pykspa | 3a96625a5ed856e88d45f0ebd21c87b4096c3f2ef3e8fa151b6279f69075e179

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	wdkvbgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	wdkvbgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	sdqaokddcna.exe

Pykspa
Pykspa is a worm spreads via Skype uses DGA and it's written in C++.
worm pykspa
Pykspa family
pykspa

UAC bypass 3 TTPs 27 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	wdkvbgl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wdkvbgl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wdkvbgl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wdkvbgl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wdkvbgl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wdkvbgl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	wdkvbgl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wdkvbgl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe

Detect Pykspa worm 2 IoCs

worm

resource	yara_rule
behavioral2/files/0x00040000000229c8-4.dat	family_pykspa
behavioral2/files/0x0008000000024263-84.dat	family_pykspa

Adds policy Run key to start application 2 TTPs 62 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qbmbludmaly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ytonhatmkfcxuomsvfmhc.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qbmbludmaly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jdxvogyqnhdxtmjoqzfz.exe"	wdkvbgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nbphugsevjzndq = "jdxvogyqnhdxtmjoqzfz.exe"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qbmbludmaly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ldvriyoezrldxojmmt.exe"	wdkvbgl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qbmbludmaly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ldvriyoezrldxojmmt.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qbmbludmaly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wpifxofwslgzumimnva.exe"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nbphugsevjzndq = "vlbvkymatjbrjyrs.exe"	wdkvbgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nbphugsevjzndq = "ytonhatmkfcxuomsvfmhc.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qbmbludmaly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ldvriyoezrldxojmmt.exe"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qbmbludmaly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vlbvkymatjbrjyrs.exe"	wdkvbgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qbmbludmaly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wpifxofwslgzumimnva.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qbmbludmaly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wpifxofwslgzumimnva.exe"	wdkvbgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qbmbludmaly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wpifxofwslgzumimnva.exe"	wdkvbgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nbphugsevjzndq = "wpifxofwslgzumimnva.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nbphugsevjzndq = "wpifxofwslgzumimnva.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nbphugsevjzndq = "ldvriyoezrldxojmmt.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nbphugsevjzndq = "jdxvogyqnhdxtmjoqzfz.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qbmbludmaly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vlbvkymatjbrjyrs.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nbphugsevjzndq = "ytonhatmkfcxuomsvfmhc.exe"	wdkvbgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qbmbludmaly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wpifxofwslgzumimnva.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nbphugsevjzndq = "vlbvkymatjbrjyrs.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nbphugsevjzndq = "ldvriyoezrldxojmmt.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qbmbludmaly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ldvriyoezrldxojmmt.exe"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qbmbludmaly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctkfvkzoizsjcsmon.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nbphugsevjzndq = "ldvriyoezrldxojmmt.exe"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nbphugsevjzndq = "ldvriyoezrldxojmmt.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nbphugsevjzndq = "wpifxofwslgzumimnva.exe"	wdkvbgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nbphugsevjzndq = "ctkfvkzoizsjcsmon.exe"	wdkvbgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nbphugsevjzndq = "wpifxofwslgzumimnva.exe"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wdkvbgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qbmbludmaly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ldvriyoezrldxojmmt.exe"	wdkvbgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nbphugsevjzndq = "jdxvogyqnhdxtmjoqzfz.exe"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nbphugsevjzndq = "jdxvogyqnhdxtmjoqzfz.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qbmbludmaly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vlbvkymatjbrjyrs.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nbphugsevjzndq = "jdxvogyqnhdxtmjoqzfz.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qbmbludmaly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wpifxofwslgzumimnva.exe"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qbmbludmaly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ytonhatmkfcxuomsvfmhc.exe"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nbphugsevjzndq = "ctkfvkzoizsjcsmon.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nbphugsevjzndq = "ytonhatmkfcxuomsvfmhc.exe"	wdkvbgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qbmbludmaly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctkfvkzoizsjcsmon.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qbmbludmaly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ytonhatmkfcxuomsvfmhc.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nbphugsevjzndq = "ytonhatmkfcxuomsvfmhc.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qbmbludmaly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jdxvogyqnhdxtmjoqzfz.exe"	wdkvbgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nbphugsevjzndq = "jdxvogyqnhdxtmjoqzfz.exe"	wdkvbgl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wdkvbgl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qbmbludmaly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wpifxofwslgzumimnva.exe"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sdqaokddcna.exe

Disables RegEdit via registry modification 6 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	sdqaokddcna.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wdkvbgl.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wdkvbgl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wdkvbgl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wdkvbgl.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	vlbvkymatjbrjyrs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	ytonhatmkfcxuomsvfmhc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	wpifxofwslgzumimnva.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	ldvriyoezrldxojmmt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	ctkfvkzoizsjcsmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	ytonhatmkfcxuomsvfmhc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	ldvriyoezrldxojmmt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	ldvriyoezrldxojmmt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	ctkfvkzoizsjcsmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	jdxvogyqnhdxtmjoqzfz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	jdxvogyqnhdxtmjoqzfz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	ctkfvkzoizsjcsmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	ctkfvkzoizsjcsmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	wpifxofwslgzumimnva.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	ytonhatmkfcxuomsvfmhc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	vlbvkymatjbrjyrs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	ytonhatmkfcxuomsvfmhc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	jdxvogyqnhdxtmjoqzfz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	ytonhatmkfcxuomsvfmhc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	vlbvkymatjbrjyrs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	ctkfvkzoizsjcsmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	ldvriyoezrldxojmmt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	wpifxofwslgzumimnva.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	wpifxofwslgzumimnva.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	ctkfvkzoizsjcsmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	ytonhatmkfcxuomsvfmhc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	ctkfvkzoizsjcsmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	sdqaokddcna.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	vlbvkymatjbrjyrs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	ytonhatmkfcxuomsvfmhc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	jdxvogyqnhdxtmjoqzfz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	jdxvogyqnhdxtmjoqzfz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	vlbvkymatjbrjyrs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	ctkfvkzoizsjcsmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	ldvriyoezrldxojmmt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	ctkfvkzoizsjcsmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	vlbvkymatjbrjyrs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	vlbvkymatjbrjyrs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	ytonhatmkfcxuomsvfmhc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	wpifxofwslgzumimnva.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	vlbvkymatjbrjyrs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	jdxvogyqnhdxtmjoqzfz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	ctkfvkzoizsjcsmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	ldvriyoezrldxojmmt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	ytonhatmkfcxuomsvfmhc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	ctkfvkzoizsjcsmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	vlbvkymatjbrjyrs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	vlbvkymatjbrjyrs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	ldvriyoezrldxojmmt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	jdxvogyqnhdxtmjoqzfz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	ctkfvkzoizsjcsmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	wpifxofwslgzumimnva.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	wpifxofwslgzumimnva.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	vlbvkymatjbrjyrs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	wpifxofwslgzumimnva.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	ctkfvkzoizsjcsmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	ytonhatmkfcxuomsvfmhc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	ytonhatmkfcxuomsvfmhc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	jdxvogyqnhdxtmjoqzfz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	JaffaCakes118_92a234749af196d45a4eb656aceb4994.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	wpifxofwslgzumimnva.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	ytonhatmkfcxuomsvfmhc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	jdxvogyqnhdxtmjoqzfz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	wpifxofwslgzumimnva.exe

Executes dropped EXE 64 IoCs

pid	Process
3280	sdqaokddcna.exe
4644	ctkfvkzoizsjcsmon.exe
6024	ldvriyoezrldxojmmt.exe
5208	sdqaokddcna.exe
4912	vlbvkymatjbrjyrs.exe
5044	wpifxofwslgzumimnva.exe
1992	vlbvkymatjbrjyrs.exe
2700	sdqaokddcna.exe
5956	jdxvogyqnhdxtmjoqzfz.exe
1572	vlbvkymatjbrjyrs.exe
2040	sdqaokddcna.exe
3576	ctkfvkzoizsjcsmon.exe
1320	sdqaokddcna.exe
5804	wdkvbgl.exe
3076	wdkvbgl.exe
1448	ldvriyoezrldxojmmt.exe
4968	wpifxofwslgzumimnva.exe
2264	vlbvkymatjbrjyrs.exe
3212	ldvriyoezrldxojmmt.exe
2664	sdqaokddcna.exe
5132	ctkfvkzoizsjcsmon.exe
6076	ldvriyoezrldxojmmt.exe
1936	sdqaokddcna.exe
4632	sdqaokddcna.exe
4824	wpifxofwslgzumimnva.exe
5284	vlbvkymatjbrjyrs.exe
3908	ldvriyoezrldxojmmt.exe
5032	ytonhatmkfcxuomsvfmhc.exe
2080	ytonhatmkfcxuomsvfmhc.exe
2448	jdxvogyqnhdxtmjoqzfz.exe
5416	sdqaokddcna.exe
5292	sdqaokddcna.exe
5836	ctkfvkzoizsjcsmon.exe
5768	sdqaokddcna.exe
3956	ytonhatmkfcxuomsvfmhc.exe
2380	jdxvogyqnhdxtmjoqzfz.exe
4012	wpifxofwslgzumimnva.exe
2320	ctkfvkzoizsjcsmon.exe
5444	sdqaokddcna.exe
5312	sdqaokddcna.exe
228	ctkfvkzoizsjcsmon.exe
4656	sdqaokddcna.exe
5612	ldvriyoezrldxojmmt.exe
3720	jdxvogyqnhdxtmjoqzfz.exe
5632	jdxvogyqnhdxtmjoqzfz.exe
5188	vlbvkymatjbrjyrs.exe
2264	sdqaokddcna.exe
4072	sdqaokddcna.exe
444	vlbvkymatjbrjyrs.exe
2256	ctkfvkzoizsjcsmon.exe
6068	sdqaokddcna.exe
4824	ctkfvkzoizsjcsmon.exe
4992	wpifxofwslgzumimnva.exe
3484	wpifxofwslgzumimnva.exe
5000	sdqaokddcna.exe
848	jdxvogyqnhdxtmjoqzfz.exe
1700	wpifxofwslgzumimnva.exe
4712	ldvriyoezrldxojmmt.exe
5312	ctkfvkzoizsjcsmon.exe
5884	sdqaokddcna.exe
5028	ytonhatmkfcxuomsvfmhc.exe
548	ctkfvkzoizsjcsmon.exe
4260	ctkfvkzoizsjcsmon.exe
4244	ytonhatmkfcxuomsvfmhc.exe

Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	wdkvbgl.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	wdkvbgl.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	wdkvbgl.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	wdkvbgl.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	wdkvbgl.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	wdkvbgl.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

defense_evasion persistence privilege_escalation

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nzlbmwgqfrfr = "wpifxofwslgzumimnva.exe"	wdkvbgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\mzmdpalwmzobq = "ldvriyoezrldxojmmt.exe ."	wdkvbgl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qfunbobogvmbsgy = "ctkfvkzoizsjcsmon.exe"	wdkvbgl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nzlbmwgqfrfr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ytonhatmkfcxuomsvfmhc.exe"	wdkvbgl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nzlbmwgqfrfr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ytonhatmkfcxuomsvfmhc.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vlbvkymatjbrjyrs = "ldvriyoezrldxojmmt.exe ."	wdkvbgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\mzmdpalwmzobq = "ctkfvkzoizsjcsmon.exe ."	wdkvbgl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nzlbmwgqfrfr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vlbvkymatjbrjyrs.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nzlbmwgqfrfr = "ctkfvkzoizsjcsmon.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ldvriyoezrldxojmmt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ldvriyoezrldxojmmt.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nzlbmwgqfrfr = "vlbvkymatjbrjyrs.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\mzmdpalwmzobq = "ytonhatmkfcxuomsvfmhc.exe ."	wdkvbgl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qfunbobogvmbsgy = "wpifxofwslgzumimnva.exe"	wdkvbgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ldvriyoezrldxojmmt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ytonhatmkfcxuomsvfmhc.exe"	wdkvbgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nzlbmwgqfrfr = "ldvriyoezrldxojmmt.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vlbvkymatjbrjyrs = "ctkfvkzoizsjcsmon.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nzlbmwgqfrfr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vlbvkymatjbrjyrs.exe"	wdkvbgl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nzlbmwgqfrfr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wpifxofwslgzumimnva.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qfunbobogvmbsgy = "vlbvkymatjbrjyrs.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ctkfvkzoizsjcsmon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctkfvkzoizsjcsmon.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\mzmdpalwmzobq = "ytonhatmkfcxuomsvfmhc.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ctkfvkzoizsjcsmon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jdxvogyqnhdxtmjoqzfz.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mzmdpalwmzobq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctkfvkzoizsjcsmon.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nzlbmwgqfrfr = "ctkfvkzoizsjcsmon.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qfunbobogvmbsgy = "ctkfvkzoizsjcsmon.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mzmdpalwmzobq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vlbvkymatjbrjyrs.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ldvriyoezrldxojmmt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ldvriyoezrldxojmmt.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mzmdpalwmzobq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wpifxofwslgzumimnva.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mzmdpalwmzobq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ldvriyoezrldxojmmt.exe ."	wdkvbgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ldvriyoezrldxojmmt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vlbvkymatjbrjyrs.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qfunbobogvmbsgy = "wpifxofwslgzumimnva.exe"	wdkvbgl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vlbvkymatjbrjyrs = "wpifxofwslgzumimnva.exe ."	wdkvbgl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nzlbmwgqfrfr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ldvriyoezrldxojmmt.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nzlbmwgqfrfr = "jdxvogyqnhdxtmjoqzfz.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ctkfvkzoizsjcsmon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ldvriyoezrldxojmmt.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\mzmdpalwmzobq = "ctkfvkzoizsjcsmon.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mzmdpalwmzobq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ytonhatmkfcxuomsvfmhc.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nzlbmwgqfrfr = "wpifxofwslgzumimnva.exe"	wdkvbgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nzlbmwgqfrfr = "ldvriyoezrldxojmmt.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ctkfvkzoizsjcsmon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ldvriyoezrldxojmmt.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nzlbmwgqfrfr = "ytonhatmkfcxuomsvfmhc.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ctkfvkzoizsjcsmon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vlbvkymatjbrjyrs.exe ."	wdkvbgl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qfunbobogvmbsgy = "ytonhatmkfcxuomsvfmhc.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qfunbobogvmbsgy = "wpifxofwslgzumimnva.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ctkfvkzoizsjcsmon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ldvriyoezrldxojmmt.exe ."	wdkvbgl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mzmdpalwmzobq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ytonhatmkfcxuomsvfmhc.exe ."	wdkvbgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\mzmdpalwmzobq = "ctkfvkzoizsjcsmon.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nzlbmwgqfrfr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ytonhatmkfcxuomsvfmhc.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qfunbobogvmbsgy = "ctkfvkzoizsjcsmon.exe"	wdkvbgl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qfunbobogvmbsgy = "ldvriyoezrldxojmmt.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qfunbobogvmbsgy = "vlbvkymatjbrjyrs.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qfunbobogvmbsgy = "vlbvkymatjbrjyrs.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qfunbobogvmbsgy = "ldvriyoezrldxojmmt.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nzlbmwgqfrfr = "vlbvkymatjbrjyrs.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nzlbmwgqfrfr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ldvriyoezrldxojmmt.exe"	wdkvbgl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vlbvkymatjbrjyrs = "wpifxofwslgzumimnva.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nzlbmwgqfrfr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wpifxofwslgzumimnva.exe"	wdkvbgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\mzmdpalwmzobq = "jdxvogyqnhdxtmjoqzfz.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ctkfvkzoizsjcsmon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctkfvkzoizsjcsmon.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mzmdpalwmzobq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wpifxofwslgzumimnva.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nzlbmwgqfrfr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ytonhatmkfcxuomsvfmhc.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qfunbobogvmbsgy = "wpifxofwslgzumimnva.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nzlbmwgqfrfr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctkfvkzoizsjcsmon.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ctkfvkzoizsjcsmon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jdxvogyqnhdxtmjoqzfz.exe ."	wdkvbgl.exe

Checks whether UAC is enabled 1 TTPs 36 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdqaokddcna.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdqaokddcna.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdqaokddcna.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdqaokddcna.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wdkvbgl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdqaokddcna.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdqaokddcna.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdqaokddcna.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wdkvbgl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wdkvbgl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdqaokddcna.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdqaokddcna.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdqaokddcna.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wdkvbgl.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe

Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs

Possible Turn off User Account Control's privilege elevation for standard users.

