1004	cmd.exe	114
PID 1004 wrote to memory of 3708	1004	cmd.exe	114
PID 744 wrote to memory of 1552	744	cmd.exe	115
PID 744 wrote to memory of 1552	744	cmd.exe	115
PID 744 wrote to memory of 1552	744	cmd.exe	115
PID 1552 wrote to memory of 5368	1552	wjhtkymitntityee.exe	116
PID 1552 wrote to memory of 5368	1552	wjhtkymitntityee.exe	116
PID 1552 wrote to memory of 5368	1552	wjhtkymitntityee.exe	116
PID 5980 wrote to memory of 2844	5980	uvfllmhhefp.exe	117
PID 5980 wrote to memory of 2844	5980	uvfllmhhefp.exe	117
PID 5980 wrote to memory of 2844	5980	uvfllmhhefp.exe	117
PID 5980 wrote to memory of 1588	5980	uvfllmhhefp.exe	118
PID 5980 wrote to memory of 1588	5980	uvfllmhhefp.exe	118
PID 5980 wrote to memory of 1588	5980	uvfllmhhefp.exe	118
PID 2948 wrote to memory of 3572	2948	cmd.exe	123
PID 2948 wrote to memory of 3572	2948	cmd.exe	123
PID 2948 wrote to memory of 3572	2948	cmd.exe	123
PID 5564 wrote to memory of 2428	5564	cmd.exe	202
PID 5564 wrote to memory of 2428	5564	cmd.exe	202
PID 5564 wrote to memory of 2428	5564	cmd.exe	202
PID 1416 wrote to memory of 1172	1416	cmd.exe	129
PID 1416 wrote to memory of 1172	1416	cmd.exe	129
PID 1416 wrote to memory of 1172	1416	cmd.exe	129
PID 3128 wrote to memory of 2400	3128	cmd.exe	130
PID 3128 wrote to memory of 2400	3128	cmd.exe	130
PID 3128 wrote to memory of 2400	3128	cmd.exe	130
PID 1172 wrote to memory of 5960	1172	drqdvkzwidkamszag.exe	135
PID 1172 wrote to memory of 5960	1172	drqdvkzwidkamszag.exe	135
PID 1172 wrote to memory of 5960	1172	drqdvkzwidkamszag.exe	135
PID 2400 wrote to memory of 1984	2400	zrulhatukjuoeozeoskne.exe	139
PID 2400 wrote to memory of 1984	2400	zrulhatukjuoeozeoskne.exe	139
PID 2400 wrote to memory of 1984	2400	zrulhatukjuoeozeoskne.exe	139
PID 4108 wrote to memory of 5560	4108	cmd.exe	141

System policy modification 1 TTPs 64 IoCs

defense_evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	knbdko.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	knbdko.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	knbdko.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	knbdko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	knbdko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	knbdko.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	knbdko.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	knbdko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	knbdko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	knbdko.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	knbdko.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	knbdko.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	knbdko.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	knbdko.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	knbdko.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	knbdko.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	knbdko.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	knbdko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	knbdko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	knbdko.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	knbdko.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	knbdko.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uvfllmhhefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	uvfllmhhefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvfllmhhefp.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8ef2d07270653f6f7e52dd62aaed819b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8ef2d07270653f6f7e52dd62aaed819b.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
  "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_8ef2d07270653f6f7e52dd62aaed819b.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Hijack Execution Flow: Executable Installer File Permissions Weakness
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:5980
- - C:\Users\Admin\AppData\Local\Temp\knbdko.exe
    "C:\Users\Admin\AppData\Local\Temp\knbdko.exe" "-C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:2844
- - C:\Users\Admin\AppData\Local\Temp\knbdko.exe
    "C:\Users\Admin\AppData\Local\Temp\knbdko.exe" "-C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mbbpiyomzvduhowyfg.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4828
- C:\Windows\mbbpiyomzvduhowyfg.exe
  mbbpiyomzvduhowyfg.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zrulhatukjuoeozeoskne.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Windows\zrulhatukjuoeozeoskne.exe
  zrulhatukjuoeozeoskne.exe .
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5880
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\zrulhatukjuoeozeoskne.exe*."
    3⤵
    - Executes dropped EXE
    PID:1756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zrulhatukjuoeozeoskne.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4796
- C:\Windows\zrulhatukjuoeozeoskne.exe
  zrulhatukjuoeozeoskne.exe
  2⤵
  - Executes dropped EXE
  PID:5416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mbbpiyomzvduhowyfg.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Windows\mbbpiyomzvduhowyfg.exe
  mbbpiyomzvduhowyfg.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4940
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\mbbpiyomzvduhowyfg.exe*."
    3⤵
    - Executes dropped EXE
    PID:5440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5488
- C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe
  C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe
  2⤵
  - Executes dropped EXE
  PID:4508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:4996
- C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe
  C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5256
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\zrulhatukjuoeozeoskne.exe*."
    3⤵
    - Executes dropped EXE
    PID:4336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1004
- C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe
  C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe
  2⤵
  - Executes dropped EXE
  PID:3708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:744
- C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
  C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1552
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\wjhtkymitntityee.exe*."
    3⤵
    - Executes dropped EXE
    PID:5368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wjhtkymitntityee.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Windows\wjhtkymitntityee.exe
  wjhtkymitntityee.exe
  2⤵
  - Executes dropped EXE
  PID:3572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zrulhatukjuoeozeoskne.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5564
- C:\Windows\zrulhatukjuoeozeoskne.exe
  zrulhatukjuoeozeoskne.exe
  2⤵
  - Executes dropped EXE
  PID:2428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c drqdvkzwidkamszag.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Windows\drqdvkzwidkamszag.exe
  drqdvkzwidkamszag.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1172
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\drqdvkzwidkamszag.exe*."
    3⤵
    - Executes dropped EXE
    PID:5960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zrulhatukjuoeozeoskne.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:3128
- C:\Windows\zrulhatukjuoeozeoskne.exe
  zrulhatukjuoeozeoskne.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\zrulhatukjuoeozeoskne.exe*."
    3⤵
    - Executes dropped EXE
    PID:1984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zrulhatukjuoeozeoskne.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4108
- C:\Windows\zrulhatukjuoeozeoskne.exe
  zrulhatukjuoeozeoskne.exe
  2⤵
  - Executes dropped EXE
  PID:5560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kbdtogyynlvodmwajmdf.exe
1⤵
PID:4168
- C:\Windows\kbdtogyynlvodmwajmdf.exe
  kbdtogyynlvodmwajmdf.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xnodxofespyqemvygiy.exe .
1⤵
PID:2288
- C:\Windows\xnodxofespyqemvygiy.exe
  xnodxofespyqemvygiy.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2492
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\xnodxofespyqemvygiy.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xnodxofespyqemvygiy.exe .
1⤵
PID:1736
- C:\Windows\xnodxofespyqemvygiy.exe
  xnodxofespyqemvygiy.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1940
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\xnodxofespyqemvygiy.exe*."
    3⤵
    - Executes dropped EXE
    PID:1708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe
1⤵
PID:5640
- C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe
  C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe
  2⤵
  - Executes dropped EXE
  PID:3628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe
1⤵
PID:6016
- C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe
  C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe .
1⤵
PID:4860
- C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe
  C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4528
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\mbbpiyomzvduhowyfg.exe*."
    3⤵
    - Executes dropped EXE
    PID:4672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe .
1⤵
PID:5068
- C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe
  C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3092
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\zrulhatukjuoeozeoskne.exe*."
    3⤵
    - Executes dropped EXE
    PID:4796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
1⤵
PID:3888
- C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
  C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
  2⤵
  - Executes dropped EXE
  PID:5352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe
1⤵
PID:6036
- C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe
  C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe
  2⤵
  - Executes dropped EXE
  PID:5628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe .
1⤵
PID:4548
- C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
  C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2060
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\wjhtkymitntityee.exe*."
    3⤵
    - Executes dropped EXE
    PID:3616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe .
1⤵
PID:4556
- C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe
  C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe .
  2⤵
  - Executes dropped EXE
  PID:6008
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\zrulhatukjuoeozeoskne.exe*."
    3⤵
    - Executes dropped EXE
    PID:4248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mbbpiyomzvduhowyfg.exe
1⤵
PID:5764
- C:\Windows\mbbpiyomzvduhowyfg.exe
  mbbpiyomzvduhowyfg.exe
  2⤵
  - Executes dropped EXE
  PID:4772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mbbpiyomzvduhowyfg.exe .
1⤵
PID:5268
- C:\Windows\mbbpiyomzvduhowyfg.exe
  mbbpiyomzvduhowyfg.exe .
  2⤵
  - Executes dropped EXE
  PID:4980
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\mbbpiyomzvduhowyfg.exe*."
    3⤵
    - Executes dropped EXE
    PID:4680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kbdtogyynlvodmwajmdf.exe
1⤵
PID:3660
- C:\Windows\kbdtogyynlvodmwajmdf.exe
  kbdtogyynlvodmwajmdf.exe
  2⤵
  - Executes dropped EXE
  PID:1508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xnodxofespyqemvygiy.exe .
1⤵
PID:1400
- C:\Windows\xnodxofespyqemvygiy.exe
  xnodxofespyqemvygiy.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1800
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\xnodxofespyqemvygiy.exe*."
    3⤵
    - Executes dropped EXE
    PID:1644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe
1⤵
PID:3084
- C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe
  C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe
  2⤵
  - Executes dropped EXE
  PID:1976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe .
1⤵
PID:3960
- C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe
  C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1996
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\kbdtogyynlvodmwajmdf.exe*."
    3⤵
    - Executes dropped EXE
    PID:1584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe
1⤵
PID:3856
- C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe
  C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe
  2⤵
  - Executes dropped EXE
  PID:2052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe .
1⤵
PID:1344
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2428
- C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe
  C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:5564
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\drqdvkzwidkamszag.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xnodxofespyqemvygiy.exe
1⤵
PID:4456
- C:\Windows\xnodxofespyqemvygiy.exe
  xnodxofespyqemvygiy.exe
  2⤵
  - Executes dropped EXE
  PID:1936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xnodxofespyqemvygiy.exe .
