pykspa | 43052236052cd013b93a57abd4dac9fc4a5cdaa0eb0a23f2c5d48e105fd12071

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	xhlmu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	xhlmu.exe

Pykspa
Pykspa is a worm spreads via Skype uses DGA and it's written in C++.
worm pykspa
Pykspa family
pykspa

UAC bypass 3 TTPs 26 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	xhlmu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	xhlmu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	xhlmu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	xhlmu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	xhlmu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	xhlmu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	xhlmu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	xhlmu.exe

Detect Pykspa worm 2 IoCs

worm

resource	yara_rule
behavioral2/files/0x00040000000229c8-4.dat	family_pykspa
behavioral2/files/0x0007000000024260-80.dat	family_pykspa

Adds policy Run key to start application 2 TTPs 57 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	xhlmu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mdowlylrhths = "ihaqnidrpjfyvaclqpiy.exe"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	xhlmu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mdowlylrhths = "upeqjarbvldslmkp.exe"	xhlmu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mdowlylrhths = "bxnaumepkbukegfln.exe"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bpxcoyily = "C:\\Users\\Admin\\AppData\\Local\\Temp\\upeqjarbvldslmkp.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mdowlylrhths = "vtlawqkxuniawabjnld.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bpxcoyily = "C:\\Users\\Admin\\AppData\\Local\\Temp\\khymhatfbtnezccjmj.exe"	xhlmu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mdowlylrhths = "khymhatfbtnezccjmj.exe"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bpxcoyily = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xxrigcynmheywcfpvvpge.exe"	xhlmu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bpxcoyily = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xxrigcynmheywcfpvvpge.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mdowlylrhths = "vtlawqkxuniawabjnld.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mdowlylrhths = "xxrigcynmheywcfpvvpge.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bpxcoyily = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xxrigcynmheywcfpvvpge.exe"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mdowlylrhths = "bxnaumepkbukegfln.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mdowlylrhths = "vtlawqkxuniawabjnld.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bpxcoyily = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vtlawqkxuniawabjnld.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bpxcoyily = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vtlawqkxuniawabjnld.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bpxcoyily = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xxrigcynmheywcfpvvpge.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bpxcoyily = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vtlawqkxuniawabjnld.exe"	xhlmu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mdowlylrhths = "xxrigcynmheywcfpvvpge.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bpxcoyily = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ihaqnidrpjfyvaclqpiy.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bpxcoyily = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xxrigcynmheywcfpvvpge.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mdowlylrhths = "bxnaumepkbukegfln.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bpxcoyily = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xxrigcynmheywcfpvvpge.exe"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mdowlylrhths = "khymhatfbtnezccjmj.exe"	xhlmu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mdowlylrhths = "khymhatfbtnezccjmj.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mdowlylrhths = "xxrigcynmheywcfpvvpge.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bpxcoyily = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bxnaumepkbukegfln.exe"	xhlmu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mdowlylrhths = "ihaqnidrpjfyvaclqpiy.exe"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bpxcoyily = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xxrigcynmheywcfpvvpge.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mdowlylrhths = "khymhatfbtnezccjmj.exe"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mdowlylrhths = "khymhatfbtnezccjmj.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mdowlylrhths = "bxnaumepkbukegfln.exe"	xhlmu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bpxcoyily = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vtlawqkxuniawabjnld.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bpxcoyily = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ihaqnidrpjfyvaclqpiy.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mdowlylrhths = "vtlawqkxuniawabjnld.exe"	xhlmu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bpxcoyily = "C:\\Users\\Admin\\AppData\\Local\\Temp\\khymhatfbtnezccjmj.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mdowlylrhths = "vtlawqkxuniawabjnld.exe"	xhlmu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bpxcoyily = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bxnaumepkbukegfln.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bpxcoyily = "C:\\Users\\Admin\\AppData\\Local\\Temp\\upeqjarbvldslmkp.exe"	xhlmu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bpxcoyily = "C:\\Users\\Admin\\AppData\\Local\\Temp\\upeqjarbvldslmkp.exe"	xhlmu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sdqaokddcna.exe

Disables RegEdit via registry modification 6 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	sdqaokddcna.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	xhlmu.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	xhlmu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	xhlmu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	xhlmu.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	xxrigcynmheywcfpvvpge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	upeqjarbvldslmkp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	vtlawqkxuniawabjnld.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	vtlawqkxuniawabjnld.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	sdqaokddcna.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	bxnaumepkbukegfln.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	xxrigcynmheywcfpvvpge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	vtlawqkxuniawabjnld.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	khymhatfbtnezccjmj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	bxnaumepkbukegfln.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	vtlawqkxuniawabjnld.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	khymhatfbtnezccjmj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	upeqjarbvldslmkp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	ihaqnidrpjfyvaclqpiy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	vtlawqkxuniawabjnld.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	bxnaumepkbukegfln.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	bxnaumepkbukegfln.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	upeqjarbvldslmkp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	bxnaumepkbukegfln.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	upeqjarbvldslmkp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	ihaqnidrpjfyvaclqpiy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	upeqjarbvldslmkp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	ihaqnidrpjfyvaclqpiy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	vtlawqkxuniawabjnld.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	upeqjarbvldslmkp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	ihaqnidrpjfyvaclqpiy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	vtlawqkxuniawabjnld.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	khymhatfbtnezccjmj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	vtlawqkxuniawabjnld.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	vtlawqkxuniawabjnld.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	upeqjarbvldslmkp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	xxrigcynmheywcfpvvpge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	xxrigcynmheywcfpvvpge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	bxnaumepkbukegfln.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	vtlawqkxuniawabjnld.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	khymhatfbtnezccjmj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	khymhatfbtnezccjmj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	upeqjarbvldslmkp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	upeqjarbvldslmkp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	xxrigcynmheywcfpvvpge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	ihaqnidrpjfyvaclqpiy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	xxrigcynmheywcfpvvpge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	xxrigcynmheywcfpvvpge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	ihaqnidrpjfyvaclqpiy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	vtlawqkxuniawabjnld.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	upeqjarbvldslmkp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	khymhatfbtnezccjmj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	ihaqnidrpjfyvaclqpiy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	xxrigcynmheywcfpvvpge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	khymhatfbtnezccjmj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	xxrigcynmheywcfpvvpge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	xxrigcynmheywcfpvvpge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	vtlawqkxuniawabjnld.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	ihaqnidrpjfyvaclqpiy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	vtlawqkxuniawabjnld.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	vtlawqkxuniawabjnld.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	xxrigcynmheywcfpvvpge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	upeqjarbvldslmkp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	xxrigcynmheywcfpvvpge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	xxrigcynmheywcfpvvpge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	upeqjarbvldslmkp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	bxnaumepkbukegfln.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	ihaqnidrpjfyvaclqpiy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	xxrigcynmheywcfpvvpge.exe

Executes dropped EXE 64 IoCs

pid	Process
3876	sdqaokddcna.exe
4724	bxnaumepkbukegfln.exe
4736	bxnaumepkbukegfln.exe
5216	sdqaokddcna.exe
5224	xxrigcynmheywcfpvvpge.exe
4852	bxnaumepkbukegfln.exe
4492	xxrigcynmheywcfpvvpge.exe
5420	sdqaokddcna.exe
1536	ihaqnidrpjfyvaclqpiy.exe
3320	sdqaokddcna.exe
5504	upeqjarbvldslmkp.exe
2448	xxrigcynmheywcfpvvpge.exe
608	sdqaokddcna.exe
1416	xhlmu.exe
5816	xhlmu.exe
5376	upeqjarbvldslmkp.exe
4540	ihaqnidrpjfyvaclqpiy.exe
2028	khymhatfbtnezccjmj.exe
3304	ihaqnidrpjfyvaclqpiy.exe
2900	sdqaokddcna.exe
5736	bxnaumepkbukegfln.exe
2396	sdqaokddcna.exe
4856	xxrigcynmheywcfpvvpge.exe
4992	upeqjarbvldslmkp.exe
4984	ihaqnidrpjfyvaclqpiy.exe
4980	ihaqnidrpjfyvaclqpiy.exe
5044	bxnaumepkbukegfln.exe
5420	bxnaumepkbukegfln.exe
2300	xxrigcynmheywcfpvvpge.exe
4956	sdqaokddcna.exe
4168	xxrigcynmheywcfpvvpge.exe
5900	sdqaokddcna.exe
876	sdqaokddcna.exe
2960	xxrigcynmheywcfpvvpge.exe
2736	khymhatfbtnezccjmj.exe
1796	upeqjarbvldslmkp.exe
532	sdqaokddcna.exe
5804	upeqjarbvldslmkp.exe
3076	upeqjarbvldslmkp.exe
2652	sdqaokddcna.exe
6128	bxnaumepkbukegfln.exe
2312	sdqaokddcna.exe
5056	sdqaokddcna.exe
2512	bxnaumepkbukegfln.exe
3560	xxrigcynmheywcfpvvpge.exe
1148	bxnaumepkbukegfln.exe
888	sdqaokddcna.exe
5524	xxrigcynmheywcfpvvpge.exe
3064	sdqaokddcna.exe
4892	vtlawqkxuniawabjnld.exe
2520	sdqaokddcna.exe
4608	ihaqnidrpjfyvaclqpiy.exe
4708	ihaqnidrpjfyvaclqpiy.exe
5208	sdqaokddcna.exe
6012	vtlawqkxuniawabjnld.exe
1852	ihaqnidrpjfyvaclqpiy.exe
1516	sdqaokddcna.exe
6088	xxrigcynmheywcfpvvpge.exe
5504	khymhatfbtnezccjmj.exe
4984	khymhatfbtnezccjmj.exe
920	ihaqnidrpjfyvaclqpiy.exe
3728	upeqjarbvldslmkp.exe
1836	sdqaokddcna.exe
2220	sdqaokddcna.exe

Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	xhlmu.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	xhlmu.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	xhlmu.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	xhlmu.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	xhlmu.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	xhlmu.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

defense_evasion persistence privilege_escalation

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ujsylwhlzj = "upeqjarbvldslmkp.exe"	xhlmu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pjxiaqgpixocuur = "C:\\Users\\Admin\\AppData\\Local\\Temp\\upeqjarbvldslmkp.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pfpwkwincna = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bxnaumepkbukegfln.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pfpwkwincna = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vtlawqkxuniawabjnld.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mfsctixfxlbofe = "bxnaumepkbukegfln.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pfpwkwincna = "khymhatfbtnezccjmj.exe ."	xhlmu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\upeqjarbvldslmkp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bxnaumepkbukegfln.exe"	xhlmu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pjxiaqgpixocuur = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vtlawqkxuniawabjnld.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mfsctixfxlbofe = "khymhatfbtnezccjmj.exe ."	xhlmu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ldpyocqxobqcs = "bxnaumepkbukegfln.exe"	xhlmu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pjxiaqgpixocuur = "C:\\Users\\Admin\\AppData\\Local\\Temp\\khymhatfbtnezccjmj.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pfpwkwincna = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xxrigcynmheywcfpvvpge.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mfsctixfxlbofe = "khymhatfbtnezccjmj.exe ."	xhlmu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ujsylwhlzj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\upeqjarbvldslmkp.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mfsctixfxlbofe = "ihaqnidrpjfyvaclqpiy.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pfpwkwincna = "vtlawqkxuniawabjnld.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ujsylwhlzj = "upeqjarbvldslmkp.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pjxiaqgpixocuur = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vtlawqkxuniawabjnld.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mfsctixfxlbofe = "xxrigcynmheywcfpvvpge.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ujsylwhlzj = "ihaqnidrpjfyvaclqpiy.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pfpwkwincna = "vtlawqkxuniawabjnld.exe ."	xhlmu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pfpwkwincna = "upeqjarbvldslmkp.exe ."	xhlmu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pjxiaqgpixocuur = "C:\\Users\\Admin\\AppData\\Local\\Temp\\khymhatfbtnezccjmj.exe ."	xhlmu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ujsylwhlzj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\upeqjarbvldslmkp.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ujsylwhlzj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xxrigcynmheywcfpvvpge.exe"	xhlmu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pfpwkwincna = "ihaqnidrpjfyvaclqpiy.exe ."	xhlmu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pjxiaqgpixocuur = "C:\\Users\\Admin\\AppData\\Local\\Temp\\khymhatfbtnezccjmj.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pjxiaqgpixocuur = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bxnaumepkbukegfln.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mfsctixfxlbofe = "ihaqnidrpjfyvaclqpiy.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\upeqjarbvldslmkp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\khymhatfbtnezccjmj.exe"	xhlmu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pfpwkwincna = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ihaqnidrpjfyvaclqpiy.exe ."	xhlmu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\upeqjarbvldslmkp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xxrigcynmheywcfpvvpge.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ujsylwhlzj = "upeqjarbvldslmkp.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ldpyocqxobqcs = "ihaqnidrpjfyvaclqpiy.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\upeqjarbvldslmkp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vtlawqkxuniawabjnld.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pfpwkwincna = "ihaqnidrpjfyvaclqpiy.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mfsctixfxlbofe = "upeqjarbvldslmkp.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pfpwkwincna = "ihaqnidrpjfyvaclqpiy.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pfpwkwincna = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xxrigcynmheywcfpvvpge.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ldpyocqxobqcs = "bxnaumepkbukegfln.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mfsctixfxlbofe = "khymhatfbtnezccjmj.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pjxiaqgpixocuur = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bxnaumepkbukegfln.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ujsylwhlzj = "bxnaumepkbukegfln.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ujsylwhlzj = "ihaqnidrpjfyvaclqpiy.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ujsylwhlzj = "ihaqnidrpjfyvaclqpiy.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ldpyocqxobqcs = "vtlawqkxuniawabjnld.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ujsylwhlzj = "upeqjarbvldslmkp.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pjxiaqgpixocuur = "C:\\Users\\Admin\\AppData\\Local\\Temp\\khymhatfbtnezccjmj.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pjxiaqgpixocuur = "C:\\Users\\Admin\\AppData\\Local\\Temp\\upeqjarbvldslmkp.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ujsylwhlzj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ihaqnidrpjfyvaclqpiy.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ldpyocqxobqcs = "ihaqnidrpjfyvaclqpiy.exe"	xhlmu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ldpyocqxobqcs = "bxnaumepkbukegfln.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\upeqjarbvldslmkp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\khymhatfbtnezccjmj.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pfpwkwincna = "ihaqnidrpjfyvaclqpiy.exe ."	xhlmu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ldpyocqxobqcs = "upeqjarbvldslmkp.exe"	xhlmu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ldpyocqxobqcs = "xxrigcynmheywcfpvvpge.exe"	xhlmu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mfsctixfxlbofe = "xxrigcynmheywcfpvvpge.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\upeqjarbvldslmkp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xxrigcynmheywcfpvvpge.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ldpyocqxobqcs = "vtlawqkxuniawabjnld.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pfpwkwincna = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bxnaumepkbukegfln.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\upeqjarbvldslmkp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vtlawqkxuniawabjnld.exe"	xhlmu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pfpwkwincna = "upeqjarbvldslmkp.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ujsylwhlzj = "vtlawqkxuniawabjnld.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ldpyocqxobqcs = "ihaqnidrpjfyvaclqpiy.exe"	sdqaokddcna.exe

Checks whether UAC is enabled 1 TTPs 34 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdqaokddcna.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdqaokddcna.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	xhlmu.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdqaokddcna.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdqaokddcna.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	xhlmu.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	xhlmu.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	xhlmu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdqaokddcna.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdqaokddcna.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdqaokddcna.exe

Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs

Possible Turn off User Account Control's privilege elevation for standard users.