Executable Installer File Permissions Weakness

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	wdkvbgl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	wdkvbgl.exe

Looks up external IP address via web service 8 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
48	www.whatismyip.ca
50	whatismyip.everdot.org
25	www.showmyipaddress.com
33	www.whatismyip.ca
35	whatismyip.everdot.org
41	www.whatismyip.ca
42	whatismyip.everdot.org
45	whatismyipaddress.com

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ldvriyoezrldxojmmt.exe	sdqaokddcna.exe
File created	C:\Windows\SysWOW64\vlbvkymatjbrjyrs.exe	wdkvbgl.exe
File created	C:\Windows\SysWOW64\ctkfvkzoizsjcsmon.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\ytonhatmkfcxuomsvfmhc.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\jdxvogyqnhdxtmjoqzfz.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\jdxvogyqnhdxtmjoqzfz.exe	sdqaokddcna.exe
File created	C:\Windows\SysWOW64\wpifxofwslgzumimnva.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\wpifxofwslgzumimnva.exe	wdkvbgl.exe
File opened for modification	C:\Windows\SysWOW64\vlbvkymatjbrjyrs.exe	sdqaokddcna.exe
File created	C:\Windows\SysWOW64\ytonhatmkfcxuomsvfmhc.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\plhhcwqkjfdzxsrycnvrnn.exe	sdqaokddcna.exe
File created	C:\Windows\SysWOW64\ytonhatmkfcxuomsvfmhc.exe	sdqaokddcna.exe
File created	C:\Windows\SysWOW64\jdxvogyqnhdxtmjoqzfz.exe	sdqaokddcna.exe
File created	C:\Windows\SysWOW64\plhhcwqkjfdzxsrycnvrnn.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\ldvriyoezrldxojmmt.exe	sdqaokddcna.exe
File created	C:\Windows\SysWOW64\vlbvkymatjbrjyrs.exe	sdqaokddcna.exe
File created	C:\Windows\SysWOW64\wpifxofwslgzumimnva.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\ldvriyoezrldxojmmt.exe	sdqaokddcna.exe
File created	C:\Windows\SysWOW64\ytonhatmkfcxuomsvfmhc.exe	sdqaokddcna.exe
File created	C:\Windows\SysWOW64\plhhcwqkjfdzxsrycnvrnn.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\ctkfvkzoizsjcsmon.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\plhhcwqkjfdzxsrycnvrnn.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\ytonhatmkfcxuomsvfmhc.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\plhhcwqkjfdzxsrycnvrnn.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\ytonhatmkfcxuomsvfmhc.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\qfunbobogvmbsgyyvzapexlylyqfwlcqiifjk.ohv	wdkvbgl.exe
File created	C:\Windows\SysWOW64\vlbvkymatjbrjyrs.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\ctkfvkzoizsjcsmon.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\vlbvkymatjbrjyrs.exe	wdkvbgl.exe
File opened for modification	C:\Windows\SysWOW64\ctkfvkzoizsjcsmon.exe	wdkvbgl.exe
File created	C:\Windows\SysWOW64\ldvriyoezrldxojmmt.exe	wdkvbgl.exe
File opened for modification	C:\Windows\SysWOW64\vlbvkymatjbrjyrs.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\plhhcwqkjfdzxsrycnvrnn.exe	sdqaokddcna.exe
File created	C:\Windows\SysWOW64\jdxvogyqnhdxtmjoqzfz.exe	sdqaokddcna.exe
File created	C:\Windows\SysWOW64\jdxvogyqnhdxtmjoqzfz.exe	sdqaokddcna.exe
File created	C:\Windows\SysWOW64\jdxvogyqnhdxtmjoqzfz.exe	sdqaokddcna.exe
File created	C:\Windows\SysWOW64\vlbvkymatjbrjyrs.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\jdxvogyqnhdxtmjoqzfz.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\vlbvkymatjbrjyrs.exe	sdqaokddcna.exe
File created	C:\Windows\SysWOW64\ytonhatmkfcxuomsvfmhc.exe	sdqaokddcna.exe
File created	C:\Windows\SysWOW64\wpifxofwslgzumimnva.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\ytonhatmkfcxuomsvfmhc.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\vlbvkymatjbrjyrs.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\ytonhatmkfcxuomsvfmhc.exe	sdqaokddcna.exe
File created	C:\Windows\SysWOW64\ldvriyoezrldxojmmt.exe	sdqaokddcna.exe
File created	C:\Windows\SysWOW64\ytonhatmkfcxuomsvfmhc.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\vlbvkymatjbrjyrs.exe	sdqaokddcna.exe
File created	C:\Windows\SysWOW64\ldvriyoezrldxojmmt.exe	sdqaokddcna.exe
File created	C:\Windows\SysWOW64\ldvriyoezrldxojmmt.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\wpifxofwslgzumimnva.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\vlbvkymatjbrjyrs.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\wpifxofwslgzumimnva.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\jdxvogyqnhdxtmjoqzfz.exe	sdqaokddcna.exe
File created	C:\Windows\SysWOW64\vlbvkymatjbrjyrs.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\plhhcwqkjfdzxsrycnvrnn.exe	sdqaokddcna.exe
File created	C:\Windows\SysWOW64\ctkfvkzoizsjcsmon.exe	sdqaokddcna.exe
File created	C:\Windows\SysWOW64\wpifxofwslgzumimnva.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\ytonhatmkfcxuomsvfmhc.exe	wdkvbgl.exe
File created	C:\Windows\SysWOW64\vlbvkymatjbrjyrs.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\ldvriyoezrldxojmmt.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\vlbvkymatjbrjyrs.exe	sdqaokddcna.exe
File created	C:\Windows\SysWOW64\ytonhatmkfcxuomsvfmhc.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\ctkfvkzoizsjcsmon.exe	sdqaokddcna.exe
File created	C:\Windows\SysWOW64\vlbvkymatjbrjyrs.exe	sdqaokddcna.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ptxfikmovzfjpszoatjnrzcegi.tzd	wdkvbgl.exe
File opened for modification	C:\Program Files (x86)\qfunbobogvmbsgyyvzapexlylyqfwlcqiifjk.ohv	wdkvbgl.exe
File created	C:\Program Files (x86)\qfunbobogvmbsgyyvzapexlylyqfwlcqiifjk.ohv	wdkvbgl.exe
File opened for modification	C:\Program Files (x86)\ptxfikmovzfjpszoatjnrzcegi.tzd	wdkvbgl.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\vlbvkymatjbrjyrs.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\ytonhatmkfcxuomsvfmhc.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\ctkfvkzoizsjcsmon.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\wpifxofwslgzumimnva.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\jdxvogyqnhdxtmjoqzfz.exe	sdqaokddcna.exe
File created	C:\Windows\ytonhatmkfcxuomsvfmhc.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\ldvriyoezrldxojmmt.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\ctkfvkzoizsjcsmon.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\wpifxofwslgzumimnva.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\ytonhatmkfcxuomsvfmhc.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\plhhcwqkjfdzxsrycnvrnn.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\ldvriyoezrldxojmmt.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\plhhcwqkjfdzxsrycnvrnn.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\ctkfvkzoizsjcsmon.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\ctkfvkzoizsjcsmon.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\ldvriyoezrldxojmmt.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\jdxvogyqnhdxtmjoqzfz.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\ldvriyoezrldxojmmt.exe	wdkvbgl.exe
File opened for modification	C:\Windows\ctkfvkzoizsjcsmon.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\jdxvogyqnhdxtmjoqzfz.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\ctkfvkzoizsjcsmon.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\ldvriyoezrldxojmmt.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\plhhcwqkjfdzxsrycnvrnn.exe	sdqaokddcna.exe
File created	C:\Windows\ldvriyoezrldxojmmt.exe	sdqaokddcna.exe
File created	C:\Windows\ytonhatmkfcxuomsvfmhc.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\ctkfvkzoizsjcsmon.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\ytonhatmkfcxuomsvfmhc.exe	sdqaokddcna.exe
File created	C:\Windows\jdxvogyqnhdxtmjoqzfz.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\ptxfikmovzfjpszoatjnrzcegi.tzd	wdkvbgl.exe
File opened for modification	C:\Windows\ytonhatmkfcxuomsvfmhc.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\ctkfvkzoizsjcsmon.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\jdxvogyqnhdxtmjoqzfz.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\plhhcwqkjfdzxsrycnvrnn.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\plhhcwqkjfdzxsrycnvrnn.exe	wdkvbgl.exe
File created	C:\Windows\qfunbobogvmbsgyyvzapexlylyqfwlcqiifjk.ohv	wdkvbgl.exe
File opened for modification	C:\Windows\jdxvogyqnhdxtmjoqzfz.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\ytonhatmkfcxuomsvfmhc.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\ytonhatmkfcxuomsvfmhc.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\ldvriyoezrldxojmmt.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\wpifxofwslgzumimnva.exe	sdqaokddcna.exe
File created	C:\Windows\wpifxofwslgzumimnva.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\ldvriyoezrldxojmmt.exe	wdkvbgl.exe
File opened for modification	C:\Windows\jdxvogyqnhdxtmjoqzfz.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\ytonhatmkfcxuomsvfmhc.exe	sdqaokddcna.exe
File created	C:\Windows\vlbvkymatjbrjyrs.exe	sdqaokddcna.exe
File created	C:\Windows\ctkfvkzoizsjcsmon.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\ctkfvkzoizsjcsmon.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\jdxvogyqnhdxtmjoqzfz.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\plhhcwqkjfdzxsrycnvrnn.exe	wdkvbgl.exe
File opened for modification	C:\Windows\vlbvkymatjbrjyrs.exe	wdkvbgl.exe
File opened for modification	C:\Windows\ctkfvkzoizsjcsmon.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\ytonhatmkfcxuomsvfmhc.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\vlbvkymatjbrjyrs.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\plhhcwqkjfdzxsrycnvrnn.exe	sdqaokddcna.exe
File created	C:\Windows\ctkfvkzoizsjcsmon.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\vlbvkymatjbrjyrs.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\jdxvogyqnhdxtmjoqzfz.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\ytonhatmkfcxuomsvfmhc.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\jdxvogyqnhdxtmjoqzfz.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\wpifxofwslgzumimnva.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\ctkfvkzoizsjcsmon.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\wpifxofwslgzumimnva.exe	sdqaokddcna.exe
File created	C:\Windows\wpifxofwslgzumimnva.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\plhhcwqkjfdzxsrycnvrnn.exe	sdqaokddcna.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jdxvogyqnhdxtmjoqzfz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctkfvkzoizsjcsmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jdxvogyqnhdxtmjoqzfz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ldvriyoezrldxojmmt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpifxofwslgzumimnva.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jdxvogyqnhdxtmjoqzfz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpifxofwslgzumimnva.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpifxofwslgzumimnva.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpifxofwslgzumimnva.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpifxofwslgzumimnva.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctkfvkzoizsjcsmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpifxofwslgzumimnva.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ytonhatmkfcxuomsvfmhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctkfvkzoizsjcsmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ytonhatmkfcxuomsvfmhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ytonhatmkfcxuomsvfmhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ldvriyoezrldxojmmt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ldvriyoezrldxojmmt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctkfvkzoizsjcsmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpifxofwslgzumimnva.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpifxofwslgzumimnva.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ytonhatmkfcxuomsvfmhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctkfvkzoizsjcsmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ldvriyoezrldxojmmt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vlbvkymatjbrjyrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vlbvkymatjbrjyrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vlbvkymatjbrjyrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ldvriyoezrldxojmmt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ytonhatmkfcxuomsvfmhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctkfvkzoizsjcsmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ldvriyoezrldxojmmt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ldvriyoezrldxojmmt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctkfvkzoizsjcsmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ytonhatmkfcxuomsvfmhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ytonhatmkfcxuomsvfmhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ldvriyoezrldxojmmt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpifxofwslgzumimnva.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wdkvbgl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jdxvogyqnhdxtmjoqzfz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vlbvkymatjbrjyrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctkfvkzoizsjcsmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jdxvogyqnhdxtmjoqzfz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ldvriyoezrldxojmmt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ldvriyoezrldxojmmt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vlbvkymatjbrjyrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctkfvkzoizsjcsmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ytonhatmkfcxuomsvfmhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jdxvogyqnhdxtmjoqzfz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpifxofwslgzumimnva.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctkfvkzoizsjcsmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ytonhatmkfcxuomsvfmhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpifxofwslgzumimnva.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vlbvkymatjbrjyrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ytonhatmkfcxuomsvfmhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vlbvkymatjbrjyrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jdxvogyqnhdxtmjoqzfz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ytonhatmkfcxuomsvfmhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctkfvkzoizsjcsmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ytonhatmkfcxuomsvfmhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctkfvkzoizsjcsmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ytonhatmkfcxuomsvfmhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vlbvkymatjbrjyrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sdqaokddcna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ytonhatmkfcxuomsvfmhc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2172	JaffaCakes118_92a234749af196d45a4eb656aceb4994.exe
2172	JaffaCakes118_92a234749af196d45a4eb656aceb4994.exe
2172	JaffaCakes118_92a234749af196d45a4eb656aceb4994.exe
2172	JaffaCakes118_92a234749af196d45a4eb656aceb4994.exe
2172	JaffaCakes118_92a234749af196d45a4eb656aceb4994.exe
2172	JaffaCakes118_92a234749af196d45a4eb656aceb4994.exe
2172	JaffaCakes118_92a234749af196d45a4eb656aceb4994.exe
2172	JaffaCakes118_92a234749af196d45a4eb656aceb4994.exe
2172	JaffaCakes118_92a234749af196d45a4eb656aceb4994.exe
2172	JaffaCakes118_92a234749af196d45a4eb656aceb4994.exe
2172	JaffaCakes118_92a234749af196d45a4eb656aceb4994.exe
2172	JaffaCakes118_92a234749af196d45a4eb656aceb4994.exe
2172	JaffaCakes118_92a234749af196d45a4eb656aceb4994.exe
2172	JaffaCakes118_92a234749af196d45a4eb656aceb4994.exe
2172	JaffaCakes118_92a234749af196d45a4eb656aceb4994.exe
2172	JaffaCakes118_92a234749af196d45a4eb656aceb4994.exe
5804	wdkvbgl.exe
5804	wdkvbgl.exe
2172	JaffaCakes118_92a234749af196d45a4eb656aceb4994.exe
2172	JaffaCakes118_92a234749af196d45a4eb656aceb4994.exe
2172	JaffaCakes118_92a234749af196d45a4eb656aceb4994.exe
2172	JaffaCakes118_92a234749af196d45a4eb656aceb4994.exe
2172	JaffaCakes118_92a234749af196d45a4eb656aceb4994.exe
2172	JaffaCakes118_92a234749af196d45a4eb656aceb4994.exe
2172	JaffaCakes118_92a234749af196d45a4eb656aceb4994.exe
2172	JaffaCakes118_92a234749af196d45a4eb656aceb4994.exe
2172	JaffaCakes118_92a234749af196d45a4eb656aceb4994.exe
2172	JaffaCakes118_92a234749af196d45a4eb656aceb4994.exe
2172	JaffaCakes118_92a234749af196d45a4eb656aceb4994.exe
2172	JaffaCakes118_92a234749af196d45a4eb656aceb4994.exe
2172	JaffaCakes118_92a234749af196d45a4eb656aceb4994.exe
2172	JaffaCakes118_92a234749af196d45a4eb656aceb4994.exe
2172	JaffaCakes118_92a234749af196d45a4eb656aceb4994.exe
2172	JaffaCakes118_92a234749af196d45a4eb656aceb4994.exe
2172	JaffaCakes118_92a234749af196d45a4eb656aceb4994.exe
2172	JaffaCakes118_92a234749af196d45a4eb656aceb4994.exe
2172	JaffaCakes118_92a234749af196d45a4eb656aceb4994.exe
2172	JaffaCakes118_92a234749af196d45a4eb656aceb4994.exe
2172	JaffaCakes118_92a234749af196d45a4eb656aceb4994.exe
2172	JaffaCakes118_92a234749af196d45a4eb656aceb4994.exe
2172	JaffaCakes118_92a234749af196d45a4eb656aceb4994.exe
2172	JaffaCakes118_92a234749af196d45a4eb656aceb4994.exe
2172	JaffaCakes118_92a234749af196d45a4eb656aceb4994.exe
2172	JaffaCakes118_92a234749af196d45a4eb656aceb4994.exe
2172	JaffaCakes118_92a234749af196d45a4eb656aceb4994.exe
2172	JaffaCakes118_92a234749af196d45a4eb656aceb4994.exe
5804	wdkvbgl.exe
5804	wdkvbgl.exe
2172	JaffaCakes118_92a234749af196d45a4eb656aceb4994.exe
2172	JaffaCakes118_92a234749af196d45a4eb656aceb4994.exe
2172	JaffaCakes118_92a234749af196d45a4eb656aceb4994.exe
2172	JaffaCakes118_92a234749af196d45a4eb656aceb4994.exe
2172	JaffaCakes118_92a234749af196d45a4eb656aceb4994.exe
2172	JaffaCakes118_92a234749af196d45a4eb656aceb4994.exe
2172	JaffaCakes118_92a234749af196d45a4eb656aceb4994.exe
2172	JaffaCakes118_92a234749af196d45a4eb656aceb4994.exe
2172	JaffaCakes118_92a234749af196d45a4eb656aceb4994.exe
2172	JaffaCakes118_92a234749af196d45a4eb656aceb4994.exe
2172	JaffaCakes118_92a234749af196d45a4eb656aceb4994.exe
2172	JaffaCakes118_92a234749af196d45a4eb656aceb4994.exe
2172	JaffaCakes118_92a234749af196d45a4eb656aceb4994.exe
2172	JaffaCakes118_92a234749af196d45a4eb656aceb4994.exe
2172	JaffaCakes118_92a234749af196d45a4eb656aceb4994.exe
2172	JaffaCakes118_92a234749af196d45a4eb656aceb4994.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5804	wdkvbgl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 3280	2172	JaffaCakes118_92a234749af196d45a4eb656aceb4994.exe	88
PID 2172 wrote to memory of 3280	2172	JaffaCakes118_92a234749af196d45a4eb656aceb4994.exe	88
PID 2172 wrote to memory of 3280	2172	JaffaCakes118_92a234749af196d45a4eb656aceb4994.exe	88
PID 4732 wrote to memory of 4644	4732	cmd.exe	93
PID 4732 wrote to memory of 4644	4732	cmd.exe	93
PID 4732 wrote to memory of 4644	4732	cmd.exe	93
PID 4480 wrote to memory of 6024	4480	cmd.exe	96
PID 4480 wrote to memory of 6024	4480	cmd.exe	96
PID 4480 wrote to memory of 6024	4480	cmd.exe	96
PID 6024 wrote to memory of 5208	6024	ldvriyoezrldxojmmt.exe	99
PID 6024 wrote to memory of 5208	6024	ldvriyoezrldxojmmt.exe	99
PID 6024 wrote to memory of 5208	6024	ldvriyoezrldxojmmt.exe	99
PID 2952 wrote to memory of 4912	2952	cmd.exe	102
PID 2952 wrote to memory of 4912	2952	cmd.exe	102
PID 2952 wrote to memory of 4912	2952	cmd.exe	102
PID 4888 wrote to memory of 5044	4888	cmd.exe	105
PID 4888 wrote to memory of 5044	4888	cmd.exe	105
PID 4888 wrote to memory of 5044	4888	cmd.exe	105
PID 4764 wrote to memory of 1992	4764	cmd.exe	108
PID 4764 wrote to memory of 1992	4764	cmd.exe	108
PID 4764 wrote to memory of 1992	4764	cmd.exe	108
PID 5044 wrote to memory of 2700	5044	wpifxofwslgzumimnva.exe	109
PID 5044 wrote to memory of 2700	5044	wpifxofwslgzumimnva.exe	109
PID 5044 wrote to memory of 2700	5044	wpifxofwslgzumimnva.exe	109
PID 4320 wrote to memory of 5956	4320	cmd.exe	111
PID 4320 wrote to memory of 5956	4320	cmd.exe	111
PID 4320 wrote to memory of 5956	4320	cmd.exe	111
PID 5836 wrote to memory of 1572	5836	cmd.exe	116
PID 5836 wrote to memory of 1572	5836	cmd.exe	116
PID 5836 wrote to memory of 1572	5836	cmd.exe	116
PID 5956 wrote to memory of 2040	5956	jdxvogyqnhdxtmjoqzfz.exe	117
PID 5956 wrote to memory of 2040	5956	jdxvogyqnhdxtmjoqzfz.exe	117
PID 5956 wrote to memory of 2040	5956	jdxvogyqnhdxtmjoqzfz.exe	117
PID 876 wrote to memory of 3576	876	cmd.exe	180
PID 876 wrote to memory of 3576	876	cmd.exe	180
PID 876 wrote to memory of 3576	876	cmd.exe	180
PID 3576 wrote to memory of 1320	3576	ctkfvkzoizsjcsmon.exe	120
PID 3576 wrote to memory of 1320	3576	ctkfvkzoizsjcsmon.exe	120
PID 3576 wrote to memory of 1320	3576	ctkfvkzoizsjcsmon.exe	120
PID 3280 wrote to memory of 5804	3280	sdqaokddcna.exe	121
PID 3280 wrote to memory of 5804	3280	sdqaokddcna.exe	121
PID 3280 wrote to memory of 5804	3280	sdqaokddcna.exe	121
PID 3280 wrote to memory of 3076	3280	sdqaokddcna.exe	122
PID 3280 wrote to memory of 3076	3280	sdqaokddcna.exe	122
PID 3280 wrote to memory of 3076	3280	sdqaokddcna.exe	122
PID 5376 wrote to memory of 1448	5376	cmd.exe	127
PID 5376 wrote to memory of 1448	5376	cmd.exe	127
PID 5376 wrote to memory of 1448	5376	cmd.exe	127
PID 5380 wrote to memory of 4968	5380	cmd.exe	313
PID 5380 wrote to memory of 4968	5380	cmd.exe	313
PID 5380 wrote to memory of 4968	5380	cmd.exe	313
PID 2516 wrote to memory of 2264	2516	cmd.exe	199
PID 2516 wrote to memory of 2264	2516	cmd.exe	199
PID 2516 wrote to memory of 2264	2516	cmd.exe	199
PID 3256 wrote to memory of 3212	3256	cmd.exe	347
PID 3256 wrote to memory of 3212	3256	cmd.exe	347
PID 3256 wrote to memory of 3212	3256	cmd.exe	347
PID 2264 wrote to memory of 2664	2264	vlbvkymatjbrjyrs.exe	137
PID 2264 wrote to memory of 2664	2264	vlbvkymatjbrjyrs.exe	137
PID 2264 wrote to memory of 2664	2264	vlbvkymatjbrjyrs.exe	137
PID 5852 wrote to memory of 6076	5852	cmd.exe	147
PID 5852 wrote to memory of 6076	5852	cmd.exe	147
PID 5852 wrote to memory of 6076	5852	cmd.exe	147
PID 1860 wrote to memory of 5132	1860	cmd.exe	146