1⤵
PID:6000
- C:\Windows\xnodxofespyqemvygiy.exe
  xnodxofespyqemvygiy.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4208
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\xnodxofespyqemvygiy.exe*."
    3⤵
    - Executes dropped EXE
    PID:3028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mbbpiyomzvduhowyfg.exe
1⤵
PID:5480
- C:\Windows\mbbpiyomzvduhowyfg.exe
  mbbpiyomzvduhowyfg.exe
  2⤵
  - Executes dropped EXE
  PID:5980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wjhtkymitntityee.exe .
1⤵
PID:2532
- C:\Windows\wjhtkymitntityee.exe
  wjhtkymitntityee.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3628
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\wjhtkymitntityee.exe*."
    3⤵
    - Executes dropped EXE
    PID:4888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kbdtogyynlvodmwajmdf.exe
1⤵
PID:228
- C:\Windows\kbdtogyynlvodmwajmdf.exe
  kbdtogyynlvodmwajmdf.exe
  2⤵
  - Executes dropped EXE
  PID:4320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xnodxofespyqemvygiy.exe
1⤵
PID:1708
- C:\Windows\xnodxofespyqemvygiy.exe
  xnodxofespyqemvygiy.exe
  2⤵
  - Executes dropped EXE
  PID:4988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
1⤵
PID:5912
- C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
  C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
  2⤵
  - Executes dropped EXE
  PID:3040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe .
1⤵
PID:5288
- C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
  C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3080
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\wjhtkymitntityee.exe*."
    3⤵
    - Executes dropped EXE
    PID:4752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wjhtkymitntityee.exe .
1⤵
PID:860
- C:\Windows\wjhtkymitntityee.exe
  wjhtkymitntityee.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4636
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\wjhtkymitntityee.exe*."
    3⤵
    PID:4408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wjhtkymitntityee.exe .
1⤵
PID:4816
- C:\Windows\wjhtkymitntityee.exe
  wjhtkymitntityee.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5292
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\wjhtkymitntityee.exe*."
    3⤵
    PID:4776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kbdtogyynlvodmwajmdf.exe
1⤵
PID:4512
- C:\Windows\kbdtogyynlvodmwajmdf.exe
  kbdtogyynlvodmwajmdf.exe
  2⤵
  PID:5020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wjhtkymitntityee.exe
1⤵
PID:4508
- C:\Windows\wjhtkymitntityee.exe
  wjhtkymitntityee.exe
  2⤵
  PID:4004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe
1⤵
PID:4812
- C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe
  C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe
  2⤵
  PID:4760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xnodxofespyqemvygiy.exe .
1⤵
PID:5700
- C:\Windows\xnodxofespyqemvygiy.exe
  xnodxofespyqemvygiy.exe .
  2⤵
  - Checks computer location settings
  PID:6060
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\xnodxofespyqemvygiy.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe .
1⤵
PID:4684
- C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe
  C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe .
  2⤵
  PID:1580
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\mbbpiyomzvduhowyfg.exe*."
    3⤵
    PID:1808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c drqdvkzwidkamszag.exe .
1⤵
PID:4864
- C:\Windows\drqdvkzwidkamszag.exe
  drqdvkzwidkamszag.exe .
  2⤵
  - Checks computer location settings
  PID:5256
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\drqdvkzwidkamszag.exe*."
    3⤵
    PID:736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe
1⤵
PID:408
- C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe
  C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe
  2⤵
  PID:552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe
1⤵
PID:2032
- C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe
  C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe
  2⤵
  PID:5432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe .
1⤵
PID:4904
- C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
  C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe .
  2⤵
  - Checks computer location settings
  PID:4124
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\wjhtkymitntityee.exe*."
    3⤵
    PID:5040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe .
1⤵
PID:3044
- C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
  C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe .
  2⤵
  - Checks computer location settings
  PID:5592
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\wjhtkymitntityee.exe*."
    3⤵
    PID:5264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe
1⤵
PID:5248
- C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe
  C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe
  2⤵
  PID:4076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe
1⤵
PID:2708
- C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe
  C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe
  2⤵
  PID:4468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe .
1⤵
PID:2816
- C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe
  C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe .
  2⤵
  - Checks computer location settings
  PID:1720
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\kbdtogyynlvodmwajmdf.exe*."
    3⤵
    PID:5612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe .
1⤵
PID:3212
- C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe
  C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe .
  2⤵
  PID:1412
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\xnodxofespyqemvygiy.exe*."
    3⤵
    PID:1108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mbbpiyomzvduhowyfg.exe
1⤵
PID:4324
- C:\Windows\mbbpiyomzvduhowyfg.exe
  mbbpiyomzvduhowyfg.exe
  2⤵
  PID:6136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mbbpiyomzvduhowyfg.exe .
1⤵
PID:3368
- C:\Windows\mbbpiyomzvduhowyfg.exe
  mbbpiyomzvduhowyfg.exe .
  2⤵
  PID:216
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\mbbpiyomzvduhowyfg.exe*."
    3⤵
    PID:5088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zrulhatukjuoeozeoskne.exe
1⤵
PID:5480
- C:\Windows\zrulhatukjuoeozeoskne.exe
  zrulhatukjuoeozeoskne.exe
  2⤵
  PID:4504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c drqdvkzwidkamszag.exe .
1⤵
PID:5224
- C:\Windows\drqdvkzwidkamszag.exe
  drqdvkzwidkamszag.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3968
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\drqdvkzwidkamszag.exe*."
    3⤵
    PID:768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe
1⤵
PID:2288
- C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe
  C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe
  2⤵
  PID:5912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe .
1⤵
PID:1556
- C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
  C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5924
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\wjhtkymitntityee.exe*."
    3⤵
    PID:4752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe
1⤵
PID:456
- C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe
  C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe
  2⤵
  PID:4740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe .
1⤵
PID:5624
- C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe
  C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe .
  2⤵
  - Checks computer location settings
  PID:2748
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\kbdtogyynlvodmwajmdf.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kbdtogyynlvodmwajmdf.exe
1⤵
PID:1420
- C:\Windows\kbdtogyynlvodmwajmdf.exe
  kbdtogyynlvodmwajmdf.exe
  2⤵
  PID:4900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kbdtogyynlvodmwajmdf.exe .
1⤵
PID:5936
- C:\Windows\kbdtogyynlvodmwajmdf.exe
  kbdtogyynlvodmwajmdf.exe .
  2⤵
  - Checks computer location settings
  PID:6012
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\kbdtogyynlvodmwajmdf.exe*."
    3⤵
    PID:5080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mbbpiyomzvduhowyfg.exe
1⤵
PID:4980
- C:\Windows\mbbpiyomzvduhowyfg.exe
  mbbpiyomzvduhowyfg.exe
  2⤵
  PID:2068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mbbpiyomzvduhowyfg.exe .
1⤵
PID:980
- C:\Windows\mbbpiyomzvduhowyfg.exe
  mbbpiyomzvduhowyfg.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3768
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\mbbpiyomzvduhowyfg.exe*."
    3⤵
    PID:896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe
1⤵
PID:5092
- C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe
  C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe
  2⤵
  PID:5256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe .
1⤵
PID:3536
- C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe
  C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4056
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\kbdtogyynlvodmwajmdf.exe*."
    3⤵
    PID:1152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
1⤵
PID:2224
- C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
  C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
  2⤵
  PID:5860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe .
1⤵
PID:5680
- C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe
  C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe .
  2⤵
  - Checks computer location settings
  PID:4684
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\drqdvkzwidkamszag.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zrulhatukjuoeozeoskne.exe
1⤵
PID:5712
- C:\Windows\zrulhatukjuoeozeoskne.exe
  zrulhatukjuoeozeoskne.exe
  2⤵
  PID:1000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wjhtkymitntityee.exe .
1⤵
PID:2140
- C:\Windows\wjhtkymitntityee.exe
  wjhtkymitntityee.exe .
  2⤵
  - Checks computer location settings
  PID:3444
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\wjhtkymitntityee.exe*."
    3⤵
    PID:2596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zrulhatukjuoeozeoskne.exe
1⤵
PID:5704
- C:\Windows\zrulhatukjuoeozeoskne.exe
  zrulhatukjuoeozeoskne.exe
  2⤵
  PID:624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kbdtogyynlvodmwajmdf.exe .
1⤵
PID:4252
- C:\Windows\kbdtogyynlvodmwajmdf.exe
  kbdtogyynlvodmwajmdf.exe .
  2⤵
  PID:6124
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\kbdtogyynlvodmwajmdf.exe*."
    3⤵
    PID:4324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe
1⤵
PID:3572
- C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe
  C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe
  2⤵
  PID:2164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe .
1⤵
PID:3328
- C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe
  C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4044
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\drqdvkzwidkamszag.exe*."
    3⤵
    PID:5056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe
1⤵
PID:872
- C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe
  C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe
  2⤵
  PID:4320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe .
1⤵
PID:4496
- C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe
  C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe .
  2⤵
  PID:2292
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\mbbpiyomzvduhowyfg.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - System policy modification
    PID:2204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xnodxofespyqemvygiy.exe
1⤵
PID:1736
- C:\Windows\xnodxofespyqemvygiy.exe
  xnodxofespyqemvygiy.exe
  2⤵
  PID:4936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zrulhatukjuoeozeoskne.exe .
1⤵
PID:2532
- C:\Windows\zrulhatukjuoeozeoskne.exe
  zrulhatukjuoeozeoskne.exe .
  2⤵
  PID:2416
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\zrulhatukjuoeozeoskne.exe*."
    3⤵
    PID:3236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xnodxofespyqemvygiy.exe
1⤵
PID:4424
- C:\Windows\xnodxofespyqemvygiy.exe
  xnodxofespyqemvygiy.exe
  2⤵
  PID:4660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zrulhatukjuoeozeoskne.exe .
1⤵
PID:4560
- C:\Windows\zrulhatukjuoeozeoskne.exe
  zrulhatukjuoeozeoskne.exe .
