pykspa | 57c1e030441de1e230a0b4eccf9283b469684ebfa6835230435abfb26c94de74

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	ddnpy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	ddnpy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vcmnxryrfmw.exe

Pykspa
Pykspa is a worm spreads via Skype uses DGA and it's written in C++.
worm pykspa
Pykspa family
pykspa

UAC bypass 3 TTPs 28 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ddnpy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ddnpy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ddnpy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ddnpy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ddnpy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ddnpy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ddnpy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ddnpy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe

Detect Pykspa worm 2 IoCs

worm

resource	yara_rule
behavioral2/files/0x000a0000000227cb-4.dat	family_pykspa
behavioral2/files/0x000900000002429f-85.dat	family_pykspa

Adds policy Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbufxfxkvjcmzd = "odctrfdwnhgwpzsvlnkz.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vbrzotisalb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dttlkzyskffwqbvzqtrhh.exe"	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vbrzotisalb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\algtnxrgtjeqflaz.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbufxfxkvjcmzd = "bpndankcsljyqzrtijf.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbufxfxkvjcmzd = "odctrfdwnhgwpzsvlnkz.exe"	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbufxfxkvjcmzd = "htpdyjeuizviyfvvi.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vbrzotisalb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dttlkzyskffwqbvzqtrhh.exe"	ddnpy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbufxfxkvjcmzd = "qdaplxtkzroctbsthh.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vbrzotisalb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dttlkzyskffwqbvzqtrhh.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vbrzotisalb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\htpdyjeuizviyfvvi.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vbrzotisalb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\algtnxrgtjeqflaz.exe"	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vbrzotisalb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qdaplxtkzroctbsthh.exe"	ddnpy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbufxfxkvjcmzd = "qdaplxtkzroctbsthh.exe"	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbufxfxkvjcmzd = "bpndankcsljyqzrtijf.exe"	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ddnpy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vbrzotisalb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qdaplxtkzroctbsthh.exe"	ddnpy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vbrzotisalb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\algtnxrgtjeqflaz.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vbrzotisalb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dttlkzyskffwqbvzqtrhh.exe"	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vbrzotisalb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\odctrfdwnhgwpzsvlnkz.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vbrzotisalb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpndankcsljyqzrtijf.exe"	ddnpy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbufxfxkvjcmzd = "qdaplxtkzroctbsthh.exe"	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vbrzotisalb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpndankcsljyqzrtijf.exe"	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vbrzotisalb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpndankcsljyqzrtijf.exe"	ddnpy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbufxfxkvjcmzd = "qdaplxtkzroctbsthh.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbufxfxkvjcmzd = "qdaplxtkzroctbsthh.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbufxfxkvjcmzd = "algtnxrgtjeqflaz.exe"	ddnpy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbufxfxkvjcmzd = "dttlkzyskffwqbvzqtrhh.exe"	ddnpy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vbrzotisalb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpndankcsljyqzrtijf.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbufxfxkvjcmzd = "bpndankcsljyqzrtijf.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbufxfxkvjcmzd = "qdaplxtkzroctbsthh.exe"	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbufxfxkvjcmzd = "dttlkzyskffwqbvzqtrhh.exe"	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbufxfxkvjcmzd = "bpndankcsljyqzrtijf.exe"	ddnpy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vbrzotisalb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\htpdyjeuizviyfvvi.exe"	ddnpy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vbrzotisalb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\htpdyjeuizviyfvvi.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vbrzotisalb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\odctrfdwnhgwpzsvlnkz.exe"	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbufxfxkvjcmzd = "odctrfdwnhgwpzsvlnkz.exe"	ddnpy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vbrzotisalb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\odctrfdwnhgwpzsvlnkz.exe"	ddnpy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbufxfxkvjcmzd = "htpdyjeuizviyfvvi.exe"	ddnpy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbufxfxkvjcmzd = "dttlkzyskffwqbvzqtrhh.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbufxfxkvjcmzd = "algtnxrgtjeqflaz.exe"	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vbrzotisalb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\algtnxrgtjeqflaz.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbufxfxkvjcmzd = "odctrfdwnhgwpzsvlnkz.exe"	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ddnpy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vbrzotisalb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\algtnxrgtjeqflaz.exe"	ddnpy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vbrzotisalb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpndankcsljyqzrtijf.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vbrzotisalb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\odctrfdwnhgwpzsvlnkz.exe"	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vbrzotisalb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\algtnxrgtjeqflaz.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbufxfxkvjcmzd = "qdaplxtkzroctbsthh.exe"	vcmnxryrfmw.exe