System policy modification 1 TTPs 64 IoCs

defense_evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wdkvbgl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wdkvbgl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wdkvbgl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	wdkvbgl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	wdkvbgl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	wdkvbgl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	wdkvbgl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	wdkvbgl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	wdkvbgl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	wdkvbgl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wdkvbgl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wdkvbgl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	wdkvbgl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	wdkvbgl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wdkvbgl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	wdkvbgl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wdkvbgl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	wdkvbgl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	wdkvbgl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wdkvbgl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wdkvbgl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wdkvbgl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	wdkvbgl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	wdkvbgl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	sdqaokddcna.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_92a234749af196d45a4eb656aceb4994.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_92a234749af196d45a4eb656aceb4994.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
  "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_92a234749af196d45a4eb656aceb4994.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Hijack Execution Flow: Executable Installer File Permissions Weakness
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3280
- - C:\Users\Admin\AppData\Local\Temp\wdkvbgl.exe
    "C:\Users\Admin\AppData\Local\Temp\wdkvbgl.exe" "-C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:5804
- - C:\Users\Admin\AppData\Local\Temp\wdkvbgl.exe
    "C:\Users\Admin\AppData\Local\Temp\wdkvbgl.exe" "-C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctkfvkzoizsjcsmon.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4732
- C:\Windows\ctkfvkzoizsjcsmon.exe
  ctkfvkzoizsjcsmon.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ldvriyoezrldxojmmt.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:4480
- C:\Windows\ldvriyoezrldxojmmt.exe
  ldvriyoezrldxojmmt.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:6024
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ldvriyoezrldxojmmt.exe*."
    3⤵
    - Executes dropped EXE
    PID:5208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vlbvkymatjbrjyrs.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Windows\vlbvkymatjbrjyrs.exe
  vlbvkymatjbrjyrs.exe
  2⤵
  - Executes dropped EXE
  PID:4912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpifxofwslgzumimnva.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:4888
- C:\Windows\wpifxofwslgzumimnva.exe
  wpifxofwslgzumimnva.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5044
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\wpifxofwslgzumimnva.exe*."
    3⤵
    - Executes dropped EXE
    PID:2700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:4320
- C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe
  C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5956
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\jdxvogyqnhdxtmjoqzfz.exe*."
    3⤵
    - Executes dropped EXE
    PID:2040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5836
- C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
  2⤵
  - Executes dropped EXE
  PID:1572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:876
- C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3576
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\ctkfvkzoizsjcsmon.exe*."
    3⤵
    - Executes dropped EXE
    PID:1320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ldvriyoezrldxojmmt.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5376
- C:\Windows\ldvriyoezrldxojmmt.exe
  ldvriyoezrldxojmmt.exe
  2⤵
  - Executes dropped EXE
  PID:1448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpifxofwslgzumimnva.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5380
- C:\Windows\wpifxofwslgzumimnva.exe
  wpifxofwslgzumimnva.exe
  2⤵
  - Executes dropped EXE
  PID:4968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vlbvkymatjbrjyrs.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Windows\vlbvkymatjbrjyrs.exe
  vlbvkymatjbrjyrs.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\vlbvkymatjbrjyrs.exe*."
    3⤵
    - Executes dropped EXE
    PID:2664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ldvriyoezrldxojmmt.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:3256
- C:\Windows\ldvriyoezrldxojmmt.exe
  ldvriyoezrldxojmmt.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3212
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ldvriyoezrldxojmmt.exe*."
    3⤵
    - Executes dropped EXE
    PID:1936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctkfvkzoizsjcsmon.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Windows\ctkfvkzoizsjcsmon.exe
  ctkfvkzoizsjcsmon.exe
  2⤵
  - Executes dropped EXE
  PID:5132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ldvriyoezrldxojmmt.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:5852
- C:\Windows\ldvriyoezrldxojmmt.exe
  ldvriyoezrldxojmmt.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6076
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ldvriyoezrldxojmmt.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpifxofwslgzumimnva.exe
1⤵
PID:2324
- C:\Windows\wpifxofwslgzumimnva.exe
  wpifxofwslgzumimnva.exe
  2⤵
  - Executes dropped EXE
  PID:4824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ytonhatmkfcxuomsvfmhc.exe .
1⤵
PID:4944
- C:\Windows\ytonhatmkfcxuomsvfmhc.exe
  ytonhatmkfcxuomsvfmhc.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5032
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ytonhatmkfcxuomsvfmhc.exe*."
    3⤵
    - Executes dropped EXE
    PID:5768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
1⤵
PID:1516
- C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
  2⤵
  - Executes dropped EXE
  PID:5284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe .
1⤵
PID:2208
- C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3908
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\ldvriyoezrldxojmmt.exe*."
    3⤵
    - Executes dropped EXE
    PID:5292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe
1⤵
PID:4332
- C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe
  C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe
  2⤵
  - Executes dropped EXE
  PID:2448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe .
1⤵
PID:1916
- C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
  C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2080
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\ytonhatmkfcxuomsvfmhc.exe*."
    3⤵
    - Executes dropped EXE
    PID:5416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe
1⤵
PID:4712
- C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe
  2⤵
  - Executes dropped EXE
  PID:5836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe .
1⤵
PID:4708
- C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe
  C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2380
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\jdxvogyqnhdxtmjoqzfz.exe*."
    3⤵
    - Executes dropped EXE
    PID:5444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe
1⤵
PID:4256
- C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe
  C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe .
1⤵
PID:4612
- C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
  C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3956
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\ytonhatmkfcxuomsvfmhc.exe*."
    3⤵
    - Executes dropped EXE
    PID:5312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctkfvkzoizsjcsmon.exe
1⤵
PID:1124
- C:\Windows\ctkfvkzoizsjcsmon.exe
  ctkfvkzoizsjcsmon.exe
  2⤵
  - Executes dropped EXE
  PID:2320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctkfvkzoizsjcsmon.exe .
1⤵
PID:4300
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3576
- C:\Windows\ctkfvkzoizsjcsmon.exe
  ctkfvkzoizsjcsmon.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:228
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ctkfvkzoizsjcsmon.exe*."
    3⤵
    - Executes dropped EXE
    PID:4656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ldvriyoezrldxojmmt.exe
1⤵
PID:6124
- C:\Windows\ldvriyoezrldxojmmt.exe
  ldvriyoezrldxojmmt.exe
  2⤵
  - Executes dropped EXE
  PID:5612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jdxvogyqnhdxtmjoqzfz.exe .
1⤵
PID:940
- C:\Windows\jdxvogyqnhdxtmjoqzfz.exe
  jdxvogyqnhdxtmjoqzfz.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3720
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\jdxvogyqnhdxtmjoqzfz.exe*."
    3⤵
    - Executes dropped EXE
    PID:2264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe
1⤵
PID:936
- C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe
  C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe
  2⤵
  - Executes dropped EXE
  PID:5632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe .
1⤵
PID:1800
- C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5188
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\vlbvkymatjbrjyrs.exe*."
    3⤵
    - Executes dropped EXE
    PID:4072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
1⤵
PID:2248
- C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
  2⤵
  - Executes dropped EXE
  PID:444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe .
1⤵
PID:5108
- C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2256
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\ctkfvkzoizsjcsmon.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:6068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctkfvkzoizsjcsmon.exe
1⤵
PID:2892
- C:\Windows\ctkfvkzoizsjcsmon.exe
  ctkfvkzoizsjcsmon.exe
  2⤵
  - Executes dropped EXE
  PID:4824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpifxofwslgzumimnva.exe .
1⤵
PID:5412
- C:\Windows\wpifxofwslgzumimnva.exe
  wpifxofwslgzumimnva.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3484
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\wpifxofwslgzumimnva.exe*."
    3⤵
    - Executes dropped EXE
    PID:5000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpifxofwslgzumimnva.exe
1⤵
PID:5984
- C:\Windows\wpifxofwslgzumimnva.exe
  wpifxofwslgzumimnva.exe
  2⤵
  - Executes dropped EXE
  PID:4992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jdxvogyqnhdxtmjoqzfz.exe
1⤵
PID:5284
- C:\Windows\jdxvogyqnhdxtmjoqzfz.exe
  jdxvogyqnhdxtmjoqzfz.exe
  2⤵
  - Executes dropped EXE
  PID:848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ldvriyoezrldxojmmt.exe .
1⤵
PID:5024
- C:\Windows\ldvriyoezrldxojmmt.exe
  ldvriyoezrldxojmmt.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4712
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ldvriyoezrldxojmmt.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpifxofwslgzumimnva.exe
1⤵
PID:4764
- C:\Windows\wpifxofwslgzumimnva.exe
  wpifxofwslgzumimnva.exe
  2⤵
  - Executes dropped EXE
  PID:1700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctkfvkzoizsjcsmon.exe .
1⤵
PID:4396
- C:\Windows\ctkfvkzoizsjcsmon.exe
  ctkfvkzoizsjcsmon.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5312
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ctkfvkzoizsjcsmon.exe*."
    3⤵
    PID:5556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctkfvkzoizsjcsmon.exe .
1⤵
PID:1516
- C:\Windows\ctkfvkzoizsjcsmon.exe
  ctkfvkzoizsjcsmon.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4260
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ctkfvkzoizsjcsmon.exe*."
    3⤵
    PID:4960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctkfvkzoizsjcsmon.exe
1⤵
PID:5040
- C:\Windows\ctkfvkzoizsjcsmon.exe
  ctkfvkzoizsjcsmon.exe
  2⤵
  - Executes dropped EXE
  PID:548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
1⤵
PID:5368
- C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
  C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
  2⤵
  - Executes dropped EXE
  PID:4244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ytonhatmkfcxuomsvfmhc.exe .
1⤵
PID:5104
- C:\Windows\ytonhatmkfcxuomsvfmhc.exe
  ytonhatmkfcxuomsvfmhc.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5028
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ytonhatmkfcxuomsvfmhc.exe*."
    3⤵
    PID:5260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe .
1⤵
PID:4600
- C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe .
  2⤵
  - Checks computer location settings
  PID:4976
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\ldvriyoezrldxojmmt.exe*."
    3⤵
    PID:1524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jdxvogyqnhdxtmjoqzfz.exe
1⤵
PID:408
- C:\Windows\jdxvogyqnhdxtmjoqzfz.exe
  jdxvogyqnhdxtmjoqzfz.exe
  2⤵
  PID:6064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
1⤵
PID:4280
- C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
  C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
  2⤵
  PID:3032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpifxofwslgzumimnva.exe .
1⤵
PID:1276
- C:\Windows\wpifxofwslgzumimnva.exe
  wpifxofwslgzumimnva.exe .
  2⤵
  - Checks computer location settings
  PID:732
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\wpifxofwslgzumimnva.exe*."
    3⤵
    PID:384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe .
1⤵
PID:4772
- C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3340
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\ldvriyoezrldxojmmt.exe*."
    3⤵
    PID:1464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe
1⤵
PID:6080
- C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe
  C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe
  2⤵
  PID:4780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
1⤵
PID:2228
- C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
  2⤵
  PID:6132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe .
1⤵
PID:2820
- C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2604
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\ctkfvkzoizsjcsmon.exe*."
    3⤵
    PID:4984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe .
1⤵
PID:5928
- C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe
  C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1580
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\wpifxofwslgzumimnva.exe*."
    3⤵
    PID:5000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
1⤵
PID:508
- C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
  2⤵
  PID:5840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe .
1⤵
PID:4436
- C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
  C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe .
  2⤵
  - Checks computer location settings
  PID:1936
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\ytonhatmkfcxuomsvfmhc.exe*."
    3⤵
    PID:464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
1⤵
PID:3780
- C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
  C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
  2⤵
  PID:3460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe .
1⤵
PID:3748
- C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe .
  2⤵
  - Checks computer location settings
  PID:1788
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\vlbvkymatjbrjyrs.exe*."
    3⤵
    PID:5532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctkfvkzoizsjcsmon.exe
1⤵
PID:2248
- C:\Windows\ctkfvkzoizsjcsmon.exe
  ctkfvkzoizsjcsmon.exe
  2⤵
  PID:4928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vlbvkymatjbrjyrs.exe .
1⤵
PID:5216
- C:\Windows\vlbvkymatjbrjyrs.exe
  vlbvkymatjbrjyrs.exe .
  2⤵
  - Checks computer location settings
  PID:5400
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\vlbvkymatjbrjyrs.exe*."
    3⤵
    PID:5976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ldvriyoezrldxojmmt.exe
1⤵
PID:2324
- C:\Windows\ldvriyoezrldxojmmt.exe
  ldvriyoezrldxojmmt.exe
  2⤵
  PID:4712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpifxofwslgzumimnva.exe .
1⤵
PID:4064
- C:\Windows\wpifxofwslgzumimnva.exe
  wpifxofwslgzumimnva.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4556
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\wpifxofwslgzumimnva.exe*."
    3⤵
    PID:936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe
1⤵
PID:4444
- C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe
  2⤵
  PID:1980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe .
1⤵
PID:5640
- C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
  C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:228
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\ytonhatmkfcxuomsvfmhc.exe*."
    3⤵
    PID:2316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe
1⤵
PID:4968
- C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe
  C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe
  2⤵
  PID:1388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe .
1⤵
PID:3752
- C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe
  C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4796
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\wpifxofwslgzumimnva.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ldvriyoezrldxojmmt.exe
1⤵
PID:5812
- C:\Windows\ldvriyoezrldxojmmt.exe
  ldvriyoezrldxojmmt.exe
  2⤵
  PID:4396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vlbvkymatjbrjyrs.exe .
1⤵
PID:3760
- C:\Windows\vlbvkymatjbrjyrs.exe
  vlbvkymatjbrjyrs.exe .
  2⤵
  - Checks computer location settings
  PID:2648
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\vlbvkymatjbrjyrs.exe*."