Executable Installer File Permissions Weakness

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	xhlmu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	xhlmu.exe

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
27	www.whatismyip.ca
31	www.showmyipaddress.com
34	whatismyipaddress.com
38	whatismyip.everdot.org
52	www.whatismyip.ca
62	whatismyip.everdot.org

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\upeqjarbvldslmkp.exe	xhlmu.exe
File opened for modification	C:\Windows\SysWOW64\vtlawqkxuniawabjnld.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\xxrigcynmheywcfpvvpge.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\vtlawqkxuniawabjnld.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\opkcbyvllhfazgkvcdyqpm.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\vtlawqkxuniawabjnld.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\xxrigcynmheywcfpvvpge.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\xxrigcynmheywcfpvvpge.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\opkcbyvllhfazgkvcdyqpm.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\upeqjarbvldslmkp.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\khymhatfbtnezccjmj.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\xxrigcynmheywcfpvvpge.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\bxnaumepkbukegfln.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\khymhatfbtnezccjmj.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\ihaqnidrpjfyvaclqpiy.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\khymhatfbtnezccjmj.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\bxnaumepkbukegfln.exe	xhlmu.exe
File opened for modification	C:\Windows\SysWOW64\ihaqnidrpjfyvaclqpiy.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\vtlawqkxuniawabjnld.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\xxrigcynmheywcfpvvpge.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\vtlawqkxuniawabjnld.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\ihaqnidrpjfyvaclqpiy.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\khymhatfbtnezccjmj.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\vtlawqkxuniawabjnld.exe	xhlmu.exe
File opened for modification	C:\Windows\SysWOW64\xxrigcynmheywcfpvvpge.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\khymhatfbtnezccjmj.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\upeqjarbvldslmkp.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\xxrigcynmheywcfpvvpge.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\khymhatfbtnezccjmj.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\bxnaumepkbukegfln.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\xxrigcynmheywcfpvvpge.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\bxnaumepkbukegfln.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\opkcbyvllhfazgkvcdyqpm.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\bxnaumepkbukegfln.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\upeqjarbvldslmkp.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\upeqjarbvldslmkp.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\opkcbyvllhfazgkvcdyqpm.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\opkcbyvllhfazgkvcdyqpm.exe	xhlmu.exe
File opened for modification	C:\Windows\SysWOW64\ihaqnidrpjfyvaclqpiy.exe	xhlmu.exe
File opened for modification	C:\Windows\SysWOW64\xxrigcynmheywcfpvvpge.exe	xhlmu.exe
File opened for modification	C:\Windows\SysWOW64\khymhatfbtnezccjmj.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\upeqjarbvldslmkp.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\opkcbyvllhfazgkvcdyqpm.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\bxnaumepkbukegfln.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\opkcbyvllhfazgkvcdyqpm.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\vtlawqkxuniawabjnld.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\opkcbyvllhfazgkvcdyqpm.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\ihaqnidrpjfyvaclqpiy.exe	sdqaokddcna.exe
File created	C:\Windows\SysWOW64\pfpwkwincnakyunnjzjqeqchwhuesohhd.dky	xhlmu.exe
File opened for modification	C:\Windows\SysWOW64\khymhatfbtnezccjmj.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\upeqjarbvldslmkp.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\pfpwkwincnakyunnjzjqeqchwhuesohhd.dky	xhlmu.exe
File opened for modification	C:\Windows\SysWOW64\xxrigcynmheywcfpvvpge.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\upeqjarbvldslmkp.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\opkcbyvllhfazgkvcdyqpm.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\vtlawqkxuniawabjnld.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\upeqjarbvldslmkp.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\xxrigcynmheywcfpvvpge.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\xxrigcynmheywcfpvvpge.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\ihaqnidrpjfyvaclqpiy.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\xxrigcynmheywcfpvvpge.exe	xhlmu.exe
File opened for modification	C:\Windows\SysWOW64\ihaqnidrpjfyvaclqpiy.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\khymhatfbtnezccjmj.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\bxnaumepkbukegfln.exe	sdqaokddcna.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\ydcybcdxbbdcfqynydcybc.xbb	xhlmu.exe
File created	C:\Program Files (x86)\ydcybcdxbbdcfqynydcybc.xbb	xhlmu.exe
File opened for modification	C:\Program Files (x86)\pfpwkwincnakyunnjzjqeqchwhuesohhd.dky	xhlmu.exe
File created	C:\Program Files (x86)\pfpwkwincnakyunnjzjqeqchwhuesohhd.dky	xhlmu.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\upeqjarbvldslmkp.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\opkcbyvllhfazgkvcdyqpm.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\khymhatfbtnezccjmj.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\khymhatfbtnezccjmj.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\vtlawqkxuniawabjnld.exe	xhlmu.exe
File opened for modification	C:\Windows\bxnaumepkbukegfln.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\opkcbyvllhfazgkvcdyqpm.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\xxrigcynmheywcfpvvpge.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\opkcbyvllhfazgkvcdyqpm.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\xxrigcynmheywcfpvvpge.exe	xhlmu.exe
File opened for modification	C:\Windows\khymhatfbtnezccjmj.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\upeqjarbvldslmkp.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\opkcbyvllhfazgkvcdyqpm.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\vtlawqkxuniawabjnld.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\opkcbyvllhfazgkvcdyqpm.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\xxrigcynmheywcfpvvpge.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\ihaqnidrpjfyvaclqpiy.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\khymhatfbtnezccjmj.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\bxnaumepkbukegfln.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\xxrigcynmheywcfpvvpge.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\ihaqnidrpjfyvaclqpiy.exe	xhlmu.exe
File opened for modification	C:\Windows\ihaqnidrpjfyvaclqpiy.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\vtlawqkxuniawabjnld.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\bxnaumepkbukegfln.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\vtlawqkxuniawabjnld.exe	xhlmu.exe
File opened for modification	C:\Windows\xxrigcynmheywcfpvvpge.exe	xhlmu.exe
File created	C:\Windows\pfpwkwincnakyunnjzjqeqchwhuesohhd.dky	xhlmu.exe
File opened for modification	C:\Windows\vtlawqkxuniawabjnld.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\ihaqnidrpjfyvaclqpiy.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\khymhatfbtnezccjmj.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\opkcbyvllhfazgkvcdyqpm.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\upeqjarbvldslmkp.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\xxrigcynmheywcfpvvpge.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\khymhatfbtnezccjmj.exe	xhlmu.exe
File opened for modification	C:\Windows\xxrigcynmheywcfpvvpge.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\opkcbyvllhfazgkvcdyqpm.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\upeqjarbvldslmkp.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\vtlawqkxuniawabjnld.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\upeqjarbvldslmkp.exe	xhlmu.exe
File opened for modification	C:\Windows\upeqjarbvldslmkp.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\bxnaumepkbukegfln.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\bxnaumepkbukegfln.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\khymhatfbtnezccjmj.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\xxrigcynmheywcfpvvpge.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\opkcbyvllhfazgkvcdyqpm.exe	xhlmu.exe
File opened for modification	C:\Windows\ydcybcdxbbdcfqynydcybc.xbb	xhlmu.exe
File opened for modification	C:\Windows\opkcbyvllhfazgkvcdyqpm.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\bxnaumepkbukegfln.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\upeqjarbvldslmkp.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\ihaqnidrpjfyvaclqpiy.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\upeqjarbvldslmkp.exe	xhlmu.exe
File opened for modification	C:\Windows\khymhatfbtnezccjmj.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\bxnaumepkbukegfln.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\bxnaumepkbukegfln.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\ihaqnidrpjfyvaclqpiy.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\khymhatfbtnezccjmj.exe	sdqaokddcna.exe
File created	C:\Windows\ydcybcdxbbdcfqynydcybc.xbb	xhlmu.exe
File opened for modification	C:\Windows\bxnaumepkbukegfln.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\ihaqnidrpjfyvaclqpiy.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\vtlawqkxuniawabjnld.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\opkcbyvllhfazgkvcdyqpm.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\vtlawqkxuniawabjnld.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\vtlawqkxuniawabjnld.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\xxrigcynmheywcfpvvpge.exe	sdqaokddcna.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xxrigcynmheywcfpvvpge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bxnaumepkbukegfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ihaqnidrpjfyvaclqpiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ihaqnidrpjfyvaclqpiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vtlawqkxuniawabjnld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ihaqnidrpjfyvaclqpiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	upeqjarbvldslmkp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bxnaumepkbukegfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	upeqjarbvldslmkp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	khymhatfbtnezccjmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xxrigcynmheywcfpvvpge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	upeqjarbvldslmkp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xxrigcynmheywcfpvvpge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	upeqjarbvldslmkp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8f7640d6457aa4b9577933e5f8d6810d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	upeqjarbvldslmkp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bxnaumepkbukegfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vtlawqkxuniawabjnld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vtlawqkxuniawabjnld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bxnaumepkbukegfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ihaqnidrpjfyvaclqpiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vtlawqkxuniawabjnld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ihaqnidrpjfyvaclqpiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bxnaumepkbukegfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xxrigcynmheywcfpvvpge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	upeqjarbvldslmkp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vtlawqkxuniawabjnld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bxnaumepkbukegfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vtlawqkxuniawabjnld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sdqaokddcna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xxrigcynmheywcfpvvpge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xxrigcynmheywcfpvvpge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bxnaumepkbukegfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	upeqjarbvldslmkp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vtlawqkxuniawabjnld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ihaqnidrpjfyvaclqpiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xxrigcynmheywcfpvvpge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vtlawqkxuniawabjnld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vtlawqkxuniawabjnld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bxnaumepkbukegfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xhlmu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ihaqnidrpjfyvaclqpiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ihaqnidrpjfyvaclqpiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bxnaumepkbukegfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	khymhatfbtnezccjmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xxrigcynmheywcfpvvpge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	upeqjarbvldslmkp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bxnaumepkbukegfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	khymhatfbtnezccjmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	khymhatfbtnezccjmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vtlawqkxuniawabjnld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xxrigcynmheywcfpvvpge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xxrigcynmheywcfpvvpge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	upeqjarbvldslmkp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xxrigcynmheywcfpvvpge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bxnaumepkbukegfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xhlmu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ihaqnidrpjfyvaclqpiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vtlawqkxuniawabjnld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vtlawqkxuniawabjnld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xxrigcynmheywcfpvvpge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ihaqnidrpjfyvaclqpiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xxrigcynmheywcfpvvpge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	khymhatfbtnezccjmj.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4164	JaffaCakes118_8f7640d6457aa4b9577933e5f8d6810d.exe
4164	JaffaCakes118_8f7640d6457aa4b9577933e5f8d6810d.exe
4164	JaffaCakes118_8f7640d6457aa4b9577933e5f8d6810d.exe
4164	JaffaCakes118_8f7640d6457aa4b9577933e5f8d6810d.exe
4164	JaffaCakes118_8f7640d6457aa4b9577933e5f8d6810d.exe
4164	JaffaCakes118_8f7640d6457aa4b9577933e5f8d6810d.exe
4164	JaffaCakes118_8f7640d6457aa4b9577933e5f8d6810d.exe
4164	JaffaCakes118_8f7640d6457aa4b9577933e5f8d6810d.exe
4164	JaffaCakes118_8f7640d6457aa4b9577933e5f8d6810d.exe
4164	JaffaCakes118_8f7640d6457aa4b9577933e5f8d6810d.exe
4164	JaffaCakes118_8f7640d6457aa4b9577933e5f8d6810d.exe
4164	JaffaCakes118_8f7640d6457aa4b9577933e5f8d6810d.exe
4164	JaffaCakes118_8f7640d6457aa4b9577933e5f8d6810d.exe
4164	JaffaCakes118_8f7640d6457aa4b9577933e5f8d6810d.exe
4164	JaffaCakes118_8f7640d6457aa4b9577933e5f8d6810d.exe
4164	JaffaCakes118_8f7640d6457aa4b9577933e5f8d6810d.exe
5816	xhlmu.exe
5816	xhlmu.exe
4164	JaffaCakes118_8f7640d6457aa4b9577933e5f8d6810d.exe
4164	JaffaCakes118_8f7640d6457aa4b9577933e5f8d6810d.exe
4164	JaffaCakes118_8f7640d6457aa4b9577933e5f8d6810d.exe
4164	JaffaCakes118_8f7640d6457aa4b9577933e5f8d6810d.exe
4164	JaffaCakes118_8f7640d6457aa4b9577933e5f8d6810d.exe
4164	JaffaCakes118_8f7640d6457aa4b9577933e5f8d6810d.exe
4164	JaffaCakes118_8f7640d6457aa4b9577933e5f8d6810d.exe
4164	JaffaCakes118_8f7640d6457aa4b9577933e5f8d6810d.exe
4164	JaffaCakes118_8f7640d6457aa4b9577933e5f8d6810d.exe
4164	JaffaCakes118_8f7640d6457aa4b9577933e5f8d6810d.exe
4164	JaffaCakes118_8f7640d6457aa4b9577933e5f8d6810d.exe
4164	JaffaCakes118_8f7640d6457aa4b9577933e5f8d6810d.exe
4164	JaffaCakes118_8f7640d6457aa4b9577933e5f8d6810d.exe
4164	JaffaCakes118_8f7640d6457aa4b9577933e5f8d6810d.exe
4164	JaffaCakes118_8f7640d6457aa4b9577933e5f8d6810d.exe
4164	JaffaCakes118_8f7640d6457aa4b9577933e5f8d6810d.exe
4164	JaffaCakes118_8f7640d6457aa4b9577933e5f8d6810d.exe
4164	JaffaCakes118_8f7640d6457aa4b9577933e5f8d6810d.exe
4164	JaffaCakes118_8f7640d6457aa4b9577933e5f8d6810d.exe
4164	JaffaCakes118_8f7640d6457aa4b9577933e5f8d6810d.exe
4164	JaffaCakes118_8f7640d6457aa4b9577933e5f8d6810d.exe
4164	JaffaCakes118_8f7640d6457aa4b9577933e5f8d6810d.exe
4164	JaffaCakes118_8f7640d6457aa4b9577933e5f8d6810d.exe
4164	JaffaCakes118_8f7640d6457aa4b9577933e5f8d6810d.exe
4164	JaffaCakes118_8f7640d6457aa4b9577933e5f8d6810d.exe
4164	JaffaCakes118_8f7640d6457aa4b9577933e5f8d6810d.exe
4164	JaffaCakes118_8f7640d6457aa4b9577933e5f8d6810d.exe
4164	JaffaCakes118_8f7640d6457aa4b9577933e5f8d6810d.exe
4164	JaffaCakes118_8f7640d6457aa4b9577933e5f8d6810d.exe
4164	JaffaCakes118_8f7640d6457aa4b9577933e5f8d6810d.exe
4164	JaffaCakes118_8f7640d6457aa4b9577933e5f8d6810d.exe
4164	JaffaCakes118_8f7640d6457aa4b9577933e5f8d6810d.exe
4164	JaffaCakes118_8f7640d6457aa4b9577933e5f8d6810d.exe
4164	JaffaCakes118_8f7640d6457aa4b9577933e5f8d6810d.exe
4164	JaffaCakes118_8f7640d6457aa4b9577933e5f8d6810d.exe
4164	JaffaCakes118_8f7640d6457aa4b9577933e5f8d6810d.exe
4164	JaffaCakes118_8f7640d6457aa4b9577933e5f8d6810d.exe
4164	JaffaCakes118_8f7640d6457aa4b9577933e5f8d6810d.exe
4164	JaffaCakes118_8f7640d6457aa4b9577933e5f8d6810d.exe
4164	JaffaCakes118_8f7640d6457aa4b9577933e5f8d6810d.exe
4164	JaffaCakes118_8f7640d6457aa4b9577933e5f8d6810d.exe
4164	JaffaCakes118_8f7640d6457aa4b9577933e5f8d6810d.exe
4164	JaffaCakes118_8f7640d6457aa4b9577933e5f8d6810d.exe
4164	JaffaCakes118_8f7640d6457aa4b9577933e5f8d6810d.exe
4164	JaffaCakes118_8f7640d6457aa4b9577933e5f8d6810d.exe
4164	JaffaCakes118_8f7640d6457aa4b9577933e5f8d6810d.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5816	xhlmu.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4164 wrote to memory of 3876	4164	JaffaCakes118_8f7640d6457aa4b9577933e5f8d6810d.exe	88
PID 4164 wrote to memory of 3876	4164	JaffaCakes118_8f7640d6457aa4b9577933e5f8d6810d.exe	88
PID 4164 wrote to memory of 3876	4164	JaffaCakes118_8f7640d6457aa4b9577933e5f8d6810d.exe	88
PID 4556 wrote to memory of 4724	4556	cmd.exe	91
PID 4556 wrote to memory of 4724	4556	cmd.exe	91
PID 4556 wrote to memory of 4724	4556	cmd.exe	91
PID 4688 wrote to memory of 4736	4688	cmd.exe	94
PID 4688 wrote to memory of 4736	4688	cmd.exe	94
PID 4688 wrote to memory of 4736	4688	cmd.exe	94
PID 4736 wrote to memory of 5216	4736	bxnaumepkbukegfln.exe	97
PID 4736 wrote to memory of 5216	4736	bxnaumepkbukegfln.exe	97
PID 4736 wrote to memory of 5216	4736	bxnaumepkbukegfln.exe	97
PID 904 wrote to memory of 5224	904	cmd.exe	100
PID 904 wrote to memory of 5224	904	cmd.exe	100
PID 904 wrote to memory of 5224	904	cmd.exe	100
PID 1032 wrote to memory of 4852	1032	cmd.exe	103
PID 1032 wrote to memory of 4852	1032	cmd.exe	103
PID 1032 wrote to memory of 4852	1032	cmd.exe	103
PID 4612 wrote to memory of 4492	4612	cmd.exe	106
PID 4612 wrote to memory of 4492	4612	cmd.exe	106
PID 4612 wrote to memory of 4492	4612	cmd.exe	106
PID 4852 wrote to memory of 5420	4852	bxnaumepkbukegfln.exe	167
PID 4852 wrote to memory of 5420	4852	bxnaumepkbukegfln.exe	167
PID 4852 wrote to memory of 5420	4852	bxnaumepkbukegfln.exe	167
PID 4764 wrote to memory of 1536	4764	cmd.exe	108
PID 4764 wrote to memory of 1536	4764	cmd.exe	108
PID 4764 wrote to memory of 1536	4764	cmd.exe	108
PID 1536 wrote to memory of 3320	1536	ihaqnidrpjfyvaclqpiy.exe	112
PID 1536 wrote to memory of 3320	1536	ihaqnidrpjfyvaclqpiy.exe	112
PID 1536 wrote to memory of 3320	1536	ihaqnidrpjfyvaclqpiy.exe	112
PID 2228 wrote to memory of 5504	2228	cmd.exe	232
PID 2228 wrote to memory of 5504	2228	cmd.exe	232
PID 2228 wrote to memory of 5504	2228	cmd.exe	232
PID 5768 wrote to memory of 2448	5768	cmd.exe	178
PID 5768 wrote to memory of 2448	5768	cmd.exe	178
PID 5768 wrote to memory of 2448	5768	cmd.exe	178
PID 2448 wrote to memory of 608	2448	xxrigcynmheywcfpvvpge.exe	116
PID 2448 wrote to memory of 608	2448	xxrigcynmheywcfpvvpge.exe	116
PID 2448 wrote to memory of 608	2448	xxrigcynmheywcfpvvpge.exe	116
PID 3876 wrote to memory of 1416	3876	sdqaokddcna.exe	119
PID 3876 wrote to memory of 1416	3876	sdqaokddcna.exe	119
PID 3876 wrote to memory of 1416	3876	sdqaokddcna.exe	119
PID 3876 wrote to memory of 5816	3876	sdqaokddcna.exe	120
PID 3876 wrote to memory of 5816	3876	sdqaokddcna.exe	120
PID 3876 wrote to memory of 5816	3876	sdqaokddcna.exe	120
PID 5784 wrote to memory of 5376	5784	cmd.exe	126
PID 5784 wrote to memory of 5376	5784	cmd.exe	126
PID 5784 wrote to memory of 5376	5784	cmd.exe	126
PID 5528 wrote to memory of 4540	5528	cmd.exe	278
PID 5528 wrote to memory of 4540	5528	cmd.exe	278
PID 5528 wrote to memory of 4540	5528	cmd.exe	278
PID 2520 wrote to memory of 2028	2520	cmd.exe	133
PID 2520 wrote to memory of 2028	2520	cmd.exe	133
PID 2520 wrote to memory of 2028	2520	cmd.exe	133
PID 5260 wrote to memory of 3304	5260	cmd.exe	140
PID 5260 wrote to memory of 3304	5260	cmd.exe	140
PID 5260 wrote to memory of 3304	5260	cmd.exe	140
PID 2028 wrote to memory of 2900	2028	khymhatfbtnezccjmj.exe	145
PID 2028 wrote to memory of 2900	2028	khymhatfbtnezccjmj.exe	145
PID 2028 wrote to memory of 2900	2028	khymhatfbtnezccjmj.exe	145
PID 3348 wrote to memory of 5736	3348	cmd.exe	153
PID 3348 wrote to memory of 5736	3348	cmd.exe	153
PID 3348 wrote to memory of 5736	3348	cmd.exe	153
PID 3304 wrote to memory of 2396	3304	ihaqnidrpjfyvaclqpiy.exe	290

