pykspa | f61f89ee6617b8121558c3d2d87e0154413eaffb047d24d34c18d688b461fabd

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	xcitacq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	xcitacq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	sdqaokddcna.exe

Pykspa
Pykspa is a worm spreads via Skype uses DGA and it's written in C++.
worm pykspa
Pykspa family
pykspa

UAC bypass 3 TTPs 27 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	xcitacq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	xcitacq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	xcitacq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	xcitacq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	xcitacq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	xcitacq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	xcitacq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	xcitacq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe

Detect Pykspa worm 2 IoCs

worm

resource	yara_rule
behavioral2/files/0x0008000000024339-4.dat	family_pykspa
behavioral2/files/0x0008000000024340-84.dat	family_pykspa

Adds policy Run key to start application 2 TTPs 58 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wenblqhozf = "dsidugeskxsjcsmon.exe"	xcitacq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xcitacq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xogdwkkaujgzumimnvb.exe"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wenblqhozf = "dsidugeskxsjcsmon.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xcitacq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dsidugeskxsjcsmon.exe"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wenblqhozf = "wkztjurevhbrjyrs.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xcitacq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kcvtncdupfdxtmjoqzgy.exe"	xcitacq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xcitacq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mctphutibpldxojmmt.exe"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xcitacq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wkztjurevhbrjyrs.exe"	xcitacq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xcitacq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wkztjurevhbrjyrs.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wenblqhozf = "dsidugeskxsjcsmon.exe"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xcitacq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mctphutibpldxojmmt.exe"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xcitacq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wkztjurevhbrjyrs.exe"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xcitacq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mctphutibpldxojmmt.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wenblqhozf = "zsmlgwyqmdcxuomsvfnga.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xcitacq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xogdwkkaujgzumimnvb.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wenblqhozf = "dsidugeskxsjcsmon.exe"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wenblqhozf = "wkztjurevhbrjyrs.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wenblqhozf = "wkztjurevhbrjyrs.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xcitacq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kcvtncdupfdxtmjoqzgy.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wenblqhozf = "dsidugeskxsjcsmon.exe"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wenblqhozf = "dsidugeskxsjcsmon.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xcitacq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wkztjurevhbrjyrs.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wenblqhozf = "mctphutibpldxojmmt.exe"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xcitacq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mctphutibpldxojmmt.exe"	xcitacq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wenblqhozf = "kcvtncdupfdxtmjoqzgy.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xcitacq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mctphutibpldxojmmt.exe"	xcitacq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xcitacq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dsidugeskxsjcsmon.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wenblqhozf = "xogdwkkaujgzumimnvb.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xcitacq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kcvtncdupfdxtmjoqzgy.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xcitacq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mctphutibpldxojmmt.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wenblqhozf = "dsidugeskxsjcsmon.exe"	xcitacq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wenblqhozf = "xogdwkkaujgzumimnvb.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wenblqhozf = "zsmlgwyqmdcxuomsvfnga.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xcitacq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dsidugeskxsjcsmon.exe"	xcitacq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xcitacq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xogdwkkaujgzumimnvb.exe"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	xcitacq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xcitacq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mctphutibpldxojmmt.exe"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	xcitacq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wenblqhozf = "xogdwkkaujgzumimnvb.exe"	xcitacq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wenblqhozf = "mctphutibpldxojmmt.exe"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wenblqhozf = "zsmlgwyqmdcxuomsvfnga.exe"	xcitacq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wenblqhozf = "zsmlgwyqmdcxuomsvfnga.exe"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sdqaokddcna.exe

Blocklisted process makes network request 5 IoCs

flow	pid	Process
39	3144	Process not Found
42	5268	Process not Found
43	5268	Process not Found
52	5564	Process not Found
54	3144	Process not Found

Disables RegEdit via registry modification 6 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	xcitacq.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	sdqaokddcna.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	xcitacq.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	xcitacq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	xcitacq.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	xogdwkkaujgzumimnvb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	dsidugeskxsjcsmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	dsidugeskxsjcsmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	kcvtncdupfdxtmjoqzgy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	xogdwkkaujgzumimnvb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	zsmlgwyqmdcxuomsvfnga.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	zsmlgwyqmdcxuomsvfnga.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	zsmlgwyqmdcxuomsvfnga.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	mctphutibpldxojmmt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	zsmlgwyqmdcxuomsvfnga.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	xogdwkkaujgzumimnvb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	zsmlgwyqmdcxuomsvfnga.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	wkztjurevhbrjyrs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	kcvtncdupfdxtmjoqzgy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	xogdwkkaujgzumimnvb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	xogdwkkaujgzumimnvb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	JaffaCakes118_8f5573f964d57bc8a4c6ef938d9fda50.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	zsmlgwyqmdcxuomsvfnga.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	dsidugeskxsjcsmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	xogdwkkaujgzumimnvb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	kcvtncdupfdxtmjoqzgy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	zsmlgwyqmdcxuomsvfnga.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	kcvtncdupfdxtmjoqzgy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	xogdwkkaujgzumimnvb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	dsidugeskxsjcsmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	mctphutibpldxojmmt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	wkztjurevhbrjyrs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	xogdwkkaujgzumimnvb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	kcvtncdupfdxtmjoqzgy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	zsmlgwyqmdcxuomsvfnga.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	wkztjurevhbrjyrs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	mctphutibpldxojmmt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	wkztjurevhbrjyrs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	wkztjurevhbrjyrs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	xogdwkkaujgzumimnvb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	dsidugeskxsjcsmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	zsmlgwyqmdcxuomsvfnga.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	mctphutibpldxojmmt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	kcvtncdupfdxtmjoqzgy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	kcvtncdupfdxtmjoqzgy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	mctphutibpldxojmmt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	kcvtncdupfdxtmjoqzgy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	sdqaokddcna.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	dsidugeskxsjcsmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	zsmlgwyqmdcxuomsvfnga.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	dsidugeskxsjcsmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	xogdwkkaujgzumimnvb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	xogdwkkaujgzumimnvb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	wkztjurevhbrjyrs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	mctphutibpldxojmmt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	zsmlgwyqmdcxuomsvfnga.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	zsmlgwyqmdcxuomsvfnga.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	mctphutibpldxojmmt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	kcvtncdupfdxtmjoqzgy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	wkztjurevhbrjyrs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	zsmlgwyqmdcxuomsvfnga.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	mctphutibpldxojmmt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	zsmlgwyqmdcxuomsvfnga.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	xogdwkkaujgzumimnvb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	kcvtncdupfdxtmjoqzgy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	dsidugeskxsjcsmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	xogdwkkaujgzumimnvb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	mctphutibpldxojmmt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	wkztjurevhbrjyrs.exe

Executes dropped EXE 64 IoCs

pid	Process
5436	sdqaokddcna.exe
4828	zsmlgwyqmdcxuomsvfnga.exe
4888	xogdwkkaujgzumimnvb.exe
2780	zsmlgwyqmdcxuomsvfnga.exe
4632	sdqaokddcna.exe
540	kcvtncdupfdxtmjoqzgy.exe
1832	mctphutibpldxojmmt.exe
1260	xogdwkkaujgzumimnvb.exe
5392	sdqaokddcna.exe
3124	sdqaokddcna.exe
2144	kcvtncdupfdxtmjoqzgy.exe
2676	mctphutibpldxojmmt.exe
5540	sdqaokddcna.exe
4204	xcitacq.exe
3912	xcitacq.exe
4172	wkztjurevhbrjyrs.exe
3856	mctphutibpldxojmmt.exe
5480	zsmlgwyqmdcxuomsvfnga.exe
1692	kcvtncdupfdxtmjoqzgy.exe
2284	sdqaokddcna.exe
4480	sdqaokddcna.exe
4648	wkztjurevhbrjyrs.exe
5216	zsmlgwyqmdcxuomsvfnga.exe
2912	kcvtncdupfdxtmjoqzgy.exe
4792	zsmlgwyqmdcxuomsvfnga.exe
1928	wkztjurevhbrjyrs.exe
3968	xogdwkkaujgzumimnvb.exe
2716	zsmlgwyqmdcxuomsvfnga.exe
964	dsidugeskxsjcsmon.exe
540	dsidugeskxsjcsmon.exe
2848	dsidugeskxsjcsmon.exe
5320	mctphutibpldxojmmt.exe
1260	sdqaokddcna.exe
3832	mctphutibpldxojmmt.exe
1624	sdqaokddcna.exe
3588	xogdwkkaujgzumimnvb.exe
3020	sdqaokddcna.exe
3492	sdqaokddcna.exe
3940	sdqaokddcna.exe
1244	sdqaokddcna.exe
1836	xogdwkkaujgzumimnvb.exe
4284	kcvtncdupfdxtmjoqzgy.exe
1628	xogdwkkaujgzumimnvb.exe
5068	kcvtncdupfdxtmjoqzgy.exe
5304	zsmlgwyqmdcxuomsvfnga.exe
5312	sdqaokddcna.exe
2232	sdqaokddcna.exe
2380	wkztjurevhbrjyrs.exe
5208	sdqaokddcna.exe
5264	zsmlgwyqmdcxuomsvfnga.exe
516	sdqaokddcna.exe
1604	kcvtncdupfdxtmjoqzgy.exe
5324	kcvtncdupfdxtmjoqzgy.exe
3352	dsidugeskxsjcsmon.exe
624	wkztjurevhbrjyrs.exe
1456	sdqaokddcna.exe
3404	dsidugeskxsjcsmon.exe
5556	zsmlgwyqmdcxuomsvfnga.exe
4724	dsidugeskxsjcsmon.exe
3472	mctphutibpldxojmmt.exe
4588	sdqaokddcna.exe
6076	sdqaokddcna.exe
5648	sdqaokddcna.exe
1728	mctphutibpldxojmmt.exe

Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	xcitacq.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	xcitacq.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	xcitacq.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	xcitacq.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	xcitacq.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	xcitacq.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

defense_evasion persistence privilege_escalation

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dksfosioy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsmlgwyqmdcxuomsvfnga.exe ."	xcitacq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nykbowqaoxobq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xogdwkkaujgzumimnvb.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mszltwlq = "wkztjurevhbrjyrs.exe"	xcitacq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dksfosioy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dsidugeskxsjcsmon.exe ."	xcitacq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dksfosioy = "xogdwkkaujgzumimnvb.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oyjzlsluhpfr = "dsidugeskxsjcsmon.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rakzkqiqcjy = "kcvtncdupfdxtmjoqzgy.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oyjzlsluhpfr = "dsidugeskxsjcsmon.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mszltwlq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kcvtncdupfdxtmjoqzgy.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mszltwlq = "mctphutibpldxojmmt.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dksfosioy = "dsidugeskxsjcsmon.exe ."	xcitacq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dksfosioy = "xogdwkkaujgzumimnvb.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mszltwlq = "dsidugeskxsjcsmon.exe"	xcitacq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oyjzlsluhpfr = "xogdwkkaujgzumimnvb.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rakzkqiqcjy = "wkztjurevhbrjyrs.exe"	xcitacq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mszltwlq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mctphutibpldxojmmt.exe"	xcitacq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oanftcxixhzndq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mctphutibpldxojmmt.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dksfosioy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mctphutibpldxojmmt.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nykbowqaoxobq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xogdwkkaujgzumimnvb.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dksfosioy = "zsmlgwyqmdcxuomsvfnga.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nykbowqaoxobq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kcvtncdupfdxtmjoqzgy.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mszltwlq = "mctphutibpldxojmmt.exe"	xcitacq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oanftcxixhzndq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mctphutibpldxojmmt.exe"	xcitacq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oyjzlsluhpfr = "dsidugeskxsjcsmon.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oanftcxixhzndq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mctphutibpldxojmmt.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oyjzlsluhpfr = "xogdwkkaujgzumimnvb.exe ."	xcitacq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dksfosioy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsmlgwyqmdcxuomsvfnga.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nykbowqaoxobq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mctphutibpldxojmmt.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nykbowqaoxobq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dsidugeskxsjcsmon.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oyjzlsluhpfr = "mctphutibpldxojmmt.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mszltwlq = "zsmlgwyqmdcxuomsvfnga.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oanftcxixhzndq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wkztjurevhbrjyrs.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dksfosioy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mctphutibpldxojmmt.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dksfosioy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xogdwkkaujgzumimnvb.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mszltwlq = "dsidugeskxsjcsmon.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mszltwlq = "kcvtncdupfdxtmjoqzgy.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mszltwlq = "xogdwkkaujgzumimnvb.exe"	xcitacq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nykbowqaoxobq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kcvtncdupfdxtmjoqzgy.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mszltwlq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsmlgwyqmdcxuomsvfnga.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dksfosioy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsmlgwyqmdcxuomsvfnga.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mszltwlq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsmlgwyqmdcxuomsvfnga.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oyjzlsluhpfr = "kcvtncdupfdxtmjoqzgy.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oanftcxixhzndq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xogdwkkaujgzumimnvb.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oanftcxixhzndq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wkztjurevhbrjyrs.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rakzkqiqcjy = "xogdwkkaujgzumimnvb.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dksfosioy = "mctphutibpldxojmmt.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mszltwlq = "zsmlgwyqmdcxuomsvfnga.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dksfosioy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mctphutibpldxojmmt.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oyjzlsluhpfr = "wkztjurevhbrjyrs.exe ."	xcitacq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mszltwlq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mctphutibpldxojmmt.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oyjzlsluhpfr = "xogdwkkaujgzumimnvb.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mszltwlq = "zsmlgwyqmdcxuomsvfnga.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mszltwlq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mctphutibpldxojmmt.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oyjzlsluhpfr = "wkztjurevhbrjyrs.exe ."	xcitacq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rakzkqiqcjy = "zsmlgwyqmdcxuomsvfnga.exe"	xcitacq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oanftcxixhzndq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xogdwkkaujgzumimnvb.exe"	xcitacq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dksfosioy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mctphutibpldxojmmt.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oyjzlsluhpfr = "kcvtncdupfdxtmjoqzgy.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oyjzlsluhpfr = "zsmlgwyqmdcxuomsvfnga.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oyjzlsluhpfr = "dsidugeskxsjcsmon.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rakzkqiqcjy = "wkztjurevhbrjyrs.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dksfosioy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsmlgwyqmdcxuomsvfnga.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nykbowqaoxobq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xogdwkkaujgzumimnvb.exe ."	xcitacq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oanftcxixhzndq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsmlgwyqmdcxuomsvfnga.exe"	sdqaokddcna.exe

Checks whether UAC is enabled 1 TTPs 36 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdqaokddcna.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdqaokddcna.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	xcitacq.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdqaokddcna.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdqaokddcna.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdqaokddcna.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdqaokddcna.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdqaokddcna.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	xcitacq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	xcitacq.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	xcitacq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe

Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs

Possible Turn off User Account Control's privilege elevation for standard users.