    3⤵
    PID:3460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctkfvkzoizsjcsmon.exe
1⤵
PID:4420
- C:\Windows\ctkfvkzoizsjcsmon.exe
  ctkfvkzoizsjcsmon.exe
  2⤵
  PID:1968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctkfvkzoizsjcsmon.exe .
1⤵
PID:4604
- C:\Windows\ctkfvkzoizsjcsmon.exe
  ctkfvkzoizsjcsmon.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5784
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ctkfvkzoizsjcsmon.exe*."
    3⤵
    PID:4048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
1⤵
PID:620
- C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
  2⤵
  PID:2652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe .
1⤵
PID:552
- C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe
  C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5664
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\jdxvogyqnhdxtmjoqzfz.exe*."
    3⤵
    PID:4856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
1⤵
PID:1836
- C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
  C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
  2⤵
  PID:2448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe .
1⤵
PID:4768
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3212
- C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe
  C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2184
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\jdxvogyqnhdxtmjoqzfz.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ldvriyoezrldxojmmt.exe
1⤵
PID:4332
- C:\Windows\ldvriyoezrldxojmmt.exe
  ldvriyoezrldxojmmt.exe
  2⤵
  PID:5956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctkfvkzoizsjcsmon.exe .
1⤵
PID:5552
- C:\Windows\ctkfvkzoizsjcsmon.exe
  ctkfvkzoizsjcsmon.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:836
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ctkfvkzoizsjcsmon.exe*."
    3⤵
    PID:4828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vlbvkymatjbrjyrs.exe
1⤵
PID:4888
- C:\Windows\vlbvkymatjbrjyrs.exe
  vlbvkymatjbrjyrs.exe
  2⤵
  PID:3164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ldvriyoezrldxojmmt.exe .
1⤵
PID:1104
- C:\Windows\ldvriyoezrldxojmmt.exe
  ldvriyoezrldxojmmt.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1076
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ldvriyoezrldxojmmt.exe*."
    3⤵
    PID:2700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe
1⤵
PID:4992
- C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe
  2⤵
  PID:1080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe .
1⤵
PID:2336
- C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe .
  2⤵
  - Checks computer location settings
  PID:5484
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\ldvriyoezrldxojmmt.exe*."
    3⤵
    PID:4808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe
1⤵
PID:4508
- C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe
  2⤵
  PID:5048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe .
1⤵
PID:5528
- C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3064
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\vlbvkymatjbrjyrs.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vlbvkymatjbrjyrs.exe
1⤵
PID:5036
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5884
- C:\Windows\vlbvkymatjbrjyrs.exe
  vlbvkymatjbrjyrs.exe
  2⤵
  PID:548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vlbvkymatjbrjyrs.exe .
1⤵
PID:5612
- C:\Windows\vlbvkymatjbrjyrs.exe
  vlbvkymatjbrjyrs.exe .
  2⤵
  - Checks computer location settings
  PID:3688
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\vlbvkymatjbrjyrs.exe*."
    3⤵
    PID:1564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpifxofwslgzumimnva.exe
1⤵
PID:4540
- C:\Windows\wpifxofwslgzumimnva.exe
  wpifxofwslgzumimnva.exe
  2⤵
  PID:2076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpifxofwslgzumimnva.exe .
1⤵
PID:3032
- C:\Windows\wpifxofwslgzumimnva.exe
  wpifxofwslgzumimnva.exe .
  2⤵
  - Checks computer location settings
  PID:2276
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\wpifxofwslgzumimnva.exe*."
    3⤵
    PID:1224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
1⤵
PID:5596
- C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
  2⤵
  PID:5572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe .
1⤵
PID:1708
- C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:780
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\vlbvkymatjbrjyrs.exe*."
    3⤵
    PID:3708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
1⤵
PID:5132
- C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
  C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
  2⤵
  PID:396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe .
1⤵
PID:2868
- C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1808
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\vlbvkymatjbrjyrs.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vlbvkymatjbrjyrs.exe
1⤵
PID:2488
- C:\Windows\vlbvkymatjbrjyrs.exe
  vlbvkymatjbrjyrs.exe
  2⤵
  PID:5192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vlbvkymatjbrjyrs.exe .
1⤵
PID:6112
- C:\Windows\vlbvkymatjbrjyrs.exe
  vlbvkymatjbrjyrs.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2360
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\vlbvkymatjbrjyrs.exe*."
    3⤵
    PID:5444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jdxvogyqnhdxtmjoqzfz.exe
1⤵
PID:4916
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3956
- C:\Windows\jdxvogyqnhdxtmjoqzfz.exe
  jdxvogyqnhdxtmjoqzfz.exe
  2⤵
  PID:5416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vlbvkymatjbrjyrs.exe .
1⤵
PID:3340
- C:\Windows\vlbvkymatjbrjyrs.exe
  vlbvkymatjbrjyrs.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5368
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\vlbvkymatjbrjyrs.exe*."
    3⤵
    PID:2892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe
1⤵
PID:508
- C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe
  2⤵
  PID:4824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe .
1⤵
PID:4736
- C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1260
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\ldvriyoezrldxojmmt.exe*."
    3⤵
    PID:4404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
1⤵
PID:5532
- C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
  C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
  2⤵
  PID:4828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe .
1⤵
PID:4772
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2380
- C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe
  C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe .
  2⤵
  PID:2028
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\wpifxofwslgzumimnva.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ytonhatmkfcxuomsvfmhc.exe
1⤵
PID:2832
- C:\Windows\ytonhatmkfcxuomsvfmhc.exe
  ytonhatmkfcxuomsvfmhc.exe
  2⤵
  PID:1604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jdxvogyqnhdxtmjoqzfz.exe .
1⤵
PID:844
- C:\Windows\jdxvogyqnhdxtmjoqzfz.exe
  jdxvogyqnhdxtmjoqzfz.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1276
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\jdxvogyqnhdxtmjoqzfz.exe*."
    3⤵
    PID:4172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpifxofwslgzumimnva.exe
1⤵
PID:3172
- C:\Windows\wpifxofwslgzumimnva.exe
  wpifxofwslgzumimnva.exe
  2⤵
  PID:2860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vlbvkymatjbrjyrs.exe .
1⤵
PID:5160
- C:\Windows\vlbvkymatjbrjyrs.exe
  vlbvkymatjbrjyrs.exe .
  2⤵
  - Checks computer location settings
  PID:2552
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\vlbvkymatjbrjyrs.exe*."
    3⤵
    PID:3688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jdxvogyqnhdxtmjoqzfz.exe
1⤵
PID:920
- C:\Windows\jdxvogyqnhdxtmjoqzfz.exe
  jdxvogyqnhdxtmjoqzfz.exe
  2⤵
  PID:4256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
1⤵
PID:888
- C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
  C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
  2⤵
  PID:5036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe .
1⤵
PID:3576
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:6064
- C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe
  C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4796
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\wpifxofwslgzumimnva.exe*."
    3⤵
    PID:3444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ldvriyoezrldxojmmt.exe
1⤵
PID:5380
- C:\Windows\ldvriyoezrldxojmmt.exe
  ldvriyoezrldxojmmt.exe
  2⤵
  PID:724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ytonhatmkfcxuomsvfmhc.exe .
1⤵
PID:1940
- C:\Windows\ytonhatmkfcxuomsvfmhc.exe
  ytonhatmkfcxuomsvfmhc.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5376
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ytonhatmkfcxuomsvfmhc.exe*."
    3⤵
    PID:780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ytonhatmkfcxuomsvfmhc.exe .
1⤵
PID:424
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5612
- C:\Windows\ytonhatmkfcxuomsvfmhc.exe
  ytonhatmkfcxuomsvfmhc.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4668
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ytonhatmkfcxuomsvfmhc.exe*."
    3⤵
    PID:3952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpifxofwslgzumimnva.exe
1⤵
PID:4272
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4960
- C:\Windows\wpifxofwslgzumimnva.exe
  wpifxofwslgzumimnva.exe
  2⤵
  PID:4536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
1⤵
PID:4652
- C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
  C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
  2⤵
  PID:384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ytonhatmkfcxuomsvfmhc.exe .
1⤵
PID:5056
- C:\Windows\ytonhatmkfcxuomsvfmhc.exe
  ytonhatmkfcxuomsvfmhc.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4980
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ytonhatmkfcxuomsvfmhc.exe*."
    3⤵
    PID:608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctkfvkzoizsjcsmon.exe
1⤵
PID:3504
- C:\Windows\ctkfvkzoizsjcsmon.exe
  ctkfvkzoizsjcsmon.exe
  2⤵
  PID:3348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe .
1⤵
PID:3732
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3460
- C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
  C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1984
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\ytonhatmkfcxuomsvfmhc.exe*."
    3⤵
    PID:6084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe
1⤵
PID:868
- C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe
  2⤵
  PID:676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpifxofwslgzumimnva.exe .
1⤵
PID:4492
- C:\Windows\wpifxofwslgzumimnva.exe
  wpifxofwslgzumimnva.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5732
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\wpifxofwslgzumimnva.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe .
1⤵
PID:4656
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2856
- C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe
  C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe .
  2⤵
  - Checks computer location settings
  PID:2300
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\jdxvogyqnhdxtmjoqzfz.exe*."
    3⤵
    PID:5768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe
1⤵
PID:2416
- C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe
  2⤵
  PID:2664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe .
1⤵
PID:4576
- C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5444
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\vlbvkymatjbrjyrs.exe*."
    3⤵
    PID:3724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe
1⤵
PID:5740
- C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe
  2⤵
  PID:6012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe .
1⤵
PID:2448
- C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
  C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1568
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\ytonhatmkfcxuomsvfmhc.exe*."
    3⤵
    PID:5016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe
1⤵
PID:5760
- C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe
  C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe
  2⤵
  PID:5532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe .
1⤵
PID:6024
- C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3212
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\ldvriyoezrldxojmmt.exe*."
    3⤵
    PID:3408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ldvriyoezrldxojmmt.exe
1⤵
PID:4400
- C:\Windows\ldvriyoezrldxojmmt.exe
  ldvriyoezrldxojmmt.exe
  2⤵
  PID:5108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jdxvogyqnhdxtmjoqzfz.exe .
1⤵
PID:5976
- C:\Windows\jdxvogyqnhdxtmjoqzfz.exe
  jdxvogyqnhdxtmjoqzfz.exe .
  2⤵
  - Checks computer location settings
  PID:652
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\jdxvogyqnhdxtmjoqzfz.exe*."
    3⤵
    PID:2336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ytonhatmkfcxuomsvfmhc.exe
1⤵
PID:3496
- C:\Windows\ytonhatmkfcxuomsvfmhc.exe
  ytonhatmkfcxuomsvfmhc.exe
  2⤵
  PID:4500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpifxofwslgzumimnva.exe .
1⤵
PID:4108
- C:\Windows\wpifxofwslgzumimnva.exe
  wpifxofwslgzumimnva.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5036
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\wpifxofwslgzumimnva.exe*."
    3⤵
    PID:3064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe
1⤵
PID:5620
- C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe
  C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe
  2⤵
  PID:888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe .
1⤵
PID:5424
- C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe
  C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3236
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\jdxvogyqnhdxtmjoqzfz.exe*."
    3⤵
    PID:2996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe
1⤵
PID:3184
- C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe
  2⤵
  PID:1520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe .
1⤵
PID:4796
- C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
  C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe .
  2⤵
  - Checks computer location settings
  PID:4044
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\ytonhatmkfcxuomsvfmhc.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ytonhatmkfcxuomsvfmhc.exe
1⤵
PID:4428
- C:\Windows\ytonhatmkfcxuomsvfmhc.exe
  ytonhatmkfcxuomsvfmhc.exe
  2⤵
  PID:6112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jdxvogyqnhdxtmjoqzfz.exe .
1⤵
PID:4348
- C:\Windows\jdxvogyqnhdxtmjoqzfz.exe
  jdxvogyqnhdxtmjoqzfz.exe .
  2⤵
  PID:2036
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\jdxvogyqnhdxtmjoqzfz.exe*."
    3⤵
    PID:3240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jdxvogyqnhdxtmjoqzfz.exe
1⤵
PID:3988
- C:\Windows\jdxvogyqnhdxtmjoqzfz.exe
  jdxvogyqnhdxtmjoqzfz.exe
  2⤵
  PID:5392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctkfvkzoizsjcsmon.exe .
1⤵
PID:1712
- C:\Windows\ctkfvkzoizsjcsmon.exe
  ctkfvkzoizsjcsmon.exe .
  2⤵
  PID:2900
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ctkfvkzoizsjcsmon.exe*."
    3⤵
    PID:4544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
1⤵
PID:2452
- C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
  2⤵
  PID:5708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe .
1⤵
PID:6084
- C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2360
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\ctkfvkzoizsjcsmon.exe*."
    3⤵
    PID:2256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
1⤵
PID:5192
- C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
  2⤵
  PID:5196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe .
1⤵
PID:1868
- C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe .
  2⤵
  PID:1788
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\vlbvkymatjbrjyrs.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jdxvogyqnhdxtmjoqzfz.exe
1⤵
PID:4836
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1388
- C:\Windows\jdxvogyqnhdxtmjoqzfz.exe
  jdxvogyqnhdxtmjoqzfz.exe
  2⤵
  PID:1876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ytonhatmkfcxuomsvfmhc.exe .
1⤵
PID:4032
- C:\Windows\ytonhatmkfcxuomsvfmhc.exe
  ytonhatmkfcxuomsvfmhc.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3952
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ytonhatmkfcxuomsvfmhc.exe*."
    3⤵
    PID:424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpifxofwslgzumimnva.exe
1⤵
PID:2120
- C:\Windows\wpifxofwslgzumimnva.exe
  wpifxofwslgzumimnva.exe
  2⤵
  PID:3052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctkfvkzoizsjcsmon.exe .
1⤵
PID:5240
- C:\Windows\ctkfvkzoizsjcsmon.exe
  ctkfvkzoizsjcsmon.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4464
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ctkfvkzoizsjcsmon.exe*."
    3⤵
    PID:2832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe
1⤵
PID:732
- C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe
  2⤵
  PID:5484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe .
1⤵
PID:844
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1700
- C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe .
  2⤵
  - Checks computer location settings
  PID:5412
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\ldvriyoezrldxojmmt.exe*."
    3⤵
    PID:336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
1⤵
PID:4848
- C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
  C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
  2⤵
  PID:5620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe .
1⤵
PID:4168
- C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe
  C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe .
  2⤵
  - Checks computer location settings
  PID:2316
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\jdxvogyqnhdxtmjoqzfz.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ldvriyoezrldxojmmt.exe
1⤵
PID:5424
- C:\Windows\ldvriyoezrldxojmmt.exe
  ldvriyoezrldxojmmt.exe
  2⤵
  PID:5032