  2⤵
  - Checks computer location settings
  PID:932
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\zrulhatukjuoeozeoskne.exe*."
    3⤵
    PID:464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe
1⤵
PID:3964
- C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe
  C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe
  2⤵
  PID:3860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe .
1⤵
PID:5760
- C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe
  C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3420
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\kbdtogyynlvodmwajmdf.exe*."
    3⤵
    PID:4512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe
1⤵
PID:1016
- C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe
  C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe
  2⤵
  PID:3232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe .
1⤵
PID:4508
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:6012
- C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe
  C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4624
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\mbbpiyomzvduhowyfg.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xnodxofespyqemvygiy.exe
1⤵
PID:1724
- C:\Windows\xnodxofespyqemvygiy.exe
  xnodxofespyqemvygiy.exe
  2⤵
  PID:3840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mbbpiyomzvduhowyfg.exe .
1⤵
PID:2684
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4124
- C:\Windows\mbbpiyomzvduhowyfg.exe
  mbbpiyomzvduhowyfg.exe .
  2⤵
  - Checks computer location settings
  PID:1980
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\mbbpiyomzvduhowyfg.exe*."
    3⤵
    PID:1852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c drqdvkzwidkamszag.exe
1⤵
PID:5168
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4056
- C:\Windows\drqdvkzwidkamszag.exe
  drqdvkzwidkamszag.exe
  2⤵
  PID:1152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xnodxofespyqemvygiy.exe .
1⤵
PID:3384
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5860
- C:\Windows\xnodxofespyqemvygiy.exe
  xnodxofespyqemvygiy.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2444
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\xnodxofespyqemvygiy.exe*."
    3⤵
    PID:3336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe
1⤵
PID:1448
- C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe
  C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe
  2⤵
  PID:4792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe .
1⤵
PID:5324
- C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe
  C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2128
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\mbbpiyomzvduhowyfg.exe*."
    3⤵
    PID:3460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe
1⤵
PID:4076
- C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe
  C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe
  2⤵
  PID:5384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe .
1⤵
PID:972
- C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
  C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe .
  2⤵
  - Checks computer location settings
  PID:5136
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\wjhtkymitntityee.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xnodxofespyqemvygiy.exe
1⤵
PID:5712
- C:\Windows\xnodxofespyqemvygiy.exe
  xnodxofespyqemvygiy.exe
  2⤵
  PID:1564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xnodxofespyqemvygiy.exe .
1⤵
PID:5812
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:6136
- C:\Windows\xnodxofespyqemvygiy.exe
  xnodxofespyqemvygiy.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2012
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\xnodxofespyqemvygiy.exe*."
    3⤵
    PID:4928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c drqdvkzwidkamszag.exe
1⤵
PID:1412
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5088
- C:\Windows\drqdvkzwidkamszag.exe
  drqdvkzwidkamszag.exe
  2⤵
  PID:3620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xnodxofespyqemvygiy.exe .
1⤵
PID:4196
- C:\Windows\xnodxofespyqemvygiy.exe
  xnodxofespyqemvygiy.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:64
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\xnodxofespyqemvygiy.exe*."
    3⤵
    PID:2292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe
1⤵
PID:924
- C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe
  C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe
  2⤵
  PID:5164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe .
1⤵
PID:2508
- C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe
  C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe .
  2⤵
  PID:6016
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\drqdvkzwidkamszag.exe*."
    3⤵
    PID:4368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
1⤵
PID:4652
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5924
- C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
  C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
  2⤵
  PID:4708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe .
1⤵
PID:3356
- C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe
  C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe .
  2⤵
  - Checks computer location settings
  PID:2416
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\zrulhatukjuoeozeoskne.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wjhtkymitntityee.exe
1⤵
PID:3064
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2748
- C:\Windows\wjhtkymitntityee.exe
  wjhtkymitntityee.exe
  2⤵
  PID:6032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zrulhatukjuoeozeoskne.exe
1⤵
PID:5552
- C:\Windows\zrulhatukjuoeozeoskne.exe
  zrulhatukjuoeozeoskne.exe
  2⤵
  PID:5476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mbbpiyomzvduhowyfg.exe .
1⤵
PID:6020
- C:\Windows\mbbpiyomzvduhowyfg.exe
  mbbpiyomzvduhowyfg.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4736
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\mbbpiyomzvduhowyfg.exe*."
    3⤵
    PID:2488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c drqdvkzwidkamszag.exe .
1⤵
PID:556
- C:\Windows\drqdvkzwidkamszag.exe
  drqdvkzwidkamszag.exe .
  2⤵
  - Checks computer location settings
  PID:4564
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\drqdvkzwidkamszag.exe*."
    3⤵
    PID:628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zrulhatukjuoeozeoskne.exe
1⤵
PID:3448
- C:\Windows\zrulhatukjuoeozeoskne.exe
  zrulhatukjuoeozeoskne.exe
  2⤵
  PID:1016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wjhtkymitntityee.exe
1⤵
PID:4696
- C:\Windows\wjhtkymitntityee.exe
  wjhtkymitntityee.exe
  2⤵
  PID:1800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zrulhatukjuoeozeoskne.exe
1⤵
PID:4612
- C:\Windows\zrulhatukjuoeozeoskne.exe
  zrulhatukjuoeozeoskne.exe
  2⤵
  PID:1076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kbdtogyynlvodmwajmdf.exe .
1⤵
PID:704
- C:\Windows\kbdtogyynlvodmwajmdf.exe
  kbdtogyynlvodmwajmdf.exe .
  2⤵
  - Checks computer location settings
  PID:5700
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\kbdtogyynlvodmwajmdf.exe*."
    3⤵
    PID:2736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kbdtogyynlvodmwajmdf.exe .
1⤵
PID:4624
- C:\Windows\kbdtogyynlvodmwajmdf.exe
  kbdtogyynlvodmwajmdf.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4700
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\kbdtogyynlvodmwajmdf.exe*."
    3⤵
    PID:3688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zrulhatukjuoeozeoskne.exe .
1⤵
PID:5080
- C:\Windows\zrulhatukjuoeozeoskne.exe
  zrulhatukjuoeozeoskne.exe .
  2⤵
  PID:3616
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\zrulhatukjuoeozeoskne.exe*."
    3⤵
    PID:3388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe
1⤵
PID:5972
- C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe
  C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe
  2⤵
  PID:4076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe
1⤵
PID:1236
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1580
- C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe
  C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe
  2⤵
  PID:5048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kbdtogyynlvodmwajmdf.exe
1⤵
PID:3788
- C:\Windows\kbdtogyynlvodmwajmdf.exe
  kbdtogyynlvodmwajmdf.exe
  2⤵
  PID:5324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe .
1⤵
PID:2408
- C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
  C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4388
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\wjhtkymitntityee.exe*."
    3⤵
    PID:6016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe .
1⤵
PID:1152
- C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe
  C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5844
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\mbbpiyomzvduhowyfg.exe*."
    3⤵
    PID:1784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c drqdvkzwidkamszag.exe .
1⤵
PID:4792
- C:\Windows\drqdvkzwidkamszag.exe
  drqdvkzwidkamszag.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4928
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\drqdvkzwidkamszag.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
1⤵
PID:6140
- C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
  C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
  2⤵
  PID:968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe .
1⤵
PID:5680
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1000
- C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe
  C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5572
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\mbbpiyomzvduhowyfg.exe*."
    3⤵
    PID:4528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe
1⤵
PID:2948
- C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe
  C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe
  2⤵
  PID:5036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe
1⤵
PID:5448
- C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe
  C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe
  2⤵
  PID:748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe .
1⤵
PID:5248
- C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe
  C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5864
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\zrulhatukjuoeozeoskne.exe*."
    3⤵
    PID:2976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe .
1⤵
PID:3444
- C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe
  C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5320
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\drqdvkzwidkamszag.exe*."
    3⤵
    PID:4708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe
1⤵
PID:5712
- C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe
  C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe
  2⤵
  PID:4088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe .
1⤵
PID:6124
- C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe
  C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1940
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\drqdvkzwidkamszag.exe*."
    3⤵
    PID:4740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wjhtkymitntityee.exe
1⤵
PID:5628
- C:\Windows\wjhtkymitntityee.exe
  wjhtkymitntityee.exe
  2⤵
  PID:776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c drqdvkzwidkamszag.exe .
1⤵
PID:4984
- C:\Windows\drqdvkzwidkamszag.exe
  drqdvkzwidkamszag.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:536
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\drqdvkzwidkamszag.exe*."
    3⤵
    PID:3056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mbbpiyomzvduhowyfg.exe
1⤵
PID:5028
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1016
- C:\Windows\mbbpiyomzvduhowyfg.exe
  mbbpiyomzvduhowyfg.exe
  2⤵
  PID:2316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wjhtkymitntityee.exe .
1⤵
PID:5068
- C:\Windows\wjhtkymitntityee.exe
  wjhtkymitntityee.exe .
  2⤵
  PID:4776
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\wjhtkymitntityee.exe*."
    3⤵
    PID:4808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
1⤵
PID:1820
- C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
  C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
  2⤵
  PID:1076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe .
1⤵
PID:2488
- C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe
  C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe .
  2⤵
  - Checks computer location settings
  PID:4300
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\drqdvkzwidkamszag.exe*."
    3⤵
    PID:2356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
1⤵
PID:6056
- C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
  C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
  2⤵
  PID:4784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe .
1⤵
PID:4840
- C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe
  C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5240
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\zrulhatukjuoeozeoskne.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xnodxofespyqemvygiy.exe
1⤵
PID:1968
- C:\Windows\xnodxofespyqemvygiy.exe
  xnodxofespyqemvygiy.exe
  2⤵
  PID:4680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xnodxofespyqemvygiy.exe .
1⤵
PID:3900
- C:\Windows\xnodxofespyqemvygiy.exe
  xnodxofespyqemvygiy.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4124
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\xnodxofespyqemvygiy.exe*."
    3⤵
    PID:5172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mbbpiyomzvduhowyfg.exe
1⤵
PID:3620
- C:\Windows\mbbpiyomzvduhowyfg.exe
  mbbpiyomzvduhowyfg.exe
  2⤵
  PID:5084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zrulhatukjuoeozeoskne.exe .