Executable Installer File Permissions Weakness

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	xcitacq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	xcitacq.exe

Looks up external IP address via web service 8 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
25	www.whatismyip.ca
31	www.showmyipaddress.com
55	www.whatismyip.ca
23	whatismyipaddress.com
29	whatismyip.everdot.org
34	www.whatismyip.ca
35	whatismyip.everdot.org
47	www.whatismyip.ca

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\qkffbsvolddzxsrycnwqll.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\dsidugeskxsjcsmon.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\mctphutibpldxojmmt.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\mctphutibpldxojmmt.exe	xcitacq.exe
File opened for modification	C:\Windows\SysWOW64\dsidugeskxsjcsmon.exe	xcitacq.exe
File opened for modification	C:\Windows\SysWOW64\zsmlgwyqmdcxuomsvfnga.exe	xcitacq.exe
File opened for modification	C:\Windows\SysWOW64\mctphutibpldxojmmt.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\dsidugeskxsjcsmon.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\xogdwkkaujgzumimnvb.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\qkffbsvolddzxsrycnwqll.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\xogdwkkaujgzumimnvb.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\kcvtncdupfdxtmjoqzgy.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\qkffbsvolddzxsrycnwqll.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\xogdwkkaujgzumimnvb.exe	xcitacq.exe
File opened for modification	C:\Windows\SysWOW64\zsmlgwyqmdcxuomsvfnga.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\dsidugeskxsjcsmon.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\zsmlgwyqmdcxuomsvfnga.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\xogdwkkaujgzumimnvb.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\qkffbsvolddzxsrycnwqll.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\wkztjurevhbrjyrs.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\wkztjurevhbrjyrs.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\wkztjurevhbrjyrs.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\wkztjurevhbrjyrs.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\mctphutibpldxojmmt.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\zsmlgwyqmdcxuomsvfnga.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\mctphutibpldxojmmt.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\dsidugeskxsjcsmon.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\kcvtncdupfdxtmjoqzgy.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\xogdwkkaujgzumimnvb.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\wkztjurevhbrjyrs.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\zsmlgwyqmdcxuomsvfnga.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\dsidugeskxsjcsmon.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\zsmlgwyqmdcxuomsvfnga.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\wkztjurevhbrjyrs.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\mctphutibpldxojmmt.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\qkffbsvolddzxsrycnwqll.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\qkffbsvolddzxsrycnwqll.exe	xcitacq.exe
File opened for modification	C:\Windows\SysWOW64\xogdwkkaujgzumimnvb.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\kcvtncdupfdxtmjoqzgy.exe	xcitacq.exe
File opened for modification	C:\Windows\SysWOW64\nykbowqaoxobqcsqlnnykbowqaoxobqcsql.nyk	xcitacq.exe
File opened for modification	C:\Windows\SysWOW64\xogdwkkaujgzumimnvb.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\kcvtncdupfdxtmjoqzgy.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\zsmlgwyqmdcxuomsvfnga.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\qkffbsvolddzxsrycnwqll.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\xogdwkkaujgzumimnvb.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\kcvtncdupfdxtmjoqzgy.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\wkztjurevhbrjyrs.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\qkffbsvolddzxsrycnwqll.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\dsidugeskxsjcsmon.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\qkffbsvolddzxsrycnwqll.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\kcvtncdupfdxtmjoqzgy.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\dsidugeskxsjcsmon.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\kcvtncdupfdxtmjoqzgy.exe	xcitacq.exe
File opened for modification	C:\Windows\SysWOW64\dsidugeskxsjcsmon.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\zsmlgwyqmdcxuomsvfnga.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\qkffbsvolddzxsrycnwqll.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\zsmlgwyqmdcxuomsvfnga.exe	xcitacq.exe
File opened for modification	C:\Windows\SysWOW64\dsidugeskxsjcsmon.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\kcvtncdupfdxtmjoqzgy.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\qkffbsvolddzxsrycnwqll.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\kcvtncdupfdxtmjoqzgy.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\qkffbsvolddzxsrycnwqll.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\xogdwkkaujgzumimnvb.exe	xcitacq.exe
File opened for modification	C:\Windows\SysWOW64\mctphutibpldxojmmt.exe	sdqaokddcna.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\eeflnktsvtzbfglyizoopvxu.cfd	xcitacq.exe
File created	C:\Program Files (x86)\eeflnktsvtzbfglyizoopvxu.cfd	xcitacq.exe
File opened for modification	C:\Program Files (x86)\nykbowqaoxobqcsqlnnykbowqaoxobqcsql.nyk	xcitacq.exe
File created	C:\Program Files (x86)\nykbowqaoxobqcsqlnnykbowqaoxobqcsql.nyk	xcitacq.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xogdwkkaujgzumimnvb.exe	xcitacq.exe
File opened for modification	C:\Windows\kcvtncdupfdxtmjoqzgy.exe	xcitacq.exe
File opened for modification	C:\Windows\nykbowqaoxobqcsqlnnykbowqaoxobqcsql.nyk	xcitacq.exe
File opened for modification	C:\Windows\xogdwkkaujgzumimnvb.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\xogdwkkaujgzumimnvb.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\wkztjurevhbrjyrs.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\qkffbsvolddzxsrycnwqll.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\xogdwkkaujgzumimnvb.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\kcvtncdupfdxtmjoqzgy.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\qkffbsvolddzxsrycnwqll.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\zsmlgwyqmdcxuomsvfnga.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\mctphutibpldxojmmt.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\kcvtncdupfdxtmjoqzgy.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\qkffbsvolddzxsrycnwqll.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\kcvtncdupfdxtmjoqzgy.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\mctphutibpldxojmmt.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\qkffbsvolddzxsrycnwqll.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\qkffbsvolddzxsrycnwqll.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\wkztjurevhbrjyrs.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\wkztjurevhbrjyrs.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\dsidugeskxsjcsmon.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\xogdwkkaujgzumimnvb.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\zsmlgwyqmdcxuomsvfnga.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\kcvtncdupfdxtmjoqzgy.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\xogdwkkaujgzumimnvb.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\xogdwkkaujgzumimnvb.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\qkffbsvolddzxsrycnwqll.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\zsmlgwyqmdcxuomsvfnga.exe	xcitacq.exe
File opened for modification	C:\Windows\dsidugeskxsjcsmon.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\kcvtncdupfdxtmjoqzgy.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\zsmlgwyqmdcxuomsvfnga.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\qkffbsvolddzxsrycnwqll.exe	xcitacq.exe
File opened for modification	C:\Windows\wkztjurevhbrjyrs.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\wkztjurevhbrjyrs.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\mctphutibpldxojmmt.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\qkffbsvolddzxsrycnwqll.exe	xcitacq.exe
File opened for modification	C:\Windows\dsidugeskxsjcsmon.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\qkffbsvolddzxsrycnwqll.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\wkztjurevhbrjyrs.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\mctphutibpldxojmmt.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\mctphutibpldxojmmt.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\zsmlgwyqmdcxuomsvfnga.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\dsidugeskxsjcsmon.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\zsmlgwyqmdcxuomsvfnga.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\kcvtncdupfdxtmjoqzgy.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\mctphutibpldxojmmt.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\mctphutibpldxojmmt.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\qkffbsvolddzxsrycnwqll.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\wkztjurevhbrjyrs.exe	xcitacq.exe
File opened for modification	C:\Windows\dsidugeskxsjcsmon.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\zsmlgwyqmdcxuomsvfnga.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\dsidugeskxsjcsmon.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\dsidugeskxsjcsmon.exe	xcitacq.exe
File opened for modification	C:\Windows\xogdwkkaujgzumimnvb.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\kcvtncdupfdxtmjoqzgy.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\zsmlgwyqmdcxuomsvfnga.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\xogdwkkaujgzumimnvb.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\xogdwkkaujgzumimnvb.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\qkffbsvolddzxsrycnwqll.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\wkztjurevhbrjyrs.exe	xcitacq.exe
File opened for modification	C:\Windows\kcvtncdupfdxtmjoqzgy.exe	xcitacq.exe