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:5556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpifxofwslgzumimnva.exe .
1⤵
PID:4952
- C:\Windows\wpifxofwslgzumimnva.exe
  wpifxofwslgzumimnva.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5324
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\wpifxofwslgzumimnva.exe*."
    3⤵
    PID:2072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jdxvogyqnhdxtmjoqzfz.exe
1⤵
PID:384
- C:\Windows\jdxvogyqnhdxtmjoqzfz.exe
  jdxvogyqnhdxtmjoqzfz.exe
  2⤵
  PID:3588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ytonhatmkfcxuomsvfmhc.exe .
1⤵
PID:1120
- C:\Windows\ytonhatmkfcxuomsvfmhc.exe
  ytonhatmkfcxuomsvfmhc.exe .
  2⤵
  PID:4996
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ytonhatmkfcxuomsvfmhc.exe*."
    3⤵
    PID:2868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe
1⤵
PID:4852
- C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe
  2⤵
  PID:1784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe .
1⤵
PID:5712
- C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe
  C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe .
  2⤵
  - Checks computer location settings
  PID:876
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\wpifxofwslgzumimnva.exe*."
    3⤵
    PID:2736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe
1⤵
PID:5664
- C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe
  2⤵
  PID:4604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe .
1⤵
PID:5096
- C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
  C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3984
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\ytonhatmkfcxuomsvfmhc.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpifxofwslgzumimnva.exe
1⤵
PID:2004
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2028
- C:\Windows\wpifxofwslgzumimnva.exe
  wpifxofwslgzumimnva.exe
  2⤵
  PID:3456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctkfvkzoizsjcsmon.exe .
1⤵
PID:4856
- C:\Windows\ctkfvkzoizsjcsmon.exe
  ctkfvkzoizsjcsmon.exe .
  2⤵
  - Checks computer location settings
  PID:4064
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ctkfvkzoizsjcsmon.exe*."
    3⤵
    PID:4884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ldvriyoezrldxojmmt.exe
1⤵
PID:3956
- C:\Windows\ldvriyoezrldxojmmt.exe
  ldvriyoezrldxojmmt.exe
  2⤵
  PID:1040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpifxofwslgzumimnva.exe .
1⤵
PID:4332
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4048
- C:\Windows\wpifxofwslgzumimnva.exe
  wpifxofwslgzumimnva.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4772
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\wpifxofwslgzumimnva.exe*."
    3⤵
    PID:5148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe
1⤵
PID:4784
- C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe
  2⤵
  PID:5504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe .
1⤵
PID:2384
- C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe .
  2⤵
  - Checks computer location settings
  PID:4560
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\ctkfvkzoizsjcsmon.exe*."
    3⤵
    PID:4260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe
1⤵
PID:4372
- C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe
  2⤵
  PID:3948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe .
1⤵
PID:3748
- C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
  C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe .
  2⤵
  - Checks computer location settings
  PID:5048
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\ytonhatmkfcxuomsvfmhc.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctkfvkzoizsjcsmon.exe
1⤵
PID:4412
- C:\Windows\ctkfvkzoizsjcsmon.exe
  ctkfvkzoizsjcsmon.exe
  2⤵
  PID:5052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctkfvkzoizsjcsmon.exe .
1⤵
PID:1296
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2316
- C:\Windows\ctkfvkzoizsjcsmon.exe
  ctkfvkzoizsjcsmon.exe .
  2⤵
  - Checks computer location settings
  PID:4168
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ctkfvkzoizsjcsmon.exe*."
    3⤵
    PID:5032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vlbvkymatjbrjyrs.exe
1⤵
PID:4440
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:936
- C:\Windows\vlbvkymatjbrjyrs.exe
  vlbvkymatjbrjyrs.exe
  2⤵
  PID:4536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ldvriyoezrldxojmmt.exe .
1⤵
PID:4716
- C:\Windows\ldvriyoezrldxojmmt.exe
  ldvriyoezrldxojmmt.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5008
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ldvriyoezrldxojmmt.exe*."
    3⤵
    PID:1144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe
1⤵
PID:2816
- C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe
  2⤵
  PID:4428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe .
1⤵
PID:4868
- C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:6112
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\ctkfvkzoizsjcsmon.exe*."
    3⤵
    PID:508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jdxvogyqnhdxtmjoqzfz.exe
1⤵
PID:4300
- C:\Windows\jdxvogyqnhdxtmjoqzfz.exe
  jdxvogyqnhdxtmjoqzfz.exe
  2⤵
  PID:2904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe
1⤵
PID:2488
- C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe
  2⤵
  PID:5840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ldvriyoezrldxojmmt.exe .
1⤵
PID:620
- C:\Windows\ldvriyoezrldxojmmt.exe
  ldvriyoezrldxojmmt.exe .
  2⤵
  PID:5256
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ldvriyoezrldxojmmt.exe*."
    3⤵
    PID:4916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe .
1⤵
PID:4700
- C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
  C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3172
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\ytonhatmkfcxuomsvfmhc.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ldvriyoezrldxojmmt.exe
1⤵
PID:3292
- C:\Windows\ldvriyoezrldxojmmt.exe
  ldvriyoezrldxojmmt.exe
  2⤵
  PID:2360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jdxvogyqnhdxtmjoqzfz.exe
1⤵
PID:2900
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2892
- C:\Windows\jdxvogyqnhdxtmjoqzfz.exe
  jdxvogyqnhdxtmjoqzfz.exe
  2⤵
  PID:1788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ytonhatmkfcxuomsvfmhc.exe .
1⤵
PID:724
- C:\Windows\ytonhatmkfcxuomsvfmhc.exe
  ytonhatmkfcxuomsvfmhc.exe .
  2⤵
  PID:2152
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ytonhatmkfcxuomsvfmhc.exe*."
    3⤵
    PID:2952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jdxvogyqnhdxtmjoqzfz.exe .
1⤵
PID:2596
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2604
- C:\Windows\jdxvogyqnhdxtmjoqzfz.exe
  jdxvogyqnhdxtmjoqzfz.exe .
  2⤵
  - Checks computer location settings
  PID:5792
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\jdxvogyqnhdxtmjoqzfz.exe*."
    3⤵
    PID:5000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
1⤵
PID:5600
- C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
  2⤵
  PID:5356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctkfvkzoizsjcsmon.exe
1⤵
PID:3060
- C:\Windows\ctkfvkzoizsjcsmon.exe
  ctkfvkzoizsjcsmon.exe
  2⤵
  PID:2516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe .
1⤵
PID:4672
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5784
- C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe .
  2⤵
  PID:732
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\vlbvkymatjbrjyrs.exe*."
    3⤵
    PID:4168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpifxofwslgzumimnva.exe .
1⤵
PID:5192
- C:\Windows\wpifxofwslgzumimnva.exe
  wpifxofwslgzumimnva.exe .
  2⤵
  PID:3084
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\wpifxofwslgzumimnva.exe*."
    3⤵
    PID:4056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe
1⤵
PID:4396
- C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe
  C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe
  2⤵
  PID:5108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe .
1⤵
PID:3540
- C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1916
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\ctkfvkzoizsjcsmon.exe*."
    3⤵
    PID:3812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe
1⤵
PID:5612
- C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe
  2⤵
  PID:1392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe .
1⤵
PID:4132
- C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
  C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2276
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\ytonhatmkfcxuomsvfmhc.exe*."
    3⤵
    PID:5900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe
1⤵
PID:1968
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:464
- C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe
  C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe
  2⤵
  PID:1928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ytonhatmkfcxuomsvfmhc.exe
1⤵
PID:5976
- C:\Windows\ytonhatmkfcxuomsvfmhc.exe
  ytonhatmkfcxuomsvfmhc.exe
  2⤵
  PID:5212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe .
1⤵
PID:5560
- C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
  C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe .
  2⤵
  PID:2520
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\ytonhatmkfcxuomsvfmhc.exe*."
    3⤵
    PID:5008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ldvriyoezrldxojmmt.exe .
1⤵
PID:3220
- C:\Windows\ldvriyoezrldxojmmt.exe
  ldvriyoezrldxojmmt.exe .
  2⤵
  PID:780
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ldvriyoezrldxojmmt.exe*."
    3⤵
    PID:1708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ytonhatmkfcxuomsvfmhc.exe
1⤵
PID:5264
- C:\Windows\ytonhatmkfcxuomsvfmhc.exe
  ytonhatmkfcxuomsvfmhc.exe
  2⤵
  PID:2528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctkfvkzoizsjcsmon.exe .
1⤵
PID:5688
- C:\Windows\ctkfvkzoizsjcsmon.exe
  ctkfvkzoizsjcsmon.exe .
  2⤵
  PID:5328
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ctkfvkzoizsjcsmon.exe*."
    3⤵
    PID:6128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe
1⤵
PID:640
- C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe
  2⤵
  PID:3588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe .
1⤵
PID:4956
- C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe .
  2⤵
  PID:4652
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\ctkfvkzoizsjcsmon.exe*."
    3⤵
    PID:2416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe
1⤵
PID:2452
- C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe
  C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe
  2⤵
  PID:5112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe .
1⤵
PID:4064
- C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
  C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe .
  2⤵
  PID:5128
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\ytonhatmkfcxuomsvfmhc.exe*."
    3⤵
    PID:1260