System policy modification 1 TTPs 64 IoCs

defense_evasion

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	xhlmu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	xhlmu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	xhlmu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	xhlmu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	xhlmu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	xhlmu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	xhlmu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	xhlmu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	xhlmu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	xhlmu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	xhlmu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	xhlmu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	xhlmu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	xhlmu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	xhlmu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	xhlmu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	xhlmu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	xhlmu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	xhlmu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	xhlmu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	xhlmu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	xhlmu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	xhlmu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	xhlmu.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8f7640d6457aa4b9577933e5f8d6810d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8f7640d6457aa4b9577933e5f8d6810d.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4164
- C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
  "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_8f7640d6457aa4b9577933e5f8d6810d.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Hijack Execution Flow: Executable Installer File Permissions Weakness
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3876
- - C:\Users\Admin\AppData\Local\Temp\xhlmu.exe
    "C:\Users\Admin\AppData\Local\Temp\xhlmu.exe" "-C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - System policy modification
    PID:1416
- - C:\Users\Admin\AppData\Local\Temp\xhlmu.exe
    "C:\Users\Admin\AppData\Local\Temp\xhlmu.exe" "-C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:5816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxnaumepkbukegfln.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4556
- C:\Windows\bxnaumepkbukegfln.exe
  bxnaumepkbukegfln.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxnaumepkbukegfln.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:4688
- C:\Windows\bxnaumepkbukegfln.exe
  bxnaumepkbukegfln.exe .
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4736
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\bxnaumepkbukegfln.exe*."
    3⤵
    - Executes dropped EXE
    PID:5216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xxrigcynmheywcfpvvpge.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:904
- C:\Windows\xxrigcynmheywcfpvvpge.exe
  xxrigcynmheywcfpvvpge.exe
  2⤵
  - Executes dropped EXE
  PID:5224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxnaumepkbukegfln.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Windows\bxnaumepkbukegfln.exe
  bxnaumepkbukegfln.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4852
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\bxnaumepkbukegfln.exe*."
    3⤵
    - Executes dropped EXE
    PID:5420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4612
- C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
  C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe
  C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\ihaqnidrpjfyvaclqpiy.exe*."
    3⤵
    - Executes dropped EXE
    PID:3320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe
  C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe
  2⤵
  - Executes dropped EXE
  PID:5504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:5768
- C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
  C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\xxrigcynmheywcfpvvpge.exe*."
    3⤵
    - Executes dropped EXE
    PID:608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c upeqjarbvldslmkp.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5784
- C:\Windows\upeqjarbvldslmkp.exe
  upeqjarbvldslmkp.exe
  2⤵
  - Executes dropped EXE
  PID:5376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ihaqnidrpjfyvaclqpiy.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5528
- C:\Windows\ihaqnidrpjfyvaclqpiy.exe
  ihaqnidrpjfyvaclqpiy.exe
  2⤵
  - Executes dropped EXE
  PID:4540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c khymhatfbtnezccjmj.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Windows\khymhatfbtnezccjmj.exe
  khymhatfbtnezccjmj.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\khymhatfbtnezccjmj.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ihaqnidrpjfyvaclqpiy.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:5260
- C:\Windows\ihaqnidrpjfyvaclqpiy.exe
  ihaqnidrpjfyvaclqpiy.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3304
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ihaqnidrpjfyvaclqpiy.exe*."
    3⤵
    - Executes dropped EXE
    PID:2396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxnaumepkbukegfln.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3348
- C:\Windows\bxnaumepkbukegfln.exe
  bxnaumepkbukegfln.exe
  2⤵
  - Executes dropped EXE
  PID:5736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xxrigcynmheywcfpvvpge.exe .
1⤵
PID:6032
- C:\Windows\xxrigcynmheywcfpvvpge.exe
  xxrigcynmheywcfpvvpge.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4856
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xxrigcynmheywcfpvvpge.exe*."
    3⤵
    - Executes dropped EXE
    PID:4956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c upeqjarbvldslmkp.exe
1⤵
PID:1920
- C:\Windows\upeqjarbvldslmkp.exe
  upeqjarbvldslmkp.exe
  2⤵
  - Executes dropped EXE
  PID:4992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ihaqnidrpjfyvaclqpiy.exe .
1⤵
PID:3424
- C:\Windows\ihaqnidrpjfyvaclqpiy.exe
  ihaqnidrpjfyvaclqpiy.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4980
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ihaqnidrpjfyvaclqpiy.exe*."
    3⤵
    - Executes dropped EXE
    PID:876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
1⤵
PID:368
- C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
  C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
1⤵
PID:952
- C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
  C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe .
1⤵
PID:5396
- C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe
  C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4984
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\ihaqnidrpjfyvaclqpiy.exe*."
    3⤵
    - Executes dropped EXE
    PID:5900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe .
1⤵
PID:5196
- C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
  C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4168
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\xxrigcynmheywcfpvvpge.exe*."
    3⤵
    - Executes dropped EXE
    PID:532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
1⤵
PID:2776
- C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
  C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
  2⤵
  - Executes dropped EXE
  PID:2300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe .
1⤵
PID:5008
- C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
  C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2960
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\xxrigcynmheywcfpvvpge.exe*."
    3⤵
    - Executes dropped EXE
    PID:2652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe
1⤵
PID:3724
- C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe
  C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe
  2⤵
  - Executes dropped EXE
  PID:1796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe .
1⤵
PID:4736
- C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe
  C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3076
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\upeqjarbvldslmkp.exe*."
    3⤵
    - Executes dropped EXE
    PID:5056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c khymhatfbtnezccjmj.exe
1⤵
PID:1360
- C:\Windows\khymhatfbtnezccjmj.exe
  khymhatfbtnezccjmj.exe
  2⤵
  - Executes dropped EXE
  PID:2736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c upeqjarbvldslmkp.exe .
1⤵
PID:5036
- C:\Windows\upeqjarbvldslmkp.exe
  upeqjarbvldslmkp.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5804
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\upeqjarbvldslmkp.exe*."
    3⤵
    - Executes dropped EXE
    PID:2312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxnaumepkbukegfln.exe
1⤵
PID:2448
- C:\Windows\bxnaumepkbukegfln.exe
  bxnaumepkbukegfln.exe
  2⤵
  - Executes dropped EXE
  PID:6128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxnaumepkbukegfln.exe .
1⤵
PID:1600
- C:\Windows\bxnaumepkbukegfln.exe
  bxnaumepkbukegfln.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2512
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\bxnaumepkbukegfln.exe*."
    3⤵
    - Executes dropped EXE
    PID:888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
1⤵
PID:868
- C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
  C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
  2⤵
  - Executes dropped EXE
  PID:1148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe .
1⤵
PID:5432
- C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
  C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3560
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\xxrigcynmheywcfpvvpge.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
1⤵
PID:2308
- C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
  C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
  2⤵
  - Executes dropped EXE
  PID:5524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe .
1⤵
PID:940
- C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe
  C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4892
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\vtlawqkxuniawabjnld.exe*."
    3⤵
    - Executes dropped EXE
    PID:2520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ihaqnidrpjfyvaclqpiy.exe
1⤵
PID:1660
- C:\Windows\ihaqnidrpjfyvaclqpiy.exe
  ihaqnidrpjfyvaclqpiy.exe
  2⤵
  - Executes dropped EXE
  PID:4608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ihaqnidrpjfyvaclqpiy.exe .
1⤵
PID:4600
- C:\Windows\ihaqnidrpjfyvaclqpiy.exe
  ihaqnidrpjfyvaclqpiy.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4708
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ihaqnidrpjfyvaclqpiy.exe*."
    3⤵
    - Executes dropped EXE
    PID:5208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vtlawqkxuniawabjnld.exe
1⤵
PID:3060
- C:\Windows\vtlawqkxuniawabjnld.exe
  vtlawqkxuniawabjnld.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ihaqnidrpjfyvaclqpiy.exe .
1⤵
PID:4492
- C:\Windows\ihaqnidrpjfyvaclqpiy.exe
  ihaqnidrpjfyvaclqpiy.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1852
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ihaqnidrpjfyvaclqpiy.exe*."
    3⤵
    - Executes dropped EXE
    PID:1516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xxrigcynmheywcfpvvpge.exe
1⤵
PID:1260
- C:\Windows\xxrigcynmheywcfpvvpge.exe
  xxrigcynmheywcfpvvpge.exe
  2⤵
  - Executes dropped EXE
  PID:6088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khymhatfbtnezccjmj.exe
1⤵
PID:1032
- C:\Users\Admin\AppData\Local\Temp\khymhatfbtnezccjmj.exe
  C:\Users\Admin\AppData\Local\Temp\khymhatfbtnezccjmj.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khymhatfbtnezccjmj.exe .
1⤵
PID:5928
- C:\Users\Admin\AppData\Local\Temp\khymhatfbtnezccjmj.exe
  C:\Users\Admin\AppData\Local\Temp\khymhatfbtnezccjmj.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4984
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\khymhatfbtnezccjmj.exe*."
    3⤵
    - Executes dropped EXE
    PID:1836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c upeqjarbvldslmkp.exe
1⤵
PID:5096
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4856
- C:\Windows\upeqjarbvldslmkp.exe
  upeqjarbvldslmkp.exe
  2⤵
  - Executes dropped EXE
  PID:3728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ihaqnidrpjfyvaclqpiy.exe .
1⤵
PID:5212
- C:\Windows\ihaqnidrpjfyvaclqpiy.exe
  ihaqnidrpjfyvaclqpiy.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:920
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ihaqnidrpjfyvaclqpiy.exe*."
    3⤵
    - Executes dropped EXE
    PID:2220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xxrigcynmheywcfpvvpge.exe .
1⤵
PID:1404
- C:\Windows\xxrigcynmheywcfpvvpge.exe
  xxrigcynmheywcfpvvpge.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4400
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xxrigcynmheywcfpvvpge.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xxrigcynmheywcfpvvpge.exe
1⤵
PID:5400
- C:\Windows\xxrigcynmheywcfpvvpge.exe
  xxrigcynmheywcfpvvpge.exe
  2⤵
  PID:4912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
1⤵
PID:5416
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:876
- C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
  C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
  2⤵
  PID:1876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vtlawqkxuniawabjnld.exe .
1⤵
PID:2736
- C:\Windows\vtlawqkxuniawabjnld.exe
  vtlawqkxuniawabjnld.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2904
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\vtlawqkxuniawabjnld.exe*."
    3⤵
    PID:5036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe .
1⤵
PID:628
- C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe
  C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4404
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\upeqjarbvldslmkp.exe*."
    3⤵
    PID:1612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c upeqjarbvldslmkp.exe
1⤵
PID:1720
- C:\Windows\upeqjarbvldslmkp.exe
  upeqjarbvldslmkp.exe
  2⤵
  PID:848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khymhatfbtnezccjmj.exe
1⤵
PID:2604
- C:\Users\Admin\AppData\Local\Temp\khymhatfbtnezccjmj.exe
  C:\Users\Admin\AppData\Local\Temp\khymhatfbtnezccjmj.exe
  2⤵
  PID:4540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxnaumepkbukegfln.exe .
1⤵
PID:5716
- C:\Windows\bxnaumepkbukegfln.exe
  bxnaumepkbukegfln.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3612
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\bxnaumepkbukegfln.exe*."
    3⤵
    PID:3456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe .
1⤵
PID:3216
- C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe
  C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1252
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\ihaqnidrpjfyvaclqpiy.exe*."
    3⤵
    PID:3688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe
1⤵
PID:2960
- C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe
  C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe
  2⤵
  PID:936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe .
1⤵
PID:5384
- C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
  C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3708
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\xxrigcynmheywcfpvvpge.exe*."
    3⤵
    PID:4892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
1⤵
PID:5444
- C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
  C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
  2⤵
  PID:5020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe .
1⤵
PID:1872
- C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe
  C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:724
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\ihaqnidrpjfyvaclqpiy.exe*."
    3⤵
    PID:976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe
1⤵
PID:1496
- C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe
  C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe
  2⤵
  PID:2396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe .
1⤵
PID:2700
- C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
  C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2520
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\xxrigcynmheywcfpvvpge.exe*."
    3⤵
    PID:4556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vtlawqkxuniawabjnld.exe
1⤵
PID:1892
- C:\Windows\vtlawqkxuniawabjnld.exe
  vtlawqkxuniawabjnld.exe
  2⤵
  PID:4768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vtlawqkxuniawabjnld.exe .
1⤵
PID:4576
- C:\Windows\vtlawqkxuniawabjnld.exe
  vtlawqkxuniawabjnld.exe .
  2⤵
  - Checks computer location settings
  PID:6024
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\vtlawqkxuniawabjnld.exe*."
    3⤵
    PID:6012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vtlawqkxuniawabjnld.exe
1⤵
PID:3760
- C:\Windows\vtlawqkxuniawabjnld.exe
  vtlawqkxuniawabjnld.exe
  2⤵
  PID:5224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vtlawqkxuniawabjnld.exe .
1⤵
PID:5540
- C:\Windows\vtlawqkxuniawabjnld.exe
  vtlawqkxuniawabjnld.exe .
  2⤵
  - Checks computer location settings
  PID:4320
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\vtlawqkxuniawabjnld.exe*."
    3⤵
    PID:4492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
1⤵
PID:3328
- C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
  C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
  2⤵
  PID:1260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe .
1⤵
PID:3256
- C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe
  C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1920
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\upeqjarbvldslmkp.exe*."
    3⤵
    PID:3728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe
1⤵
PID:3968
- C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe
  C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe
  2⤵
  PID:4884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe .
1⤵
PID:5900
- C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
  C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4056
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\xxrigcynmheywcfpvvpge.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:6076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c upeqjarbvldslmkp.exe
1⤵
PID:5704
- C:\Windows\upeqjarbvldslmkp.exe
  upeqjarbvldslmkp.exe
  2⤵
  PID:2336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c upeqjarbvldslmkp.exe .
1⤵
PID:5588
- C:\Windows\upeqjarbvldslmkp.exe
  upeqjarbvldslmkp.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1604
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\upeqjarbvldslmkp.exe*."
    3⤵
    PID:4920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vtlawqkxuniawabjnld.exe
1⤵
PID:5180
- C:\Windows\vtlawqkxuniawabjnld.exe
  vtlawqkxuniawabjnld.exe
  2⤵
  PID:2080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xxrigcynmheywcfpvvpge.exe .
1⤵
PID:5768
- C:\Windows\xxrigcynmheywcfpvvpge.exe
  xxrigcynmheywcfpvvpge.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1800
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xxrigcynmheywcfpvvpge.exe*."
    3⤵
    PID:1124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
1⤵
PID:2632
- C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
  C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
  2⤵
  PID:1524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe .
1⤵
PID:4852
- C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
  C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5832
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\xxrigcynmheywcfpvvpge.exe*."
    3⤵
    PID:1612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
1⤵
PID:2768
- C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
  C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
  2⤵
  PID:5020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe .
1⤵
PID:2076
- C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe
  C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4440
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\upeqjarbvldslmkp.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c upeqjarbvldslmkp.exe
1⤵
PID:2716
- C:\Windows\upeqjarbvldslmkp.exe
  upeqjarbvldslmkp.exe
  2⤵
  PID:6124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xxrigcynmheywcfpvvpge.exe .
1⤵
PID:6064
- C:\Windows\xxrigcynmheywcfpvvpge.exe
  xxrigcynmheywcfpvvpge.exe .
  2⤵
  PID:4904
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xxrigcynmheywcfpvvpge.exe*."
    3⤵
    PID:3780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xxrigcynmheywcfpvvpge.exe
1⤵
PID:1580
- C:\Windows\xxrigcynmheywcfpvvpge.exe
  xxrigcynmheywcfpvvpge.exe
  2⤵
  PID:5716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xxrigcynmheywcfpvvpge.exe .
1⤵
PID:5516
- C:\Windows\xxrigcynmheywcfpvvpge.exe
  xxrigcynmheywcfpvvpge.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5812
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xxrigcynmheywcfpvvpge.exe*."
    3⤵
    PID:5464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
1⤵
PID:3188
- C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
  C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
  2⤵
  PID:1660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khymhatfbtnezccjmj.exe .
1⤵
PID:4652
- C:\Users\Admin\AppData\Local\Temp\khymhatfbtnezccjmj.exe
  C:\Users\Admin\AppData\Local\Temp\khymhatfbtnezccjmj.exe .
  2⤵
  - Checks computer location settings
  PID:4864
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\khymhatfbtnezccjmj.exe*."
    3⤵
    PID:4556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe
1⤵
PID:1928
- C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe
  C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe
  2⤵
  PID:2444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe .
1⤵
PID:1392
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5208
- C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
  C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3608
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\bxnaumepkbukegfln.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:6132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vtlawqkxuniawabjnld.exe
1⤵
PID:5148
- C:\Windows\vtlawqkxuniawabjnld.exe
  vtlawqkxuniawabjnld.exe
  2⤵
  PID:5348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vtlawqkxuniawabjnld.exe .
1⤵
PID:4928
- C:\Windows\vtlawqkxuniawabjnld.exe
  vtlawqkxuniawabjnld.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1632
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\vtlawqkxuniawabjnld.exe*."
    3⤵
    PID:3512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxnaumepkbukegfln.exe
1⤵
PID:1040
- C:\Windows\bxnaumepkbukegfln.exe
  bxnaumepkbukegfln.exe
  2⤵
  PID:4804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c upeqjarbvldslmkp.exe .
1⤵
PID:4732
- C:\Windows\upeqjarbvldslmkp.exe
  upeqjarbvldslmkp.exe .
  2⤵
  - Checks computer location settings
  PID:2096
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\upeqjarbvldslmkp.exe*."
    3⤵
    PID:1480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
1⤵
PID:5656
- C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
  C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
  2⤵
  PID:2184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe .
1⤵
PID:2964
- C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe
  C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:920
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\ihaqnidrpjfyvaclqpiy.exe*."
    3⤵
    PID:608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe
1⤵
PID:3064
- C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe
  C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe
  2⤵
  PID:4412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe .
1⤵
PID:2336
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4956
- C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe
  C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe .
  2⤵
  - Checks computer location settings
  PID:444
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\upeqjarbvldslmkp.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ihaqnidrpjfyvaclqpiy.exe
1⤵
PID:3952
- C:\Windows\ihaqnidrpjfyvaclqpiy.exe
  ihaqnidrpjfyvaclqpiy.exe
  2⤵
  PID:532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c khymhatfbtnezccjmj.exe .
1⤵
PID:4916
- C:\Windows\khymhatfbtnezccjmj.exe
  khymhatfbtnezccjmj.exe .
  2⤵
  PID:5400
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\khymhatfbtnezccjmj.exe*."
    3⤵
    PID:2884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vtlawqkxuniawabjnld.exe
1⤵
PID:2904
- C:\Windows\vtlawqkxuniawabjnld.exe
  vtlawqkxuniawabjnld.exe
  2⤵
  PID:3552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ihaqnidrpjfyvaclqpiy.exe .
1⤵
PID:4112
- C:\Windows\ihaqnidrpjfyvaclqpiy.exe
  ihaqnidrpjfyvaclqpiy.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1404
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ihaqnidrpjfyvaclqpiy.exe*."
    3⤵
    PID:5020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
1⤵
PID:3460
- C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
  C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
  2⤵
  PID:5312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe .
1⤵
PID:1148
- C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe
  C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:424
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\vtlawqkxuniawabjnld.exe*."
    3⤵
    PID:1224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
1⤵
PID:5396
- C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
  C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
  2⤵
  PID:3456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe .
1⤵
PID:1720
- C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
  C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe .
  2⤵
  - Checks computer location settings
  PID:4168
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\xxrigcynmheywcfpvvpge.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c upeqjarbvldslmkp.exe
1⤵
PID:5568
- C:\Windows\upeqjarbvldslmkp.exe
  upeqjarbvldslmkp.exe
  2⤵
  PID:888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ihaqnidrpjfyvaclqpiy.exe .
1⤵
PID:4900
- C:\Windows\ihaqnidrpjfyvaclqpiy.exe
  ihaqnidrpjfyvaclqpiy.exe .
  2⤵
  - Checks computer location settings
  PID:536
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ihaqnidrpjfyvaclqpiy.exe*."
    3⤵
    PID:3496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vtlawqkxuniawabjnld.exe
1⤵
PID:4744
- C:\Windows\vtlawqkxuniawabjnld.exe
  vtlawqkxuniawabjnld.exe
  2⤵
  PID:3908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xxrigcynmheywcfpvvpge.exe .
1⤵
PID:3676
- C:\Windows\xxrigcynmheywcfpvvpge.exe
  xxrigcynmheywcfpvvpge.exe .
  2⤵
  - Checks computer location settings
  PID:2996
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xxrigcynmheywcfpvvpge.exe*."
    3⤵
    PID:3592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
1⤵
PID:5256
- C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
  C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
  2⤵
  PID:4976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khymhatfbtnezccjmj.exe .
1⤵
PID:1496
- C:\Users\Admin\AppData\Local\Temp\khymhatfbtnezccjmj.exe
  C:\Users\Admin\AppData\Local\Temp\khymhatfbtnezccjmj.exe .
  2⤵
  PID:1200
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\khymhatfbtnezccjmj.exe*."
    3⤵
    PID:5924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ihaqnidrpjfyvaclqpiy.exe
1⤵
PID:1928
- C:\Windows\ihaqnidrpjfyvaclqpiy.exe
  ihaqnidrpjfyvaclqpiy.exe
  2⤵
  PID:2100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
1⤵
PID:4532
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4708
- C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
  C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
  2⤵
  PID:4772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c upeqjarbvldslmkp.exe
1⤵
PID:5288
- C:\Windows\upeqjarbvldslmkp.exe
  upeqjarbvldslmkp.exe
  2⤵
  PID:5108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vtlawqkxuniawabjnld.exe .
1⤵
PID:5224
- C:\Windows\vtlawqkxuniawabjnld.exe
  vtlawqkxuniawabjnld.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5160
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\vtlawqkxuniawabjnld.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe .
1⤵
PID:4548
- C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
  C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5836
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\bxnaumepkbukegfln.exe*."
    3⤵
    PID:5324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xxrigcynmheywcfpvvpge.exe
1⤵
PID:5068
- C:\Windows\xxrigcynmheywcfpvvpge.exe
  xxrigcynmheywcfpvvpge.exe
  2⤵
  PID:2964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c upeqjarbvldslmkp.exe .
1⤵
PID:216
- C:\Windows\upeqjarbvldslmkp.exe
  upeqjarbvldslmkp.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4972
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\upeqjarbvldslmkp.exe*."
    3⤵
    PID:3516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c khymhatfbtnezccjmj.exe .
1⤵
PID:3968
- C:\Windows\khymhatfbtnezccjmj.exe
  khymhatfbtnezccjmj.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4644
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\khymhatfbtnezccjmj.exe*."
    3⤵
    PID:4580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
1⤵
PID:4940
- C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
  C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
  2⤵
  PID:2080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ihaqnidrpjfyvaclqpiy.exe
1⤵
PID:2772
- C:\Windows\ihaqnidrpjfyvaclqpiy.exe
  ihaqnidrpjfyvaclqpiy.exe
  2⤵
  PID:4916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khymhatfbtnezccjmj.exe .
1⤵
PID:3412
- C:\Users\Admin\AppData\Local\Temp\khymhatfbtnezccjmj.exe
  C:\Users\Admin\AppData\Local\Temp\khymhatfbtnezccjmj.exe .
  2⤵
  - Checks computer location settings
  PID:2448
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\khymhatfbtnezccjmj.exe*."
    3⤵
    PID:2736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c khymhatfbtnezccjmj.exe .
1⤵
PID:4412
- C:\Windows\khymhatfbtnezccjmj.exe
  khymhatfbtnezccjmj.exe .
  2⤵
  PID:868
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\khymhatfbtnezccjmj.exe*."
    3⤵
    PID:5108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe
1⤵
PID:5200
- C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe
  C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe
  2⤵
  PID:1524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe .
1⤵
PID:1400
- C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe
  C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe .
  2⤵
  - Checks computer location settings
  PID:844
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\vtlawqkxuniawabjnld.exe*."
    3⤵
    PID:1252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
1⤵
PID:3852
- C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
  C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
  2⤵
  PID:5020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vtlawqkxuniawabjnld.exe
1⤵
PID:1088
- C:\Windows\vtlawqkxuniawabjnld.exe
  vtlawqkxuniawabjnld.exe
  2⤵
  PID:4636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe .
1⤵
PID:2660
- C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe
  C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe .
  2⤵
  - Checks computer location settings
  PID:6120
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\vtlawqkxuniawabjnld.exe*."
    3⤵
    PID:5976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
1⤵
PID:4044
- C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
  C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
  2⤵
  PID:5292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vtlawqkxuniawabjnld.exe .
1⤵
PID:5620
- C:\Windows\vtlawqkxuniawabjnld.exe
  vtlawqkxuniawabjnld.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5424
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\vtlawqkxuniawabjnld.exe*."
    3⤵
    PID:976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe .
1⤵
PID:892
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5832
- C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
  C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5564
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\bxnaumepkbukegfln.exe*."
    3⤵
    PID:5716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxnaumepkbukegfln.exe
1⤵
PID:2596
- C:\Windows\bxnaumepkbukegfln.exe
  bxnaumepkbukegfln.exe
  2⤵
  PID:3216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c khymhatfbtnezccjmj.exe .
1⤵
PID:3484
- C:\Windows\khymhatfbtnezccjmj.exe
  khymhatfbtnezccjmj.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3580
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\khymhatfbtnezccjmj.exe*."
    3⤵
    PID:4556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khymhatfbtnezccjmj.exe
1⤵
PID:2552
- C:\Users\Admin\AppData\Local\Temp\khymhatfbtnezccjmj.exe
  C:\Users\Admin\AppData\Local\Temp\khymhatfbtnezccjmj.exe
  2⤵
  PID:4012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe .
1⤵
PID:3408
- C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe
  C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe .
  2⤵
  - Checks computer location settings
  PID:5840
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\upeqjarbvldslmkp.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe
1⤵
PID:2304
- C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe
  C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe
  2⤵
  PID:724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe .
1⤵
PID:4788
- C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe
  C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe .
  2⤵
  - Checks computer location settings
  PID:5516
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\upeqjarbvldslmkp.exe*."
    3⤵
    PID:5560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xxrigcynmheywcfpvvpge.exe
1⤵
PID:1516
- C:\Windows\xxrigcynmheywcfpvvpge.exe
  xxrigcynmheywcfpvvpge.exe
  2⤵
  PID:4500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ihaqnidrpjfyvaclqpiy.exe .
1⤵
PID:5348
- C:\Windows\ihaqnidrpjfyvaclqpiy.exe
  ihaqnidrpjfyvaclqpiy.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4928
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ihaqnidrpjfyvaclqpiy.exe*."
    3⤵
    PID:4776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ihaqnidrpjfyvaclqpiy.exe
1⤵
PID:2464
- C:\Windows\ihaqnidrpjfyvaclqpiy.exe
  ihaqnidrpjfyvaclqpiy.exe
  2⤵
  PID:3492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxnaumepkbukegfln.exe .
1⤵
PID:3332
- C:\Windows\bxnaumepkbukegfln.exe
  bxnaumepkbukegfln.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2664
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\bxnaumepkbukegfln.exe*."
    3⤵
    PID:1412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe
1⤵
PID:3320
- C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe
  C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe
  2⤵
  PID:1836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe .
1⤵
PID:5268
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4920
- C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
  C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4280
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\bxnaumepkbukegfln.exe*."
    3⤵
    PID:952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe
1⤵
PID:2144
- C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe
  C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe
  2⤵
  PID:5236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe .
1⤵
PID:2024
- C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe
  C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:208
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\upeqjarbvldslmkp.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c upeqjarbvldslmkp.exe
1⤵
PID:2924
- C:\Windows\upeqjarbvldslmkp.exe
  upeqjarbvldslmkp.exe
  2⤵
  PID:4400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vtlawqkxuniawabjnld.exe .
1⤵
PID:5260
- C:\Windows\vtlawqkxuniawabjnld.exe
  vtlawqkxuniawabjnld.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3260
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\vtlawqkxuniawabjnld.exe*."
    3⤵
    PID:5444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c upeqjarbvldslmkp.exe
1⤵
PID:2568
- C:\Windows\upeqjarbvldslmkp.exe
  upeqjarbvldslmkp.exe
  2⤵
  PID:4568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c upeqjarbvldslmkp.exe .
1⤵
PID:888
- C:\Windows\upeqjarbvldslmkp.exe
  upeqjarbvldslmkp.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3216
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\upeqjarbvldslmkp.exe*."
    3⤵
    PID:5804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe
1⤵
PID:1980
- C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe
  C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe
  2⤵
  PID:3928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe .
1⤵
PID:1356
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5716
- C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe
  C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4620
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\vtlawqkxuniawabjnld.exe*."
    3⤵
    PID:2900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
1⤵
PID:5812
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5524
- C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
  C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
  2⤵
  PID:4596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe .
1⤵
PID:3256
- C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe
  C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2304
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\vtlawqkxuniawabjnld.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c khymhatfbtnezccjmj.exe
1⤵
PID:244
- C:\Windows\khymhatfbtnezccjmj.exe
  khymhatfbtnezccjmj.exe
  2⤵
  PID:1200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vtlawqkxuniawabjnld.exe .
1⤵
PID:5072
- C:\Windows\vtlawqkxuniawabjnld.exe
  vtlawqkxuniawabjnld.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1648
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\vtlawqkxuniawabjnld.exe*."
    3⤵
    PID:3100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ihaqnidrpjfyvaclqpiy.exe
1⤵
PID:4156
- C:\Windows\ihaqnidrpjfyvaclqpiy.exe
  ihaqnidrpjfyvaclqpiy.exe
  2⤵
  PID:3612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xxrigcynmheywcfpvvpge.exe .
1⤵
PID:1168
- C:\Windows\xxrigcynmheywcfpvvpge.exe
  xxrigcynmheywcfpvvpge.exe .
  2⤵
  - Checks computer location settings
  PID:1992
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xxrigcynmheywcfpvvpge.exe*."
    3⤵
    PID:1652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khymhatfbtnezccjmj.exe
1⤵
PID:5540
- C:\Users\Admin\AppData\Local\Temp\khymhatfbtnezccjmj.exe
  C:\Users\Admin\AppData\Local\Temp\khymhatfbtnezccjmj.exe
  2⤵
  PID:5148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe .
1⤵
PID:2792
- C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe
  C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1040
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\vtlawqkxuniawabjnld.exe*."
    3⤵
    PID:4928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khymhatfbtnezccjmj.exe
1⤵
PID:3984
- C:\Users\Admin\AppData\Local\Temp\khymhatfbtnezccjmj.exe
  C:\Users\Admin\AppData\Local\Temp\khymhatfbtnezccjmj.exe
  2⤵
  PID:2096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe .
1⤵
PID:1032
- C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
  C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4728
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\xxrigcynmheywcfpvvpge.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c khymhatfbtnezccjmj.exe
1⤵
PID:4860
- C:\Windows\khymhatfbtnezccjmj.exe
  khymhatfbtnezccjmj.exe
  2⤵
  PID:3332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c upeqjarbvldslmkp.exe .
1⤵
PID:1632
- C:\Windows\upeqjarbvldslmkp.exe
  upeqjarbvldslmkp.exe .
  2⤵
  - Checks computer location settings
  PID:5900
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\upeqjarbvldslmkp.exe*."
    3⤵
    PID:4940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c upeqjarbvldslmkp.exe
1⤵
PID:5040
- C:\Windows\upeqjarbvldslmkp.exe
  upeqjarbvldslmkp.exe
  2⤵
  PID:5340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c khymhatfbtnezccjmj.exe .
1⤵
PID:4484
- C:\Windows\khymhatfbtnezccjmj.exe
  khymhatfbtnezccjmj.exe .
  2⤵
  - Checks computer location settings
  PID:4260
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\khymhatfbtnezccjmj.exe*."
    3⤵
    PID:608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe
1⤵
PID:208
- C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe
  C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe
  2⤵
  PID:1756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe .
1⤵
PID:3456
- C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
  C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3412
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\bxnaumepkbukegfln.exe*."
    3⤵
    PID:3604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe
1⤵
PID:2028
- C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe
  C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe
  2⤵
  PID:5180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe .
1⤵
PID:3208
- C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
  C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4152
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\xxrigcynmheywcfpvvpge.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ihaqnidrpjfyvaclqpiy.exe
1⤵
PID:4832
- C:\Windows\ihaqnidrpjfyvaclqpiy.exe
  ihaqnidrpjfyvaclqpiy.exe
  2⤵
  PID:1612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ihaqnidrpjfyvaclqpiy.exe .
1⤵
PID:976
- C:\Windows\ihaqnidrpjfyvaclqpiy.exe
  ihaqnidrpjfyvaclqpiy.exe .
  2⤵
  PID:3528
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ihaqnidrpjfyvaclqpiy.exe*."
    3⤵
    PID:1404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c khymhatfbtnezccjmj.exe
1⤵
PID:652
- C:\Windows\khymhatfbtnezccjmj.exe
  khymhatfbtnezccjmj.exe
  2⤵
  PID:5784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xxrigcynmheywcfpvvpge.exe .
1⤵
PID:724
- C:\Windows\xxrigcynmheywcfpvvpge.exe
  xxrigcynmheywcfpvvpge.exe .
  2⤵
  PID:4276
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xxrigcynmheywcfpvvpge.exe*."
    3⤵
    PID:752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe
1⤵
PID:3304
- C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe
  C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe
  2⤵
  PID:5088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe .
1⤵
PID:3256
- C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe
  C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe .
  2⤵
  PID:2512
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\vtlawqkxuniawabjnld.exe*."
    3⤵
    PID:1868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
1⤵
PID:4716
- C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
  C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
  2⤵
  PID:5464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe .
1⤵
PID:2308
- C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe
  C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe .
  2⤵
  PID:4320
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\upeqjarbvldslmkp.exe*."
    3⤵
    PID:2432