File opened for modification	C:\Windows\wkztjurevhbrjyrs.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\kcvtncdupfdxtmjoqzgy.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\dsidugeskxsjcsmon.exe	sdqaokddcna.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dsidugeskxsjcsmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xogdwkkaujgzumimnvb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zsmlgwyqmdcxuomsvfnga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dsidugeskxsjcsmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zsmlgwyqmdcxuomsvfnga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dsidugeskxsjcsmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mctphutibpldxojmmt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zsmlgwyqmdcxuomsvfnga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wkztjurevhbrjyrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kcvtncdupfdxtmjoqzgy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kcvtncdupfdxtmjoqzgy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mctphutibpldxojmmt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dsidugeskxsjcsmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zsmlgwyqmdcxuomsvfnga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zsmlgwyqmdcxuomsvfnga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kcvtncdupfdxtmjoqzgy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dsidugeskxsjcsmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xogdwkkaujgzumimnvb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xogdwkkaujgzumimnvb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wkztjurevhbrjyrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mctphutibpldxojmmt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mctphutibpldxojmmt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wkztjurevhbrjyrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wkztjurevhbrjyrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xogdwkkaujgzumimnvb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kcvtncdupfdxtmjoqzgy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xogdwkkaujgzumimnvb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xogdwkkaujgzumimnvb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zsmlgwyqmdcxuomsvfnga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kcvtncdupfdxtmjoqzgy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wkztjurevhbrjyrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8f5573f964d57bc8a4c6ef938d9fda50.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xogdwkkaujgzumimnvb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zsmlgwyqmdcxuomsvfnga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dsidugeskxsjcsmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sdqaokddcna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zsmlgwyqmdcxuomsvfnga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dsidugeskxsjcsmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dsidugeskxsjcsmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zsmlgwyqmdcxuomsvfnga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xogdwkkaujgzumimnvb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kcvtncdupfdxtmjoqzgy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mctphutibpldxojmmt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xogdwkkaujgzumimnvb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zsmlgwyqmdcxuomsvfnga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mctphutibpldxojmmt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kcvtncdupfdxtmjoqzgy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kcvtncdupfdxtmjoqzgy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xogdwkkaujgzumimnvb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mctphutibpldxojmmt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kcvtncdupfdxtmjoqzgy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xogdwkkaujgzumimnvb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zsmlgwyqmdcxuomsvfnga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wkztjurevhbrjyrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zsmlgwyqmdcxuomsvfnga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xogdwkkaujgzumimnvb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zsmlgwyqmdcxuomsvfnga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zsmlgwyqmdcxuomsvfnga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zsmlgwyqmdcxuomsvfnga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mctphutibpldxojmmt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kcvtncdupfdxtmjoqzgy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mctphutibpldxojmmt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zsmlgwyqmdcxuomsvfnga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zsmlgwyqmdcxuomsvfnga.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
772	JaffaCakes118_8f5573f964d57bc8a4c6ef938d9fda50.exe
772	JaffaCakes118_8f5573f964d57bc8a4c6ef938d9fda50.exe
772	JaffaCakes118_8f5573f964d57bc8a4c6ef938d9fda50.exe
772	JaffaCakes118_8f5573f964d57bc8a4c6ef938d9fda50.exe
772	JaffaCakes118_8f5573f964d57bc8a4c6ef938d9fda50.exe
772	JaffaCakes118_8f5573f964d57bc8a4c6ef938d9fda50.exe
772	JaffaCakes118_8f5573f964d57bc8a4c6ef938d9fda50.exe
772	JaffaCakes118_8f5573f964d57bc8a4c6ef938d9fda50.exe
772	JaffaCakes118_8f5573f964d57bc8a4c6ef938d9fda50.exe
772	JaffaCakes118_8f5573f964d57bc8a4c6ef938d9fda50.exe
772	JaffaCakes118_8f5573f964d57bc8a4c6ef938d9fda50.exe
772	JaffaCakes118_8f5573f964d57bc8a4c6ef938d9fda50.exe
772	JaffaCakes118_8f5573f964d57bc8a4c6ef938d9fda50.exe
772	JaffaCakes118_8f5573f964d57bc8a4c6ef938d9fda50.exe
772	JaffaCakes118_8f5573f964d57bc8a4c6ef938d9fda50.exe
772	JaffaCakes118_8f5573f964d57bc8a4c6ef938d9fda50.exe
772	JaffaCakes118_8f5573f964d57bc8a4c6ef938d9fda50.exe
772	JaffaCakes118_8f5573f964d57bc8a4c6ef938d9fda50.exe
4204	xcitacq.exe
4204	xcitacq.exe
772	JaffaCakes118_8f5573f964d57bc8a4c6ef938d9fda50.exe
772	JaffaCakes118_8f5573f964d57bc8a4c6ef938d9fda50.exe
772	JaffaCakes118_8f5573f964d57bc8a4c6ef938d9fda50.exe
772	JaffaCakes118_8f5573f964d57bc8a4c6ef938d9fda50.exe
772	JaffaCakes118_8f5573f964d57bc8a4c6ef938d9fda50.exe
772	JaffaCakes118_8f5573f964d57bc8a4c6ef938d9fda50.exe
772	JaffaCakes118_8f5573f964d57bc8a4c6ef938d9fda50.exe
772	JaffaCakes118_8f5573f964d57bc8a4c6ef938d9fda50.exe
772	JaffaCakes118_8f5573f964d57bc8a4c6ef938d9fda50.exe
772	JaffaCakes118_8f5573f964d57bc8a4c6ef938d9fda50.exe
772	JaffaCakes118_8f5573f964d57bc8a4c6ef938d9fda50.exe
772	JaffaCakes118_8f5573f964d57bc8a4c6ef938d9fda50.exe
772	JaffaCakes118_8f5573f964d57bc8a4c6ef938d9fda50.exe
772	JaffaCakes118_8f5573f964d57bc8a4c6ef938d9fda50.exe
772	JaffaCakes118_8f5573f964d57bc8a4c6ef938d9fda50.exe
772	JaffaCakes118_8f5573f964d57bc8a4c6ef938d9fda50.exe
772	JaffaCakes118_8f5573f964d57bc8a4c6ef938d9fda50.exe
772	JaffaCakes118_8f5573f964d57bc8a4c6ef938d9fda50.exe
772	JaffaCakes118_8f5573f964d57bc8a4c6ef938d9fda50.exe
772	JaffaCakes118_8f5573f964d57bc8a4c6ef938d9fda50.exe
772	JaffaCakes118_8f5573f964d57bc8a4c6ef938d9fda50.exe
772	JaffaCakes118_8f5573f964d57bc8a4c6ef938d9fda50.exe
772	JaffaCakes118_8f5573f964d57bc8a4c6ef938d9fda50.exe
772	JaffaCakes118_8f5573f964d57bc8a4c6ef938d9fda50.exe
772	JaffaCakes118_8f5573f964d57bc8a4c6ef938d9fda50.exe
772	JaffaCakes118_8f5573f964d57bc8a4c6ef938d9fda50.exe
772	JaffaCakes118_8f5573f964d57bc8a4c6ef938d9fda50.exe
772	JaffaCakes118_8f5573f964d57bc8a4c6ef938d9fda50.exe
772	JaffaCakes118_8f5573f964d57bc8a4c6ef938d9fda50.exe
772	JaffaCakes118_8f5573f964d57bc8a4c6ef938d9fda50.exe
772	JaffaCakes118_8f5573f964d57bc8a4c6ef938d9fda50.exe
772	JaffaCakes118_8f5573f964d57bc8a4c6ef938d9fda50.exe
772	JaffaCakes118_8f5573f964d57bc8a4c6ef938d9fda50.exe
772	JaffaCakes118_8f5573f964d57bc8a4c6ef938d9fda50.exe
772	JaffaCakes118_8f5573f964d57bc8a4c6ef938d9fda50.exe
772	JaffaCakes118_8f5573f964d57bc8a4c6ef938d9fda50.exe
772	JaffaCakes118_8f5573f964d57bc8a4c6ef938d9fda50.exe
772	JaffaCakes118_8f5573f964d57bc8a4c6ef938d9fda50.exe
772	JaffaCakes118_8f5573f964d57bc8a4c6ef938d9fda50.exe
772	JaffaCakes118_8f5573f964d57bc8a4c6ef938d9fda50.exe
772	JaffaCakes118_8f5573f964d57bc8a4c6ef938d9fda50.exe
772	JaffaCakes118_8f5573f964d57bc8a4c6ef938d9fda50.exe
772	JaffaCakes118_8f5573f964d57bc8a4c6ef938d9fda50.exe
772	JaffaCakes118_8f5573f964d57bc8a4c6ef938d9fda50.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4204	xcitacq.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 772 wrote to memory of 5436	772	JaffaCakes118_8f5573f964d57bc8a4c6ef938d9fda50.exe	90
PID 772 wrote to memory of 5436	772	JaffaCakes118_8f5573f964d57bc8a4c6ef938d9fda50.exe	90
PID 772 wrote to memory of 5436	772	JaffaCakes118_8f5573f964d57bc8a4c6ef938d9fda50.exe	90
PID 4736 wrote to memory of 4828	4736	cmd.exe	94
PID 4736 wrote to memory of 4828	4736	cmd.exe	94
PID 4736 wrote to memory of 4828	4736	cmd.exe	94
PID 1224 wrote to memory of 4888	1224	cmd.exe	97
PID 1224 wrote to memory of 4888	1224	cmd.exe	97
PID 1224 wrote to memory of 4888	1224	cmd.exe	97
PID 1392 wrote to memory of 2780	1392	cmd.exe	102
PID 1392 wrote to memory of 2780	1392	cmd.exe	102
PID 1392 wrote to memory of 2780	1392	cmd.exe	102
PID 4888 wrote to memory of 4632	4888	xogdwkkaujgzumimnvb.exe	103
PID 4888 wrote to memory of 4632	4888	xogdwkkaujgzumimnvb.exe	103
PID 4888 wrote to memory of 4632	4888	xogdwkkaujgzumimnvb.exe	103
PID 2928 wrote to memory of 540	2928	cmd.exe	175
PID 2928 wrote to memory of 540	2928	cmd.exe	175
PID 2928 wrote to memory of 540	2928	cmd.exe	175
PID 1052 wrote to memory of 1832	1052	cmd.exe	109
PID 1052 wrote to memory of 1832	1052	cmd.exe	109
PID 1052 wrote to memory of 1832	1052	cmd.exe	109
PID 3824 wrote to memory of 1260	3824	cmd.exe	179
PID 3824 wrote to memory of 1260	3824	cmd.exe	179
PID 3824 wrote to memory of 1260	3824	cmd.exe	179
PID 540 wrote to memory of 5392	540	kcvtncdupfdxtmjoqzgy.exe	113
PID 540 wrote to memory of 5392	540	kcvtncdupfdxtmjoqzgy.exe	113
PID 540 wrote to memory of 5392	540	kcvtncdupfdxtmjoqzgy.exe	113
PID 1260 wrote to memory of 3124	1260	xogdwkkaujgzumimnvb.exe	116
PID 1260 wrote to memory of 3124	1260	xogdwkkaujgzumimnvb.exe	116
PID 1260 wrote to memory of 3124	1260	xogdwkkaujgzumimnvb.exe	116
PID 2216 wrote to memory of 2144	2216	cmd.exe	117
PID 2216 wrote to memory of 2144	2216	cmd.exe	117
PID 2216 wrote to memory of 2144	2216	cmd.exe	117
PID 5620 wrote to memory of 2676	5620	cmd.exe	283
PID 5620 wrote to memory of 2676	5620	cmd.exe	283
PID 5620 wrote to memory of 2676	5620	cmd.exe	283
PID 2676 wrote to memory of 5540	2676	mctphutibpldxojmmt.exe	119
PID 2676 wrote to memory of 5540	2676	mctphutibpldxojmmt.exe	119
PID 2676 wrote to memory of 5540	2676	mctphutibpldxojmmt.exe	119
PID 5436 wrote to memory of 4204	5436	sdqaokddcna.exe	120
PID 5436 wrote to memory of 4204	5436	sdqaokddcna.exe	120
PID 5436 wrote to memory of 4204	5436	sdqaokddcna.exe	120
PID 5436 wrote to memory of 3912	5436	sdqaokddcna.exe	121
PID 5436 wrote to memory of 3912	5436	sdqaokddcna.exe	121
PID 5436 wrote to memory of 3912	5436	sdqaokddcna.exe	121
PID 1772 wrote to memory of 4172	1772	cmd.exe	128
PID 1772 wrote to memory of 4172	1772	cmd.exe	128
PID 1772 wrote to memory of 4172	1772	cmd.exe	128
PID 1860 wrote to memory of 3856	1860	cmd.exe	129
PID 1860 wrote to memory of 3856	1860	cmd.exe	129
PID 1860 wrote to memory of 3856	1860	cmd.exe	129
PID 2640 wrote to memory of 5480	2640	cmd.exe	134
PID 2640 wrote to memory of 5480	2640	cmd.exe	134
PID 2640 wrote to memory of 5480	2640	cmd.exe	134
PID 6096 wrote to memory of 1692	6096	cmd.exe	136
PID 6096 wrote to memory of 1692	6096	cmd.exe	136
PID 6096 wrote to memory of 1692	6096	cmd.exe	136
PID 5480 wrote to memory of 2284	5480	zsmlgwyqmdcxuomsvfnga.exe	334
PID 5480 wrote to memory of 2284	5480	zsmlgwyqmdcxuomsvfnga.exe	334
PID 5480 wrote to memory of 2284	5480	zsmlgwyqmdcxuomsvfnga.exe	334
PID 1692 wrote to memory of 4480	1692	kcvtncdupfdxtmjoqzgy.exe	155
PID 1692 wrote to memory of 4480	1692	kcvtncdupfdxtmjoqzgy.exe	155
PID 1692 wrote to memory of 4480	1692	kcvtncdupfdxtmjoqzgy.exe	155
PID 220 wrote to memory of 4648	220	cmd.exe	386