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vlbvkymatjbrjyrs.exe
1⤵
PID:2516
- C:\Windows\vlbvkymatjbrjyrs.exe
  vlbvkymatjbrjyrs.exe
  2⤵
  PID:5000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ldvriyoezrldxojmmt.exe .
1⤵
PID:2404
- C:\Windows\ldvriyoezrldxojmmt.exe
  ldvriyoezrldxojmmt.exe .
  2⤵
  PID:4032
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ldvriyoezrldxojmmt.exe*."
    3⤵
    PID:1416

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:2152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctkfvkzoizsjcsmon.exe
1⤵
PID:4736
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5664
- C:\Windows\ctkfvkzoizsjcsmon.exe
  ctkfvkzoizsjcsmon.exe
  2⤵
  PID:1844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ytonhatmkfcxuomsvfmhc.exe .
1⤵
PID:1660
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2336
- C:\Windows\ytonhatmkfcxuomsvfmhc.exe
  ytonhatmkfcxuomsvfmhc.exe .
  2⤵
  PID:724
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ytonhatmkfcxuomsvfmhc.exe*."
    3⤵
    PID:1928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
1⤵
PID:4828
- C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
  C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
  2⤵
  PID:5160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe .
1⤵
PID:4900
- C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe .
  2⤵
  PID:5216
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\ldvriyoezrldxojmmt.exe*."
    3⤵
    PID:5212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
1⤵
PID:3236
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1968
- C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
  C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
  2⤵
  PID:636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe .
1⤵
PID:4072
- C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
  C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe .
  2⤵
  PID:4428
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\ytonhatmkfcxuomsvfmhc.exe*."
    3⤵
    PID:4944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vlbvkymatjbrjyrs.exe
1⤵
PID:5360
- C:\Windows\vlbvkymatjbrjyrs.exe
  vlbvkymatjbrjyrs.exe
  2⤵
  PID:1948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ldvriyoezrldxojmmt.exe .
1⤵
PID:5488
- C:\Windows\ldvriyoezrldxojmmt.exe
  ldvriyoezrldxojmmt.exe .
  2⤵
  PID:2324
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ldvriyoezrldxojmmt.exe*."
    3⤵
    PID:5244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ldvriyoezrldxojmmt.exe
1⤵
PID:4928
- C:\Windows\ldvriyoezrldxojmmt.exe
  ldvriyoezrldxojmmt.exe
  2⤵
  PID:4708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpifxofwslgzumimnva.exe .
1⤵
PID:3588
- C:\Windows\wpifxofwslgzumimnva.exe
  wpifxofwslgzumimnva.exe .
  2⤵
  PID:4564
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\wpifxofwslgzumimnva.exe*."
    3⤵
    PID:5688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe
1⤵
PID:224
- C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe
  C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe
  2⤵
  PID:2868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe .
1⤵
PID:4404
- C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe .
  2⤵
  PID:5368
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\ctkfvkzoizsjcsmon.exe*."
    3⤵
    PID:4868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe
1⤵
PID:4960
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4780
- C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe
  C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe
  2⤵
  PID:4056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe .
1⤵
PID:4692
- C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe
  C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe .
  2⤵
  PID:5196
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\wpifxofwslgzumimnva.exe*."
    3⤵
    PID:2736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ldvriyoezrldxojmmt.exe
1⤵
PID:3788
- C:\Windows\ldvriyoezrldxojmmt.exe
  ldvriyoezrldxojmmt.exe
  2⤵
  PID:3328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vlbvkymatjbrjyrs.exe .
1⤵
PID:4064
- C:\Windows\vlbvkymatjbrjyrs.exe
  vlbvkymatjbrjyrs.exe .
  2⤵
  PID:3952
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\vlbvkymatjbrjyrs.exe*."
    3⤵
    PID:2484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpifxofwslgzumimnva.exe
1⤵
PID:2512
- C:\Windows\wpifxofwslgzumimnva.exe
  wpifxofwslgzumimnva.exe
  2⤵
  PID:5792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpifxofwslgzumimnva.exe .
1⤵
PID:5980
- C:\Windows\wpifxofwslgzumimnva.exe
  wpifxofwslgzumimnva.exe .
  2⤵
  PID:4560
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\wpifxofwslgzumimnva.exe*."
    3⤵
    PID:2832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe
1⤵
PID:4980
- C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe
  C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe
  2⤵
  PID:2952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe .
1⤵
PID:3888
- C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe
  C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe .
  2⤵
  PID:368
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\wpifxofwslgzumimnva.exe*."
    3⤵
    PID:724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe
1⤵
PID:5600
- C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe
  C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe
  2⤵
  PID:5848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe .
1⤵
PID:5028
- C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe
  C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe .
  2⤵
  PID:1932
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\wpifxofwslgzumimnva.exe*."
    3⤵
    PID:6064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vlbvkymatjbrjyrs.exe
1⤵
PID:4904
- C:\Windows\vlbvkymatjbrjyrs.exe
  vlbvkymatjbrjyrs.exe
  2⤵
  PID:940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ldvriyoezrldxojmmt.exe .
1⤵
PID:4508
- C:\Windows\ldvriyoezrldxojmmt.exe
  ldvriyoezrldxojmmt.exe .
  2⤵
  PID:1852
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ldvriyoezrldxojmmt.exe*."
    3⤵
    PID:1448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctkfvkzoizsjcsmon.exe
1⤵
PID:5424
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3164
- C:\Windows\ctkfvkzoizsjcsmon.exe
  ctkfvkzoizsjcsmon.exe
  2⤵
  PID:6084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ytonhatmkfcxuomsvfmhc.exe .
1⤵
PID:4484
- C:\Windows\ytonhatmkfcxuomsvfmhc.exe
  ytonhatmkfcxuomsvfmhc.exe .
  2⤵
  PID:5516
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ytonhatmkfcxuomsvfmhc.exe*."
    3⤵
    PID:2156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
1⤵
PID:5524
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:676
- C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
  2⤵
  PID:1104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe .
1⤵
PID:1036
- C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
  C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe .
  2⤵
  PID:844
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\ytonhatmkfcxuomsvfmhc.exe*."
    3⤵
    PID:5012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
1⤵
PID:2544
- C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
  C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
  2⤵
  PID:6120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe .
1⤵
PID:5052
- C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe
  C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe .
  2⤵
  PID:2816
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\jdxvogyqnhdxtmjoqzfz.exe*."
    3⤵
    PID:4108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ytonhatmkfcxuomsvfmhc.exe
1⤵
PID:3960
- C:\Windows\ytonhatmkfcxuomsvfmhc.exe
  ytonhatmkfcxuomsvfmhc.exe
  2⤵
  PID:4868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vlbvkymatjbrjyrs.exe .
1⤵
PID:2036
- C:\Windows\vlbvkymatjbrjyrs.exe
  vlbvkymatjbrjyrs.exe .
  2⤵
  PID:5636
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\vlbvkymatjbrjyrs.exe*."
    3⤵
    PID:5192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ldvriyoezrldxojmmt.exe
1⤵
PID:4824
- C:\Windows\ldvriyoezrldxojmmt.exe
  ldvriyoezrldxojmmt.exe
  2⤵
  PID:1940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ldvriyoezrldxojmmt.exe .
1⤵
PID:2452
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5416
- C:\Windows\ldvriyoezrldxojmmt.exe
  ldvriyoezrldxojmmt.exe .
  2⤵
  PID:6088
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ldvriyoezrldxojmmt.exe*."
    3⤵
    PID:4332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe
1⤵
PID:1048
- C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe
  2⤵
  PID:1120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe .
1⤵
PID:4604
- C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe
  C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe .
  2⤵
  PID:5792
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\jdxvogyqnhdxtmjoqzfz.exe*."
    3⤵
    PID:1796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
1⤵
PID:2512
- C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
  2⤵
  PID:5160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe .
1⤵
PID:3004
- C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe
  C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe .
  2⤵
  PID:5736
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\wpifxofwslgzumimnva.exe*."
    3⤵
    PID:5452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ytonhatmkfcxuomsvfmhc.exe
1⤵
PID:5380
- C:\Windows\ytonhatmkfcxuomsvfmhc.exe
  ytonhatmkfcxuomsvfmhc.exe
  2⤵
  PID:2032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpifxofwslgzumimnva.exe .
1⤵
PID:2932
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:724
- C:\Windows\wpifxofwslgzumimnva.exe
  wpifxofwslgzumimnva.exe .
  2⤵
  PID:3736
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\wpifxofwslgzumimnva.exe*."
    3⤵
    PID:5528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jdxvogyqnhdxtmjoqzfz.exe
1⤵
PID:2860
- C:\Windows\jdxvogyqnhdxtmjoqzfz.exe
  jdxvogyqnhdxtmjoqzfz.exe
  2⤵
  PID:2276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ldvriyoezrldxojmmt.exe
1⤵
PID:2596
- C:\Windows\ldvriyoezrldxojmmt.exe
  ldvriyoezrldxojmmt.exe
  2⤵
  PID:3688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ldvriyoezrldxojmmt.exe .
1⤵
PID:3504
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2664
- C:\Windows\ldvriyoezrldxojmmt.exe
  ldvriyoezrldxojmmt.exe .
  2⤵
  PID:5036
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ldvriyoezrldxojmmt.exe*."
    3⤵
    PID:652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vlbvkymatjbrjyrs.exe .
1⤵
PID:1460
- C:\Windows\vlbvkymatjbrjyrs.exe
  vlbvkymatjbrjyrs.exe .
  2⤵
  PID:636
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\vlbvkymatjbrjyrs.exe*."
    3⤵
    PID:844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe
1⤵
PID:5612
- C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe
  C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe
  2⤵
  PID:5372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe .
1⤵
PID:5732
- C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe
  C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe .
  2⤵
  PID:228
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\wpifxofwslgzumimnva.exe*."
    3⤵
    PID:1044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ytonhatmkfcxuomsvfmhc.exe
1⤵
PID:2964
- C:\Windows\ytonhatmkfcxuomsvfmhc.exe
  ytonhatmkfcxuomsvfmhc.exe
  2⤵
  PID:2156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpifxofwslgzumimnva.exe
1⤵
PID:424
- C:\Windows\wpifxofwslgzumimnva.exe
  wpifxofwslgzumimnva.exe
  2⤵
  PID:1412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jdxvogyqnhdxtmjoqzfz.exe .
1⤵
PID:2100
- C:\Windows\jdxvogyqnhdxtmjoqzfz.exe
  jdxvogyqnhdxtmjoqzfz.exe .
  2⤵
  PID:2300
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\jdxvogyqnhdxtmjoqzfz.exe*."
    3⤵
    PID:5072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ytonhatmkfcxuomsvfmhc.exe .
1⤵
PID:5924
- C:\Windows\ytonhatmkfcxuomsvfmhc.exe
  ytonhatmkfcxuomsvfmhc.exe .
  2⤵
  PID:2308
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ytonhatmkfcxuomsvfmhc.exe*."
    3⤵
    PID:2396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
1⤵
PID:5360
- C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
  2⤵
  PID:4728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe
1⤵
PID:5524
- C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe
  C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe
  2⤵
  PID:5584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe .
1⤵
PID:4720
- C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
  C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe .
  2⤵
  PID:1984
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\ytonhatmkfcxuomsvfmhc.exe*."
    3⤵
    PID:3572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe .
1⤵
PID:2992
- C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe .
  2⤵
  PID:1788
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\ctkfvkzoizsjcsmon.exe*."
    3⤵
    PID:4568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpifxofwslgzumimnva.exe
1⤵
PID:1540
- C:\Windows\wpifxofwslgzumimnva.exe
  wpifxofwslgzumimnva.exe
  2⤵
  PID:4196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpifxofwslgzumimnva.exe .
1⤵
PID:6064
- C:\Windows\wpifxofwslgzumimnva.exe
  wpifxofwslgzumimnva.exe .
  2⤵
  PID:5256
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\wpifxofwslgzumimnva.exe*."
    3⤵
    PID:3552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
1⤵
PID:552
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5956
- C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
  C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
  2⤵
  PID:2900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe .
1⤵
PID:4704
- C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe .
  2⤵
  PID:3588
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\vlbvkymatjbrjyrs.exe*."
    3⤵
    PID:3720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe
1⤵
PID:4300
- C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe
  C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe
  2⤵
  PID:1476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe .
1⤵
PID:2448
- C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe .
  2⤵
  PID:5736
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\ldvriyoezrldxojmmt.exe*."
    3⤵
    PID:3956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe
1⤵
PID:5712
- C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe
  2⤵
  PID:4396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe .
1⤵
PID:4856
- C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe .
  2⤵
  PID:4172
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\ctkfvkzoizsjcsmon.exe*."
    3⤵
    PID:5380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpifxofwslgzumimnva.exe
1⤵
PID:2176
- C:\Windows\wpifxofwslgzumimnva.exe
  wpifxofwslgzumimnva.exe
  2⤵
  PID:3628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpifxofwslgzumimnva.exe .
1⤵
PID:5412
- C:\Windows\wpifxofwslgzumimnva.exe
  wpifxofwslgzumimnva.exe .
  2⤵
  PID:444
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\wpifxofwslgzumimnva.exe*."
    3⤵
    PID:2860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ldvriyoezrldxojmmt.exe
1⤵
PID:4256
- C:\Windows\ldvriyoezrldxojmmt.exe
  ldvriyoezrldxojmmt.exe
  2⤵
  PID:4688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctkfvkzoizsjcsmon.exe .
1⤵
PID:3576
- C:\Windows\ctkfvkzoizsjcsmon.exe
  ctkfvkzoizsjcsmon.exe .
  2⤵
  PID:4968
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ctkfvkzoizsjcsmon.exe*."
    3⤵
    PID:3264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
1⤵
PID:4176
- C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
  C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
  2⤵
  PID:6112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe .
1⤵
PID:2156
- C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe .
  2⤵
  PID:4696
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\vlbvkymatjbrjyrs.exe*."
    3⤵
    PID:844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe
1⤵
PID:5452
- C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe
  C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe
  2⤵
  PID:2020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe .
1⤵
PID:2976
- C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe
  C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe .
  2⤵
  PID:4728
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\jdxvogyqnhdxtmjoqzfz.exe*."
    3⤵
    PID:228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ytonhatmkfcxuomsvfmhc.exe
1⤵
PID:5424
- C:\Windows\ytonhatmkfcxuomsvfmhc.exe
  ytonhatmkfcxuomsvfmhc.exe
  2⤵
  PID:4400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctkfvkzoizsjcsmon.exe .
1⤵
PID:4724
- C:\Windows\ctkfvkzoizsjcsmon.exe
  ctkfvkzoizsjcsmon.exe .
  2⤵
  PID:2080
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ctkfvkzoizsjcsmon.exe*."
    3⤵
    PID:1784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpifxofwslgzumimnva.exe
1⤵
PID:5376
- C:\Windows\wpifxofwslgzumimnva.exe
  wpifxofwslgzumimnva.exe
  2⤵
  PID:1048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ldvriyoezrldxojmmt.exe .
1⤵
PID:4604
- C:\Windows\ldvriyoezrldxojmmt.exe
  ldvriyoezrldxojmmt.exe .
  2⤵
  PID:2512
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ldvriyoezrldxojmmt.exe*."
    3⤵
    PID:1604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
1⤵
PID:5160
- C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
  C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
  2⤵
  PID:5024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe .
1⤵
PID:640
- C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe .
  2⤵
  PID:2208
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\vlbvkymatjbrjyrs.exe*."
    3⤵
    PID:1860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe
1⤵
PID:1124
- C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe
  C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe
  2⤵
  PID:4676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe .
1⤵
PID:1788
- C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe .
  2⤵
  PID:3988
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\vlbvkymatjbrjyrs.exe*."
    3⤵
    PID:5504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ldvriyoezrldxojmmt.exe
1⤵
PID:4300
- C:\Windows\ldvriyoezrldxojmmt.exe
  ldvriyoezrldxojmmt.exe
  2⤵
  PID:224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctkfvkzoizsjcsmon.exe .
1⤵
PID:3424
- C:\Windows\ctkfvkzoizsjcsmon.exe
  ctkfvkzoizsjcsmon.exe .
  2⤵
  PID:3064
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ctkfvkzoizsjcsmon.exe*."
    3⤵
    PID:4144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpifxofwslgzumimnva.exe
1⤵
PID:1080
- C:\Windows\wpifxofwslgzumimnva.exe
  wpifxofwslgzumimnva.exe
  2⤵
  PID:888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ldvriyoezrldxojmmt.exe .
1⤵
PID:1928
- C:\Windows\ldvriyoezrldxojmmt.exe
  ldvriyoezrldxojmmt.exe .
  2⤵
  PID:3628
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ldvriyoezrldxojmmt.exe*."
    3⤵
    PID:1596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe
1⤵
PID:4172
- C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe
  C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe
  2⤵
  PID:4716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe .
1⤵
PID:5528
- C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe .
  2⤵
  PID:5216
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\ctkfvkzoizsjcsmon.exe*."
    3⤵
    PID:3304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
1⤵
PID:876
- C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
  C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
  2⤵
  PID:4688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe .
1⤵
PID:3888
- C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe .
  2⤵
  PID:5280
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\vlbvkymatjbrjyrs.exe*."
    3⤵
    PID:4768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vlbvkymatjbrjyrs.exe
1⤵
PID:4968
- C:\Windows\vlbvkymatjbrjyrs.exe
  vlbvkymatjbrjyrs.exe
  2⤵
  PID:3576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vlbvkymatjbrjyrs.exe .
1⤵
PID:4044
- C:\Windows\vlbvkymatjbrjyrs.exe
  vlbvkymatjbrjyrs.exe .
  2⤵
  PID:5760
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\vlbvkymatjbrjyrs.exe*."
    3⤵
    PID:868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ldvriyoezrldxojmmt.exe
1⤵
PID:4168