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c khymhatfbtnezccjmj.exe
1⤵
PID:4436
- C:\Windows\khymhatfbtnezccjmj.exe
  khymhatfbtnezccjmj.exe
  2⤵
  PID:5612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vtlawqkxuniawabjnld.exe
1⤵
PID:4776
- C:\Windows\vtlawqkxuniawabjnld.exe
  vtlawqkxuniawabjnld.exe
  2⤵
  PID:1700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c upeqjarbvldslmkp.exe .
1⤵
PID:3984
- C:\Windows\upeqjarbvldslmkp.exe
  upeqjarbvldslmkp.exe .
  2⤵
  PID:4728
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\upeqjarbvldslmkp.exe*."
    3⤵
    PID:5152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c khymhatfbtnezccjmj.exe .
1⤵
PID:3676
- C:\Windows\khymhatfbtnezccjmj.exe
  khymhatfbtnezccjmj.exe .
  2⤵
  PID:548
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\khymhatfbtnezccjmj.exe*."
    3⤵
    PID:1600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xxrigcynmheywcfpvvpge.exe
1⤵
PID:5788
- C:\Windows\xxrigcynmheywcfpvvpge.exe
  xxrigcynmheywcfpvvpge.exe
  2⤵
  PID:5896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xxrigcynmheywcfpvvpge.exe
1⤵
PID:2080
- C:\Windows\xxrigcynmheywcfpvvpge.exe
  xxrigcynmheywcfpvvpge.exe
  2⤵
  PID:844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ihaqnidrpjfyvaclqpiy.exe .
1⤵
PID:5188
- C:\Windows\ihaqnidrpjfyvaclqpiy.exe
  ihaqnidrpjfyvaclqpiy.exe .
  2⤵
  PID:6128
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ihaqnidrpjfyvaclqpiy.exe*."
    3⤵
    PID:4824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xxrigcynmheywcfpvvpge.exe
1⤵
PID:460
- C:\Windows\xxrigcynmheywcfpvvpge.exe
  xxrigcynmheywcfpvvpge.exe
  2⤵
  PID:3560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
1⤵
PID:1844
- C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
  C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
  2⤵
  PID:5768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c khymhatfbtnezccjmj.exe .
1⤵
PID:2864
- C:\Windows\khymhatfbtnezccjmj.exe
  khymhatfbtnezccjmj.exe .
  2⤵
  PID:3936
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\khymhatfbtnezccjmj.exe*."
    3⤵
    PID:4736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xxrigcynmheywcfpvvpge.exe .
1⤵
PID:760
- C:\Windows\xxrigcynmheywcfpvvpge.exe
  xxrigcynmheywcfpvvpge.exe .
  2⤵
  PID:4620
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xxrigcynmheywcfpvvpge.exe*."
    3⤵
    PID:2008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe .
1⤵
PID:5448
- C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
  C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe .
  2⤵
  PID:2436
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\xxrigcynmheywcfpvvpge.exe*."
    3⤵
    PID:2164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
1⤵
PID:3032
- C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
  C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
  2⤵
  PID:4744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe .
1⤵
PID:5008
- C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe
  C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe .
  2⤵
  PID:4688
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\ihaqnidrpjfyvaclqpiy.exe*."
    3⤵
    PID:4032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ihaqnidrpjfyvaclqpiy.exe
1⤵
PID:6112
- C:\Windows\ihaqnidrpjfyvaclqpiy.exe
  ihaqnidrpjfyvaclqpiy.exe
  2⤵
  PID:3304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c khymhatfbtnezccjmj.exe .
1⤵
PID:3928
- C:\Windows\khymhatfbtnezccjmj.exe
  khymhatfbtnezccjmj.exe .
  2⤵
  PID:3392
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\khymhatfbtnezccjmj.exe*."
    3⤵
    PID:2264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
1⤵
PID:2952
- C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
  C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
  2⤵
  PID:4396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
1⤵
PID:5804
- C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
  C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
  2⤵
  PID:5852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe .
1⤵
PID:5792
- C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe
  C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe .
  2⤵
  PID:5072
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\vtlawqkxuniawabjnld.exe*."
    3⤵
    PID:5268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
1⤵
PID:5704
- C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
  C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
  2⤵
  PID:3248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe .
1⤵
PID:4168
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:976
- C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
  C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe .
  2⤵
  PID:4948
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\bxnaumepkbukegfln.exe*."
    3⤵
    PID:3408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe .
1⤵
PID:1744
- C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe
  C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe .
  2⤵
  PID:5764
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\upeqjarbvldslmkp.exe*."
    3⤵
    PID:5012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khymhatfbtnezccjmj.exe
1⤵
PID:4872
- C:\Users\Admin\AppData\Local\Temp\khymhatfbtnezccjmj.exe
  C:\Users\Admin\AppData\Local\Temp\khymhatfbtnezccjmj.exe
  2⤵
  PID:2604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe .
1⤵
PID:4720
- C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe
  C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe .
  2⤵
  PID:4476
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\vtlawqkxuniawabjnld.exe*."
    3⤵
    PID:1264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vtlawqkxuniawabjnld.exe
1⤵
PID:1520
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1040
- C:\Windows\vtlawqkxuniawabjnld.exe
  vtlawqkxuniawabjnld.exe
  2⤵
  PID:2056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ihaqnidrpjfyvaclqpiy.exe .
1⤵
PID:4856
- C:\Windows\ihaqnidrpjfyvaclqpiy.exe
  ihaqnidrpjfyvaclqpiy.exe .
  2⤵
  PID:228
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ihaqnidrpjfyvaclqpiy.exe*."
    3⤵
    PID:4912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c upeqjarbvldslmkp.exe
1⤵
PID:3972
- C:\Windows\upeqjarbvldslmkp.exe
  upeqjarbvldslmkp.exe
  2⤵
  PID:396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ihaqnidrpjfyvaclqpiy.exe .
1⤵
PID:4464
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:6076
- C:\Windows\ihaqnidrpjfyvaclqpiy.exe
  ihaqnidrpjfyvaclqpiy.exe .
  2⤵
  PID:4696
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ihaqnidrpjfyvaclqpiy.exe*."
    3⤵
    PID:4992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe
1⤵
PID:3908
- C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe
  C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe
  2⤵
  PID:2432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khymhatfbtnezccjmj.exe .
1⤵
PID:1660
- C:\Users\Admin\AppData\Local\Temp\khymhatfbtnezccjmj.exe
  C:\Users\Admin\AppData\Local\Temp\khymhatfbtnezccjmj.exe .
  2⤵
  PID:2080
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\khymhatfbtnezccjmj.exe*."
    3⤵
    PID:1048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
1⤵
PID:5632
- C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
  C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
  2⤵
  PID:5036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe .
1⤵
PID:5284
- C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
  C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe .
  2⤵
  PID:1860
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\xxrigcynmheywcfpvvpge.exe*."
    3⤵
    PID:2164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxnaumepkbukegfln.exe
1⤵
PID:4124
- C:\Windows\bxnaumepkbukegfln.exe
  bxnaumepkbukegfln.exe
  2⤵
  PID:984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xxrigcynmheywcfpvvpge.exe .
1⤵
PID:3076
- C:\Windows\xxrigcynmheywcfpvvpge.exe
  xxrigcynmheywcfpvvpge.exe .
  2⤵
  PID:5688
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xxrigcynmheywcfpvvpge.exe*."
    3⤵
    PID:5392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c upeqjarbvldslmkp.exe
1⤵
PID:2380
- C:\Windows\upeqjarbvldslmkp.exe
  upeqjarbvldslmkp.exe
  2⤵
  PID:4772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ihaqnidrpjfyvaclqpiy.exe .
1⤵
PID:4320
- C:\Windows\ihaqnidrpjfyvaclqpiy.exe
  ihaqnidrpjfyvaclqpiy.exe .
  2⤵
  PID:2308
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ihaqnidrpjfyvaclqpiy.exe*."
    3⤵
    PID:4108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
1⤵
PID:4456
- C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
  C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
  2⤵
  PID:408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe .
1⤵
PID:1516
- C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
  C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe .
  2⤵
  PID:3968
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\bxnaumepkbukegfln.exe*."
    3⤵
    PID:4996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khymhatfbtnezccjmj.exe
1⤵
PID:2408
- C:\Users\Admin\AppData\Local\Temp\khymhatfbtnezccjmj.exe
  C:\Users\Admin\AppData\Local\Temp\khymhatfbtnezccjmj.exe
  2⤵
  PID:4728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe .
1⤵
PID:2028
- C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
  C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe .
  2⤵
  PID:3408
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\bxnaumepkbukegfln.exe*."
    3⤵
    PID:5840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c upeqjarbvldslmkp.exe
1⤵
PID:1744
- C:\Windows\upeqjarbvldslmkp.exe
  upeqjarbvldslmkp.exe
  2⤵
  PID:1172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xxrigcynmheywcfpvvpge.exe .
1⤵
PID:4152
- C:\Windows\xxrigcynmheywcfpvvpge.exe
  xxrigcynmheywcfpvvpge.exe .
  2⤵
  PID:4484
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xxrigcynmheywcfpvvpge.exe*."
    3⤵
    PID:4828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xxrigcynmheywcfpvvpge.exe
1⤵
PID:4916
- C:\Windows\xxrigcynmheywcfpvvpge.exe
  xxrigcynmheywcfpvvpge.exe
  2⤵
  PID:1852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xxrigcynmheywcfpvvpge.exe .
1⤵
PID:1800
- C:\Windows\xxrigcynmheywcfpvvpge.exe
  xxrigcynmheywcfpvvpge.exe .
  2⤵
  PID:5660
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xxrigcynmheywcfpvvpge.exe*."
    3⤵
    PID:756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe
1⤵
PID:4188
- C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe
  C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe
  2⤵
  PID:5180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe .
1⤵
PID:4976
- C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
  C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe .
  2⤵
  PID:5900
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\bxnaumepkbukegfln.exe*."
    3⤵
    PID:3820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
1⤵
PID:3756
- C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
  C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
  2⤵
  PID:5036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe .
1⤵
PID:5584
- C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe
  C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe .
  2⤵
  PID:6060
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\vtlawqkxuniawabjnld.exe*."
    3⤵
    PID:768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xxrigcynmheywcfpvvpge.exe
1⤵
PID:5852
- C:\Windows\xxrigcynmheywcfpvvpge.exe
  xxrigcynmheywcfpvvpge.exe
  2⤵
  PID:3100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vtlawqkxuniawabjnld.exe .
1⤵
PID:4904
- C:\Windows\vtlawqkxuniawabjnld.exe
  vtlawqkxuniawabjnld.exe .
  2⤵
  PID:5356
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\vtlawqkxuniawabjnld.exe*."
    3⤵
    PID:1832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c upeqjarbvldslmkp.exe
1⤵
PID:5448
- C:\Windows\upeqjarbvldslmkp.exe
  upeqjarbvldslmkp.exe
  2⤵
  PID:672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xxrigcynmheywcfpvvpge.exe .
1⤵
PID:5080
- C:\Windows\xxrigcynmheywcfpvvpge.exe
  xxrigcynmheywcfpvvpge.exe .
  2⤵
  PID:3596
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xxrigcynmheywcfpvvpge.exe*."
    3⤵
    PID:4012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe
1⤵
PID:5760
- C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe
  C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe
  2⤵
  PID:4664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khymhatfbtnezccjmj.exe .
1⤵
PID:4456
- C:\Users\Admin\AppData\Local\Temp\khymhatfbtnezccjmj.exe
  C:\Users\Admin\AppData\Local\Temp\khymhatfbtnezccjmj.exe .
  2⤵
  PID:3460
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\khymhatfbtnezccjmj.exe*."
    3⤵
    PID:464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khymhatfbtnezccjmj.exe
1⤵
PID:1920
- C:\Users\Admin\AppData\Local\Temp\khymhatfbtnezccjmj.exe
  C:\Users\Admin\AppData\Local\Temp\khymhatfbtnezccjmj.exe
  2⤵
  PID:3444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe .
1⤵
PID:4680
- C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe
  C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe .
  2⤵
  PID:5992
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\vtlawqkxuniawabjnld.exe*."
    3⤵
    PID:1664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c khymhatfbtnezccjmj.exe
1⤵
PID:4256
- C:\Windows\khymhatfbtnezccjmj.exe
  khymhatfbtnezccjmj.exe
  2⤵
  PID:5012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c upeqjarbvldslmkp.exe .
1⤵
PID:2056
- C:\Windows\upeqjarbvldslmkp.exe
  upeqjarbvldslmkp.exe .
  2⤵
  PID:5560
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\upeqjarbvldslmkp.exe*."
    3⤵
    PID:1980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxnaumepkbukegfln.exe
1⤵
PID:3928
- C:\Windows\bxnaumepkbukegfln.exe
  bxnaumepkbukegfln.exe
  2⤵
  PID:2648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c khymhatfbtnezccjmj.exe .
1⤵
PID:1296
- C:\Windows\khymhatfbtnezccjmj.exe
  khymhatfbtnezccjmj.exe .
  2⤵
  PID:5648
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\khymhatfbtnezccjmj.exe*."
    3⤵