System policy modification 1 TTPs 64 IoCs

defense_evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	xcitacq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	xcitacq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	xcitacq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	xcitacq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	xcitacq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	xcitacq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	xcitacq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	xcitacq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	xcitacq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	xcitacq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	xcitacq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	xcitacq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	xcitacq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	xcitacq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	xcitacq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	xcitacq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	xcitacq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	xcitacq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	xcitacq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	xcitacq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	xcitacq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	xcitacq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	xcitacq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	xcitacq.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8f5573f964d57bc8a4c6ef938d9fda50.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8f5573f964d57bc8a4c6ef938d9fda50.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:772
- C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
  "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_8f5573f964d57bc8a4c6ef938d9fda50.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Hijack Execution Flow: Executable Installer File Permissions Weakness
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:5436
- - C:\Users\Admin\AppData\Local\Temp\xcitacq.exe
    "C:\Users\Admin\AppData\Local\Temp\xcitacq.exe" "-C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:4204
- - C:\Users\Admin\AppData\Local\Temp\xcitacq.exe
    "C:\Users\Admin\AppData\Local\Temp\xcitacq.exe" "-C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsmlgwyqmdcxuomsvfnga.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4736
- C:\Windows\zsmlgwyqmdcxuomsvfnga.exe
  zsmlgwyqmdcxuomsvfnga.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xogdwkkaujgzumimnvb.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Windows\xogdwkkaujgzumimnvb.exe
  xogdwkkaujgzumimnvb.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4888
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xogdwkkaujgzumimnvb.exe*."
    3⤵
    - Executes dropped EXE
    PID:4632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsmlgwyqmdcxuomsvfnga.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1392
- C:\Windows\zsmlgwyqmdcxuomsvfnga.exe
  zsmlgwyqmdcxuomsvfnga.exe
  2⤵
  - Executes dropped EXE
  PID:2780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kcvtncdupfdxtmjoqzgy.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Windows\kcvtncdupfdxtmjoqzgy.exe
  kcvtncdupfdxtmjoqzgy.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:540
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\kcvtncdupfdxtmjoqzgy.exe*."
    3⤵
    - Executes dropped EXE
    PID:5392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1052
- C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
  2⤵
  - Executes dropped EXE
  PID:1832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:3824
- C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe
  C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1260
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\xogdwkkaujgzumimnvb.exe*."
    3⤵
    - Executes dropped EXE
    PID:3124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe
  C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:5620
- C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe .
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\mctphutibpldxojmmt.exe*."
    3⤵
    - Executes dropped EXE
    PID:5540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wkztjurevhbrjyrs.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1772
- C:\Windows\wkztjurevhbrjyrs.exe
  wkztjurevhbrjyrs.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mctphutibpldxojmmt.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Windows\mctphutibpldxojmmt.exe
  mctphutibpldxojmmt.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kcvtncdupfdxtmjoqzgy.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:6096
- C:\Windows\kcvtncdupfdxtmjoqzgy.exe
  kcvtncdupfdxtmjoqzgy.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\kcvtncdupfdxtmjoqzgy.exe*."
    3⤵
    - Executes dropped EXE
    PID:4480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsmlgwyqmdcxuomsvfnga.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Windows\zsmlgwyqmdcxuomsvfnga.exe
  zsmlgwyqmdcxuomsvfnga.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5480
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\zsmlgwyqmdcxuomsvfnga.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsmlgwyqmdcxuomsvfnga.exe
1⤵
PID:704
- C:\Windows\zsmlgwyqmdcxuomsvfnga.exe
  zsmlgwyqmdcxuomsvfnga.exe
  2⤵
  - Executes dropped EXE
  PID:5216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kcvtncdupfdxtmjoqzgy.exe
1⤵
PID:1600
- C:\Windows\kcvtncdupfdxtmjoqzgy.exe
  kcvtncdupfdxtmjoqzgy.exe
  2⤵
  - Executes dropped EXE
  PID:2912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wkztjurevhbrjyrs.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:220
- C:\Windows\wkztjurevhbrjyrs.exe
  wkztjurevhbrjyrs.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4648
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\wkztjurevhbrjyrs.exe*."
    3⤵
    - Executes dropped EXE
    PID:1260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsmlgwyqmdcxuomsvfnga.exe .
1⤵
PID:5960
- C:\Windows\zsmlgwyqmdcxuomsvfnga.exe
  zsmlgwyqmdcxuomsvfnga.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4792
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\zsmlgwyqmdcxuomsvfnga.exe*."
    3⤵
    - Executes dropped EXE
    PID:1624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe
1⤵
PID:464
- C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe
  2⤵
  - Executes dropped EXE
  PID:1928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe
1⤵
PID:1988
- C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe
  C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe
  2⤵
  - Executes dropped EXE
  PID:3968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe .
1⤵
PID:5868
- C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe .
  2⤵
  - Executes dropped EXE
  PID:964
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\dsidugeskxsjcsmon.exe*."
    3⤵
    - Executes dropped EXE
    PID:3020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe .
1⤵
PID:5460
- C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2848
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\dsidugeskxsjcsmon.exe*."
    3⤵
    - Executes dropped EXE
    PID:3940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe
1⤵
PID:3728
- C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe
  C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
1⤵
PID:5700
- C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
  2⤵
  - Executes dropped EXE
  PID:5320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe .
1⤵
PID:4592
- C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3832
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\mctphutibpldxojmmt.exe*."
    3⤵
    - Executes dropped EXE
    PID:1244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe .
1⤵
PID:4540
- C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:540
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\dsidugeskxsjcsmon.exe*."
    3⤵
    - Executes dropped EXE
    PID:3492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xogdwkkaujgzumimnvb.exe
1⤵
PID:2920
- C:\Windows\xogdwkkaujgzumimnvb.exe
  xogdwkkaujgzumimnvb.exe
  2⤵
  - Executes dropped EXE
  PID:3588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xogdwkkaujgzumimnvb.exe .
1⤵
PID:5064
- C:\Windows\xogdwkkaujgzumimnvb.exe
  xogdwkkaujgzumimnvb.exe .
  2⤵
  - Executes dropped EXE
  PID:1836
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xogdwkkaujgzumimnvb.exe*."
    3⤵
    - Executes dropped EXE
    PID:5312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kcvtncdupfdxtmjoqzgy.exe
1⤵
PID:2816
- C:\Windows\kcvtncdupfdxtmjoqzgy.exe
  kcvtncdupfdxtmjoqzgy.exe
  2⤵
  - Executes dropped EXE
  PID:5068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kcvtncdupfdxtmjoqzgy.exe .
1⤵
PID:2468
- C:\Windows\kcvtncdupfdxtmjoqzgy.exe
  kcvtncdupfdxtmjoqzgy.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4284
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\kcvtncdupfdxtmjoqzgy.exe*."
    3⤵
    - Executes dropped EXE
    PID:2232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe
1⤵
PID:2320
- C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe
  C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe
  2⤵
  - Executes dropped EXE
  PID:1628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe .
1⤵
PID:5484
- C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe
  C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:5304
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\zsmlgwyqmdcxuomsvfnga.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe
1⤵
PID:1608
- C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe
  2⤵
  - Executes dropped EXE
  PID:2380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe .
1⤵
PID:5288
- C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe
  C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5264
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\zsmlgwyqmdcxuomsvfnga.exe*."
    3⤵
    - Executes dropped EXE
    PID:516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kcvtncdupfdxtmjoqzgy.exe
1⤵
PID:6080
- C:\Windows\kcvtncdupfdxtmjoqzgy.exe
  kcvtncdupfdxtmjoqzgy.exe
  2⤵
  - Executes dropped EXE
  PID:1604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kcvtncdupfdxtmjoqzgy.exe .
1⤵
PID:5632
- C:\Windows\kcvtncdupfdxtmjoqzgy.exe
  kcvtncdupfdxtmjoqzgy.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5324
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\kcvtncdupfdxtmjoqzgy.exe*."
    3⤵
    - Executes dropped EXE
    PID:1456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wkztjurevhbrjyrs.exe
1⤵
PID:4508
- C:\Windows\wkztjurevhbrjyrs.exe
  wkztjurevhbrjyrs.exe
  2⤵
  - Executes dropped EXE
  PID:624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dsidugeskxsjcsmon.exe
1⤵
PID:4532
- C:\Windows\dsidugeskxsjcsmon.exe
  dsidugeskxsjcsmon.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dsidugeskxsjcsmon.exe
1⤵
PID:2480
- C:\Windows\dsidugeskxsjcsmon.exe
  dsidugeskxsjcsmon.exe
  2⤵
  - Executes dropped EXE
  PID:3404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsmlgwyqmdcxuomsvfnga.exe .
1⤵
PID:612
- C:\Windows\zsmlgwyqmdcxuomsvfnga.exe
  zsmlgwyqmdcxuomsvfnga.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5556
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\zsmlgwyqmdcxuomsvfnga.exe*."
    3⤵
    - Executes dropped EXE
    PID:6076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mctphutibpldxojmmt.exe .
1⤵
PID:1928
- C:\Windows\mctphutibpldxojmmt.exe
  mctphutibpldxojmmt.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3472
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\mctphutibpldxojmmt.exe*."
    3⤵
    - Executes dropped EXE
    PID:5648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dsidugeskxsjcsmon.exe .
1⤵
PID:1076
- C:\Windows\dsidugeskxsjcsmon.exe
  dsidugeskxsjcsmon.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4724
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\dsidugeskxsjcsmon.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mctphutibpldxojmmt.exe
1⤵
PID:5968
- C:\Windows\mctphutibpldxojmmt.exe
  mctphutibpldxojmmt.exe
  2⤵
  PID:3964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
1⤵
PID:4372
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5320
- C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
  2⤵
  - Executes dropped EXE
  PID:1728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsmlgwyqmdcxuomsvfnga.exe
1⤵
PID:4316
- C:\Windows\zsmlgwyqmdcxuomsvfnga.exe
  zsmlgwyqmdcxuomsvfnga.exe
  2⤵
  PID:2848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xogdwkkaujgzumimnvb.exe .
1⤵
PID:3588
- C:\Windows\xogdwkkaujgzumimnvb.exe
  xogdwkkaujgzumimnvb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5096
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xogdwkkaujgzumimnvb.exe*."
    3⤵
    PID:5484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe .
1⤵
PID:1624
- C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe
  C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5836
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\kcvtncdupfdxtmjoqzgy.exe*."
    3⤵
    PID:5988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dsidugeskxsjcsmon.exe .
1⤵
PID:3896
- C:\Windows\dsidugeskxsjcsmon.exe
  dsidugeskxsjcsmon.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2364
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\dsidugeskxsjcsmon.exe*."
    3⤵
    PID:3660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
1⤵
PID:5860
- C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
  2⤵
  PID:1684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe
1⤵
PID:5944
- C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe
  C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe
  2⤵
  PID:2232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe .
1⤵
PID:3428
- C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe .
  2⤵
  - Checks computer location settings
  PID:960
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\dsidugeskxsjcsmon.exe*."
    3⤵
    PID:5200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe .
1⤵
PID:5544
- C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe
  C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3604
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\xogdwkkaujgzumimnvb.exe*."
    3⤵
    PID:2736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
1⤵
PID:5124
- C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
  2⤵
  PID:3824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe .
1⤵
PID:3832
- C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3796
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\mctphutibpldxojmmt.exe*."
    3⤵
    PID:2056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
1⤵
PID:2624
- C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
  2⤵
  PID:2676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe
1⤵
PID:3200
- C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe
  C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe
  2⤵
  PID:4288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe .
1⤵
PID:1724
- C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe
  C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe .
  2⤵
  - Checks computer location settings
  PID:4340
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\zsmlgwyqmdcxuomsvfnga.exe*."
    3⤵
    PID:2644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe .
1⤵
PID:3096
- C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe .
  2⤵
  - Checks computer location settings
  PID:2524
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\wkztjurevhbrjyrs.exe*."
    3⤵
    PID:3336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kcvtncdupfdxtmjoqzgy.exe
1⤵
PID:1388
- C:\Windows\kcvtncdupfdxtmjoqzgy.exe
  kcvtncdupfdxtmjoqzgy.exe
  2⤵
  PID:2104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsmlgwyqmdcxuomsvfnga.exe .
1⤵
PID:2344
- C:\Windows\zsmlgwyqmdcxuomsvfnga.exe
  zsmlgwyqmdcxuomsvfnga.exe .
  2⤵
  - Checks computer location settings
  PID:1076
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\zsmlgwyqmdcxuomsvfnga.exe*."
    3⤵
    PID:1348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kcvtncdupfdxtmjoqzgy.exe
1⤵
PID:4548
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1604
- C:\Windows\kcvtncdupfdxtmjoqzgy.exe
  kcvtncdupfdxtmjoqzgy.exe
  2⤵
  PID:4740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xogdwkkaujgzumimnvb.exe .
1⤵
PID:4568
- C:\Windows\xogdwkkaujgzumimnvb.exe
  xogdwkkaujgzumimnvb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4508
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xogdwkkaujgzumimnvb.exe*."
    3⤵
    PID:4596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe
1⤵
PID:640
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2716
- C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe
  2⤵
  PID:1324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe .
1⤵
PID:4532
- C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe
  C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3116
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\kcvtncdupfdxtmjoqzgy.exe*."
    3⤵
    PID:5648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe
1⤵
PID:3520
- C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe
  2⤵
  PID:3304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe .
1⤵
PID:2432
- C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2408
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\mctphutibpldxojmmt.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xogdwkkaujgzumimnvb.exe
1⤵
PID:6104
- C:\Windows\xogdwkkaujgzumimnvb.exe
  xogdwkkaujgzumimnvb.exe
  2⤵
  PID:5876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xogdwkkaujgzumimnvb.exe .
1⤵
PID:1772
- C:\Windows\xogdwkkaujgzumimnvb.exe
  xogdwkkaujgzumimnvb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4436
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xogdwkkaujgzumimnvb.exe*."
    3⤵
    PID:5232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wkztjurevhbrjyrs.exe
1⤵
PID:1912
- C:\Windows\wkztjurevhbrjyrs.exe
  wkztjurevhbrjyrs.exe
  2⤵
  PID:5836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xogdwkkaujgzumimnvb.exe .
1⤵
PID:5944
- C:\Windows\xogdwkkaujgzumimnvb.exe
  xogdwkkaujgzumimnvb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2284
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xogdwkkaujgzumimnvb.exe*."
    3⤵
    PID:5428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe
1⤵
PID:5200
- C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe
  C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe
  2⤵
  PID:2736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe .
1⤵
PID:2972
- C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe
  C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe .
  2⤵
  - Checks computer location settings
  PID:3200