- C:\Windows\ldvriyoezrldxojmmt.exe
  ldvriyoezrldxojmmt.exe
  2⤵
  PID:1852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctkfvkzoizsjcsmon.exe .
1⤵
PID:2816
- C:\Windows\ctkfvkzoizsjcsmon.exe
  ctkfvkzoizsjcsmon.exe .
  2⤵
  PID:5328
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ctkfvkzoizsjcsmon.exe*."
    3⤵
    PID:2488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe
1⤵
PID:5740
- C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe
  C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe
  2⤵
  PID:5484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe .
1⤵
PID:5992
- C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe
  C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe .
  2⤵
  PID:700
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\wpifxofwslgzumimnva.exe*."
    3⤵
    PID:5716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe
1⤵
PID:4280
- C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe
  2⤵
  PID:5392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe .
1⤵
PID:5256
- C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe .
  2⤵
  PID:4724
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\ldvriyoezrldxojmmt.exe*."
    3⤵
    PID:3340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ytonhatmkfcxuomsvfmhc.exe
1⤵
PID:3968
- C:\Windows\ytonhatmkfcxuomsvfmhc.exe
  ytonhatmkfcxuomsvfmhc.exe
  2⤵
  PID:5732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ytonhatmkfcxuomsvfmhc.exe .
1⤵
PID:2396
- C:\Windows\ytonhatmkfcxuomsvfmhc.exe
  ytonhatmkfcxuomsvfmhc.exe .
  2⤵
  PID:6140
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ytonhatmkfcxuomsvfmhc.exe*."
    3⤵
    PID:5824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctkfvkzoizsjcsmon.exe
1⤵
PID:4584
- C:\Windows\ctkfvkzoizsjcsmon.exe
  ctkfvkzoizsjcsmon.exe
  2⤵
  PID:2832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpifxofwslgzumimnva.exe .
1⤵
PID:4592
- C:\Windows\wpifxofwslgzumimnva.exe
  wpifxofwslgzumimnva.exe .
  2⤵
  PID:2820
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\wpifxofwslgzumimnva.exe*."
    3⤵
    PID:5572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
1⤵
PID:4248
- C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
  2⤵
  PID:2032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe .
1⤵
PID:3348
- C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
  C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe .
  2⤵
  PID:1580
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\ytonhatmkfcxuomsvfmhc.exe*."
    3⤵
    PID:2380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe
1⤵
PID:4652
- C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe
  2⤵
  PID:4996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe .
1⤵
PID:2228
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5108
- C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
  C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe .
  2⤵
  PID:4720
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\ytonhatmkfcxuomsvfmhc.exe*."
    3⤵
    PID:3424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctkfvkzoizsjcsmon.exe
1⤵
PID:3240
- C:\Windows\ctkfvkzoizsjcsmon.exe
  ctkfvkzoizsjcsmon.exe
  2⤵
  PID:1920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ldvriyoezrldxojmmt.exe .
1⤵
PID:4072
- C:\Windows\ldvriyoezrldxojmmt.exe
  ldvriyoezrldxojmmt.exe .
  2⤵
  PID:5552
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ldvriyoezrldxojmmt.exe*."
    3⤵
    PID:2700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jdxvogyqnhdxtmjoqzfz.exe
1⤵
PID:4636
- C:\Windows\jdxvogyqnhdxtmjoqzfz.exe
  jdxvogyqnhdxtmjoqzfz.exe
  2⤵
  PID:892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpifxofwslgzumimnva.exe .
1⤵
PID:4456
- C:\Windows\wpifxofwslgzumimnva.exe
  wpifxofwslgzumimnva.exe .
  2⤵
  PID:2932
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\wpifxofwslgzumimnva.exe*."
    3⤵
    PID:2596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe
1⤵
PID:1288
- C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe
  2⤵
  PID:4848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe .
1⤵
PID:6124
- C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe .
  2⤵
  PID:3184
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\ctkfvkzoizsjcsmon.exe*."
    3⤵
    PID:4444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe
1⤵
PID:2076
- C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe
  2⤵
  PID:3576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe .
1⤵
PID:336
- C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
  C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe .
  2⤵
  PID:1724
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\ytonhatmkfcxuomsvfmhc.exe*."
    3⤵
    PID:1916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpifxofwslgzumimnva.exe
1⤵
PID:2156
- C:\Windows\wpifxofwslgzumimnva.exe
  wpifxofwslgzumimnva.exe
  2⤵
  PID:2020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpifxofwslgzumimnva.exe .
1⤵
PID:5028
- C:\Windows\wpifxofwslgzumimnva.exe
  wpifxofwslgzumimnva.exe .
  2⤵
  PID:5740
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\wpifxofwslgzumimnva.exe*."
    3⤵
    PID:4724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctkfvkzoizsjcsmon.exe
1⤵
PID:5292
- C:\Windows\ctkfvkzoizsjcsmon.exe
  ctkfvkzoizsjcsmon.exe
  2⤵
  PID:4928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vlbvkymatjbrjyrs.exe
1⤵
PID:4132
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5192
- C:\Windows\vlbvkymatjbrjyrs.exe
  vlbvkymatjbrjyrs.exe
  2⤵
  PID:392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ytonhatmkfcxuomsvfmhc.exe .
1⤵
PID:5432
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5444
- C:\Windows\ytonhatmkfcxuomsvfmhc.exe
  ytonhatmkfcxuomsvfmhc.exe .
  2⤵
  PID:2908
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ytonhatmkfcxuomsvfmhc.exe*."
    3⤵
    PID:4060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpifxofwslgzumimnva.exe .
1⤵
PID:3500
- C:\Windows\wpifxofwslgzumimnva.exe
  wpifxofwslgzumimnva.exe .
  2⤵
  PID:3220
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\wpifxofwslgzumimnva.exe*."
    3⤵
    PID:6080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe
1⤵
PID:5548
- C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe
  2⤵
  PID:1048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jdxvogyqnhdxtmjoqzfz.exe
1⤵
PID:1076
- C:\Windows\jdxvogyqnhdxtmjoqzfz.exe
  jdxvogyqnhdxtmjoqzfz.exe
  2⤵
  PID:228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe .
1⤵
PID:2528
- C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe .
  2⤵
  PID:5248
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\vlbvkymatjbrjyrs.exe*."
    3⤵
    PID:652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctkfvkzoizsjcsmon.exe
1⤵
PID:5708
- C:\Windows\ctkfvkzoizsjcsmon.exe
  ctkfvkzoizsjcsmon.exe
  2⤵
  PID:1580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpifxofwslgzumimnva.exe .
1⤵
PID:5308
- C:\Windows\wpifxofwslgzumimnva.exe
  wpifxofwslgzumimnva.exe .
  2⤵
  PID:4720
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\wpifxofwslgzumimnva.exe*."
    3⤵
    PID:4560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctkfvkzoizsjcsmon.exe .
1⤵
PID:1968
- C:\Windows\ctkfvkzoizsjcsmon.exe
  ctkfvkzoizsjcsmon.exe .
  2⤵
  PID:1224
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ctkfvkzoizsjcsmon.exe*."
    3⤵
    PID:3788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe
1⤵
PID:1476
- C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe
  2⤵
  PID:224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe
1⤵
PID:2960
- C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe
  C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe
  2⤵
  PID:2228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vlbvkymatjbrjyrs.exe
1⤵
PID:2220
- C:\Windows\vlbvkymatjbrjyrs.exe
  vlbvkymatjbrjyrs.exe
  2⤵
  PID:2320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe .
1⤵
PID:4980
- C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe
  C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe .
  2⤵
  PID:2024
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\wpifxofwslgzumimnva.exe*."
    3⤵
    PID:1932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe .
1⤵
PID:808
- C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
  C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe .
  2⤵
  PID:4784
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\ytonhatmkfcxuomsvfmhc.exe*."
    3⤵
    PID:5036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctkfvkzoizsjcsmon.exe .
1⤵
PID:1280
- C:\Windows\ctkfvkzoizsjcsmon.exe
  ctkfvkzoizsjcsmon.exe .
  2⤵
  PID:5560
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ctkfvkzoizsjcsmon.exe*."
    3⤵
    PID:5500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe
1⤵
PID:60
- C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe
  C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe
  2⤵
  PID:5016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe
1⤵
PID:1360
- C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe
  C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe
  2⤵
  PID:5996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe .
1⤵
PID:3100
- C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe
  C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe .
  2⤵
  PID:2276
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\wpifxofwslgzumimnva.exe*."
    3⤵
    PID:3576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe .
1⤵
PID:1552
- C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe .
  2⤵
  PID:4244
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\ldvriyoezrldxojmmt.exe*."
    3⤵
    PID:2904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe
1⤵
PID:5208
- C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe
  2⤵
  PID:1568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe .
1⤵
PID:5396
- C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe .
  2⤵
  PID:4732
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\ldvriyoezrldxojmmt.exe*."
    3⤵
    PID:4656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpifxofwslgzumimnva.exe
1⤵
PID:3332
- C:\Windows\wpifxofwslgzumimnva.exe
  wpifxofwslgzumimnva.exe
  2⤵
  PID:5312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vlbvkymatjbrjyrs.exe .
1⤵
PID:4580
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:424
- C:\Windows\vlbvkymatjbrjyrs.exe
  vlbvkymatjbrjyrs.exe .
  2⤵
  PID:4760
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\vlbvkymatjbrjyrs.exe*."
    3⤵
    PID:2036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ytonhatmkfcxuomsvfmhc.exe
1⤵
PID:1516
- C:\Windows\ytonhatmkfcxuomsvfmhc.exe
  ytonhatmkfcxuomsvfmhc.exe
  2⤵
  PID:4724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ldvriyoezrldxojmmt.exe .
1⤵
PID:6120
- C:\Windows\ldvriyoezrldxojmmt.exe
  ldvriyoezrldxojmmt.exe .
  2⤵
  PID:5484
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ldvriyoezrldxojmmt.exe*."
    3⤵
    PID:3216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe
1⤵
PID:3972
- C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe
  C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe
  2⤵
  PID:4764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe .
1⤵
PID:3724
- C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe
  C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe .
  2⤵
  PID:812
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\wpifxofwslgzumimnva.exe*."
    3⤵
    PID:3988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe
1⤵
PID:3596
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4824
- C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe
  2⤵
  PID:3588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe .
1⤵
PID:2032
- C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe
  C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe .
  2⤵
  PID:6024
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\wpifxofwslgzumimnva.exe*."
    3⤵
    PID:1524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jdxvogyqnhdxtmjoqzfz.exe
1⤵
PID:2452
- C:\Windows\jdxvogyqnhdxtmjoqzfz.exe
  jdxvogyqnhdxtmjoqzfz.exe
  2⤵
  PID:2192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vlbvkymatjbrjyrs.exe .
1⤵
PID:2544
- C:\Windows\vlbvkymatjbrjyrs.exe
  vlbvkymatjbrjyrs.exe .
  2⤵
  PID:3540
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\vlbvkymatjbrjyrs.exe*."
    3⤵
    PID:2320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ytonhatmkfcxuomsvfmhc.exe
1⤵
PID:1844
- C:\Windows\ytonhatmkfcxuomsvfmhc.exe
  ytonhatmkfcxuomsvfmhc.exe
  2⤵
  PID:888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpifxofwslgzumimnva.exe .
1⤵
PID:1720
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3236
- C:\Windows\wpifxofwslgzumimnva.exe
  wpifxofwslgzumimnva.exe .
  2⤵
  PID:4848
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\wpifxofwslgzumimnva.exe*."
    3⤵
    PID:1392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe
1⤵
PID:5840
- C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe
  2⤵
  PID:4956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe .
1⤵
PID:892
- C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe
  C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe .
  2⤵
  PID:4112
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\wpifxofwslgzumimnva.exe*."
    3⤵
    PID:1540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
1⤵
PID:4348
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1604
- C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
  2⤵
  PID:1876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe .
1⤵
PID:2596
- C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
  C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe .
  2⤵
  PID:4464
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\ytonhatmkfcxuomsvfmhc.exe*."
    3⤵
    PID:1568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ytonhatmkfcxuomsvfmhc.exe
1⤵
PID:2532
- C:\Windows\ytonhatmkfcxuomsvfmhc.exe
  ytonhatmkfcxuomsvfmhc.exe
  2⤵
  PID:3944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpifxofwslgzumimnva.exe .
1⤵
PID:368
- C:\Windows\wpifxofwslgzumimnva.exe
  wpifxofwslgzumimnva.exe .
  2⤵
  PID:5776
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\wpifxofwslgzumimnva.exe*."
    3⤵
    PID:3576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ytonhatmkfcxuomsvfmhc.exe
1⤵
PID:2288
- C:\Windows\ytonhatmkfcxuomsvfmhc.exe
  ytonhatmkfcxuomsvfmhc.exe
  2⤵
  PID:4444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jdxvogyqnhdxtmjoqzfz.exe .
1⤵
PID:5636
- C:\Windows\jdxvogyqnhdxtmjoqzfz.exe
  jdxvogyqnhdxtmjoqzfz.exe .
  2⤵
  PID:1632
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\jdxvogyqnhdxtmjoqzfz.exe*."
    3⤵
    PID:5368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
1⤵
PID:5044
- C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
  2⤵
  PID:4968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe .
1⤵
PID:4716
- C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe .
  2⤵
  PID:5900
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\ctkfvkzoizsjcsmon.exe*."
    3⤵
    PID:5684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
1⤵
PID:5976
- C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
  C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
  2⤵
  PID:4768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe .
1⤵
PID:5248
- C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe .
  2⤵
  PID:5312
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\vlbvkymatjbrjyrs.exe*."
    3⤵
    PID:4884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctkfvkzoizsjcsmon.exe
1⤵
PID:5360
- C:\Windows\ctkfvkzoizsjcsmon.exe
  ctkfvkzoizsjcsmon.exe
  2⤵
  PID:2964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctkfvkzoizsjcsmon.exe .
1⤵
PID:4724
- C:\Windows\ctkfvkzoizsjcsmon.exe
  ctkfvkzoizsjcsmon.exe .
  2⤵
  PID:1516
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ctkfvkzoizsjcsmon.exe*."
    3⤵
    PID:548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpifxofwslgzumimnva.exe
1⤵
PID:4412
- C:\Windows\wpifxofwslgzumimnva.exe
  wpifxofwslgzumimnva.exe
  2⤵
  PID:4692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vlbvkymatjbrjyrs.exe .
1⤵
PID:5484
- C:\Windows\vlbvkymatjbrjyrs.exe
  vlbvkymatjbrjyrs.exe .
  2⤵
  PID:5028
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\vlbvkymatjbrjyrs.exe*."
    3⤵
    PID:5796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe
1⤵
PID:5980
- C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe
  C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe
  2⤵
  PID:1580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe .
1⤵
PID:6132
- C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
  C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe .
  2⤵
  PID:2952
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\ytonhatmkfcxuomsvfmhc.exe*."
    3⤵
    PID:1744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe
1⤵
PID:4508
- C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe
  2⤵
  PID:4164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe .
1⤵
PID:1032
- C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe
  C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe .
  2⤵
  PID:1344
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\wpifxofwslgzumimnva.exe*."
    3⤵
    PID:3600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ytonhatmkfcxuomsvfmhc.exe
1⤵
PID:1764
- C:\Windows\ytonhatmkfcxuomsvfmhc.exe
  ytonhatmkfcxuomsvfmhc.exe
  2⤵
  PID:1400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpifxofwslgzumimnva.exe .
1⤵
PID:1920
- C:\Windows\wpifxofwslgzumimnva.exe
  wpifxofwslgzumimnva.exe .
  2⤵
  PID:2404
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\wpifxofwslgzumimnva.exe*."
    3⤵
    PID:5032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctkfvkzoizsjcsmon.exe
1⤵
PID:1080
- C:\Windows\ctkfvkzoizsjcsmon.exe
  ctkfvkzoizsjcsmon.exe
  2⤵
  PID:4560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctkfvkzoizsjcsmon.exe .
1⤵
PID:4956
- C:\Windows\ctkfvkzoizsjcsmon.exe
  ctkfvkzoizsjcsmon.exe .
  2⤵
  PID:1392
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ctkfvkzoizsjcsmon.exe*."
    3⤵
    PID:2176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe
1⤵
PID:5568
- C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe
  C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe
  2⤵
  PID:4396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe .
1⤵
PID:5240
- C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe .
  2⤵
  PID:4404
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\ldvriyoezrldxojmmt.exe*."
    3⤵
    PID:5416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe
1⤵
PID:2208
- C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe
  C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe
  2⤵
  PID:5116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe .
1⤵
PID:3492
- C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe
  C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe .
  2⤵
  PID:4388
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\jdxvogyqnhdxtmjoqzfz.exe*."
    3⤵
    PID:4676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ldvriyoezrldxojmmt.exe
1⤵
PID:3348
- C:\Windows\ldvriyoezrldxojmmt.exe
  ldvriyoezrldxojmmt.exe
  2⤵
  PID:4996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ldvriyoezrldxojmmt.exe .
1⤵
PID:4980
- C:\Windows\ldvriyoezrldxojmmt.exe
  ldvriyoezrldxojmmt.exe .
  2⤵
  PID:5632
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ldvriyoezrldxojmmt.exe*."
    3⤵
    PID:5556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jdxvogyqnhdxtmjoqzfz.exe
1⤵
PID:3576
- C:\Windows\jdxvogyqnhdxtmjoqzfz.exe
  jdxvogyqnhdxtmjoqzfz.exe
  2⤵
  PID:2076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ytonhatmkfcxuomsvfmhc.exe
1⤵
PID:5412
- C:\Windows\ytonhatmkfcxuomsvfmhc.exe
  ytonhatmkfcxuomsvfmhc.exe
  2⤵
  PID:1388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ytonhatmkfcxuomsvfmhc.exe .
1⤵
PID:4732
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4256
- C:\Windows\ytonhatmkfcxuomsvfmhc.exe
  ytonhatmkfcxuomsvfmhc.exe .
  2⤵
  PID:4252
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ytonhatmkfcxuomsvfmhc.exe*."
    3⤵
    PID:5080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ytonhatmkfcxuomsvfmhc.exe .
1⤵
PID:2904
- C:\Windows\ytonhatmkfcxuomsvfmhc.exe
  ytonhatmkfcxuomsvfmhc.exe .
  2⤵
  PID:3304
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ytonhatmkfcxuomsvfmhc.exe*."
    3⤵
    PID:2488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe
1⤵
PID:3052
- C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe
  2⤵
  PID:904