    PID:5372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe
1⤵
PID:5480
- C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe
  C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe
  2⤵
  PID:228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe .
1⤵
PID:4952
- C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe
  C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe .
  2⤵
  PID:3604
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\ihaqnidrpjfyvaclqpiy.exe*."
    3⤵
    PID:460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
1⤵
PID:780
- C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
  C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
  2⤵
  PID:2900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe .
1⤵
PID:5224
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1648
- C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe
  C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe .
  2⤵
  PID:4776
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\vtlawqkxuniawabjnld.exe*."
    3⤵
    PID:4924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c upeqjarbvldslmkp.exe
1⤵
PID:5336
- C:\Windows\upeqjarbvldslmkp.exe
  upeqjarbvldslmkp.exe
  2⤵
  PID:5704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c khymhatfbtnezccjmj.exe .
1⤵
PID:5840
- C:\Windows\khymhatfbtnezccjmj.exe
  khymhatfbtnezccjmj.exe .
  2⤵
  PID:1912
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\khymhatfbtnezccjmj.exe*."
    3⤵
    PID:4252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ihaqnidrpjfyvaclqpiy.exe
1⤵
PID:3252
- C:\Windows\ihaqnidrpjfyvaclqpiy.exe
  ihaqnidrpjfyvaclqpiy.exe
  2⤵
  PID:5824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vtlawqkxuniawabjnld.exe .
1⤵
PID:5256
- C:\Windows\vtlawqkxuniawabjnld.exe
  vtlawqkxuniawabjnld.exe .
  2⤵
  PID:4860
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\vtlawqkxuniawabjnld.exe*."
    3⤵
    PID:3748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
1⤵
PID:2024
- C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
  C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
  2⤵
  PID:2144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe .
1⤵
PID:2860
- C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe
  C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe .
  2⤵
  PID:3076
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\upeqjarbvldslmkp.exe*."
    3⤵
    PID:4972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe
1⤵
PID:4928
- C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe
  C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe
  2⤵
  PID:732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe .
1⤵
PID:2520
- C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe
  C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe .
  2⤵
  PID:2604
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\upeqjarbvldslmkp.exe*."
    3⤵
    PID:5612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxnaumepkbukegfln.exe
1⤵
PID:3444
- C:\Windows\bxnaumepkbukegfln.exe
  bxnaumepkbukegfln.exe
  2⤵
  PID:5884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xxrigcynmheywcfpvvpge.exe
1⤵
PID:3392
- C:\Windows\xxrigcynmheywcfpvvpge.exe
  xxrigcynmheywcfpvvpge.exe
  2⤵
  PID:2076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xxrigcynmheywcfpvvpge.exe .
1⤵
PID:1700
- C:\Windows\xxrigcynmheywcfpvvpge.exe
  xxrigcynmheywcfpvvpge.exe .
  2⤵
  PID:2464
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xxrigcynmheywcfpvvpge.exe*."
    3⤵
    PID:1168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ihaqnidrpjfyvaclqpiy.exe .
1⤵
PID:3984
- C:\Windows\ihaqnidrpjfyvaclqpiy.exe
  ihaqnidrpjfyvaclqpiy.exe .
  2⤵
  PID:5924
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ihaqnidrpjfyvaclqpiy.exe*."
    3⤵
    PID:2168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxnaumepkbukegfln.exe
1⤵
PID:1632
- C:\Windows\bxnaumepkbukegfln.exe
  bxnaumepkbukegfln.exe
  2⤵
  PID:2652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c upeqjarbvldslmkp.exe
1⤵
PID:6092
- C:\Windows\upeqjarbvldslmkp.exe
  upeqjarbvldslmkp.exe
  2⤵
  PID:508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxnaumepkbukegfln.exe
1⤵
PID:4040
- C:\Windows\bxnaumepkbukegfln.exe
  bxnaumepkbukegfln.exe
  2⤵
  PID:1660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vtlawqkxuniawabjnld.exe .
1⤵
PID:2316
- C:\Windows\vtlawqkxuniawabjnld.exe
  vtlawqkxuniawabjnld.exe .
  2⤵
  PID:216
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\vtlawqkxuniawabjnld.exe*."
    3⤵
    PID:4396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c khymhatfbtnezccjmj.exe .
1⤵
PID:568
- C:\Windows\khymhatfbtnezccjmj.exe
  khymhatfbtnezccjmj.exe .
  2⤵
  PID:3880
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\khymhatfbtnezccjmj.exe*."
    3⤵
    PID:6024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ihaqnidrpjfyvaclqpiy.exe .
1⤵
PID:4400
- C:\Windows\ihaqnidrpjfyvaclqpiy.exe
  ihaqnidrpjfyvaclqpiy.exe .
  2⤵
  PID:2300
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ihaqnidrpjfyvaclqpiy.exe*."
    3⤵
    PID:2900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
1⤵
PID:5620
- C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
  C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
  2⤵
  PID:5540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
1⤵
PID:4916
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1604
- C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
  C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
  2⤵
  PID:1320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khymhatfbtnezccjmj.exe .
1⤵
PID:5236
- C:\Users\Admin\AppData\Local\Temp\khymhatfbtnezccjmj.exe
  C:\Users\Admin\AppData\Local\Temp\khymhatfbtnezccjmj.exe .
  2⤵
  PID:4908
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\khymhatfbtnezccjmj.exe*."
    3⤵
    PID:5928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xxrigcynmheywcfpvvpge.exe
1⤵
PID:5480
- C:\Windows\xxrigcynmheywcfpvvpge.exe
  xxrigcynmheywcfpvvpge.exe
  2⤵
  PID:368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe .
1⤵
PID:3036
- C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe
  C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe .
  2⤵
  PID:5376
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\ihaqnidrpjfyvaclqpiy.exe*."
    3⤵
    PID:2864
  - - C:\Users\Admin\AppData\Local\Temp\uequwjq.exe
      "C:\Users\Admin\AppData\Local\Temp\uequwjq.exe" "-C:\Users\Admin\AppData\Local\Temp\tmhufbrhslbtibca.exe"
      4⤵
      PID:2380
  - - C:\Users\Admin\AppData\Local\Temp\uequwjq.exe
      "C:\Users\Admin\AppData\Local\Temp\uequwjq.exe" "-C:\Users\Admin\AppData\Local\Temp\tmhufbrhslbtibca.exe"
      4⤵
      PID:2488
  - - C:\Users\Admin\AppData\Local\Temp\uequwjq.exe
      "C:\Users\Admin\AppData\Local\Temp\uequwjq.exe" "-C:\Users\Admin\AppData\Local\Temp\tmhufbrhslbtibca.exe"
      4⤵
      PID:1480
  - - C:\Users\Admin\AppData\Local\Temp\uequwjq.exe
      "C:\Users\Admin\AppData\Local\Temp\uequwjq.exe" "-C:\Users\Admin\AppData\Local\Temp\tmhufbrhslbtibca.exe"
      4⤵
      PID:1836
  - - C:\Users\Admin\AppData\Local\Temp\uequwjq.exe
      "C:\Users\Admin\AppData\Local\Temp\uequwjq.exe" "-C:\Users\Admin\AppData\Local\Temp\tmhufbrhslbtibca.exe"
      4⤵
      PID:1388
  - - C:\Users\Admin\AppData\Local\Temp\uequwjq.exe
      "C:\Users\Admin\AppData\Local\Temp\uequwjq.exe" "-C:\Users\Admin\AppData\Local\Temp\tmhufbrhslbtibca.exe"
      4⤵
      PID:532
  - - C:\Users\Admin\AppData\Local\Temp\uequwjq.exe
      "C:\Users\Admin\AppData\Local\Temp\uequwjq.exe" "-C:\Users\Admin\AppData\Local\Temp\tmhufbrhslbtibca.exe"
      4⤵
      PID:5692
  - - C:\Users\Admin\AppData\Local\Temp\uequwjq.exe
      "C:\Users\Admin\AppData\Local\Temp\uequwjq.exe" "-C:\Users\Admin\AppData\Local\Temp\tmhufbrhslbtibca.exe"
      4⤵
      PID:3296
  - - C:\Users\Admin\AppData\Local\Temp\uequwjq.exe
      "C:\Users\Admin\AppData\Local\Temp\uequwjq.exe" "-C:\Users\Admin\AppData\Local\Temp\tmhufbrhslbtibca.exe"
      4⤵
      PID:920
  - - C:\Users\Admin\AppData\Local\Temp\uequwjq.exe
      "C:\Users\Admin\AppData\Local\Temp\uequwjq.exe" "-C:\Users\Admin\AppData\Local\Temp\tmhufbrhslbtibca.exe"
      4⤵
      PID:5836
  - - C:\Users\Admin\AppData\Local\Temp\uequwjq.exe
      "C:\Users\Admin\AppData\Local\Temp\uequwjq.exe" "-C:\Users\Admin\AppData\Local\Temp\tmhufbrhslbtibca.exe"
      4⤵
      PID:2884
  - - C:\Users\Admin\AppData\Local\Temp\uequwjq.exe
      "C:\Users\Admin\AppData\Local\Temp\uequwjq.exe" "-C:\Users\Admin\AppData\Local\Temp\tmhufbrhslbtibca.exe"
      4⤵
      PID:552
  - - C:\Users\Admin\AppData\Local\Temp\uequwjq.exe
      "C:\Users\Admin\AppData\Local\Temp\uequwjq.exe" "-C:\Users\Admin\AppData\Local\Temp\tmhufbrhslbtibca.exe"
      4⤵
      PID:5732
  - - C:\Users\Admin\AppData\Local\Temp\uequwjq.exe
      "C:\Users\Admin\AppData\Local\Temp\uequwjq.exe" "-C:\Users\Admin\AppData\Local\Temp\tmhufbrhslbtibca.exe"
      4⤵
      PID:4856
  - - C:\Users\Admin\AppData\Local\Temp\uequwjq.exe
      "C:\Users\Admin\AppData\Local\Temp\uequwjq.exe" "-C:\Users\Admin\AppData\Local\Temp\tmhufbrhslbtibca.exe"
      4⤵
      PID:2432
  - - C:\Users\Admin\AppData\Local\Temp\uequwjq.exe
      "C:\Users\Admin\AppData\Local\Temp\uequwjq.exe" "-C:\Users\Admin\AppData\Local\Temp\tmhufbrhslbtibca.exe"
      4⤵
      PID:2448
  - - C:\Users\Admin\AppData\Local\Temp\uequwjq.exe
      "C:\Users\Admin\AppData\Local\Temp\uequwjq.exe" "-C:\Users\Admin\AppData\Local\Temp\tmhufbrhslbtibca.exe"
      4⤵
      PID:5124
  - - C:\Users\Admin\AppData\Local\Temp\uequwjq.exe
      "C:\Users\Admin\AppData\Local\Temp\uequwjq.exe" "-C:\Users\Admin\AppData\Local\Temp\tmhufbrhslbtibca.exe"
      4⤵
      PID:3852
  - - C:\Users\Admin\AppData\Local\Temp\uequwjq.exe
      "C:\Users\Admin\AppData\Local\Temp\uequwjq.exe" "-C:\Users\Admin\AppData\Local\Temp\tmhufbrhslbtibca.exe"
      4⤵
      PID:3008
  - - C:\Users\Admin\AppData\Local\Temp\uequwjq.exe
      "C:\Users\Admin\AppData\Local\Temp\uequwjq.exe" "-C:\Users\Admin\AppData\Local\Temp\tmhufbrhslbtibca.exe"
      4⤵
      PID:5016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xxrigcynmheywcfpvvpge.exe .
1⤵
PID:1940
- C:\Windows\xxrigcynmheywcfpvvpge.exe
  xxrigcynmheywcfpvvpge.exe .
  2⤵
  PID:4672
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xxrigcynmheywcfpvvpge.exe*."
    3⤵
    PID:5284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe
1⤵
PID:3296
- C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe
  C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe
  2⤵
  PID:4860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe
1⤵
PID:3688
- C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe
  C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe
  2⤵
  PID:6064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe .
1⤵
PID:780
- C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe
  C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe .
  2⤵
  PID:5448
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\vtlawqkxuniawabjnld.exe*."
    3⤵
    PID:3596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe
1⤵
PID:2904
- C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe
  C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe
  2⤵
  PID:2548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe .
1⤵
PID:5444
- C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe
  C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe .
  2⤵
  PID:4820
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\upeqjarbvldslmkp.exe*."
    3⤵
    PID:5812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khymhatfbtnezccjmj.exe .
1⤵
PID:6080
- C:\Users\Admin\AppData\Local\Temp\khymhatfbtnezccjmj.exe
  C:\Users\Admin\AppData\Local\Temp\khymhatfbtnezccjmj.exe .
  2⤵
  PID:4648
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\khymhatfbtnezccjmj.exe*."
    3⤵
    PID:2952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe
1⤵
PID:2884
- C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe
  C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe
  2⤵
  PID:4684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe .
1⤵
PID:5200
- C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
  C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe .
  2⤵
  PID:5312
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\bxnaumepkbukegfln.exe*."
    3⤵
    PID:2604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c upeqjarbvldslmkp.exe
1⤵
PID:2324
- C:\Windows\upeqjarbvldslmkp.exe
  upeqjarbvldslmkp.exe
  2⤵
  PID:3504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c upeqjarbvldslmkp.exe .
1⤵
PID:4660
- C:\Windows\upeqjarbvldslmkp.exe
  upeqjarbvldslmkp.exe .
  2⤵
  PID:2256
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\upeqjarbvldslmkp.exe*."
    3⤵
    PID:1572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wuumcdytjhcztrxakpnnf.exe
1⤵
PID:6104
- C:\Windows\wuumcdytjhcztrxakpnnf.exe
  wuumcdytjhcztrxakpnnf.exe
  2⤵
  PID:2416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c upeqjarbvldslmkp.exe
1⤵
PID:2028
- C:\Windows\upeqjarbvldslmkp.exe
  upeqjarbvldslmkp.exe
  2⤵
  PID:1700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vtlawqkxuniawabjnld.exe .
1⤵
PID:4176
- C:\Windows\vtlawqkxuniawabjnld.exe
  vtlawqkxuniawabjnld.exe .
  2⤵
  PID:1276
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\vtlawqkxuniawabjnld.exe*."
    3⤵
    PID:5104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c auqeqnevhbslbvxwc.exe .
1⤵
PID:1080
- C:\Windows\auqeqnevhbslbvxwc.exe
  auqeqnevhbslbvxwc.exe .
  2⤵
  PID:464
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\auqeqnevhbslbvxwc.exe*."
    3⤵
    PID:5528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khymhatfbtnezccjmj.exe
1⤵
PID:3708
- C:\Users\Admin\AppData\Local\Temp\khymhatfbtnezccjmj.exe
  C:\Users\Admin\AppData\Local\Temp\khymhatfbtnezccjmj.exe
  2⤵
  PID:2432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe .
1⤵
PID:4764
- C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
  C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe .
  2⤵
  PID:5020
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\xxrigcynmheywcfpvvpge.exe*."
    3⤵
    PID:4856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uqoesrkdrngbtptucfb.exe