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\zsmlgwyqmdcxuomsvfnga.exe*."
    3⤵
    PID:4340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe
1⤵
PID:3244
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1628
- C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe
  2⤵
  PID:5532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe .
1⤵
PID:2644
- C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3896
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\mctphutibpldxojmmt.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dsidugeskxsjcsmon.exe
1⤵
PID:5216
- C:\Windows\dsidugeskxsjcsmon.exe
  dsidugeskxsjcsmon.exe
  2⤵
  PID:4764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xogdwkkaujgzumimnvb.exe .
1⤵
PID:3728
- C:\Windows\xogdwkkaujgzumimnvb.exe
  xogdwkkaujgzumimnvb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2276
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xogdwkkaujgzumimnvb.exe*."
    3⤵
    PID:4516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mctphutibpldxojmmt.exe
1⤵
PID:1268
- C:\Windows\mctphutibpldxojmmt.exe
  mctphutibpldxojmmt.exe
  2⤵
  PID:5276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kcvtncdupfdxtmjoqzgy.exe .
1⤵
PID:1388
- C:\Windows\kcvtncdupfdxtmjoqzgy.exe
  kcvtncdupfdxtmjoqzgy.exe .
  2⤵
  - Checks computer location settings
  PID:1324
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\kcvtncdupfdxtmjoqzgy.exe*."
    3⤵
    PID:6076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe
1⤵
PID:3096
- C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe
  2⤵
  PID:5464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe .
1⤵
PID:4580
- C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe
  C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe .
  2⤵
  PID:1616
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\xogdwkkaujgzumimnvb.exe*."
    3⤵
    PID:3304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe
1⤵
PID:2192
- C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe
  C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe
  2⤵
  PID:4560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe .
1⤵
PID:1056
- C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2028
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\wkztjurevhbrjyrs.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kcvtncdupfdxtmjoqzgy.exe
1⤵
PID:3236
- C:\Windows\kcvtncdupfdxtmjoqzgy.exe
  kcvtncdupfdxtmjoqzgy.exe
  2⤵
  PID:1076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mctphutibpldxojmmt.exe .
1⤵
PID:856
- C:\Windows\mctphutibpldxojmmt.exe
  mctphutibpldxojmmt.exe .
  2⤵
  PID:4640
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\mctphutibpldxojmmt.exe*."
    3⤵
    PID:704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kcvtncdupfdxtmjoqzgy.exe
1⤵
PID:1496
- C:\Windows\kcvtncdupfdxtmjoqzgy.exe
  kcvtncdupfdxtmjoqzgy.exe
  2⤵
  PID:6100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsmlgwyqmdcxuomsvfnga.exe .
1⤵
PID:4648
- C:\Windows\zsmlgwyqmdcxuomsvfnga.exe
  zsmlgwyqmdcxuomsvfnga.exe .
  2⤵
  PID:464
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\zsmlgwyqmdcxuomsvfnga.exe*."
    3⤵
    PID:2536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe
1⤵
PID:5580
- C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe
  C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe
  2⤵
  PID:3596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe .
1⤵
PID:5600
- C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe
  C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5064
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\xogdwkkaujgzumimnvb.exe*."
    3⤵
    PID:5096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
1⤵
PID:4236
- C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
  2⤵
  PID:5436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe .
1⤵
PID:3660
- C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe
  C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe .
  2⤵
  - Checks computer location settings
  PID:2776
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\xogdwkkaujgzumimnvb.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsmlgwyqmdcxuomsvfnga.exe
1⤵
PID:4472
- C:\Windows\zsmlgwyqmdcxuomsvfnga.exe
  zsmlgwyqmdcxuomsvfnga.exe
  2⤵
  PID:5200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsmlgwyqmdcxuomsvfnga.exe .
1⤵
PID:2656
- C:\Windows\zsmlgwyqmdcxuomsvfnga.exe
  zsmlgwyqmdcxuomsvfnga.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:540
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\zsmlgwyqmdcxuomsvfnga.exe*."
    3⤵
    PID:2328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mctphutibpldxojmmt.exe
1⤵
PID:2676
- C:\Windows\mctphutibpldxojmmt.exe
  mctphutibpldxojmmt.exe
  2⤵
  PID:1480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mctphutibpldxojmmt.exe .
1⤵
PID:3368
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5264
- C:\Windows\mctphutibpldxojmmt.exe
  mctphutibpldxojmmt.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2232
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\mctphutibpldxojmmt.exe*."
    3⤵
    PID:2644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe
1⤵
PID:5040
- C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe
  2⤵
  PID:4320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe .
1⤵
PID:5868
- C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe
  C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2668
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\zsmlgwyqmdcxuomsvfnga.exe*."
    3⤵
    PID:5672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
1⤵
PID:4248
- C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
  2⤵
  PID:748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe .
1⤵
PID:5684
- C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe
  C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe .
  2⤵
  - Checks computer location settings
  PID:3376
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\zsmlgwyqmdcxuomsvfnga.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsmlgwyqmdcxuomsvfnga.exe
1⤵
PID:1140
- C:\Windows\zsmlgwyqmdcxuomsvfnga.exe
  zsmlgwyqmdcxuomsvfnga.exe
  2⤵
  PID:4692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsmlgwyqmdcxuomsvfnga.exe .
1⤵
PID:5112
- C:\Windows\zsmlgwyqmdcxuomsvfnga.exe
  zsmlgwyqmdcxuomsvfnga.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:556
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\zsmlgwyqmdcxuomsvfnga.exe*."
    3⤵
    PID:1040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xogdwkkaujgzumimnvb.exe
1⤵
PID:5540
- C:\Windows\xogdwkkaujgzumimnvb.exe
  xogdwkkaujgzumimnvb.exe
  2⤵
  PID:4780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dsidugeskxsjcsmon.exe .
1⤵
PID:4448
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:624
- C:\Windows\dsidugeskxsjcsmon.exe
  dsidugeskxsjcsmon.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3568
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\dsidugeskxsjcsmon.exe*."
    3⤵
    PID:1208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xogdwkkaujgzumimnvb.exe
1⤵
PID:5740
- C:\Windows\xogdwkkaujgzumimnvb.exe
  xogdwkkaujgzumimnvb.exe
  2⤵
  PID:1728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe
1⤵
PID:3116
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5208
- C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe
  2⤵
  PID:5060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wkztjurevhbrjyrs.exe
1⤵
PID:5608
- C:\Windows\wkztjurevhbrjyrs.exe
  wkztjurevhbrjyrs.exe
  2⤵
  PID:5416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe .
1⤵
PID:872
- C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe
  C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2244
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\zsmlgwyqmdcxuomsvfnga.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kcvtncdupfdxtmjoqzgy.exe .
1⤵
PID:1088
- C:\Windows\kcvtncdupfdxtmjoqzgy.exe
  kcvtncdupfdxtmjoqzgy.exe .
  2⤵
  - Checks computer location settings
  PID:4112
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\kcvtncdupfdxtmjoqzgy.exe*."
    3⤵
    PID:1812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xogdwkkaujgzumimnvb.exe .
1⤵
PID:5000
- C:\Windows\xogdwkkaujgzumimnvb.exe
  xogdwkkaujgzumimnvb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1368
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xogdwkkaujgzumimnvb.exe*."
    3⤵
    PID:5984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kcvtncdupfdxtmjoqzgy.exe
1⤵
PID:5548
- C:\Windows\kcvtncdupfdxtmjoqzgy.exe
  kcvtncdupfdxtmjoqzgy.exe
  2⤵
  PID:1692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
1⤵
PID:3236
- C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
  2⤵
  PID:3792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wkztjurevhbrjyrs.exe
1⤵
PID:5588
- C:\Windows\wkztjurevhbrjyrs.exe
  wkztjurevhbrjyrs.exe
  2⤵
  PID:1480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wkztjurevhbrjyrs.exe .
1⤵
PID:3576
- C:\Windows\wkztjurevhbrjyrs.exe
  wkztjurevhbrjyrs.exe .
  2⤵
  - Checks computer location settings
  PID:2656
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\wkztjurevhbrjyrs.exe*."
    3⤵
    PID:2888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe .
1⤵
PID:2580
- C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe
  C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4320
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\zsmlgwyqmdcxuomsvfnga.exe*."
    3⤵
    PID:4884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wkztjurevhbrjyrs.exe .
1⤵
PID:1832
- C:\Windows\wkztjurevhbrjyrs.exe
  wkztjurevhbrjyrs.exe .
  2⤵
  - Checks computer location settings
  PID:5040
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\wkztjurevhbrjyrs.exe*."
    3⤵
    PID:2460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
1⤵
PID:2916
- C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
  2⤵
  PID:388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe
1⤵
PID:5876
- C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe
  C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe
  2⤵
  PID:1848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe .
1⤵
PID:5064
- C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe
  C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2104
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\kcvtncdupfdxtmjoqzgy.exe*."
    3⤵
    PID:2288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe .
1⤵
PID:5600
- C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe
  C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3368
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\xogdwkkaujgzumimnvb.exe*."
    3⤵
    PID:5316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
1⤵
PID:744
- C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
  2⤵
  PID:6132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe
1⤵
PID:4628
- C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe
  2⤵
  PID:4516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe .
1⤵
PID:2736
- C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe
  C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2472
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\zsmlgwyqmdcxuomsvfnga.exe*."
    3⤵
    PID:4548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe .
1⤵
PID:1852
- C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe
  C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2276
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\xogdwkkaujgzumimnvb.exe*."
    3⤵
    PID:1508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dsidugeskxsjcsmon.exe
1⤵
PID:3200
- C:\Windows\dsidugeskxsjcsmon.exe
  dsidugeskxsjcsmon.exe
  2⤵
  PID:4672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dsidugeskxsjcsmon.exe .
1⤵
PID:3196
- C:\Windows\dsidugeskxsjcsmon.exe
  dsidugeskxsjcsmon.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:556
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\dsidugeskxsjcsmon.exe*."
    3⤵
    PID:4748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dsidugeskxsjcsmon.exe
1⤵
PID:4260
- C:\Windows\dsidugeskxsjcsmon.exe
  dsidugeskxsjcsmon.exe
  2⤵
  PID:4916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dsidugeskxsjcsmon.exe .
1⤵
PID:5684
- C:\Windows\dsidugeskxsjcsmon.exe
  dsidugeskxsjcsmon.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1464
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\dsidugeskxsjcsmon.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe
1⤵
PID:3096
- C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe
  C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe
  2⤵
  PID:2548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe .
1⤵
PID:2808
- C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5068
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\mctphutibpldxojmmt.exe*."
    3⤵
    PID:4888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe
1⤵
PID:2592
- C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe
  2⤵
  PID:2356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe .
1⤵
PID:3520
- C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3964
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\mctphutibpldxojmmt.exe*."
    3⤵
    PID:5024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsmlgwyqmdcxuomsvfnga.exe
1⤵
PID:4828
- C:\Windows\zsmlgwyqmdcxuomsvfnga.exe
  zsmlgwyqmdcxuomsvfnga.exe
  2⤵
  PID:2364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsmlgwyqmdcxuomsvfnga.exe .
1⤵
PID:4616
- C:\Windows\zsmlgwyqmdcxuomsvfnga.exe
  zsmlgwyqmdcxuomsvfnga.exe .
  2⤵
  PID:3468
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\zsmlgwyqmdcxuomsvfnga.exe*."
    3⤵
    PID:1600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wkztjurevhbrjyrs.exe
1⤵
PID:2224
- C:\Windows\wkztjurevhbrjyrs.exe
  wkztjurevhbrjyrs.exe
  2⤵
  PID:5932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kcvtncdupfdxtmjoqzgy.exe .
1⤵
PID:3968
- C:\Windows\kcvtncdupfdxtmjoqzgy.exe
  kcvtncdupfdxtmjoqzgy.exe .
  2⤵
  - Checks computer location settings
  PID:6132
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\kcvtncdupfdxtmjoqzgy.exe*."
    3⤵
    PID:6112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe
1⤵
PID:1572
- C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe
  C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe
  2⤵
  PID:4836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe .
1⤵
PID:2916
- C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe
  C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2656
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\zsmlgwyqmdcxuomsvfnga.exe*."
    3⤵
    PID:744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe
1⤵
PID:2468
- C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe
  C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe
  2⤵
  PID:2232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe .
1⤵
PID:4884
- C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe
  C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4248
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\zsmlgwyqmdcxuomsvfnga.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsmlgwyqmdcxuomsvfnga.exe
1⤵
PID:552
- C:\Windows\zsmlgwyqmdcxuomsvfnga.exe
  zsmlgwyqmdcxuomsvfnga.exe
  2⤵
  PID:1732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wkztjurevhbrjyrs.exe .
1⤵
PID:1228
- C:\Windows\wkztjurevhbrjyrs.exe
  wkztjurevhbrjyrs.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:972
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\wkztjurevhbrjyrs.exe*."
    3⤵
    PID:6088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xogdwkkaujgzumimnvb.exe
1⤵
PID:4360
- C:\Windows\xogdwkkaujgzumimnvb.exe
  xogdwkkaujgzumimnvb.exe
  2⤵
  PID:5536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dsidugeskxsjcsmon.exe .
1⤵
PID:3948
- C:\Windows\dsidugeskxsjcsmon.exe
  dsidugeskxsjcsmon.exe .
  2⤵
  - Checks computer location settings
  PID:5436
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\dsidugeskxsjcsmon.exe*."
    3⤵
    PID:612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe
1⤵
PID:5792
- C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe
  2⤵
  PID:5112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe .
1⤵
PID:5200
- C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe
  C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2884
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\kcvtncdupfdxtmjoqzgy.exe*."
    3⤵
    PID:3780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe
1⤵
PID:748
- C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe
  C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe
  2⤵
  PID:220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe .
1⤵
PID:3944
- C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2176
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\wkztjurevhbrjyrs.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsmlgwyqmdcxuomsvfnga.exe
1⤵
PID:1988
- C:\Windows\zsmlgwyqmdcxuomsvfnga.exe
  zsmlgwyqmdcxuomsvfnga.exe
  2⤵
  PID:5804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mctphutibpldxojmmt.exe .
1⤵
PID:2592
- C:\Windows\mctphutibpldxojmmt.exe
  mctphutibpldxojmmt.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4808
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\mctphutibpldxojmmt.exe*."
    3⤵
    PID:4892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wkztjurevhbrjyrs.exe
1⤵
PID:6036
- C:\Windows\wkztjurevhbrjyrs.exe
  wkztjurevhbrjyrs.exe
  2⤵
  PID:4112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xogdwkkaujgzumimnvb.exe .
1⤵
PID:464
- C:\Windows\xogdwkkaujgzumimnvb.exe
  xogdwkkaujgzumimnvb.exe .
  2⤵
  PID:6080
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xogdwkkaujgzumimnvb.exe*."
    3⤵
    PID:2920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
1⤵
PID:5388
- C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
  2⤵
  PID:2328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe .
1⤵
PID:4716
- C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe
  C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1600
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\kcvtncdupfdxtmjoqzgy.exe*."
    3⤵
    PID:540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe
1⤵
PID:3028
- C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe
  2⤵
  PID:6108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe .
1⤵
PID:2344
- C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe .
  2⤵
  PID:4080
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\mctphutibpldxojmmt.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsmlgwyqmdcxuomsvfnga.exe
1⤵
PID:4516
- C:\Windows\zsmlgwyqmdcxuomsvfnga.exe
  zsmlgwyqmdcxuomsvfnga.exe
  2⤵
  PID:3244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsmlgwyqmdcxuomsvfnga.exe .
1⤵
PID:2816
- C:\Windows\zsmlgwyqmdcxuomsvfnga.exe
  zsmlgwyqmdcxuomsvfnga.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4292
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\zsmlgwyqmdcxuomsvfnga.exe*."
    3⤵
    PID:5196