Blocklisted process makes network request 5 IoCs

flow	pid	Process
52	2756	Process not Found
71	2756	Process not Found
74	2756	Process not Found
78	2756	Process not Found
80	2756	Process not Found

Disables RegEdit via registry modification 6 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ddnpy.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ddnpy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ddnpy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ddnpy.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	bpndankcsljyqzrtijf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	odctrfdwnhgwpzsvlnkz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	dttlkzyskffwqbvzqtrhh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	odctrfdwnhgwpzsvlnkz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	dttlkzyskffwqbvzqtrhh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	algtnxrgtjeqflaz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	qdaplxtkzroctbsthh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	odctrfdwnhgwpzsvlnkz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	qdaplxtkzroctbsthh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	odctrfdwnhgwpzsvlnkz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	odctrfdwnhgwpzsvlnkz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	algtnxrgtjeqflaz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	dttlkzyskffwqbvzqtrhh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	htpdyjeuizviyfvvi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	htpdyjeuizviyfvvi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	dttlkzyskffwqbvzqtrhh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	htpdyjeuizviyfvvi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	htpdyjeuizviyfvvi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	dttlkzyskffwqbvzqtrhh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	htpdyjeuizviyfvvi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	bpndankcsljyqzrtijf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	dttlkzyskffwqbvzqtrhh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	qdaplxtkzroctbsthh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	bpndankcsljyqzrtijf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	algtnxrgtjeqflaz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	qdaplxtkzroctbsthh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	bpndankcsljyqzrtijf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	algtnxrgtjeqflaz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	JaffaCakes118_93a2d78d1b178d991888ab31fafd86eb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	qdaplxtkzroctbsthh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	dttlkzyskffwqbvzqtrhh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	vcmnxryrfmw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	bpndankcsljyqzrtijf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	qdaplxtkzroctbsthh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	htpdyjeuizviyfvvi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	qdaplxtkzroctbsthh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	htpdyjeuizviyfvvi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	dttlkzyskffwqbvzqtrhh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	dttlkzyskffwqbvzqtrhh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	bpndankcsljyqzrtijf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	dttlkzyskffwqbvzqtrhh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	htpdyjeuizviyfvvi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	htpdyjeuizviyfvvi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	algtnxrgtjeqflaz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	algtnxrgtjeqflaz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	odctrfdwnhgwpzsvlnkz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	dttlkzyskffwqbvzqtrhh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	odctrfdwnhgwpzsvlnkz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	htpdyjeuizviyfvvi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	bpndankcsljyqzrtijf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	dttlkzyskffwqbvzqtrhh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	dttlkzyskffwqbvzqtrhh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	dttlkzyskffwqbvzqtrhh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	bpndankcsljyqzrtijf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	bpndankcsljyqzrtijf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	qdaplxtkzroctbsthh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	odctrfdwnhgwpzsvlnkz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	qdaplxtkzroctbsthh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	algtnxrgtjeqflaz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	algtnxrgtjeqflaz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	qdaplxtkzroctbsthh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	qdaplxtkzroctbsthh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	odctrfdwnhgwpzsvlnkz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	bpndankcsljyqzrtijf.exe