1⤵
PID:3768
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1252
- C:\Windows\uqoesrkdrngbtptucfb.exe
  uqoesrkdrngbtptucfb.exe
  2⤵
  PID:3880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jebqdbtlytlfwruubd.exe .
1⤵
PID:2436
- C:\Windows\jebqdbtlytlfwruubd.exe
  jebqdbtlytlfwruubd.exe .
  2⤵
  PID:3468
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\jebqdbtlytlfwruubd.exe*."
    3⤵
    PID:2444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wuumcdytjhcztrxakpnnf.exe
1⤵
PID:5788
- C:\Users\Admin\AppData\Local\Temp\wuumcdytjhcztrxakpnnf.exe
  C:\Users\Admin\AppData\Local\Temp\wuumcdytjhcztrxakpnnf.exe
  2⤵
  PID:1600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe
1⤵
PID:1464
- C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe
  C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe
  2⤵
  PID:5400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmhufbrhslbtibca.exe .
1⤵
PID:1048
- C:\Users\Admin\AppData\Local\Temp\tmhufbrhslbtibca.exe
  C:\Users\Admin\AppData\Local\Temp\tmhufbrhslbtibca.exe .
  2⤵
  PID:4636
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\tmhufbrhslbtibca.exe*."
    3⤵
    PID:4924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe .
1⤵
PID:1756
- C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
  C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe .
  2⤵
  PID:3236
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\xxrigcynmheywcfpvvpge.exe*."
    3⤵
    PID:4648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uqoesrkdrngbtptucfb.exe
1⤵
PID:3516
- C:\Users\Admin\AppData\Local\Temp\uqoesrkdrngbtptucfb.exe
  C:\Users\Admin\AppData\Local\Temp\uqoesrkdrngbtptucfb.exe
  2⤵
  PID:2952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmhufbrhslbtibca.exe .
1⤵
PID:3208
- C:\Users\Admin\AppData\Local\Temp\tmhufbrhslbtibca.exe
  C:\Users\Admin\AppData\Local\Temp\tmhufbrhslbtibca.exe .
  2⤵
  PID:3060
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\tmhufbrhslbtibca.exe*."
    3⤵
    PID:1288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxnaumepkbukegfln.exe
1⤵
PID:2228
- C:\Windows\bxnaumepkbukegfln.exe
  bxnaumepkbukegfln.exe
  2⤵
  PID:3240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c khymhatfbtnezccjmj.exe .
1⤵
PID:5840
- C:\Windows\khymhatfbtnezccjmj.exe
  khymhatfbtnezccjmj.exe .
  2⤵
  PID:4704
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\khymhatfbtnezccjmj.exe*."
    3⤵
    PID:1868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ihaqnidrpjfyvaclqpiy.exe
1⤵
PID:3724
- C:\Windows\ihaqnidrpjfyvaclqpiy.exe
  ihaqnidrpjfyvaclqpiy.exe
  2⤵
  PID:6064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxnaumepkbukegfln.exe .
1⤵
PID:4012
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4320
- C:\Windows\bxnaumepkbukegfln.exe
  bxnaumepkbukegfln.exe .
  2⤵
  PID:2076
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\bxnaumepkbukegfln.exe*."
    3⤵
    PID:3572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe
1⤵
PID:2548
- C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe
  C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe
  2⤵
  PID:4548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe .
1⤵
PID:4736
- C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
  C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe .
  2⤵
  PID:768
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\bxnaumepkbukegfln.exe*."
    3⤵
    PID:5008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe
1⤵
PID:3712
- C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe
  C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe
  2⤵
  PID:3392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe .
1⤵
PID:4132
- C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
  C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe .
  2⤵
  PID:5056
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\xxrigcynmheywcfpvvpge.exe*."
    3⤵
    PID:3908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vtlawqkxuniawabjnld.exe
1⤵
PID:1660
- C:\Windows\vtlawqkxuniawabjnld.exe
  vtlawqkxuniawabjnld.exe
  2⤵
  PID:5096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c upeqjarbvldslmkp.exe .
1⤵
PID:4804
- C:\Windows\upeqjarbvldslmkp.exe
  upeqjarbvldslmkp.exe .
  2⤵
  PID:5012
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\upeqjarbvldslmkp.exe*."
    3⤵
    PID:2184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c khymhatfbtnezccjmj.exe
1⤵
PID:4560
- C:\Windows\khymhatfbtnezccjmj.exe
  khymhatfbtnezccjmj.exe
  2⤵
  PID:1172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xxrigcynmheywcfpvvpge.exe .
1⤵
PID:1916
- C:\Windows\xxrigcynmheywcfpvvpge.exe
  xxrigcynmheywcfpvvpge.exe .
  2⤵
  PID:4828
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xxrigcynmheywcfpvvpge.exe*."
    3⤵
    PID:4916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe
1⤵
PID:4036
- C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe
  C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe
  2⤵
  PID:6024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe .
1⤵
PID:224
- C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe
  C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe .
  2⤵
  PID:4436
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\vtlawqkxuniawabjnld.exe*."
    3⤵
    PID:888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c auqeqnevhbslbvxwc.exe
1⤵
PID:5928
- C:\Windows\auqeqnevhbslbvxwc.exe
  auqeqnevhbslbvxwc.exe
  2⤵
  PID:460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hedujjdxmjdzspuwfjgf.exe .
1⤵
PID:5392
- C:\Windows\hedujjdxmjdzspuwfjgf.exe
  hedujjdxmjdzspuwfjgf.exe .
  2⤵
  PID:4044
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\hedujjdxmjdzspuwfjgf.exe*."
    3⤵
    PID:4956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe
1⤵
PID:2532
- C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe
  C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe
  2⤵
  PID:1872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe .
1⤵
PID:2316
- C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
  C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe .
  2⤵
  PID:552
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\bxnaumepkbukegfln.exe*."
    3⤵
    PID:1392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tmhufbrhslbtibca.exe
1⤵
PID:3236
- C:\Windows\tmhufbrhslbtibca.exe
  tmhufbrhslbtibca.exe
  2⤵
  PID:5200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c auqeqnevhbslbvxwc.exe .
1⤵
PID:2152
- C:\Windows\auqeqnevhbslbvxwc.exe
  auqeqnevhbslbvxwc.exe .
  2⤵
  PID:4972
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\auqeqnevhbslbvxwc.exe*."
    3⤵
    PID:1168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jebqdbtlytlfwruubd.exe
1⤵
PID:4048
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5236
- C:\Users\Admin\AppData\Local\Temp\jebqdbtlytlfwruubd.exe
  C:\Users\Admin\AppData\Local\Temp\jebqdbtlytlfwruubd.exe
  2⤵
  PID:1572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hedujjdxmjdzspuwfjgf.exe .
1⤵
PID:5660
- C:\Users\Admin\AppData\Local\Temp\hedujjdxmjdzspuwfjgf.exe
  C:\Users\Admin\AppData\Local\Temp\hedujjdxmjdzspuwfjgf.exe .
  2⤵
  PID:3504
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\hedujjdxmjdzspuwfjgf.exe*."
    3⤵
    PID:4600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmhufbrhslbtibca.exe
1⤵
PID:6080
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5840
- C:\Users\Admin\AppData\Local\Temp\tmhufbrhslbtibca.exe
  C:\Users\Admin\AppData\Local\Temp\tmhufbrhslbtibca.exe
  2⤵
  PID:2960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hedujjdxmjdzspuwfjgf.exe .
1⤵
PID:5812
- C:\Users\Admin\AppData\Local\Temp\hedujjdxmjdzspuwfjgf.exe
  C:\Users\Admin\AppData\Local\Temp\hedujjdxmjdzspuwfjgf.exe .
  2⤵
  PID:5572
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\hedujjdxmjdzspuwfjgf.exe*."
    3⤵
    PID:1612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c khymhatfbtnezccjmj.exe
1⤵
PID:3572
- C:\Windows\khymhatfbtnezccjmj.exe
  khymhatfbtnezccjmj.exe
  2⤵
  PID:3712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c khymhatfbtnezccjmj.exe .
1⤵
PID:536
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3780
- C:\Windows\khymhatfbtnezccjmj.exe
  khymhatfbtnezccjmj.exe .
  2⤵
  PID:2444
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\khymhatfbtnezccjmj.exe*."
    3⤵
    PID:5424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c khymhatfbtnezccjmj.exe
1⤵
PID:2060
- C:\Windows\khymhatfbtnezccjmj.exe
  khymhatfbtnezccjmj.exe
  2⤵
  PID:5044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c khymhatfbtnezccjmj.exe .
1⤵
PID:4848
- C:\Windows\khymhatfbtnezccjmj.exe
  khymhatfbtnezccjmj.exe .
  2⤵
  PID:4624
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\khymhatfbtnezccjmj.exe*."
    3⤵
    PID:1276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
1⤵
PID:3908
- C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
  C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
  2⤵
  PID:4476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe .
1⤵
PID:4652
- C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
  C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe .
  2⤵
  PID:1936
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\xxrigcynmheywcfpvvpge.exe*."
    3⤵
    PID:5364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe
1⤵
PID:3880
- C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe
  C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe
  2⤵
  PID:5552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe .
1⤵
PID:5556
- C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe
  C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe .
  2⤵
  PID:5028
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\vtlawqkxuniawabjnld.exe*."
    3⤵
    PID:1144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c khymhatfbtnezccjmj.exe
1⤵
PID:5260
- C:\Windows\khymhatfbtnezccjmj.exe
  khymhatfbtnezccjmj.exe
  2⤵
  PID:548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c khymhatfbtnezccjmj.exe .
1⤵
PID:2968
- C:\Windows\khymhatfbtnezccjmj.exe
  khymhatfbtnezccjmj.exe .
  2⤵
  PID:3676
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\khymhatfbtnezccjmj.exe*."
    3⤵
    PID:4592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c khymhatfbtnezccjmj.exe
1⤵
PID:976
- C:\Windows\khymhatfbtnezccjmj.exe
  khymhatfbtnezccjmj.exe
  2⤵
  PID:5256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c khymhatfbtnezccjmj.exe .
1⤵
PID:888
- C:\Windows\khymhatfbtnezccjmj.exe
  khymhatfbtnezccjmj.exe .
  2⤵
  PID:4672
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\khymhatfbtnezccjmj.exe*."
    3⤵
    PID:4060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khymhatfbtnezccjmj.exe
1⤵
PID:3592
- C:\Users\Admin\AppData\Local\Temp\khymhatfbtnezccjmj.exe
  C:\Users\Admin\AppData\Local\Temp\khymhatfbtnezccjmj.exe
  2⤵
  PID:4144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe .
1⤵
PID:4628
- C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe
  C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe .
  2⤵
  PID:2096
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\ihaqnidrpjfyvaclqpiy.exe*."
    3⤵
    PID:3944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe
1⤵
PID:5788
- C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe
  C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe
  2⤵
  PID:1912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe .
1⤵
PID:4064
- C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe
  C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe .
  2⤵
  PID:4996
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\ihaqnidrpjfyvaclqpiy.exe*."
    3⤵
    PID:1860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vtlawqkxuniawabjnld.exe
1⤵
PID:1868
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4976
- C:\Windows\vtlawqkxuniawabjnld.exe
  vtlawqkxuniawabjnld.exe
  2⤵
  PID:4108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c upeqjarbvldslmkp.exe .
1⤵
PID:4600
- C:\Windows\upeqjarbvldslmkp.exe
  upeqjarbvldslmkp.exe .
  2⤵
  PID:4088
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\upeqjarbvldslmkp.exe*."
    3⤵
    PID:1292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xxrigcynmheywcfpvvpge.exe
1⤵
PID:3604
- C:\Windows\xxrigcynmheywcfpvvpge.exe
  xxrigcynmheywcfpvvpge.exe
  2⤵
  PID:1596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ihaqnidrpjfyvaclqpiy.exe .
1⤵
PID:3852
- C:\Windows\ihaqnidrpjfyvaclqpiy.exe
  ihaqnidrpjfyvaclqpiy.exe .
  2⤵
  PID:3032
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ihaqnidrpjfyvaclqpiy.exe*."
    3⤵
    PID:4484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe
1⤵
PID:676
- C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe
  C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe
  2⤵
  PID:2380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c upeqjarbvldslmkp.exe
1⤵
PID:5884
- C:\Windows\upeqjarbvldslmkp.exe
  upeqjarbvldslmkp.exe
  2⤵
  PID:4576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khymhatfbtnezccjmj.exe .
1⤵
PID:2712
- C:\Users\Admin\AppData\Local\Temp\khymhatfbtnezccjmj.exe
  C:\Users\Admin\AppData\Local\Temp\khymhatfbtnezccjmj.exe .
  2⤵
  PID:3724
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\khymhatfbtnezccjmj.exe*."
    3⤵
    PID:672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vtlawqkxuniawabjnld.exe .
1⤵
PID:6064
- C:\Windows\vtlawqkxuniawabjnld.exe
  vtlawqkxuniawabjnld.exe .
  2⤵
  PID:1116
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\vtlawqkxuniawabjnld.exe*."
    3⤵
    PID:940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
1⤵
PID:808
- C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
  C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
  2⤵
  PID:3320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe .
1⤵
PID:3908
- C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
  C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe .
  2⤵
  PID:724
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\bxnaumepkbukegfln.exe*."
    3⤵
    PID:4560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxnaumepkbukegfln.exe
1⤵
PID:3888
- C:\Windows\bxnaumepkbukegfln.exe
  bxnaumepkbukegfln.exe
  2⤵
  PID:2060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c upeqjarbvldslmkp.exe