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:2536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mctphutibpldxojmmt.exe
1⤵
PID:2008
- C:\Windows\mctphutibpldxojmmt.exe
  mctphutibpldxojmmt.exe
  2⤵
  PID:5800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wkztjurevhbrjyrs.exe .
1⤵
PID:5688
- C:\Windows\wkztjurevhbrjyrs.exe
  wkztjurevhbrjyrs.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4548
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\wkztjurevhbrjyrs.exe*."
    3⤵
    PID:1732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe
1⤵
PID:536
- C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe
  C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe
  2⤵
  PID:3368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe .
1⤵
PID:4020
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2848
- C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe
  C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4840
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\zsmlgwyqmdcxuomsvfnga.exe*."
    3⤵
    PID:3200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe
1⤵
PID:4224
- C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe
  C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe
  2⤵
  PID:4156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe .
1⤵
PID:5720
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4552
- C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe
  C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2776
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\xogdwkkaujgzumimnvb.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mctphutibpldxojmmt.exe
1⤵
PID:5140
- C:\Windows\mctphutibpldxojmmt.exe
  mctphutibpldxojmmt.exe
  2⤵
  PID:5532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xogdwkkaujgzumimnvb.exe .
1⤵
PID:3676
- C:\Windows\xogdwkkaujgzumimnvb.exe
  xogdwkkaujgzumimnvb.exe .
  2⤵
  - Checks computer location settings
  PID:764
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xogdwkkaujgzumimnvb.exe*."
    3⤵
    PID:2176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mctphutibpldxojmmt.exe
1⤵
PID:4244
- C:\Windows\mctphutibpldxojmmt.exe
  mctphutibpldxojmmt.exe
  2⤵
  PID:3944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mctphutibpldxojmmt.exe .
1⤵
PID:2724
- C:\Windows\mctphutibpldxojmmt.exe
  mctphutibpldxojmmt.exe .
  2⤵
  - Checks computer location settings
  PID:1392
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\mctphutibpldxojmmt.exe*."
    3⤵
    PID:2716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe
1⤵
PID:5216
- C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe
  2⤵
  PID:4808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe .
1⤵
PID:6068
- C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4480
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\dsidugeskxsjcsmon.exe*."
    3⤵
    PID:996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe
1⤵
PID:1928
- C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe
  2⤵
  PID:5288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe .
1⤵
PID:5708
- C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe
  C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2784
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\zsmlgwyqmdcxuomsvfnga.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dsidugeskxsjcsmon.exe
1⤵
PID:5820
- C:\Windows\dsidugeskxsjcsmon.exe
  dsidugeskxsjcsmon.exe
  2⤵
  PID:5944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dsidugeskxsjcsmon.exe
1⤵
PID:3028
- C:\Windows\dsidugeskxsjcsmon.exe
  dsidugeskxsjcsmon.exe
  2⤵
  PID:3732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dsidugeskxsjcsmon.exe
1⤵
PID:4080
- C:\Windows\dsidugeskxsjcsmon.exe
  dsidugeskxsjcsmon.exe
  2⤵
  PID:1744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kcvtncdupfdxtmjoqzgy.exe .
1⤵
PID:704
- C:\Windows\kcvtncdupfdxtmjoqzgy.exe
  kcvtncdupfdxtmjoqzgy.exe .
  2⤵
  PID:2828
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\kcvtncdupfdxtmjoqzgy.exe*."
    3⤵
    PID:1816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kcvtncdupfdxtmjoqzgy.exe .
1⤵
PID:4264
- C:\Windows\kcvtncdupfdxtmjoqzgy.exe
  kcvtncdupfdxtmjoqzgy.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2644
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\kcvtncdupfdxtmjoqzgy.exe*."
    3⤵
    PID:2472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dsidugeskxsjcsmon.exe .
1⤵
PID:3020
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1456
- C:\Windows\dsidugeskxsjcsmon.exe
  dsidugeskxsjcsmon.exe .
  2⤵
  PID:3304
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\dsidugeskxsjcsmon.exe*."
    3⤵
    PID:4232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsmlgwyqmdcxuomsvfnga.exe
1⤵
PID:5184
- C:\Windows\zsmlgwyqmdcxuomsvfnga.exe
  zsmlgwyqmdcxuomsvfnga.exe
  2⤵
  PID:5224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsmlgwyqmdcxuomsvfnga.exe
1⤵
PID:4376
- C:\Windows\zsmlgwyqmdcxuomsvfnga.exe
  zsmlgwyqmdcxuomsvfnga.exe
  2⤵
  PID:3152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsmlgwyqmdcxuomsvfnga.exe .
1⤵
PID:536
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4780
- C:\Windows\zsmlgwyqmdcxuomsvfnga.exe
  zsmlgwyqmdcxuomsvfnga.exe .
  2⤵
  PID:5252
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\zsmlgwyqmdcxuomsvfnga.exe*."
    3⤵
    PID:3352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mctphutibpldxojmmt.exe .
1⤵
PID:1972
- C:\Windows\mctphutibpldxojmmt.exe
  mctphutibpldxojmmt.exe .
  2⤵
  PID:4688
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\mctphutibpldxojmmt.exe*."
    3⤵
    PID:1608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dsidugeskxsjcsmon.exe
1⤵
PID:2120
- C:\Windows\dsidugeskxsjcsmon.exe
  dsidugeskxsjcsmon.exe
  2⤵
  PID:2464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
1⤵
PID:5940
- C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
  2⤵
  PID:5060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe
1⤵
PID:2248
- C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe
  2⤵
  PID:3372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsmlgwyqmdcxuomsvfnga.exe .
1⤵
PID:1228
- C:\Windows\zsmlgwyqmdcxuomsvfnga.exe
  zsmlgwyqmdcxuomsvfnga.exe .
  2⤵
  PID:4820
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\zsmlgwyqmdcxuomsvfnga.exe*."
    3⤵
    PID:4220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe .
1⤵
PID:3548
- C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe .
  2⤵
  PID:3728
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\wkztjurevhbrjyrs.exe*."
    3⤵
    PID:2712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe .
1⤵
PID:1632
- C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe .
  2⤵
  PID:4844
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\wkztjurevhbrjyrs.exe*."
    3⤵
    PID:1136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe
1⤵
PID:2276
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4340
- C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe
  2⤵
  PID:5100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe .
1⤵
PID:4624
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1728
- C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe
  C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe .
  2⤵
  PID:1252
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\zsmlgwyqmdcxuomsvfnga.exe*."
    3⤵
    PID:1524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe
1⤵
PID:5848
- C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe
  C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe
  2⤵
  PID:5024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe
1⤵
PID:5436
- C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe
  2⤵
  PID:2496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe .
1⤵
PID:3928
- C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe .
  2⤵
  PID:2676
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\mctphutibpldxojmmt.exe*."
    3⤵
    PID:4852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe .
1⤵
PID:5452
- C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe .
  2⤵
  PID:1480
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\wkztjurevhbrjyrs.exe*."
    3⤵
    PID:4536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe
1⤵
PID:1324
- C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe
  2⤵
  PID:4836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe .
1⤵
PID:5732
- C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe .
  2⤵
  PID:3468
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\wkztjurevhbrjyrs.exe*."
    3⤵
    PID:5088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xogdwkkaujgzumimnvb.exe
1⤵
PID:1496
- C:\Windows\xogdwkkaujgzumimnvb.exe
  xogdwkkaujgzumimnvb.exe
  2⤵
  PID:4904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xogdwkkaujgzumimnvb.exe .
1⤵
PID:5344
- C:\Windows\xogdwkkaujgzumimnvb.exe
  xogdwkkaujgzumimnvb.exe .
  2⤵
  PID:2288
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xogdwkkaujgzumimnvb.exe*."
    3⤵
    PID:5292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dsidugeskxsjcsmon.exe
1⤵
PID:6088
- C:\Windows\dsidugeskxsjcsmon.exe
  dsidugeskxsjcsmon.exe
  2⤵
  PID:3832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mctphutibpldxojmmt.exe .
1⤵
PID:1756
- C:\Windows\mctphutibpldxojmmt.exe
  mctphutibpldxojmmt.exe .
  2⤵
  PID:2588
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\mctphutibpldxojmmt.exe*."
    3⤵
    PID:5460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe
1⤵
PID:4516
- C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe
  C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe
  2⤵
  PID:4320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe .
1⤵
PID:540
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5200
- C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe
  C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe .
  2⤵
  PID:4764
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\zsmlgwyqmdcxuomsvfnga.exe*."
    3⤵
    PID:4784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe
1⤵
PID:4248
- C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe
  C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe
  2⤵
  PID:5844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe .
1⤵
PID:4480
- C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe .
  2⤵
  PID:4244
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\mctphutibpldxojmmt.exe*."
    3⤵
    PID:2248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mctphutibpldxojmmt.exe
1⤵
PID:5612
- C:\Windows\mctphutibpldxojmmt.exe
  mctphutibpldxojmmt.exe
  2⤵
  PID:3436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xogdwkkaujgzumimnvb.exe .
1⤵
PID:1088
- C:\Windows\xogdwkkaujgzumimnvb.exe
  xogdwkkaujgzumimnvb.exe .
  2⤵
  PID:4256
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xogdwkkaujgzumimnvb.exe*."
    3⤵
    PID:5856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wkztjurevhbrjyrs.exe
1⤵
PID:388
- C:\Windows\wkztjurevhbrjyrs.exe
  wkztjurevhbrjyrs.exe
  2⤵
  PID:5536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsmlgwyqmdcxuomsvfnga.exe .
1⤵
PID:3596
- C:\Windows\zsmlgwyqmdcxuomsvfnga.exe
  zsmlgwyqmdcxuomsvfnga.exe .
  2⤵
  PID:2428
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\zsmlgwyqmdcxuomsvfnga.exe*."
    3⤵
    PID:932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe
1⤵
PID:5796
- C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe
  C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe
  2⤵
  PID:5860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe .
1⤵
PID:3920
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4740
- C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe
  C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe .
  2⤵
  PID:3564
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\xogdwkkaujgzumimnvb.exe*."
    3⤵
    PID:2648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe
1⤵
PID:5600
- C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe
  2⤵
  PID:2976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe .
1⤵
PID:5436
- C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe
  C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe .
  2⤵
  PID:4240
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\zsmlgwyqmdcxuomsvfnga.exe*."
    3⤵
    PID:1908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kcvtncdupfdxtmjoqzgy.exe
1⤵
PID:2884
- C:\Windows\kcvtncdupfdxtmjoqzgy.exe
  kcvtncdupfdxtmjoqzgy.exe
  2⤵
  PID:1040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dsidugeskxsjcsmon.exe .
1⤵
PID:5704
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:744
- C:\Windows\dsidugeskxsjcsmon.exe
  dsidugeskxsjcsmon.exe .
  2⤵
  PID:2224
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\dsidugeskxsjcsmon.exe*."
    3⤵
    PID:4036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mctphutibpldxojmmt.exe
1⤵
PID:5412
- C:\Windows\mctphutibpldxojmmt.exe
  mctphutibpldxojmmt.exe
  2⤵
  PID:3588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xogdwkkaujgzumimnvb.exe .
1⤵
PID:2640
- C:\Windows\xogdwkkaujgzumimnvb.exe
  xogdwkkaujgzumimnvb.exe .
  2⤵
  PID:1496
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xogdwkkaujgzumimnvb.exe*."
    3⤵
    PID:3152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe
1⤵
PID:3792
- C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe
  C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe
  2⤵
  PID:3556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe .
1⤵
PID:4124
- C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe
  C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe .
  2⤵
  PID:704
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\zsmlgwyqmdcxuomsvfnga.exe*."
    3⤵
    PID:4988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe
1⤵
PID:916
- C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe
  2⤵
  PID:2028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe .
1⤵
PID:3796
- C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe .
  2⤵
  PID:5484
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\dsidugeskxsjcsmon.exe*."
    3⤵
    PID:4324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xogdwkkaujgzumimnvb.exe
1⤵
PID:5684
- C:\Windows\xogdwkkaujgzumimnvb.exe
  xogdwkkaujgzumimnvb.exe
  2⤵
  PID:5400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xogdwkkaujgzumimnvb.exe .
1⤵
PID:2716
- C:\Windows\xogdwkkaujgzumimnvb.exe
  xogdwkkaujgzumimnvb.exe .
  2⤵
  PID:5988
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xogdwkkaujgzumimnvb.exe*."
    3⤵
    PID:5612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mctphutibpldxojmmt.exe
1⤵
PID:536
- C:\Windows\mctphutibpldxojmmt.exe
  mctphutibpldxojmmt.exe
  2⤵
  PID:4256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dsidugeskxsjcsmon.exe .
1⤵
PID:5380
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1368
- C:\Windows\dsidugeskxsjcsmon.exe
  dsidugeskxsjcsmon.exe .
  2⤵
  PID:4916
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\dsidugeskxsjcsmon.exe*."
    3⤵
    PID:2408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe
1⤵
PID:1088
- C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe
  2⤵
  PID:3420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe .
1⤵
PID:3600
- C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe
  C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe .
  2⤵
  PID:5496
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\zsmlgwyqmdcxuomsvfnga.exe*."
    3⤵
    PID:932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe
1⤵
PID:5376
- C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe
  2⤵
  PID:1972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe .
1⤵
PID:3564
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4156
- C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe .
  2⤵
  PID:1228
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\dsidugeskxsjcsmon.exe*."
    3⤵
    PID:3896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kcvtncdupfdxtmjoqzgy.exe
1⤵
PID:1952
- C:\Windows\kcvtncdupfdxtmjoqzgy.exe
  kcvtncdupfdxtmjoqzgy.exe
  2⤵
  PID:5436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wkztjurevhbrjyrs.exe .
1⤵
PID:5540
- C:\Windows\wkztjurevhbrjyrs.exe
  wkztjurevhbrjyrs.exe .
  2⤵
  PID:5432
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\wkztjurevhbrjyrs.exe*."
    3⤵
    PID:5728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kcvtncdupfdxtmjoqzgy.exe
1⤵
PID:5836
- C:\Windows\kcvtncdupfdxtmjoqzgy.exe
  kcvtncdupfdxtmjoqzgy.exe
  2⤵
  PID:1464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsmlgwyqmdcxuomsvfnga.exe .
1⤵
PID:6096
- C:\Windows\zsmlgwyqmdcxuomsvfnga.exe
  zsmlgwyqmdcxuomsvfnga.exe .
  2⤵
  PID:4036
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\zsmlgwyqmdcxuomsvfnga.exe*."
    3⤵
    PID:3556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe
1⤵
PID:4536
- C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe
  2⤵
  PID:3168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe .
1⤵
PID:2336
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3200
- C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe .
  2⤵
  PID:3948
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\mctphutibpldxojmmt.exe*."
    3⤵
    PID:5384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe
1⤵
PID:5924
- C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe
  C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe
  2⤵
  PID:1208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe .
1⤵
PID:3928
- C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe .
  2⤵
  PID:4628
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\mctphutibpldxojmmt.exe*."
    3⤵
    PID:4992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dsidugeskxsjcsmon.exe
1⤵
PID:5220
- C:\Windows\dsidugeskxsjcsmon.exe
  dsidugeskxsjcsmon.exe
  2⤵
  PID:5316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xogdwkkaujgzumimnvb.exe .