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe .
1⤵
PID:1988
- C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe
  C:\Users\Admin\AppData\Local\Temp\jdxvogyqnhdxtmjoqzfz.exe .
  2⤵
  PID:1660
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\jdxvogyqnhdxtmjoqzfz.exe*."
    3⤵
    PID:6084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctkfvkzoizsjcsmon.exe
1⤵
PID:3628
- C:\Windows\ctkfvkzoizsjcsmon.exe
  ctkfvkzoizsjcsmon.exe
  2⤵
  PID:4904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ytonhatmkfcxuomsvfmhc.exe
1⤵
PID:1320
- C:\Windows\ytonhatmkfcxuomsvfmhc.exe
  ytonhatmkfcxuomsvfmhc.exe
  2⤵
  PID:5376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctkfvkzoizsjcsmon.exe .
1⤵
PID:1264
- C:\Windows\ctkfvkzoizsjcsmon.exe
  ctkfvkzoizsjcsmon.exe .
  2⤵
  PID:3812
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ctkfvkzoizsjcsmon.exe*."
    3⤵
    PID:1476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vlbvkymatjbrjyrs.exe .
1⤵
PID:3948
- C:\Windows\vlbvkymatjbrjyrs.exe
  vlbvkymatjbrjyrs.exe .
  2⤵
  PID:5216
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\vlbvkymatjbrjyrs.exe*."
    3⤵
    PID:4040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
1⤵
PID:5232
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2036
- C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
  2⤵
  PID:2028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
1⤵
PID:5852
- C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
  2⤵
  PID:6112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe .
1⤵
PID:1144
- C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\ctkfvkzoizsjcsmon.exe .
  2⤵
  PID:5052
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\ctkfvkzoizsjcsmon.exe*."
    3⤵
    PID:888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe .
1⤵
PID:3216
- C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\vlbvkymatjbrjyrs.exe .
  2⤵
  PID:1784
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\vlbvkymatjbrjyrs.exe*."
    3⤵
    PID:2320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jdxvogyqnhdxtmjoqzfz.exe
1⤵
PID:5548
- C:\Windows\jdxvogyqnhdxtmjoqzfz.exe
  jdxvogyqnhdxtmjoqzfz.exe
  2⤵
  PID:5756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ytonhatmkfcxuomsvfmhc.exe .
1⤵
PID:5984
- C:\Windows\ytonhatmkfcxuomsvfmhc.exe
  ytonhatmkfcxuomsvfmhc.exe .
  2⤵
  PID:552
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ytonhatmkfcxuomsvfmhc.exe*."
    3⤵
    PID:1920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
1⤵
PID:3724
- C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
  C:\Users\Admin\AppData\Local\Temp\ytonhatmkfcxuomsvfmhc.exe
  2⤵
  PID:5148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe
1⤵
PID:4864
- C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe
  C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe
  2⤵
  PID:2612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe .
1⤵
PID:5444
- C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\ldvriyoezrldxojmmt.exe .
  2⤵
  PID:3392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe .
1⤵
PID:1032
- C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe
  C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe .
  2⤵
  PID:5260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe
1⤵
PID:1712
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:876
- C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe
  C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe
  2⤵
  PID:1928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpifxofwslgzumimnva.exe .
1⤵
PID:5608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Safe Mode Boot

T1562.009

Modify Registry