Executes dropped EXE 64 IoCs

pid	Process
1960	vcmnxryrfmw.exe
5132	dttlkzyskffwqbvzqtrhh.exe
1940	dttlkzyskffwqbvzqtrhh.exe
5144	vcmnxryrfmw.exe
632	dttlkzyskffwqbvzqtrhh.exe
3940	bpndankcsljyqzrtijf.exe
4904	bpndankcsljyqzrtijf.exe
5604	vcmnxryrfmw.exe
5136	dttlkzyskffwqbvzqtrhh.exe
408	vcmnxryrfmw.exe
5644	odctrfdwnhgwpzsvlnkz.exe
1864	qdaplxtkzroctbsthh.exe
2096	vcmnxryrfmw.exe
6124	ddnpy.exe
668	ddnpy.exe
880	algtnxrgtjeqflaz.exe
4216	algtnxrgtjeqflaz.exe
5716	htpdyjeuizviyfvvi.exe
4072	htpdyjeuizviyfvvi.exe
5512	vcmnxryrfmw.exe
5380	dttlkzyskffwqbvzqtrhh.exe
448	vcmnxryrfmw.exe
4680	bpndankcsljyqzrtijf.exe
1500	algtnxrgtjeqflaz.exe
4736	htpdyjeuizviyfvvi.exe
4812	vcmnxryrfmw.exe
4752	algtnxrgtjeqflaz.exe
4880	qdaplxtkzroctbsthh.exe
1396	qdaplxtkzroctbsthh.exe
5056	odctrfdwnhgwpzsvlnkz.exe
1420	vcmnxryrfmw.exe
5136	vcmnxryrfmw.exe
4448	algtnxrgtjeqflaz.exe
5676	vcmnxryrfmw.exe
5592	algtnxrgtjeqflaz.exe
5792	bpndankcsljyqzrtijf.exe
3704	algtnxrgtjeqflaz.exe
3256	bpndankcsljyqzrtijf.exe
6056	vcmnxryrfmw.exe
5952	vcmnxryrfmw.exe
4428	qdaplxtkzroctbsthh.exe
6040	vcmnxryrfmw.exe
1000	dttlkzyskffwqbvzqtrhh.exe
4900	bpndankcsljyqzrtijf.exe
2500	bpndankcsljyqzrtijf.exe
3752	vcmnxryrfmw.exe
3336	htpdyjeuizviyfvvi.exe
3564	vcmnxryrfmw.exe
5380	qdaplxtkzroctbsthh.exe
3792	odctrfdwnhgwpzsvlnkz.exe
5416	vcmnxryrfmw.exe
5424	bpndankcsljyqzrtijf.exe
4832	dttlkzyskffwqbvzqtrhh.exe
4460	odctrfdwnhgwpzsvlnkz.exe
4516	vcmnxryrfmw.exe
1404	htpdyjeuizviyfvvi.exe
5256	dttlkzyskffwqbvzqtrhh.exe
4676	htpdyjeuizviyfvvi.exe
1852	bpndankcsljyqzrtijf.exe
3480	algtnxrgtjeqflaz.exe
1924	dttlkzyskffwqbvzqtrhh.exe
2124	vcmnxryrfmw.exe
6140	vcmnxryrfmw.exe
2964	algtnxrgtjeqflaz.exe

Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	ddnpy.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	ddnpy.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	ddnpy.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	ddnpy.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	ddnpy.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	ddnpy.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