1⤵
PID:5260
- C:\Windows\zrulhatukjuoeozeoskne.exe
  zrulhatukjuoeozeoskne.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5480
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\zrulhatukjuoeozeoskne.exe*."
    3⤵
    PID:4168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe
1⤵
PID:2436
- C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe
  C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe
  2⤵
  PID:3736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe .
1⤵
PID:5364
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1412
- C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe
  C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4928
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\drqdvkzwidkamszag.exe*."
    3⤵
    PID:5844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe
1⤵
PID:2492
- C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe
  C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe
  2⤵
  PID:768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe .
1⤵
PID:4576
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5320
- C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
  C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe .
  2⤵
  PID:4528
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\wjhtkymitntityee.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kbdtogyynlvodmwajmdf.exe
1⤵
PID:5168
- C:\Windows\kbdtogyynlvodmwajmdf.exe
  kbdtogyynlvodmwajmdf.exe
  2⤵
  PID:2464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wjhtkymitntityee.exe .
1⤵
PID:1284
- C:\Windows\wjhtkymitntityee.exe
  wjhtkymitntityee.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5432
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\wjhtkymitntityee.exe*."
    3⤵
    PID:5680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mbbpiyomzvduhowyfg.exe
1⤵
PID:3128
- C:\Windows\mbbpiyomzvduhowyfg.exe
  mbbpiyomzvduhowyfg.exe
  2⤵
  PID:2708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zrulhatukjuoeozeoskne.exe .
1⤵
PID:3324
- C:\Windows\zrulhatukjuoeozeoskne.exe
  zrulhatukjuoeozeoskne.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1108
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\zrulhatukjuoeozeoskne.exe*."
    3⤵
    PID:1124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
1⤵
PID:5612
- C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
  C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
  2⤵
  PID:880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe .
1⤵
PID:4636
- C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe
  C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1624
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\kbdtogyynlvodmwajmdf.exe*."
    3⤵
    PID:5864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe
1⤵
PID:1984
- C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe
  C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe
  2⤵
  PID:396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe .
1⤵
PID:1020
- C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe
  C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5760
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\drqdvkzwidkamszag.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c drqdvkzwidkamszag.exe
1⤵
PID:2316
- C:\Windows\drqdvkzwidkamszag.exe
  drqdvkzwidkamszag.exe
  2⤵
  PID:5336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xnodxofespyqemvygiy.exe .
1⤵
PID:5292
- C:\Windows\xnodxofespyqemvygiy.exe
  xnodxofespyqemvygiy.exe .
  2⤵
  PID:4736
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\xnodxofespyqemvygiy.exe*."
    3⤵
    PID:4512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kbdtogyynlvodmwajmdf.exe
1⤵
PID:1096
- C:\Windows\kbdtogyynlvodmwajmdf.exe
  kbdtogyynlvodmwajmdf.exe
  2⤵
  PID:4408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zrulhatukjuoeozeoskne.exe .
1⤵
PID:4300
- C:\Windows\zrulhatukjuoeozeoskne.exe
  zrulhatukjuoeozeoskne.exe .
  2⤵
  - Checks computer location settings
  PID:2092
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\zrulhatukjuoeozeoskne.exe*."
    3⤵
    PID:1060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe
1⤵
PID:2488
- C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe
  C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe
  2⤵
  PID:6056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe .
1⤵
PID:3644
- C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe
  C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe .
  2⤵
  - Checks computer location settings
  PID:2784
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\xnodxofespyqemvygiy.exe*."
    3⤵
    PID:864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
1⤵
PID:2008
- C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
  C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
  2⤵
  PID:2920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe .
1⤵
PID:4960
- C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe
  C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe .
  2⤵
  PID:1564
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\xnodxofespyqemvygiy.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xnodxofespyqemvygiy.exe
1⤵
PID:1968
- C:\Windows\xnodxofespyqemvygiy.exe
  xnodxofespyqemvygiy.exe
  2⤵
  PID:5088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c drqdvkzwidkamszag.exe .
1⤵
PID:3620
- C:\Windows\drqdvkzwidkamszag.exe
  drqdvkzwidkamszag.exe .
  2⤵
  PID:4136
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\drqdvkzwidkamszag.exe*."
    3⤵
    PID:4948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xnodxofespyqemvygiy.exe
1⤵
PID:2276
- C:\Windows\xnodxofespyqemvygiy.exe
  xnodxofespyqemvygiy.exe
  2⤵
  PID:4620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wjhtkymitntityee.exe .
1⤵
PID:6128
- C:\Windows\wjhtkymitntityee.exe
  wjhtkymitntityee.exe .
  2⤵
  - Checks computer location settings
  PID:64
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\wjhtkymitntityee.exe*."
    3⤵
    PID:4832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe
1⤵
PID:4388
- C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe
  C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe
  2⤵
  PID:4088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe .
1⤵
PID:4656
- C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe
  C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe .
  2⤵
  - Checks computer location settings
  PID:1784
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\zrulhatukjuoeozeoskne.exe*."
    3⤵
    PID:5772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe
1⤵
PID:1164
- C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe
  C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe
  2⤵
  PID:4576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe .
1⤵
PID:3492
- C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe
  C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe .
  2⤵
  PID:2408
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\xnodxofespyqemvygiy.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kbdtogyynlvodmwajmdf.exe
1⤵
PID:1808
- C:\Windows\kbdtogyynlvodmwajmdf.exe
  kbdtogyynlvodmwajmdf.exe
  2⤵
  PID:1284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xnodxofespyqemvygiy.exe .
1⤵
PID:4880
- C:\Windows\xnodxofespyqemvygiy.exe
  xnodxofespyqemvygiy.exe .
  2⤵
  - Checks computer location settings
  PID:1728
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\xnodxofespyqemvygiy.exe*."
    3⤵
    PID:776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wjhtkymitntityee.exe
1⤵
PID:4660
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5136
- C:\Windows\wjhtkymitntityee.exe
  wjhtkymitntityee.exe
  2⤵
  PID:4432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c drqdvkzwidkamszag.exe .
1⤵
PID:2012
- C:\Windows\drqdvkzwidkamszag.exe
  drqdvkzwidkamszag.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1988
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\drqdvkzwidkamszag.exe*."
    3⤵
    PID:5068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
1⤵
PID:932
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:536
- C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
  C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
  2⤵
  PID:4900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xnodxofespyqemvygiy.exe
1⤵
PID:5248
- C:\Windows\xnodxofespyqemvygiy.exe
  xnodxofespyqemvygiy.exe
  2⤵
  PID:3232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xnodxofespyqemvygiy.exe
1⤵
PID:860
- C:\Windows\xnodxofespyqemvygiy.exe
  xnodxofespyqemvygiy.exe
  2⤵
  PID:1920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe .
1⤵
PID:4564
- C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe
  C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe .
  2⤵
  PID:3976
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\xnodxofespyqemvygiy.exe*."
    3⤵
    PID:4468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mbbpiyomzvduhowyfg.exe .
1⤵
PID:4676
- C:\Windows\mbbpiyomzvduhowyfg.exe
  mbbpiyomzvduhowyfg.exe .
  2⤵
  - Checks computer location settings
  PID:3044
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\mbbpiyomzvduhowyfg.exe*."
    3⤵
    PID:4484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mbbpiyomzvduhowyfg.exe .
1⤵
PID:4556
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4512
- C:\Windows\mbbpiyomzvduhowyfg.exe
  mbbpiyomzvduhowyfg.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:6060
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\mbbpiyomzvduhowyfg.exe*."
    3⤵
    PID:4632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
1⤵
PID:2092
- C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
  C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
  2⤵
  PID:4720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mbbpiyomzvduhowyfg.exe
1⤵
PID:1060
- C:\Windows\mbbpiyomzvduhowyfg.exe
  mbbpiyomzvduhowyfg.exe
  2⤵
  PID:3388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mbbpiyomzvduhowyfg.exe
1⤵
PID:3196
- C:\Windows\mbbpiyomzvduhowyfg.exe
  mbbpiyomzvduhowyfg.exe
  2⤵
  PID:5040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe .
1⤵
PID:2588
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5384
- C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
  C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe .
  2⤵
  PID:4980
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\wjhtkymitntityee.exe*."
    3⤵
    PID:5840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mbbpiyomzvduhowyfg.exe .
1⤵
PID:2128
- C:\Windows\mbbpiyomzvduhowyfg.exe
  mbbpiyomzvduhowyfg.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1716
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\mbbpiyomzvduhowyfg.exe*."
    3⤵
    PID:4508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mbbpiyomzvduhowyfg.exe .
1⤵
PID:3056
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:640
- C:\Windows\mbbpiyomzvduhowyfg.exe
  mbbpiyomzvduhowyfg.exe .
  2⤵
  - Checks computer location settings
  PID:980
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\mbbpiyomzvduhowyfg.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe
1⤵
PID:740
- C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe
  C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe
  2⤵
  PID:2572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
1⤵
PID:3768
- C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
  C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
  2⤵
  PID:5640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe .
1⤵
PID:4728
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4136
- C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe
  C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4716
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\mbbpiyomzvduhowyfg.exe*."
    3⤵
    PID:4528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe .
1⤵
PID:748
- C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe
  C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1236
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\drqdvkzwidkamszag.exe*."
    3⤵
    PID:2792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe
1⤵
PID:6140
- C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe
  C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe
  2⤵
  PID:5224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe
1⤵
PID:3968
- C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe
  C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe
  2⤵
  PID:4208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe .
1⤵
PID:6040
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2232
- C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe
  C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4664
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\drqdvkzwidkamszag.exe*."
    3⤵
    PID:4772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe .
1⤵
PID:2412
- C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
  C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe .
  2⤵
  PID:1124
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\wjhtkymitntityee.exe*."
    3⤵
    PID:3248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kbdtogyynlvodmwajmdf.exe
1⤵
PID:3924
- C:\Windows\kbdtogyynlvodmwajmdf.exe
  kbdtogyynlvodmwajmdf.exe
  2⤵
  PID:3224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xnodxofespyqemvygiy.exe .