1⤵
PID:5152
- C:\Windows\upeqjarbvldslmkp.exe
  upeqjarbvldslmkp.exe
  2⤵
  PID:5760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xxrigcynmheywcfpvvpge.exe .
1⤵
PID:5104
- C:\Windows\xxrigcynmheywcfpvvpge.exe
  xxrigcynmheywcfpvvpge.exe .
  2⤵
  PID:4656
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xxrigcynmheywcfpvvpge.exe*."
    3⤵
    PID:4828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
1⤵
PID:4836
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2184
- C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
  C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
  2⤵
  PID:2020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ihaqnidrpjfyvaclqpiy.exe .
1⤵
PID:1536
- C:\Windows\ihaqnidrpjfyvaclqpiy.exe
  ihaqnidrpjfyvaclqpiy.exe .
  2⤵
  PID:6140
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ihaqnidrpjfyvaclqpiy.exe*."
    3⤵
    PID:5928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe .
1⤵
PID:3008
- C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
  C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe .
  2⤵
  PID:972
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\bxnaumepkbukegfln.exe*."
    3⤵
    PID:892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c upeqjarbvldslmkp.exe
1⤵
PID:2384
- C:\Windows\upeqjarbvldslmkp.exe
  upeqjarbvldslmkp.exe
  2⤵
  PID:5324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xxrigcynmheywcfpvvpge.exe .
1⤵
PID:1940
- C:\Windows\xxrigcynmheywcfpvvpge.exe
  xxrigcynmheywcfpvvpge.exe .
  2⤵
  PID:4436
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xxrigcynmheywcfpvvpge.exe*."
    3⤵
    PID:5900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khymhatfbtnezccjmj.exe
1⤵
PID:460
- C:\Users\Admin\AppData\Local\Temp\khymhatfbtnezccjmj.exe
  C:\Users\Admin\AppData\Local\Temp\khymhatfbtnezccjmj.exe
  2⤵
  PID:1912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe
1⤵
PID:5584
- C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe
  C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe
  2⤵
  PID:4788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe .
1⤵
PID:4664
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4904
- C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
  C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe .
  2⤵
  PID:4636
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\xxrigcynmheywcfpvvpge.exe*."
    3⤵
    PID:1168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khymhatfbtnezccjmj.exe .
1⤵
PID:976
- C:\Users\Admin\AppData\Local\Temp\khymhatfbtnezccjmj.exe
  C:\Users\Admin\AppData\Local\Temp\khymhatfbtnezccjmj.exe .
  2⤵
  PID:4744
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\khymhatfbtnezccjmj.exe*."
    3⤵
    PID:4820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xxrigcynmheywcfpvvpge.exe
1⤵
PID:5688
- C:\Windows\xxrigcynmheywcfpvvpge.exe
  xxrigcynmheywcfpvvpge.exe
  2⤵
  PID:4812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe
1⤵
PID:2312
- C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe
  C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe
  2⤵
  PID:4600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c khymhatfbtnezccjmj.exe .
1⤵
PID:6112
- C:\Windows\khymhatfbtnezccjmj.exe
  khymhatfbtnezccjmj.exe .
  2⤵
  PID:2960
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\khymhatfbtnezccjmj.exe*."
    3⤵
    PID:2776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe .
1⤵
PID:4776
- C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe
  C:\Users\Admin\AppData\Local\Temp\xxrigcynmheywcfpvvpge.exe .
  2⤵
  PID:2228
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\xxrigcynmheywcfpvvpge.exe*."
    3⤵
    PID:5484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c upeqjarbvldslmkp.exe
1⤵
PID:3612
- C:\Windows\upeqjarbvldslmkp.exe
  upeqjarbvldslmkp.exe
  2⤵
  PID:2080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xxrigcynmheywcfpvvpge.exe .
1⤵
PID:4704
- C:\Windows\xxrigcynmheywcfpvvpge.exe
  xxrigcynmheywcfpvvpge.exe .
  2⤵
  PID:2256
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xxrigcynmheywcfpvvpge.exe*."
    3⤵
    PID:5884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
1⤵
PID:2568
- C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
  C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
  2⤵
  PID:5444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe .
1⤵
PID:1720
- C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe
  C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe .
  2⤵
  PID:568
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\vtlawqkxuniawabjnld.exe*."
    3⤵
    PID:1260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
1⤵
PID:1612
- C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
  C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
  2⤵
  PID:3320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe .
1⤵
PID:4188
- C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
  C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe .
  2⤵
  PID:3304
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\bxnaumepkbukegfln.exe*."
    3⤵
    PID:1200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vtlawqkxuniawabjnld.exe
1⤵
PID:724
- C:\Windows\vtlawqkxuniawabjnld.exe
  vtlawqkxuniawabjnld.exe
  2⤵
  PID:5976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxnaumepkbukegfln.exe .
1⤵
PID:5612
- C:\Windows\bxnaumepkbukegfln.exe
  bxnaumepkbukegfln.exe .
  2⤵
  PID:3908
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\bxnaumepkbukegfln.exe*."
    3⤵
    PID:5804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c upeqjarbvldslmkp.exe
1⤵
PID:3348
- C:\Windows\upeqjarbvldslmkp.exe
  upeqjarbvldslmkp.exe
  2⤵
  PID:2436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ihaqnidrpjfyvaclqpiy.exe .
1⤵
PID:5368
- C:\Windows\ihaqnidrpjfyvaclqpiy.exe
  ihaqnidrpjfyvaclqpiy.exe .
  2⤵
  PID:5012
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ihaqnidrpjfyvaclqpiy.exe*."
    3⤵
    PID:4788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khymhatfbtnezccjmj.exe
1⤵
PID:6008
- C:\Users\Admin\AppData\Local\Temp\khymhatfbtnezccjmj.exe
  C:\Users\Admin\AppData\Local\Temp\khymhatfbtnezccjmj.exe
  2⤵
  PID:4648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khymhatfbtnezccjmj.exe .
1⤵
PID:1660
- C:\Users\Admin\AppData\Local\Temp\khymhatfbtnezccjmj.exe
  C:\Users\Admin\AppData\Local\Temp\khymhatfbtnezccjmj.exe .
  2⤵
  PID:2924
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\khymhatfbtnezccjmj.exe*."
    3⤵
    PID:3768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe
1⤵
PID:1224
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4864
- C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe
  C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe
  2⤵
  PID:4672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe .
1⤵
PID:1988
- C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
  C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe .
  2⤵
  PID:3620
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\bxnaumepkbukegfln.exe*."
    3⤵
    PID:5584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ihaqnidrpjfyvaclqpiy.exe
1⤵
PID:3008
- C:\Windows\ihaqnidrpjfyvaclqpiy.exe
  ihaqnidrpjfyvaclqpiy.exe
  2⤵
  PID:4636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ihaqnidrpjfyvaclqpiy.exe .
1⤵
PID:4804
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3260
- C:\Windows\ihaqnidrpjfyvaclqpiy.exe
  ihaqnidrpjfyvaclqpiy.exe .
  2⤵
  PID:3296
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ihaqnidrpjfyvaclqpiy.exe*."
    3⤵
    PID:4244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xxrigcynmheywcfpvvpge.exe
1⤵
PID:4036
- C:\Windows\xxrigcynmheywcfpvvpge.exe
  xxrigcynmheywcfpvvpge.exe
  2⤵
  PID:1872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c upeqjarbvldslmkp.exe .
1⤵
PID:5660
- C:\Windows\upeqjarbvldslmkp.exe
  upeqjarbvldslmkp.exe .
  2⤵
  PID:3444
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\upeqjarbvldslmkp.exe*."
    3⤵
    PID:3064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe
1⤵
PID:2080
- C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe
  C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe
  2⤵
  PID:3728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe .
1⤵
PID:4044
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2444
- C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe
  C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe .
  2⤵
  PID:4792
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\ihaqnidrpjfyvaclqpiy.exe*."
    3⤵
    PID:4852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe
1⤵
PID:4768
- C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe
  C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe
  2⤵
  PID:4684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khymhatfbtnezccjmj.exe .
1⤵
PID:2256
- C:\Users\Admin\AppData\Local\Temp\khymhatfbtnezccjmj.exe
  C:\Users\Admin\AppData\Local\Temp\khymhatfbtnezccjmj.exe .
  2⤵
  PID:3572
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\khymhatfbtnezccjmj.exe*."
    3⤵
    PID:3580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hedujjdxmjdzspuwfjgf.exe
1⤵
PID:4920
- C:\Windows\hedujjdxmjdzspuwfjgf.exe
  hedujjdxmjdzspuwfjgf.exe
  2⤵
  PID:760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hedujjdxmjdzspuwfjgf.exe .
1⤵
PID:5572
- C:\Windows\hedujjdxmjdzspuwfjgf.exe
  hedujjdxmjdzspuwfjgf.exe .
  2⤵
  PID:1260
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\hedujjdxmjdzspuwfjgf.exe*."
    3⤵
    PID:5924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hedujjdxmjdzspuwfjgf.exe
1⤵
PID:4560
- C:\Windows\hedujjdxmjdzspuwfjgf.exe
  hedujjdxmjdzspuwfjgf.exe
  2⤵
  PID:5316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ihaqnidrpjfyvaclqpiy.exe
1⤵
PID:2488
- C:\Windows\ihaqnidrpjfyvaclqpiy.exe
  ihaqnidrpjfyvaclqpiy.exe
  2⤵
  PID:6112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c auqeqnevhbslbvxwc.exe .
1⤵
PID:1264
- C:\Windows\auqeqnevhbslbvxwc.exe
  auqeqnevhbslbvxwc.exe .
  2⤵
  PID:2484
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\auqeqnevhbslbvxwc.exe*."
    3⤵
    PID:1344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hedujjdxmjdzspuwfjgf.exe
1⤵
PID:3812
- C:\Users\Admin\AppData\Local\Temp\hedujjdxmjdzspuwfjgf.exe
  C:\Users\Admin\AppData\Local\Temp\hedujjdxmjdzspuwfjgf.exe
  2⤵
  PID:4464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxnaumepkbukegfln.exe .
1⤵
PID:5528
- C:\Windows\bxnaumepkbukegfln.exe
  bxnaumepkbukegfln.exe .
  2⤵
  PID:1552
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\bxnaumepkbukegfln.exe*."
    3⤵
    PID:3560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmhufbrhslbtibca.exe .
1⤵
PID:3688
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4040
- C:\Users\Admin\AppData\Local\Temp\tmhufbrhslbtibca.exe
  C:\Users\Admin\AppData\Local\Temp\tmhufbrhslbtibca.exe .
  2⤵
  PID:816
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\tmhufbrhslbtibca.exe*."
    3⤵
    PID:4952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xxrigcynmheywcfpvvpge.exe
1⤵
PID:5644
- C:\Windows\xxrigcynmheywcfpvvpge.exe
  xxrigcynmheywcfpvvpge.exe
  2⤵
  PID:4960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xxrigcynmheywcfpvvpge.exe .
1⤵
PID:752
- C:\Windows\xxrigcynmheywcfpvvpge.exe
  xxrigcynmheywcfpvvpge.exe .
  2⤵
  PID:4132
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xxrigcynmheywcfpvvpge.exe*."
    3⤵
    PID:6060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uqoesrkdrngbtptucfb.exe
1⤵
PID:2396
- C:\Users\Admin\AppData\Local\Temp\uqoesrkdrngbtptucfb.exe
  C:\Users\Admin\AppData\Local\Temp\uqoesrkdrngbtptucfb.exe
  2⤵
  PID:1756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe
1⤵
PID:5552
- C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe
  C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe
  2⤵
  PID:3736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmhufbrhslbtibca.exe .
1⤵
PID:5844
- C:\Users\Admin\AppData\Local\Temp\tmhufbrhslbtibca.exe
  C:\Users\Admin\AppData\Local\Temp\tmhufbrhslbtibca.exe .
  2⤵
  PID:4732
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\tmhufbrhslbtibca.exe*."
    3⤵
    PID:2156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe .
1⤵
PID:1664
- C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe
  C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe .
  2⤵
  PID:4428
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\vtlawqkxuniawabjnld.exe*."
    3⤵
    PID:5284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
1⤵
PID:1148
- C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
  C:\Users\Admin\AppData\Local\Temp\bxnaumepkbukegfln.exe
  2⤵
  PID:5256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe .
1⤵
PID:5464
- C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe
  C:\Users\Admin\AppData\Local\Temp\vtlawqkxuniawabjnld.exe .
  2⤵
  PID:2052
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\vtlawqkxuniawabjnld.exe*."
    3⤵
    PID:1464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxnaumepkbukegfln.exe
1⤵
PID:5516
- C:\Windows\bxnaumepkbukegfln.exe
  bxnaumepkbukegfln.exe
  2⤵
  PID:1940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ihaqnidrpjfyvaclqpiy.exe .
1⤵
PID:4916
- C:\Windows\ihaqnidrpjfyvaclqpiy.exe
  ihaqnidrpjfyvaclqpiy.exe .
  2⤵
  PID:4820
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ihaqnidrpjfyvaclqpiy.exe*."
    3⤵
    PID:2408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ihaqnidrpjfyvaclqpiy.exe
1⤵
PID:2820
- C:\Windows\ihaqnidrpjfyvaclqpiy.exe
  ihaqnidrpjfyvaclqpiy.exe
  2⤵
  PID:5412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vtlawqkxuniawabjnld.exe .
1⤵
PID:4112
- C:\Windows\vtlawqkxuniawabjnld.exe
  vtlawqkxuniawabjnld.exe .
  2⤵
  PID:5836
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\vtlawqkxuniawabjnld.exe*."
    3⤵
    PID:4924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe
1⤵
PID:1476
- C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe
  C:\Users\Admin\AppData\Local\Temp\ihaqnidrpjfyvaclqpiy.exe
  2⤵
  PID:4664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeqjarbvldslmkp.exe .
1⤵
PID:4840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Safe Mode Boot

T1562.009

Modify Registry