defense_evasion persistence privilege_escalation

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\szqzpvlwfriq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpndankcsljyqzrtijf.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\szqzpvlwfriq = "htpdyjeuizviyfvvi.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qdaplxtkzroctbsthh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\algtnxrgtjeqflaz.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\szqzpvlwfriq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dttlkzyskffwqbvzqtrhh.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vfzlengugvpaoth = "dttlkzyskffwqbvzqtrhh.exe"	ddnpy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rzrbszqcmzram = "bpndankcsljyqzrtijf.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vfzlengugvpaoth = "dttlkzyskffwqbvzqtrhh.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rzrbszqcmzram = "qdaplxtkzroctbsthh.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\algtnxrgtjeqflaz = "odctrfdwnhgwpzsvlnkz.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\htpdyjeuizviyfvvi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\algtnxrgtjeqflaz.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\algtnxrgtjeqflaz = "htpdyjeuizviyfvvi.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vfzlengugvpaoth = "bpndankcsljyqzrtijf.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rzrbszqcmzram = "C:\\Users\\Admin\\AppData\\Local\\Temp\\odctrfdwnhgwpzsvlnkz.exe ."	ddnpy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rzrbszqcmzram = "htpdyjeuizviyfvvi.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rzrbszqcmzram = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dttlkzyskffwqbvzqtrhh.exe ."	ddnpy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\htpdyjeuizviyfvvi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\odctrfdwnhgwpzsvlnkz.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\szqzpvlwfriq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\algtnxrgtjeqflaz.exe"	ddnpy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\szqzpvlwfriq = "bpndankcsljyqzrtijf.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rzrbszqcmzram = "C:\\Users\\Admin\\AppData\\Local\\Temp\\odctrfdwnhgwpzsvlnkz.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rzrbszqcmzram = "algtnxrgtjeqflaz.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\szqzpvlwfriq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\algtnxrgtjeqflaz.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\algtnxrgtjeqflaz = "algtnxrgtjeqflaz.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\szqzpvlwfriq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpndankcsljyqzrtijf.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\htpdyjeuizviyfvvi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\htpdyjeuizviyfvvi.exe ."	ddnpy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rzrbszqcmzram = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dttlkzyskffwqbvzqtrhh.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rzrbszqcmzram = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpndankcsljyqzrtijf.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vfzlengugvpaoth = "htpdyjeuizviyfvvi.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vfzlengugvpaoth = "dttlkzyskffwqbvzqtrhh.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qdaplxtkzroctbsthh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\odctrfdwnhgwpzsvlnkz.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\htpdyjeuizviyfvvi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\algtnxrgtjeqflaz.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\algtnxrgtjeqflaz = "qdaplxtkzroctbsthh.exe ."	ddnpy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\algtnxrgtjeqflaz = "qdaplxtkzroctbsthh.exe ."	ddnpy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\szqzpvlwfriq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpndankcsljyqzrtijf.exe"	ddnpy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\szqzpvlwfriq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\odctrfdwnhgwpzsvlnkz.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rzrbszqcmzram = "dttlkzyskffwqbvzqtrhh.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\htpdyjeuizviyfvvi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dttlkzyskffwqbvzqtrhh.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rzrbszqcmzram = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qdaplxtkzroctbsthh.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rzrbszqcmzram = "C:\\Users\\Admin\\AppData\\Local\\Temp\\algtnxrgtjeqflaz.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rzrbszqcmzram = "dttlkzyskffwqbvzqtrhh.exe ."	ddnpy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rzrbszqcmzram = "C:\\Users\\Admin\\AppData\\Local\\Temp\\algtnxrgtjeqflaz.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qdaplxtkzroctbsthh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\odctrfdwnhgwpzsvlnkz.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\szqzpvlwfriq = "bpndankcsljyqzrtijf.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rzrbszqcmzram = "htpdyjeuizviyfvvi.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qdaplxtkzroctbsthh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\algtnxrgtjeqflaz.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\htpdyjeuizviyfvvi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dttlkzyskffwqbvzqtrhh.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\algtnxrgtjeqflaz = "bpndankcsljyqzrtijf.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\szqzpvlwfriq = "bpndankcsljyqzrtijf.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\szqzpvlwfriq = "odctrfdwnhgwpzsvlnkz.exe"	ddnpy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vfzlengugvpaoth = "odctrfdwnhgwpzsvlnkz.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rzrbszqcmzram = "algtnxrgtjeqflaz.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vfzlengugvpaoth = "odctrfdwnhgwpzsvlnkz.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vfzlengugvpaoth = "qdaplxtkzroctbsthh.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vfzlengugvpaoth = "algtnxrgtjeqflaz.exe"	ddnpy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vfzlengugvpaoth = "qdaplxtkzroctbsthh.exe"	ddnpy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\szqzpvlwfriq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qdaplxtkzroctbsthh.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\algtnxrgtjeqflaz = "odctrfdwnhgwpzsvlnkz.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\htpdyjeuizviyfvvi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dttlkzyskffwqbvzqtrhh.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\szqzpvlwfriq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qdaplxtkzroctbsthh.exe"	ddnpy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rzrbszqcmzram = "C:\\Users\\Admin\\AppData\\Local\\Temp\\algtnxrgtjeqflaz.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\szqzpvlwfriq = "dttlkzyskffwqbvzqtrhh.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rzrbszqcmzram = "C:\\Users\\Admin\\AppData\\Local\\Temp\\algtnxrgtjeqflaz.exe ."	ddnpy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vfzlengugvpaoth = "dttlkzyskffwqbvzqtrhh.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rzrbszqcmzram = "algtnxrgtjeqflaz.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qdaplxtkzroctbsthh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\odctrfdwnhgwpzsvlnkz.exe"	vcmnxryrfmw.exe

Checks whether UAC is enabled 1 TTPs 38 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ddnpy.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vcmnxryrfmw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vcmnxryrfmw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vcmnxryrfmw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ddnpy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ddnpy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ddnpy.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vcmnxryrfmw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vcmnxryrfmw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vcmnxryrfmw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vcmnxryrfmw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vcmnxryrfmw.exe

Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs

Possible Turn off User Account Control's privilege elevation for standard users.