1⤵
PID:396
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:776
- C:\Windows\xnodxofespyqemvygiy.exe
  xnodxofespyqemvygiy.exe .
  2⤵
  PID:4448
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\xnodxofespyqemvygiy.exe*."
    3⤵
    PID:724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zrulhatukjuoeozeoskne.exe
1⤵
PID:3764
- C:\Windows\zrulhatukjuoeozeoskne.exe
  zrulhatukjuoeozeoskne.exe
  2⤵
  PID:3512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c drqdvkzwidkamszag.exe .
1⤵
PID:2532
- C:\Windows\drqdvkzwidkamszag.exe
  drqdvkzwidkamszag.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2420
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\drqdvkzwidkamszag.exe*."
    3⤵
    PID:2012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe
1⤵
PID:4348
- C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe
  C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe
  2⤵
  PID:1076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe .
1⤵
PID:2972
- C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe
  C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe .
  2⤵
  - Checks computer location settings
  PID:4884
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\drqdvkzwidkamszag.exe*."
    3⤵
    PID:2784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe
1⤵
PID:5460
- C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe
  C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe
  2⤵
  PID:5240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe .
1⤵
PID:4300
- C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe
  C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1556
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\kbdtogyynlvodmwajmdf.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zrulhatukjuoeozeoskne.exe
1⤵
PID:5292
- C:\Windows\zrulhatukjuoeozeoskne.exe
  zrulhatukjuoeozeoskne.exe
  2⤵
  PID:5928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mbbpiyomzvduhowyfg.exe .
1⤵
PID:4076
- C:\Windows\mbbpiyomzvduhowyfg.exe
  mbbpiyomzvduhowyfg.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4392
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\mbbpiyomzvduhowyfg.exe*."
    3⤵
    PID:2320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kbdtogyynlvodmwajmdf.exe
1⤵
PID:4688
- C:\Windows\kbdtogyynlvodmwajmdf.exe
  kbdtogyynlvodmwajmdf.exe
  2⤵
  PID:4800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xnodxofespyqemvygiy.exe .
1⤵
PID:3184
- C:\Windows\xnodxofespyqemvygiy.exe
  xnodxofespyqemvygiy.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5368
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\xnodxofespyqemvygiy.exe*."
    3⤵
    PID:3344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe
1⤵
PID:4764
- C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe
  C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe
  2⤵
  PID:3244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe .
1⤵
PID:5280
- C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
  C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4324
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\wjhtkymitntityee.exe*."
    3⤵
    PID:4516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe
1⤵
PID:2644
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5572
- C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe
  C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe
  2⤵
  PID:1004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe .
1⤵
PID:3080
- C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe
  C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:6128
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\zrulhatukjuoeozeoskne.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xnodxofespyqemvygiy.exe
1⤵
PID:2492
- C:\Windows\xnodxofespyqemvygiy.exe
  xnodxofespyqemvygiy.exe
  2⤵
  PID:4568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kbdtogyynlvodmwajmdf.exe .
1⤵
PID:1272
- C:\Windows\kbdtogyynlvodmwajmdf.exe
  kbdtogyynlvodmwajmdf.exe .
  2⤵
  - Checks computer location settings
  PID:3392
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\kbdtogyynlvodmwajmdf.exe*."
    3⤵
    PID:4368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zrulhatukjuoeozeoskne.exe
1⤵
PID:3472
- C:\Windows\zrulhatukjuoeozeoskne.exe
  zrulhatukjuoeozeoskne.exe
  2⤵
  PID:2032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mbbpiyomzvduhowyfg.exe .
1⤵
PID:5036
- C:\Windows\mbbpiyomzvduhowyfg.exe
  mbbpiyomzvduhowyfg.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2408
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\mbbpiyomzvduhowyfg.exe*."
    3⤵
    PID:4628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe
1⤵
PID:5432
- C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe
  C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe
  2⤵
  PID:396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe .
1⤵
PID:5336
- C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe
  C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe .
  2⤵
  PID:4424
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\xnodxofespyqemvygiy.exe*."
    3⤵
    PID:5760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
1⤵
PID:3964
- C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
  C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
  2⤵
  PID:4560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe .
1⤵
PID:1720
- C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe
  C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2036
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\xnodxofespyqemvygiy.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zrulhatukjuoeozeoskne.exe
1⤵
PID:3904
- C:\Windows\zrulhatukjuoeozeoskne.exe
  zrulhatukjuoeozeoskne.exe
  2⤵
  PID:2488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zrulhatukjuoeozeoskne.exe .
1⤵
PID:4556
- C:\Windows\zrulhatukjuoeozeoskne.exe
  zrulhatukjuoeozeoskne.exe .
  2⤵
  PID:1060
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\zrulhatukjuoeozeoskne.exe*."
    3⤵
    PID:4720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c drqdvkzwidkamszag.exe
1⤵
PID:864
- C:\Windows\drqdvkzwidkamszag.exe
  drqdvkzwidkamszag.exe
  2⤵
  PID:2320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zrulhatukjuoeozeoskne.exe .
1⤵
PID:2572
- C:\Windows\zrulhatukjuoeozeoskne.exe
  zrulhatukjuoeozeoskne.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6136
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\zrulhatukjuoeozeoskne.exe*."
    3⤵
    PID:3084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe
1⤵
PID:5352
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4076
- C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe
  C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe
  2⤵
  PID:4996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe .
1⤵
PID:5420
- C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
  C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe .
  2⤵
  - Checks computer location settings
  PID:4644
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\wjhtkymitntityee.exe*."
    3⤵
    PID:3344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe
1⤵
PID:704
- C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe
  C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe
  2⤵
  PID:5388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe .
1⤵
PID:1264
- C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe
  C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4972
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\kbdtogyynlvodmwajmdf.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xnodxofespyqemvygiy.exe
1⤵
PID:5752
- C:\Windows\xnodxofespyqemvygiy.exe
  xnodxofespyqemvygiy.exe
  2⤵
  PID:4680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c drqdvkzwidkamszag.exe .
1⤵
PID:4968
- C:\Windows\drqdvkzwidkamszag.exe
  drqdvkzwidkamszag.exe .
  2⤵
  PID:3932
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\drqdvkzwidkamszag.exe*."
    3⤵
    PID:5772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kbdtogyynlvodmwajmdf.exe
1⤵
PID:5260
- C:\Windows\kbdtogyynlvodmwajmdf.exe
  kbdtogyynlvodmwajmdf.exe
  2⤵
  PID:4496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kbdtogyynlvodmwajmdf.exe .
1⤵
PID:4640
- C:\Windows\kbdtogyynlvodmwajmdf.exe
  kbdtogyynlvodmwajmdf.exe .
  2⤵
  PID:3236
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\kbdtogyynlvodmwajmdf.exe*."
    3⤵
    PID:3628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe
1⤵
PID:2460
- C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe
  C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe
  2⤵
  PID:5612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe .
1⤵
PID:2396
- C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe
  C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe .
  2⤵
  PID:5680
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\mbbpiyomzvduhowyfg.exe*."
    3⤵
    PID:4860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe
1⤵
PID:4744
- C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe
  C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe
  2⤵
  PID:456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe .
1⤵
PID:4976
- C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe
  C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe .
  2⤵
  PID:3944
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\zrulhatukjuoeozeoskne.exe*."
    3⤵
    PID:5760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xnodxofespyqemvygiy.exe
1⤵
PID:4724
- C:\Windows\xnodxofespyqemvygiy.exe
  xnodxofespyqemvygiy.exe
  2⤵
  PID:5512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zrulhatukjuoeozeoskne.exe .
1⤵
PID:5476
- C:\Windows\zrulhatukjuoeozeoskne.exe
  zrulhatukjuoeozeoskne.exe .
  2⤵
  PID:3008
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\zrulhatukjuoeozeoskne.exe*."
    3⤵
    PID:5460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mbbpiyomzvduhowyfg.exe
1⤵
PID:2872
- C:\Windows\mbbpiyomzvduhowyfg.exe
  mbbpiyomzvduhowyfg.exe
  2⤵
  PID:5780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mbbpiyomzvduhowyfg.exe .
1⤵
PID:3040
- C:\Windows\mbbpiyomzvduhowyfg.exe
  mbbpiyomzvduhowyfg.exe .
  2⤵
  PID:6032
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\mbbpiyomzvduhowyfg.exe*."
    3⤵
    PID:2620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe
1⤵
PID:4408
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4564
- C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe
  C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe
  2⤵
  PID:1668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe .
1⤵
PID:3044
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:6060
- C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe
  C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe .
  2⤵
  PID:4512
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\kbdtogyynlvodmwajmdf.exe*."
    3⤵
    PID:5292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe
1⤵
PID:228
- C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe
  C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe
  2⤵
  PID:2836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe .
1⤵
PID:644
- C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe
  C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe .
  2⤵
  PID:6036
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\mbbpiyomzvduhowyfg.exe*."
    3⤵
    PID:544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c drqdvkzwidkamszag.exe
1⤵
PID:4832
- C:\Windows\drqdvkzwidkamszag.exe
  drqdvkzwidkamszag.exe
  2⤵
  PID:2352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mbbpiyomzvduhowyfg.exe .
1⤵
PID:3264
- C:\Windows\mbbpiyomzvduhowyfg.exe
  mbbpiyomzvduhowyfg.exe .
  2⤵
  PID:4824
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\mbbpiyomzvduhowyfg.exe*."
    3⤵
    PID:4504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kbdtogyynlvodmwajmdf.exe
1⤵
PID:5388
- C:\Windows\kbdtogyynlvodmwajmdf.exe
  kbdtogyynlvodmwajmdf.exe
  2⤵
  PID:5280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kbdtogyynlvodmwajmdf.exe .
1⤵
PID:2920
- C:\Windows\kbdtogyynlvodmwajmdf.exe
  kbdtogyynlvodmwajmdf.exe .
  2⤵
  PID:5088
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\kbdtogyynlvodmwajmdf.exe*."