1⤵
PID:1960
- C:\Windows\xogdwkkaujgzumimnvb.exe
  xogdwkkaujgzumimnvb.exe .
  2⤵
  PID:212
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xogdwkkaujgzumimnvb.exe*."
    3⤵
    PID:4196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsmlgwyqmdcxuomsvfnga.exe
1⤵
PID:5948
- C:\Windows\zsmlgwyqmdcxuomsvfnga.exe
  zsmlgwyqmdcxuomsvfnga.exe
  2⤵
  PID:4464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsmlgwyqmdcxuomsvfnga.exe .
1⤵
PID:1904
- C:\Windows\zsmlgwyqmdcxuomsvfnga.exe
  zsmlgwyqmdcxuomsvfnga.exe .
  2⤵
  PID:4704
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\zsmlgwyqmdcxuomsvfnga.exe*."
    3⤵
    PID:6108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe
1⤵
PID:5916
- C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe
  2⤵
  PID:5656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe .
1⤵
PID:5720
- C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe
  C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe .
  2⤵
  PID:6036
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\kcvtncdupfdxtmjoqzgy.exe*."
    3⤵
    PID:2784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mctphutibpldxojmmt.exe
1⤵
PID:220
- C:\Windows\mctphutibpldxojmmt.exe
  mctphutibpldxojmmt.exe
  2⤵
  PID:2900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
1⤵
PID:1608
- C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
  2⤵
  PID:5776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kcvtncdupfdxtmjoqzgy.exe .
1⤵
PID:4664
- C:\Windows\kcvtncdupfdxtmjoqzgy.exe
  kcvtncdupfdxtmjoqzgy.exe .
  2⤵
  PID:2104
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\kcvtncdupfdxtmjoqzgy.exe*."
    3⤵
    PID:2888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe .
1⤵
PID:388
- C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe .
  2⤵
  PID:2248
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\dsidugeskxsjcsmon.exe*."
    3⤵
    PID:5852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsmlgwyqmdcxuomsvfnga.exe
1⤵
PID:932
- C:\Windows\zsmlgwyqmdcxuomsvfnga.exe
  zsmlgwyqmdcxuomsvfnga.exe
  2⤵
  PID:5600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mctphutibpldxojmmt.exe
1⤵
PID:1832
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1076
- C:\Windows\mctphutibpldxojmmt.exe
  mctphutibpldxojmmt.exe
  2⤵
  PID:5288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wkztjurevhbrjyrs.exe .
1⤵
PID:4148
- C:\Windows\wkztjurevhbrjyrs.exe
  wkztjurevhbrjyrs.exe .
  2⤵
  PID:448
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\wkztjurevhbrjyrs.exe*."
    3⤵
    PID:2356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wkztjurevhbrjyrs.exe .
1⤵
PID:4508
- C:\Windows\wkztjurevhbrjyrs.exe
  wkztjurevhbrjyrs.exe .
  2⤵
  PID:1392
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\wkztjurevhbrjyrs.exe*."
    3⤵
    PID:764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
1⤵
PID:2144
- C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
  2⤵
  PID:5460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe .
1⤵
PID:4692
- C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe
  C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe .
  2⤵
  PID:5672
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\zsmlgwyqmdcxuomsvfnga.exe*."
    3⤵
    PID:4248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mctphutibpldxojmmt.exe
1⤵
PID:5256
- C:\Windows\mctphutibpldxojmmt.exe
  mctphutibpldxojmmt.exe
  2⤵
  PID:4672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kcvtncdupfdxtmjoqzgy.exe .
1⤵
PID:5324
- C:\Windows\kcvtncdupfdxtmjoqzgy.exe
  kcvtncdupfdxtmjoqzgy.exe .
  2⤵
  PID:4764
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\kcvtncdupfdxtmjoqzgy.exe*."
    3⤵
    PID:3796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
1⤵
PID:4572
- C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
  2⤵
  PID:3584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe
1⤵
PID:3020
- C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe
  C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe
  2⤵
  PID:2036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe .
1⤵
PID:5896
- C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe
  C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe .
  2⤵
  PID:3096
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\zsmlgwyqmdcxuomsvfnga.exe*."
    3⤵
    PID:5440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe .
1⤵
PID:5224
- C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe
  C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe .
  2⤵
  PID:5656
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\kcvtncdupfdxtmjoqzgy.exe*."
    3⤵
    PID:220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wkztjurevhbrjyrs.exe
1⤵
PID:1372
- C:\Windows\wkztjurevhbrjyrs.exe
  wkztjurevhbrjyrs.exe
  2⤵
  PID:540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe
1⤵
PID:3260
- C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe
  C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe
  2⤵
  PID:4112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mctphutibpldxojmmt.exe .
1⤵
PID:5220
- C:\Windows\mctphutibpldxojmmt.exe
  mctphutibpldxojmmt.exe .
  2⤵
  PID:5872
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\mctphutibpldxojmmt.exe*."
    3⤵
    PID:5380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe .
1⤵
PID:5800
- C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe
  C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe .
  2⤵
  PID:4372
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\zsmlgwyqmdcxuomsvfnga.exe*."
    3⤵
    PID:5856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsmlgwyqmdcxuomsvfnga.exe
1⤵
PID:3352
- C:\Windows\zsmlgwyqmdcxuomsvfnga.exe
  zsmlgwyqmdcxuomsvfnga.exe
  2⤵
  PID:4820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wkztjurevhbrjyrs.exe .
1⤵
PID:4892
- C:\Windows\wkztjurevhbrjyrs.exe
  wkztjurevhbrjyrs.exe .
  2⤵
  PID:5860
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\wkztjurevhbrjyrs.exe*."
    3⤵
    PID:5752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe
1⤵
PID:3040
- C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe
  2⤵
  PID:4992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe .
1⤵
PID:2784
- C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe
  C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe .
  2⤵
  PID:3740
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\kcvtncdupfdxtmjoqzgy.exe*."
    3⤵
    PID:3780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe
1⤵
PID:4324
- C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe
  C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe
  2⤵
  PID:336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe .
1⤵
PID:2216
- C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe
  C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe .
  2⤵
  PID:5852
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\xogdwkkaujgzumimnvb.exe*."
    3⤵
    PID:5964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wkztjurevhbrjyrs.exe
1⤵
PID:6096
- C:\Windows\wkztjurevhbrjyrs.exe
  wkztjurevhbrjyrs.exe
  2⤵
  PID:5764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kcvtncdupfdxtmjoqzgy.exe .
1⤵
PID:1208
- C:\Windows\kcvtncdupfdxtmjoqzgy.exe
  kcvtncdupfdxtmjoqzgy.exe .
  2⤵
  PID:3440
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\kcvtncdupfdxtmjoqzgy.exe*."
    3⤵
    PID:764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dsidugeskxsjcsmon.exe
1⤵
PID:6088
- C:\Windows\dsidugeskxsjcsmon.exe
  dsidugeskxsjcsmon.exe
  2⤵
  PID:1952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mctphutibpldxojmmt.exe .
1⤵
PID:4272
- C:\Windows\mctphutibpldxojmmt.exe
  mctphutibpldxojmmt.exe .
  2⤵
  PID:2884
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\mctphutibpldxojmmt.exe*."
    3⤵
    PID:5096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe
1⤵
PID:3792
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2524
- C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe
  C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe
  2⤵
  PID:1524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe .
1⤵
PID:4508
- C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe .
  2⤵
  PID:2244
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\mctphutibpldxojmmt.exe*."
    3⤵
    PID:2736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe
1⤵
PID:2852
- C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe
  C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe
  2⤵
  PID:4764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe .
1⤵
PID:4720
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5484
- C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe
  C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe .
  2⤵
  PID:856
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\kcvtncdupfdxtmjoqzgy.exe*."
    3⤵
    PID:6100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wkztjurevhbrjyrs.exe
1⤵
PID:3528
- C:\Windows\wkztjurevhbrjyrs.exe
  wkztjurevhbrjyrs.exe
  2⤵
  PID:2828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kcvtncdupfdxtmjoqzgy.exe .
1⤵
PID:5704
- C:\Windows\kcvtncdupfdxtmjoqzgy.exe
  kcvtncdupfdxtmjoqzgy.exe .
  2⤵
  PID:5740
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\kcvtncdupfdxtmjoqzgy.exe*."
    3⤵
    PID:4688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kcvtncdupfdxtmjoqzgy.exe
1⤵
PID:548
- C:\Windows\kcvtncdupfdxtmjoqzgy.exe
  kcvtncdupfdxtmjoqzgy.exe
  2⤵
  PID:3760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsmlgwyqmdcxuomsvfnga.exe .
1⤵
PID:3928
- C:\Windows\zsmlgwyqmdcxuomsvfnga.exe
  zsmlgwyqmdcxuomsvfnga.exe .
  2⤵
  PID:5400
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\zsmlgwyqmdcxuomsvfnga.exe*."
    3⤵
    PID:5316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe
1⤵
PID:3116
- C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe
  C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe
  2⤵
  PID:5708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe .
1⤵
PID:5292
- C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe .
  2⤵
  PID:5224
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\wkztjurevhbrjyrs.exe*."
    3⤵
    PID:5056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe
1⤵
PID:2464
- C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe
  C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe
  2⤵
  PID:3204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe .
1⤵
PID:1324
- C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe .
  2⤵
  PID:2580
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\dsidugeskxsjcsmon.exe*."
    3⤵
    PID:5612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsmlgwyqmdcxuomsvfnga.exe
1⤵
PID:1596
- C:\Windows\zsmlgwyqmdcxuomsvfnga.exe
  zsmlgwyqmdcxuomsvfnga.exe
  2⤵
  PID:2516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mctphutibpldxojmmt.exe .
1⤵
PID:2428
- C:\Windows\mctphutibpldxojmmt.exe
  mctphutibpldxojmmt.exe .
  2⤵
  PID:1160
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\mctphutibpldxojmmt.exe*."
    3⤵
    PID:1972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kcvtncdupfdxtmjoqzgy.exe
1⤵
PID:2148
- C:\Windows\kcvtncdupfdxtmjoqzgy.exe
  kcvtncdupfdxtmjoqzgy.exe
  2⤵
  PID:1496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsmlgwyqmdcxuomsvfnga.exe .
1⤵
PID:5216
- C:\Windows\zsmlgwyqmdcxuomsvfnga.exe
  zsmlgwyqmdcxuomsvfnga.exe .
  2⤵
  PID:5556
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\zsmlgwyqmdcxuomsvfnga.exe*."
    3⤵
    PID:1392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe
1⤵
PID:4984
- C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe
  C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe
  2⤵
  PID:3584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe .
1⤵
PID:2044
- C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe
  C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe .
  2⤵
  PID:3236
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\kcvtncdupfdxtmjoqzgy.exe*."
    3⤵
    PID:3144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe
1⤵
PID:4612
- C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe
  C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe
  2⤵
  PID:452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe .
1⤵
PID:2524
- C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe .
  2⤵
  PID:3604
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\wkztjurevhbrjyrs.exe*."
    3⤵
    PID:5256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xogdwkkaujgzumimnvb.exe
1⤵
PID:1576
- C:\Windows\xogdwkkaujgzumimnvb.exe
  xogdwkkaujgzumimnvb.exe
  2⤵
  PID:3852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kcvtncdupfdxtmjoqzgy.exe .
1⤵
PID:1740
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1348
- C:\Windows\kcvtncdupfdxtmjoqzgy.exe
  kcvtncdupfdxtmjoqzgy.exe .
  2⤵
  PID:5092
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\kcvtncdupfdxtmjoqzgy.exe*."
    3⤵
    PID:972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dsidugeskxsjcsmon.exe
1⤵
PID:2732
- C:\Windows\dsidugeskxsjcsmon.exe
  dsidugeskxsjcsmon.exe
  2⤵
  PID:2868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kcvtncdupfdxtmjoqzgy.exe .
1⤵
PID:5532
- C:\Windows\kcvtncdupfdxtmjoqzgy.exe
  kcvtncdupfdxtmjoqzgy.exe .
  2⤵
  PID:3712
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\kcvtncdupfdxtmjoqzgy.exe*."
    3⤵
    PID:2120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe
1⤵
PID:5740
- C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe
  C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe
  2⤵
  PID:3760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe .
1⤵
PID:1812
- C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe .
  2⤵
  PID:5708
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\wkztjurevhbrjyrs.exe*."
    3⤵
    PID:5500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe
1⤵
PID:3040
- C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe
  C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe
  2⤵
  PID:3544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe .
1⤵
PID:960
- C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe .
  2⤵
  PID:5988
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\dsidugeskxsjcsmon.exe*."
    3⤵
    PID:5292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mctphutibpldxojmmt.exe
1⤵
PID:4600
- C:\Windows\mctphutibpldxojmmt.exe
  mctphutibpldxojmmt.exe
  2⤵
  PID:3564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsmlgwyqmdcxuomsvfnga.exe .
1⤵
PID:2624
- C:\Windows\zsmlgwyqmdcxuomsvfnga.exe
  zsmlgwyqmdcxuomsvfnga.exe .
  2⤵
  PID:5860
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\zsmlgwyqmdcxuomsvfnga.exe*."
    3⤵
    PID:5928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wkztjurevhbrjyrs.exe
1⤵
PID:4744
- C:\Windows\wkztjurevhbrjyrs.exe
  wkztjurevhbrjyrs.exe
  2⤵
  PID:5264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dsidugeskxsjcsmon.exe .
1⤵
PID:1416
- C:\Windows\dsidugeskxsjcsmon.exe
  dsidugeskxsjcsmon.exe .
  2⤵
  PID:2808
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\dsidugeskxsjcsmon.exe*."
    3⤵
    PID:5040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe
1⤵
PID:1572
- C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe
  C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe
  2⤵
  PID:4444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe .
1⤵
PID:2276
- C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe .
  2⤵
  PID:1972
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\wkztjurevhbrjyrs.exe*."
    3⤵
    PID:4408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe
1⤵
PID:5384
- C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe
  2⤵
  PID:708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe .
1⤵
PID:4588
- C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe .
  2⤵
  PID:5184
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\mctphutibpldxojmmt.exe*."
    3⤵
    PID:4320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dsidugeskxsjcsmon.exe
1⤵
PID:4332
- C:\Windows\dsidugeskxsjcsmon.exe
  dsidugeskxsjcsmon.exe
  2⤵
  PID:1524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dsidugeskxsjcsmon.exe .
1⤵
PID:5280
- C:\Windows\dsidugeskxsjcsmon.exe
  dsidugeskxsjcsmon.exe .
  2⤵
  PID:2044
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\dsidugeskxsjcsmon.exe*."
    3⤵
    PID:1976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dsidugeskxsjcsmon.exe
1⤵
PID:5508
- C:\Windows\dsidugeskxsjcsmon.exe
  dsidugeskxsjcsmon.exe
  2⤵
  PID:4272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsmlgwyqmdcxuomsvfnga.exe
1⤵
PID:5436
- C:\Windows\zsmlgwyqmdcxuomsvfnga.exe
  zsmlgwyqmdcxuomsvfnga.exe
  2⤵
  PID:2524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xogdwkkaujgzumimnvb.exe .
1⤵
PID:4560
- C:\Windows\xogdwkkaujgzumimnvb.exe
  xogdwkkaujgzumimnvb.exe .
  2⤵
  PID:2036
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xogdwkkaujgzumimnvb.exe*."
    3⤵
    PID:3824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe
1⤵
PID:5268
- C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe
  C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe
  2⤵
  PID:2332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wkztjurevhbrjyrs.exe .
1⤵
PID:4464
- C:\Windows\wkztjurevhbrjyrs.exe
  wkztjurevhbrjyrs.exe .
  2⤵
  PID:2176
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\wkztjurevhbrjyrs.exe*."
    3⤵
    PID:4840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe .
1⤵
PID:2224
- C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe
  C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe .
  2⤵
  PID:3372
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\xogdwkkaujgzumimnvb.exe*."
    3⤵
    PID:5112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsmlgwyqmdcxuomsvfnga.exe
1⤵
PID:3260
- C:\Windows\zsmlgwyqmdcxuomsvfnga.exe