    3⤵
    PID:4568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe
1⤵
PID:736
- C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe
  C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe
  2⤵
  PID:5056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c drqdvkzwidkamszag.exe
1⤵
PID:2644
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4708
- C:\Windows\drqdvkzwidkamszag.exe
  drqdvkzwidkamszag.exe
  2⤵
  PID:748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kbdtogyynlvodmwajmdf.exe
1⤵
PID:5384
- C:\Windows\kbdtogyynlvodmwajmdf.exe
  kbdtogyynlvodmwajmdf.exe
  2⤵
  PID:4208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe .
1⤵
PID:2792
- C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe
  C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe .
  2⤵
  PID:1784
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\zrulhatukjuoeozeoskne.exe*."
    3⤵
    PID:2852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zrulhatukjuoeozeoskne.exe .
1⤵
PID:3100
- C:\Windows\zrulhatukjuoeozeoskne.exe
  zrulhatukjuoeozeoskne.exe .
  2⤵
  PID:2412
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\zrulhatukjuoeozeoskne.exe*."
    3⤵
    PID:3252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kbdtogyynlvodmwajmdf.exe .
1⤵
PID:5300
- C:\Windows\kbdtogyynlvodmwajmdf.exe
  kbdtogyynlvodmwajmdf.exe .
  2⤵
  PID:2464
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\kbdtogyynlvodmwajmdf.exe*."
    3⤵
    PID:5864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe
1⤵
PID:4772
- C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe
  C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe
  2⤵
  PID:5628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xnodxofespyqemvygiy.exe
1⤵
PID:1704
- C:\Windows\xnodxofespyqemvygiy.exe
  xnodxofespyqemvygiy.exe
  2⤵
  PID:3388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe .
1⤵
PID:5416
- C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe
  C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe .
  2⤵
  PID:4768
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\drqdvkzwidkamszag.exe*."
    3⤵
    PID:4988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zrulhatukjuoeozeoskne.exe
1⤵
PID:1124
- C:\Windows\zrulhatukjuoeozeoskne.exe
  zrulhatukjuoeozeoskne.exe
  2⤵
  PID:4828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kbdtogyynlvodmwajmdf.exe .
1⤵
PID:4736
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1076
- C:\Windows\kbdtogyynlvodmwajmdf.exe
  kbdtogyynlvodmwajmdf.exe .
  2⤵
  PID:3484
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\kbdtogyynlvodmwajmdf.exe*."
    3⤵
    PID:1508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c drqdvkzwidkamszag.exe .
1⤵
PID:4536
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1800
- C:\Windows\drqdvkzwidkamszag.exe
  drqdvkzwidkamszag.exe .
  2⤵
  PID:5324
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\drqdvkzwidkamszag.exe*."
    3⤵
    PID:5912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe
1⤵
PID:3764
- C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe
  C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe
  2⤵
  PID:3896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe
1⤵
PID:1020
- C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe
  C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe
  2⤵
  PID:6088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe .
1⤵
PID:5972
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4884
- C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe
  C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe .
  2⤵
  PID:5488
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\kbdtogyynlvodmwajmdf.exe*."
    3⤵
    PID:4388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe .
1⤵
PID:5696
- C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe
  C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe .
  2⤵
  PID:2540
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\drqdvkzwidkamszag.exe*."
    3⤵
    PID:704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
1⤵
PID:2288
- C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
  C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
  2⤵
  PID:5064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe
1⤵
PID:1556
- C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe
  C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe
  2⤵
  PID:5840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe .
1⤵
PID:2356
- C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
  C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe .
  2⤵
  PID:216
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\wjhtkymitntityee.exe*."
    3⤵
    PID:1708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe .
1⤵
PID:4712
- C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe
  C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe .
  2⤵
  PID:5480
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\drqdvkzwidkamszag.exe*."
    3⤵
    PID:4568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mbbpiyomzvduhowyfg.exe
1⤵
PID:4676
- C:\Windows\mbbpiyomzvduhowyfg.exe
  mbbpiyomzvduhowyfg.exe
  2⤵
  PID:3160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xnodxofespyqemvygiy.exe .
1⤵
PID:5468
- C:\Windows\xnodxofespyqemvygiy.exe
  xnodxofespyqemvygiy.exe .
  2⤵
  PID:2292
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\xnodxofespyqemvygiy.exe*."
    3⤵
    PID:4252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zrulhatukjuoeozeoskne.exe
1⤵
PID:3960
- C:\Windows\zrulhatukjuoeozeoskne.exe
  zrulhatukjuoeozeoskne.exe
  2⤵
  PID:2508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xnodxofespyqemvygiy.exe .
1⤵
PID:1236
- C:\Windows\xnodxofespyqemvygiy.exe
  xnodxofespyqemvygiy.exe .
  2⤵
  PID:4716
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\xnodxofespyqemvygiy.exe*."
    3⤵
    PID:5968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe
1⤵
PID:3768
- C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe
  C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe
  2⤵
  PID:1164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe .
1⤵
PID:6016
- C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
  C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe .
  2⤵
  PID:1284
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\wjhtkymitntityee.exe*."
    3⤵
    PID:4432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
1⤵
PID:3752
- C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
  C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
  2⤵
  PID:5828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe .
1⤵
PID:5004
- C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe
  C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe .
  2⤵
  PID:2596
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\kbdtogyynlvodmwajmdf.exe*."
    3⤵
    PID:1988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c drqdvkzwidkamszag.exe
1⤵
PID:4772
- C:\Windows\drqdvkzwidkamszag.exe
  drqdvkzwidkamszag.exe
  2⤵
  PID:4124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zrulhatukjuoeozeoskne.exe .
1⤵
PID:2460
- C:\Windows\zrulhatukjuoeozeoskne.exe
  zrulhatukjuoeozeoskne.exe .
  2⤵
  PID:5136
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\zrulhatukjuoeozeoskne.exe*."
    3⤵
    PID:1728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kbdtogyynlvodmwajmdf.exe
1⤵
PID:1072
- C:\Windows\kbdtogyynlvodmwajmdf.exe
  kbdtogyynlvodmwajmdf.exe
  2⤵
  PID:2872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mbbpiyomzvduhowyfg.exe .
1⤵
PID:3368
- C:\Windows\mbbpiyomzvduhowyfg.exe
  mbbpiyomzvduhowyfg.exe .
  2⤵
  PID:5712
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\mbbpiyomzvduhowyfg.exe*."
    3⤵
    PID:5964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
1⤵
PID:1108
- C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
  C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
  2⤵
  PID:6088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe .
1⤵
PID:6032
- C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe
  C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe .
  2⤵
  PID:2572
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\zrulhatukjuoeozeoskne.exe*."
    3⤵
    PID:3816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe
1⤵
PID:4196
- C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe
  C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe
  2⤵
  PID:4832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe .
1⤵
PID:2804
- C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
  C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe .
  2⤵
  PID:724
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\wjhtkymitntityee.exe*."
    3⤵
    PID:5552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wjhtkymitntityee.exe
1⤵
PID:3524
- C:\Windows\wjhtkymitntityee.exe
  wjhtkymitntityee.exe
  2⤵
  PID:4652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c drqdvkzwidkamszag.exe .
1⤵
PID:4936
- C:\Windows\drqdvkzwidkamszag.exe
  drqdvkzwidkamszag.exe .
  2⤵
  PID:5224
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\drqdvkzwidkamszag.exe*."
    3⤵
    PID:5812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c drqdvkzwidkamszag.exe
1⤵
PID:2380
- C:\Windows\drqdvkzwidkamszag.exe
  drqdvkzwidkamszag.exe
  2⤵
  PID:2036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mbbpiyomzvduhowyfg.exe .
1⤵
PID:2420
- C:\Windows\mbbpiyomzvduhowyfg.exe
  mbbpiyomzvduhowyfg.exe .
  2⤵
  PID:3940
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\mbbpiyomzvduhowyfg.exe*."
    3⤵
    PID:4800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe
1⤵
PID:2972
- C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe
  C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe
  2⤵
  PID:3080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe .
1⤵
PID:4464
- C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe
  C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe .
  2⤵
  PID:736
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\mbbpiyomzvduhowyfg.exe*."
    3⤵
    PID:3736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe
1⤵
PID:6136
- C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe
  C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe
  2⤵
  PID:5124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe .
1⤵
PID:532
- C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe
  C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe .
  2⤵
  PID:980
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\xnodxofespyqemvygiy.exe*."
    3⤵
    PID:2008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zrulhatukjuoeozeoskne.exe
1⤵
PID:3240
- C:\Windows\zrulhatukjuoeozeoskne.exe
  zrulhatukjuoeozeoskne.exe
  2⤵
  PID:4324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mbbpiyomzvduhowyfg.exe .
1⤵
PID:3472
- C:\Windows\mbbpiyomzvduhowyfg.exe
  mbbpiyomzvduhowyfg.exe .
  2⤵
  PID:5448
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\mbbpiyomzvduhowyfg.exe*."
    3⤵
    PID:880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kbdtogyynlvodmwajmdf.exe
1⤵
PID:1836
- C:\Windows\kbdtogyynlvodmwajmdf.exe
  kbdtogyynlvodmwajmdf.exe
  2⤵
  PID:1736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c drqdvkzwidkamszag.exe .
1⤵
PID:4744
- C:\Windows\drqdvkzwidkamszag.exe
  drqdvkzwidkamszag.exe .
  2⤵
  PID:3252
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\drqdvkzwidkamszag.exe*."
    3⤵
    PID:1580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe
1⤵
PID:3248
- C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe
  C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe
  2⤵
  PID:3628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe .
1⤵
PID:3968
- C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe
  C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe .
  2⤵
  PID:5648
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\mbbpiyomzvduhowyfg.exe*."
    3⤵
    PID:5036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe
1⤵
PID:1940
- C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe
  C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe
  2⤵
  PID:1704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe .
1⤵
PID:3732
- C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe
  C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe .
  2⤵
  PID:2836
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\mbbpiyomzvduhowyfg.exe*."
    3⤵
    PID:864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xnodxofespyqemvygiy.exe
1⤵
PID:2204
- C:\Windows\xnodxofespyqemvygiy.exe
  xnodxofespyqemvygiy.exe
  2⤵
  PID:5048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xnodxofespyqemvygiy.exe .
1⤵
PID:4392
- C:\Windows\xnodxofespyqemvygiy.exe
  xnodxofespyqemvygiy.exe .
  2⤵
  PID:4848
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\xnodxofespyqemvygiy.exe*."
    3⤵
    PID:3764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c drqdvkzwidkamszag.exe
1⤵
PID:972
- C:\Windows\drqdvkzwidkamszag.exe
  drqdvkzwidkamszag.exe
  2⤵
  PID:628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kbdtogyynlvodmwajmdf.exe .
1⤵
PID:3160
- C:\Windows\kbdtogyynlvodmwajmdf.exe
  kbdtogyynlvodmwajmdf.exe .
  2⤵
  PID:4428
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\kbdtogyynlvodmwajmdf.exe*."
    3⤵
    PID:212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe
1⤵
PID:2732
- C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe
  C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe
  2⤵
  PID:2468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe .
1⤵
PID:5348
- C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
  C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe .
  2⤵
  PID:3676
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\wjhtkymitntityee.exe*."
    3⤵
    PID:2488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
1⤵
PID:4304
- C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
  C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
  2⤵
  PID:3620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe .
1⤵
PID:2036
- C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
  C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe .
  2⤵
  PID:2620
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\wjhtkymitntityee.exe*."
    3⤵
    PID:3212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zrulhatukjuoeozeoskne.exe
1⤵
PID:5584
- C:\Windows\zrulhatukjuoeozeoskne.exe
  zrulhatukjuoeozeoskne.exe
  2⤵
  PID:2880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c drqdvkzwidkamszag.exe .
1⤵
PID:3384
- C:\Windows\drqdvkzwidkamszag.exe
  drqdvkzwidkamszag.exe .
  2⤵
  PID:4888
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\drqdvkzwidkamszag.exe*."
    3⤵
    PID:5088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wjhtkymitntityee.exe
1⤵
PID:3040
- C:\Windows\wjhtkymitntityee.exe
  wjhtkymitntityee.exe
  2⤵
  PID:4336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kbdtogyynlvodmwajmdf.exe .
1⤵
PID:3336
- C:\Windows\kbdtogyynlvodmwajmdf.exe
  kbdtogyynlvodmwajmdf.exe .
  2⤵
  PID:4456
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\kbdtogyynlvodmwajmdf.exe*."
    3⤵
    PID:2684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe
1⤵
PID:2236
- C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe
  C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe
  2⤵
  PID:4792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe .
1⤵
PID:404
- C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe
  C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe .
  2⤵
  PID:6128
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\mbbpiyomzvduhowyfg.exe*."
    3⤵
    PID:1732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe
1⤵
PID:4992
- C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe
  C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe
  2⤵
  PID:860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe .
1⤵
PID:4016
- C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe
  C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe .
  2⤵
  PID:2372
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\kbdtogyynlvodmwajmdf.exe*."
    3⤵
    PID:2316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c drqdvkzwidkamszag.exe
1⤵
PID:3660
- C:\Windows\drqdvkzwidkamszag.exe
  drqdvkzwidkamszag.exe
  2⤵
  PID:5612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kbdtogyynlvodmwajmdf.exe
1⤵
PID:3360
- C:\Windows\kbdtogyynlvodmwajmdf.exe
  kbdtogyynlvodmwajmdf.exe
  2⤵
  PID:1920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wjhtkymitntityee.exe
1⤵
PID:4584
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1124
- C:\Windows\wjhtkymitntityee.exe
  wjhtkymitntityee.exe
  2⤵
  PID:2460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zrulhatukjuoeozeoskne.exe .
1⤵
PID:4092
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1060
- C:\Windows\zrulhatukjuoeozeoskne.exe
  zrulhatukjuoeozeoskne.exe .
  2⤵
  PID:1644
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\zrulhatukjuoeozeoskne.exe*."
    3⤵
    PID:4684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mbbpiyomzvduhowyfg.exe .
1⤵
PID:4740
- C:\Windows\mbbpiyomzvduhowyfg.exe
  mbbpiyomzvduhowyfg.exe .
  2⤵
  PID:4140
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\mbbpiyomzvduhowyfg.exe*."
    3⤵
    PID:3224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zrulhatukjuoeozeoskne.exe .
1⤵
PID:3484
- C:\Windows\zrulhatukjuoeozeoskne.exe
  zrulhatukjuoeozeoskne.exe .
  2⤵
  PID:5464
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\zrulhatukjuoeozeoskne.exe*."
    3⤵
    PID:5488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wjhtkymitntityee.exe
1⤵
PID:5324
- C:\Windows\wjhtkymitntityee.exe
  wjhtkymitntityee.exe
  2⤵
  PID:3508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mbbpiyomzvduhowyfg.exe
1⤵
PID:2696
- C:\Windows\mbbpiyomzvduhowyfg.exe
  mbbpiyomzvduhowyfg.exe
  2⤵
  PID:6044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mbbpiyomzvduhowyfg.exe .
1⤵
PID:2472
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:396
- C:\Windows\mbbpiyomzvduhowyfg.exe
  mbbpiyomzvduhowyfg.exe .
  2⤵
  PID:1764
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\mbbpiyomzvduhowyfg.exe*."
    3⤵
    PID:1604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zrulhatukjuoeozeoskne.exe .
1⤵
PID:5336
- C:\Windows\zrulhatukjuoeozeoskne.exe
  zrulhatukjuoeozeoskne.exe .
  2⤵
  PID:2128
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\zrulhatukjuoeozeoskne.exe*."
    3⤵
    PID:5080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wjhtkymitntityee.exe
1⤵
PID:4536
- C:\Windows\wjhtkymitntityee.exe
  wjhtkymitntityee.exe
  2⤵
  PID:4800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe
1⤵
PID:2304
- C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe
  C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe
  2⤵
  PID:2544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe
1⤵
PID:4652
- C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe
  C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe
  2⤵
  PID:1004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kbdtogyynlvodmwajmdf.exe .
1⤵
PID:4680
- C:\Windows\kbdtogyynlvodmwajmdf.exe
  kbdtogyynlvodmwajmdf.exe .
  2⤵
  PID:4568
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\kbdtogyynlvodmwajmdf.exe*."
    3⤵
    PID:4620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe .
1⤵
PID:5360
- C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
  C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe .
  2⤵
  PID:1564
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\wjhtkymitntityee.exe*."
    3⤵
    PID:2412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe .
1⤵
PID:5348
- C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe
  C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe .
  2⤵
  PID:2140
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\xnodxofespyqemvygiy.exe*."
    3⤵
    PID:4844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe
1⤵
PID:2288
- C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe
  C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe
  2⤵
  PID:4932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe .
1⤵
PID:5844
- C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe
  C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe .
  2⤵
  PID:4324
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\mbbpiyomzvduhowyfg.exe*."
    3⤵
    PID:4544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe
1⤵
PID:740
- C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe
  C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe
  2⤵
  PID:1584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe
1⤵
PID:5092
- C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe
  C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe
  2⤵
  PID:4616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe .
1⤵
PID:4720
- C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe
  C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe .
  2⤵
  PID:2720
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\mbbpiyomzvduhowyfg.exe*."
    3⤵
    PID:2224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe .
1⤵
PID:228
- C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe
  C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe .
  2⤵
  PID:3356
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\drqdvkzwidkamszag.exe*."
    3⤵
    PID:5136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe
1⤵
PID:4728
- C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe
  C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe
  2⤵
  PID:1344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe .
1⤵
PID:2792
- C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe
  C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe .
  2⤵
  PID:1284
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\mbbpiyomzvduhowyfg.exe*."
    3⤵
    PID:1448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mbbpiyomzvduhowyfg.exe
1⤵
PID:2580
- C:\Windows\mbbpiyomzvduhowyfg.exe
  mbbpiyomzvduhowyfg.exe
  2⤵
  PID:4784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mbbpiyomzvduhowyfg.exe .
1⤵
PID:2280
- C:\Windows\mbbpiyomzvduhowyfg.exe
  mbbpiyomzvduhowyfg.exe .
  2⤵
  PID:4684
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\mbbpiyomzvduhowyfg.exe*."
    3⤵
    PID:3496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mbbpiyomzvduhowyfg.exe
1⤵
PID:4208
- C:\Windows\mbbpiyomzvduhowyfg.exe
  mbbpiyomzvduhowyfg.exe
  2⤵
  PID:4664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mbbpiyomzvduhowyfg.exe .
1⤵
PID:6088
- C:\Windows\mbbpiyomzvduhowyfg.exe
  mbbpiyomzvduhowyfg.exe .
  2⤵
  PID:2732
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\mbbpiyomzvduhowyfg.exe*."
    3⤵
    PID:2204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe
1⤵
PID:5464
- C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe
  C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe
  2⤵
  PID:3432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe .
1⤵
PID:644
- C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe
  C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe .
  2⤵
  PID:4200
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\zrulhatukjuoeozeoskne.exe*."
    3⤵
    PID:3600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe
1⤵
PID:5992
- C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe
  C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe
  2⤵
  PID:2420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe .
1⤵
PID:1968
- C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe
  C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe .
  2⤵
  PID:3736
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\xnodxofespyqemvygiy.exe*."
    3⤵
    PID:5856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kbdtogyynlvodmwajmdf.exe
1⤵
PID:5064
- C:\Windows\kbdtogyynlvodmwajmdf.exe
  kbdtogyynlvodmwajmdf.exe
  2⤵
  PID:2804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kbdtogyynlvodmwajmdf.exe .
1⤵
PID:2472
- C:\Windows\kbdtogyynlvodmwajmdf.exe
  kbdtogyynlvodmwajmdf.exe .
  2⤵
  PID:4932
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\kbdtogyynlvodmwajmdf.exe*."