  zsmlgwyqmdcxuomsvfnga.exe
  2⤵
  PID:1692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsmlgwyqmdcxuomsvfnga.exe
1⤵
PID:4604
- C:\Windows\zsmlgwyqmdcxuomsvfnga.exe
  zsmlgwyqmdcxuomsvfnga.exe
  2⤵
  PID:2776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kcvtncdupfdxtmjoqzgy.exe .
1⤵
PID:5324
- C:\Windows\kcvtncdupfdxtmjoqzgy.exe
  kcvtncdupfdxtmjoqzgy.exe .
  2⤵
  PID:3116
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\kcvtncdupfdxtmjoqzgy.exe*."
    3⤵
    PID:1444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wkztjurevhbrjyrs.exe .
1⤵
PID:5440
- C:\Windows\wkztjurevhbrjyrs.exe
  wkztjurevhbrjyrs.exe .
  2⤵
  PID:6024
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\wkztjurevhbrjyrs.exe*."
    3⤵
    PID:3448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe
1⤵
PID:220
- C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe
  C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe
  2⤵
  PID:3204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe
1⤵
PID:4484
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5532
- C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe
  2⤵
  PID:1428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe .
1⤵
PID:4792
- C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe
  C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe .
  2⤵
  PID:960
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\kcvtncdupfdxtmjoqzgy.exe*."
    3⤵
    PID:336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe .
1⤵
PID:2588
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3544
- C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe
  C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe .
  2⤵
  PID:2464
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\xogdwkkaujgzumimnvb.exe*."
    3⤵
    PID:1596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dsidugeskxsjcsmon.exe
1⤵
PID:3288
- C:\Windows\dsidugeskxsjcsmon.exe
  dsidugeskxsjcsmon.exe
  2⤵
  PID:5956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kcvtncdupfdxtmjoqzgy.exe .
1⤵
PID:6072
- C:\Windows\kcvtncdupfdxtmjoqzgy.exe
  kcvtncdupfdxtmjoqzgy.exe .
  2⤵
  PID:2848
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\kcvtncdupfdxtmjoqzgy.exe*."
    3⤵
    PID:4984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe
1⤵
PID:1256
- C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe
  2⤵
  PID:2648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe
1⤵
PID:1744
- C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe
  2⤵
  PID:5384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe .
1⤵
PID:1056
- C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe
  C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe .
  2⤵
  PID:1832
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\xogdwkkaujgzumimnvb.exe*."
    3⤵
    PID:3244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe .
1⤵
PID:5808
- C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe .
  2⤵
  PID:3600
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\wkztjurevhbrjyrs.exe*."
    3⤵
    PID:4588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
1⤵
PID:4324
- C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
  2⤵
  PID:1392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe .
1⤵
PID:5376
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4640
- C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe .
  2⤵
  PID:4080
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\dsidugeskxsjcsmon.exe*."
    3⤵
    PID:4548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wkztjurevhbrjyrs.exe
1⤵
PID:4884
- C:\Windows\wkztjurevhbrjyrs.exe
  wkztjurevhbrjyrs.exe
  2⤵
  PID:4516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mctphutibpldxojmmt.exe .
1⤵
PID:1860
- C:\Windows\mctphutibpldxojmmt.exe
  mctphutibpldxojmmt.exe .
  2⤵
  PID:2236
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\mctphutibpldxojmmt.exe*."
    3⤵
    PID:4268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xogdwkkaujgzumimnvb.exe
1⤵
PID:4844
- C:\Windows\xogdwkkaujgzumimnvb.exe
  xogdwkkaujgzumimnvb.exe
  2⤵
  PID:2524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xogdwkkaujgzumimnvb.exe .
1⤵
PID:3144
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3304
- C:\Windows\xogdwkkaujgzumimnvb.exe
  xogdwkkaujgzumimnvb.exe .
  2⤵
  PID:5788
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xogdwkkaujgzumimnvb.exe*."
    3⤵
    PID:2368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe
1⤵
PID:452
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5436
- C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe
  2⤵
  PID:4508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe .
1⤵
PID:4196
- C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe
  C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe .
  2⤵
  PID:5228
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\xogdwkkaujgzumimnvb.exe*."
    3⤵
    PID:4840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
1⤵
PID:3096
- C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
  2⤵
  PID:632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe .
1⤵
PID:4596
- C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe .
  2⤵
  PID:5200
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\dsidugeskxsjcsmon.exe*."
    3⤵
    PID:2120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wkztjurevhbrjyrs.exe
1⤵
PID:5060
- C:\Windows\wkztjurevhbrjyrs.exe
  wkztjurevhbrjyrs.exe
  2⤵
  PID:5484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mctphutibpldxojmmt.exe .
1⤵
PID:3796
- C:\Windows\mctphutibpldxojmmt.exe
  mctphutibpldxojmmt.exe .
  2⤵
  PID:216
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\mctphutibpldxojmmt.exe*."
    3⤵
    PID:3300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xogdwkkaujgzumimnvb.exe
1⤵
PID:4600
- C:\Windows\xogdwkkaujgzumimnvb.exe
  xogdwkkaujgzumimnvb.exe
  2⤵
  PID:3488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mctphutibpldxojmmt.exe .
1⤵
PID:3368
- C:\Windows\mctphutibpldxojmmt.exe
  mctphutibpldxojmmt.exe .
  2⤵
  PID:2328
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\mctphutibpldxojmmt.exe*."
    3⤵
    PID:1492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
1⤵
PID:220
- C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
  2⤵
  PID:5024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe .
1⤵
PID:1372
- C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe .
  2⤵
  PID:5968
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\mctphutibpldxojmmt.exe*."
    3⤵
    PID:4760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe
1⤵
PID:1784
- C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe
  2⤵
  PID:2380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe .
1⤵
PID:6104
- C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe .
  2⤵
  PID:4408
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\mctphutibpldxojmmt.exe*."
    3⤵
    PID:2588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dsidugeskxsjcsmon.exe
1⤵
PID:2788
- C:\Windows\dsidugeskxsjcsmon.exe
  dsidugeskxsjcsmon.exe
  2⤵
  PID:372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wkztjurevhbrjyrs.exe .
1⤵
PID:1076
- C:\Windows\wkztjurevhbrjyrs.exe
  wkztjurevhbrjyrs.exe .
  2⤵
  PID:3244
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\wkztjurevhbrjyrs.exe*."
    3⤵
    PID:3968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mctphutibpldxojmmt.exe
1⤵
PID:6088
- C:\Windows\mctphutibpldxojmmt.exe
  mctphutibpldxojmmt.exe
  2⤵
  PID:4516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xogdwkkaujgzumimnvb.exe .
1⤵
PID:3248
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1744
- C:\Windows\xogdwkkaujgzumimnvb.exe
  xogdwkkaujgzumimnvb.exe .
  2⤵
  PID:4740
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xogdwkkaujgzumimnvb.exe*."
    3⤵
    PID:5808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe
1⤵
PID:3940
- C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe
  2⤵
  PID:4004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe .
1⤵
PID:3928
- C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe
  C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe .
  2⤵
  PID:5308
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\kcvtncdupfdxtmjoqzgy.exe*."
    3⤵
    PID:804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe
1⤵
PID:3792
- C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe
  2⤵
  PID:2236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe .
1⤵
PID:2432
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1728
- C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe
  C:\Users\Admin\AppData\Local\Temp\xogdwkkaujgzumimnvb.exe .
  2⤵
  PID:4608
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\xogdwkkaujgzumimnvb.exe*."
    3⤵
    PID:1860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mctphutibpldxojmmt.exe
1⤵
PID:4720
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:540
- C:\Windows\mctphutibpldxojmmt.exe
  mctphutibpldxojmmt.exe
  2⤵
  PID:452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xogdwkkaujgzumimnvb.exe .
1⤵
PID:5364
- C:\Windows\xogdwkkaujgzumimnvb.exe
  xogdwkkaujgzumimnvb.exe .
  2⤵
  PID:5944
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xogdwkkaujgzumimnvb.exe*."
    3⤵
    PID:4840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsmlgwyqmdcxuomsvfnga.exe
1⤵
PID:4852
- C:\Windows\zsmlgwyqmdcxuomsvfnga.exe
  zsmlgwyqmdcxuomsvfnga.exe
  2⤵
  PID:5948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dsidugeskxsjcsmon.exe .
1⤵
PID:5732
- C:\Windows\dsidugeskxsjcsmon.exe
  dsidugeskxsjcsmon.exe .
  2⤵
  PID:4560
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\dsidugeskxsjcsmon.exe*."
    3⤵
    PID:4596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe
1⤵
PID:5940
- C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe
  2⤵
  PID:5472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe .
1⤵
PID:2008
- C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe .
  2⤵
  PID:4116
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\wkztjurevhbrjyrs.exe*."
    3⤵
    PID:4476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe
1⤵
PID:3852
- C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe
  2⤵
  PID:4480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe .
1⤵
PID:5068
- C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe .
  2⤵
  PID:5872
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\wkztjurevhbrjyrs.exe*."
    3⤵
    PID:1908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kcvtncdupfdxtmjoqzgy.exe
1⤵
PID:4452
- C:\Windows\kcvtncdupfdxtmjoqzgy.exe
  kcvtncdupfdxtmjoqzgy.exe
  2⤵
  PID:2328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kcvtncdupfdxtmjoqzgy.exe .
1⤵
PID:4556
- C:\Windows\kcvtncdupfdxtmjoqzgy.exe
  kcvtncdupfdxtmjoqzgy.exe .
  2⤵
  PID:548
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\kcvtncdupfdxtmjoqzgy.exe*."
    3⤵
    PID:4600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mctphutibpldxojmmt.exe
1⤵
PID:5968
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3200
- C:\Windows\mctphutibpldxojmmt.exe
  mctphutibpldxojmmt.exe
  2⤵
  PID:4980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dsidugeskxsjcsmon.exe .
1⤵
PID:1836
- C:\Windows\dsidugeskxsjcsmon.exe
  dsidugeskxsjcsmon.exe .
  2⤵
  PID:2148
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\dsidugeskxsjcsmon.exe*."
    3⤵
    PID:2104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe
1⤵
PID:1508
- C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe
  C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe
  2⤵
  PID:5292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe .
1⤵
PID:1440
- C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe .
  2⤵
  PID:372
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\mctphutibpldxojmmt.exe*."
    3⤵
    PID:2264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
1⤵
PID:4904
- C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
  2⤵
  PID:5012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe .
1⤵
PID:4632
- C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe .
  2⤵
  PID:2408
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\wkztjurevhbrjyrs.exe*."
    3⤵
    PID:2624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xogdwkkaujgzumimnvb.exe
1⤵
PID:5896
- C:\Windows\xogdwkkaujgzumimnvb.exe
  xogdwkkaujgzumimnvb.exe
  2⤵
  PID:4220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsmlgwyqmdcxuomsvfnga.exe .
1⤵
PID:5764
- C:\Windows\zsmlgwyqmdcxuomsvfnga.exe
  zsmlgwyqmdcxuomsvfnga.exe .
  2⤵
  PID:4332
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\zsmlgwyqmdcxuomsvfnga.exe*."
    3⤵
    PID:1040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsmlgwyqmdcxuomsvfnga.exe
1⤵
PID:5220
- C:\Windows\zsmlgwyqmdcxuomsvfnga.exe
  zsmlgwyqmdcxuomsvfnga.exe
  2⤵
  PID:2216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsmlgwyqmdcxuomsvfnga.exe .
1⤵
PID:1416
- C:\Windows\zsmlgwyqmdcxuomsvfnga.exe
  zsmlgwyqmdcxuomsvfnga.exe .
  2⤵
  PID:2868
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\zsmlgwyqmdcxuomsvfnga.exe*."
    3⤵
    PID:4628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe
1⤵
PID:2656
- C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe
  2⤵
  PID:3196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe .
1⤵
PID:4424
- C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe
  C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe .
  2⤵
  PID:2432
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\zsmlgwyqmdcxuomsvfnga.exe*."
    3⤵
    PID:5612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe
1⤵
PID:1584
- C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe
  2⤵
  PID:2388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe .
1⤵
PID:5268
- C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe .
  2⤵
  PID:5684
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\dsidugeskxsjcsmon.exe*."
    3⤵
    PID:5508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsmlgwyqmdcxuomsvfnga.exe
1⤵
PID:5084
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2644
- C:\Windows\zsmlgwyqmdcxuomsvfnga.exe
  zsmlgwyqmdcxuomsvfnga.exe
  2⤵
  PID:4248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wkztjurevhbrjyrs.exe .
1⤵
PID:1988
- C:\Windows\wkztjurevhbrjyrs.exe
  wkztjurevhbrjyrs.exe .
  2⤵
  PID:5688
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\wkztjurevhbrjyrs.exe*."
    3⤵
    PID:1172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mctphutibpldxojmmt.exe
1⤵
PID:2572
- C:\Windows\mctphutibpldxojmmt.exe
  mctphutibpldxojmmt.exe
  2⤵
  PID:212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dsidugeskxsjcsmon.exe
1⤵
PID:1632
- C:\Windows\dsidugeskxsjcsmon.exe
  dsidugeskxsjcsmon.exe
  2⤵
  PID:2460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xogdwkkaujgzumimnvb.exe
1⤵
PID:3676
- C:\Windows\xogdwkkaujgzumimnvb.exe
  xogdwkkaujgzumimnvb.exe
  2⤵
  PID:5068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mctphutibpldxojmmt.exe .
1⤵
PID:2008
- C:\Windows\mctphutibpldxojmmt.exe
  mctphutibpldxojmmt.exe .
  2⤵
  PID:5500
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\mctphutibpldxojmmt.exe*."
    3⤵
    PID:5384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsmlgwyqmdcxuomsvfnga.exe .
1⤵
PID:884
- C:\Windows\zsmlgwyqmdcxuomsvfnga.exe
  zsmlgwyqmdcxuomsvfnga.exe .
  2⤵
  PID:4600
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\zsmlgwyqmdcxuomsvfnga.exe*."
    3⤵
    PID:2820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
1⤵
PID:5964
- C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
  2⤵
  PID:1492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xogdwkkaujgzumimnvb.exe .
1⤵
PID:2164
- C:\Windows\xogdwkkaujgzumimnvb.exe
  xogdwkkaujgzumimnvb.exe .
  2⤵
  PID:4704
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xogdwkkaujgzumimnvb.exe*."
    3⤵
    PID:1208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe .
1⤵
PID:960
- C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\mctphutibpldxojmmt.exe .
  2⤵
  PID:6076
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\mctphutibpldxojmmt.exe*."
    3⤵
    PID:5044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mctphutibpldxojmmt.exe
1⤵
PID:1160
- C:\Windows\mctphutibpldxojmmt.exe
  mctphutibpldxojmmt.exe
  2⤵
  PID:5288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsmlgwyqmdcxuomsvfnga.exe
1⤵
PID:5196
- C:\Windows\zsmlgwyqmdcxuomsvfnga.exe
  zsmlgwyqmdcxuomsvfnga.exe
  2⤵
  PID:3556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xogdwkkaujgzumimnvb.exe .
1⤵
PID:3292
- C:\Windows\xogdwkkaujgzumimnvb.exe
  xogdwkkaujgzumimnvb.exe .
  2⤵
  PID:4444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xogdwkkaujgzumimnvb.exe .
1⤵
PID:2464
- C:\Windows\xogdwkkaujgzumimnvb.exe
  xogdwkkaujgzumimnvb.exe .
  2⤵
  PID:2236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe
1⤵
PID:4760
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe
1⤵
PID:2932
- C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe
  C:\Users\Admin\AppData\Local\Temp\zsmlgwyqmdcxuomsvfnga.exe
  2⤵
  PID:3916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe
1⤵
PID:6036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe .
1⤵
PID:1904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe .
1⤵
PID:5728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe .
1⤵
PID:2380
- C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe
  C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe .
  2⤵
  PID:1608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dsidugeskxsjcsmon.exe
1⤵
PID:1076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe
1⤵
PID:4516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wkztjurevhbrjyrs.exe .
1⤵
PID:4884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcvtncdupfdxtmjoqzgy.exe .
1⤵
PID:1056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Safe Mode Boot

T1562.009

Modify Registry