    3⤵
    PID:3336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wjhtkymitntityee.exe
1⤵
PID:2848
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4736
- C:\Windows\wjhtkymitntityee.exe
  wjhtkymitntityee.exe
  2⤵
  PID:2140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zrulhatukjuoeozeoskne.exe .
1⤵
PID:4844
- C:\Windows\zrulhatukjuoeozeoskne.exe
  zrulhatukjuoeozeoskne.exe .
  2⤵
  PID:5084
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\zrulhatukjuoeozeoskne.exe*."
    3⤵
    PID:6140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe
1⤵
PID:2684
- C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe
  C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe
  2⤵
  PID:3888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe .
1⤵
PID:2164
- C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe
  C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe .
  2⤵
  PID:5348
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\kbdtogyynlvodmwajmdf.exe*."
    3⤵
    PID:768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe
1⤵
PID:4712
- C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe
  C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe
  2⤵
  PID:2464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe .
1⤵
PID:1720
- C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe
  C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe .
  2⤵
  PID:3028
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\mbbpiyomzvduhowyfg.exe*."
    3⤵
    PID:544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mbbpiyomzvduhowyfg.exe
1⤵
PID:5968
- C:\Windows\mbbpiyomzvduhowyfg.exe
  mbbpiyomzvduhowyfg.exe
  2⤵
  PID:4640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kbdtogyynlvodmwajmdf.exe .
1⤵
PID:4108
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4948
- C:\Windows\kbdtogyynlvodmwajmdf.exe
  kbdtogyynlvodmwajmdf.exe .
  2⤵
  PID:5916
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\kbdtogyynlvodmwajmdf.exe*."
    3⤵
    PID:1564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mbbpiyomzvduhowyfg.exe
1⤵
PID:3000
- C:\Windows\mbbpiyomzvduhowyfg.exe
  mbbpiyomzvduhowyfg.exe
  2⤵
  PID:4384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xnodxofespyqemvygiy.exe .
1⤵
PID:4968
- C:\Windows\xnodxofespyqemvygiy.exe
  xnodxofespyqemvygiy.exe .
  2⤵
  PID:4780
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\xnodxofespyqemvygiy.exe*."
    3⤵
    PID:1596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe
1⤵
PID:4492
- C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe
  C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe
  2⤵
  PID:1020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe .
1⤵
PID:1984
- C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe
  C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe .
  2⤵
  PID:5036
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\mbbpiyomzvduhowyfg.exe*."
    3⤵
    PID:1508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe
1⤵
PID:2836
- C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe
  C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe
  2⤵
  PID:5172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe .
1⤵
PID:2280
- C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe
  C:\Users\Admin\AppData\Local\Temp\zrulhatukjuoeozeoskne.exe .
  2⤵
  PID:4988
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\zrulhatukjuoeozeoskne.exe*."
    3⤵
    PID:2468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kbdtogyynlvodmwajmdf.exe
1⤵
PID:6044
- C:\Windows\kbdtogyynlvodmwajmdf.exe
  kbdtogyynlvodmwajmdf.exe
  2⤵
  PID:5324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wjhtkymitntityee.exe .
1⤵
PID:4624
- C:\Windows\wjhtkymitntityee.exe
  wjhtkymitntityee.exe .
  2⤵
  PID:3368
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\wjhtkymitntityee.exe*."
    3⤵
    PID:2572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xnodxofespyqemvygiy.exe
1⤵
PID:5292
- C:\Windows\xnodxofespyqemvygiy.exe
  xnodxofespyqemvygiy.exe
  2⤵
  PID:4200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xnodxofespyqemvygiy.exe .
1⤵
PID:2356
- C:\Windows\xnodxofespyqemvygiy.exe
  xnodxofespyqemvygiy.exe .
  2⤵
  PID:3472
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\xnodxofespyqemvygiy.exe*."
    3⤵
    PID:3960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe
1⤵
PID:2380
- C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe
  C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe
  2⤵
  PID:4732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe .
1⤵
PID:64
- C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe
  C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe .
  2⤵
  PID:3156
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\kbdtogyynlvodmwajmdf.exe*."
    3⤵
    PID:5812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe
1⤵
PID:704
- C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe
  C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe
  2⤵
  PID:4568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe .
1⤵
PID:5272
- C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe
  C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe .
  2⤵
  PID:5232
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\kbdtogyynlvodmwajmdf.exe*."
    3⤵
    PID:1608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mbbpiyomzvduhowyfg.exe
1⤵
PID:5828
- C:\Windows\mbbpiyomzvduhowyfg.exe
  mbbpiyomzvduhowyfg.exe
  2⤵
  PID:2488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zrulhatukjuoeozeoskne.exe .
1⤵
PID:4920
- C:\Windows\zrulhatukjuoeozeoskne.exe
  zrulhatukjuoeozeoskne.exe .
  2⤵
  PID:4680
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\zrulhatukjuoeozeoskne.exe*."
    3⤵
    PID:5696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mbbpiyomzvduhowyfg.exe
1⤵
PID:2288
- C:\Windows\mbbpiyomzvduhowyfg.exe
  mbbpiyomzvduhowyfg.exe
  2⤵
  PID:2972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wjhtkymitntityee.exe .
1⤵
PID:1756
- C:\Windows\wjhtkymitntityee.exe
  wjhtkymitntityee.exe .
  2⤵
  PID:2976
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\wjhtkymitntityee.exe*."
    3⤵
    PID:552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe
1⤵
PID:5884
- C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe
  C:\Users\Admin\AppData\Local\Temp\xnodxofespyqemvygiy.exe
  2⤵
  PID:3080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe .
1⤵
PID:1784
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5844
- C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe
  C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe .
  2⤵
  PID:4824
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\kbdtogyynlvodmwajmdf.exe*."
    3⤵
    PID:5368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe
1⤵
PID:776
- C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe
  C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe
  2⤵
  PID:3768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe .
1⤵
PID:4636
- C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
  C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe .
  2⤵
  PID:5628
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\wjhtkymitntityee.exe*."
    3⤵
    PID:980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mbbpiyomzvduhowyfg.exe
1⤵
PID:2588
- C:\Windows\mbbpiyomzvduhowyfg.exe
  mbbpiyomzvduhowyfg.exe
  2⤵
  PID:1020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xnodxofespyqemvygiy.exe .
1⤵
PID:3008
- C:\Windows\xnodxofespyqemvygiy.exe
  xnodxofespyqemvygiy.exe .
  2⤵
  PID:3852
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\xnodxofespyqemvygiy.exe*."
    3⤵
    PID:1732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xnodxofespyqemvygiy.exe
1⤵
PID:5560
- C:\Windows\xnodxofespyqemvygiy.exe
  xnodxofespyqemvygiy.exe
  2⤵
  PID:2396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c drqdvkzwidkamszag.exe .
1⤵
PID:5712
- C:\Windows\drqdvkzwidkamszag.exe
  drqdvkzwidkamszag.exe .
  2⤵
  PID:4848
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\drqdvkzwidkamszag.exe*."
    3⤵
    PID:1060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe
1⤵
PID:5048
- C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe
  C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe
  2⤵
  PID:544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe .
1⤵
PID:4208
- C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
  C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe .
  2⤵
  PID:5076
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\wjhtkymitntityee.exe*."
    3⤵
    PID:4392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe
1⤵
PID:3772
- C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe
  C:\Users\Admin\AppData\Local\Temp\kbdtogyynlvodmwajmdf.exe
  2⤵
  PID:4928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe .
1⤵
PID:2540
- C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe
  C:\Users\Admin\AppData\Local\Temp\wjhtkymitntityee.exe .
  2⤵
  PID:3484
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\users\admin\appdata\local\temp\wjhtkymitntityee.exe*."
    3⤵
    PID:5128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zrulhatukjuoeozeoskne.exe
1⤵
PID:536
- C:\Windows\zrulhatukjuoeozeoskne.exe
  zrulhatukjuoeozeoskne.exe
  2⤵
  PID:5292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xnodxofespyqemvygiy.exe .
1⤵
PID:4760
- C:\Windows\xnodxofespyqemvygiy.exe
  xnodxofespyqemvygiy.exe .
  2⤵
  PID:1236
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\xnodxofespyqemvygiy.exe*."
    3⤵
    PID:5840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zrulhatukjuoeozeoskne.exe
1⤵
PID:3384
- C:\Windows\zrulhatukjuoeozeoskne.exe
  zrulhatukjuoeozeoskne.exe
  2⤵
  PID:5320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kbdtogyynlvodmwajmdf.exe
1⤵
PID:1764
- C:\Windows\kbdtogyynlvodmwajmdf.exe
  kbdtogyynlvodmwajmdf.exe
  2⤵
  PID:3336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c drqdvkzwidkamszag.exe
1⤵
PID:1968
- C:\Windows\drqdvkzwidkamszag.exe
  drqdvkzwidkamszag.exe
  2⤵
  PID:3628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mbbpiyomzvduhowyfg.exe .
1⤵
PID:5080
- C:\Windows\mbbpiyomzvduhowyfg.exe
  mbbpiyomzvduhowyfg.exe .
  2⤵
  PID:608
- - C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe
    "C:\Users\Admin\AppData\Local\Temp\uvfllmhhefp.exe" "c:\windows\mbbpiyomzvduhowyfg.exe*."
    3⤵
    PID:2300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xnodxofespyqemvygiy.exe .
1⤵
PID:704
- C:\Windows\xnodxofespyqemvygiy.exe
  xnodxofespyqemvygiy.exe .
  2⤵
  PID:2488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kbdtogyynlvodmwajmdf.exe .
1⤵
PID:5232
- C:\Windows\kbdtogyynlvodmwajmdf.exe
  kbdtogyynlvodmwajmdf.exe .
  2⤵
  PID:736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zrulhatukjuoeozeoskne.exe
1⤵
PID:4992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drqdvkzwidkamszag.exe
1⤵
PID:6136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbbpiyomzvduhowyfg.exe .
1⤵
PID:1556
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xnodxofespyqemvygiy.exe .
1⤵
PID:5016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mbbpiyomzvduhowyfg.exe
1⤵
PID:3788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Safe Mode Boot

T1562.009

Modify Registry