Executable Installer File Permissions Weakness

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	ddnpy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	ddnpy.exe

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
48	www.whatismyip.ca
23	www.showmyipaddress.com
31	www.whatismyip.ca
36	whatismyipaddress.com
39	whatismyip.everdot.org
41	whatismyip.everdot.org

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\bpndankcsljyqzrtijf.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\bpndankcsljyqzrtijf.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\qdaplxtkzroctbsthh.exe	ddnpy.exe
File created	C:\Windows\SysWOW64\nlttaxeggjrqslnzyjpnvvczg.ilt	ddnpy.exe
File opened for modification	C:\Windows\SysWOW64\ulmffvvqjfgytfafxbarsl.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\bpndankcsljyqzrtijf.exe	ddnpy.exe
File opened for modification	C:\Windows\SysWOW64\qdaplxtkzroctbsthh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\htpdyjeuizviyfvvi.exe	ddnpy.exe
File opened for modification	C:\Windows\SysWOW64\algtnxrgtjeqflaz.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\dttlkzyskffwqbvzqtrhh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\ulmffvvqjfgytfafxbarsl.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\bpndankcsljyqzrtijf.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\htpdyjeuizviyfvvi.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\odctrfdwnhgwpzsvlnkz.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\bpndankcsljyqzrtijf.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\dttlkzyskffwqbvzqtrhh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\qdaplxtkzroctbsthh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\bpndankcsljyqzrtijf.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\htpdyjeuizviyfvvi.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\dttlkzyskffwqbvzqtrhh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\algtnxrgtjeqflaz.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\algtnxrgtjeqflaz.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\htpdyjeuizviyfvvi.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\bpndankcsljyqzrtijf.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\ulmffvvqjfgytfafxbarsl.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\htpdyjeuizviyfvvi.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\htpdyjeuizviyfvvi.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\odctrfdwnhgwpzsvlnkz.exe	ddnpy.exe
File opened for modification	C:\Windows\SysWOW64\bpndankcsljyqzrtijf.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\ulmffvvqjfgytfafxbarsl.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\dttlkzyskffwqbvzqtrhh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\algtnxrgtjeqflaz.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\ulmffvvqjfgytfafxbarsl.exe	vcmnxryrfmw.exe
File created	C:\Windows\SysWOW64\sbufxfxkvjcmzdqnxtktmxpxpcnbuervifpl.lep	ddnpy.exe
File opened for modification	C:\Windows\SysWOW64\odctrfdwnhgwpzsvlnkz.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\dttlkzyskffwqbvzqtrhh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\ulmffvvqjfgytfafxbarsl.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\bpndankcsljyqzrtijf.exe	ddnpy.exe
File opened for modification	C:\Windows\SysWOW64\algtnxrgtjeqflaz.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\qdaplxtkzroctbsthh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\dttlkzyskffwqbvzqtrhh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\odctrfdwnhgwpzsvlnkz.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\odctrfdwnhgwpzsvlnkz.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\bpndankcsljyqzrtijf.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\ulmffvvqjfgytfafxbarsl.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\qdaplxtkzroctbsthh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\algtnxrgtjeqflaz.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\htpdyjeuizviyfvvi.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\bpndankcsljyqzrtijf.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\ulmffvvqjfgytfafxbarsl.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\dttlkzyskffwqbvzqtrhh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\ulmffvvqjfgytfafxbarsl.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\algtnxrgtjeqflaz.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\bpndankcsljyqzrtijf.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\dttlkzyskffwqbvzqtrhh.exe	ddnpy.exe
File opened for modification	C:\Windows\SysWOW64\ulmffvvqjfgytfafxbarsl.exe	ddnpy.exe
File opened for modification	C:\Windows\SysWOW64\algtnxrgtjeqflaz.exe	ddnpy.exe
File opened for modification	C:\Windows\SysWOW64\dttlkzyskffwqbvzqtrhh.exe	ddnpy.exe
File opened for modification	C:\Windows\SysWOW64\odctrfdwnhgwpzsvlnkz.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\bpndankcsljyqzrtijf.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\bpndankcsljyqzrtijf.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\odctrfdwnhgwpzsvlnkz.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\dttlkzyskffwqbvzqtrhh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\odctrfdwnhgwpzsvlnkz.exe	vcmnxryrfmw.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\nlttaxeggjrqslnzyjpnvvczg.ilt	ddnpy.exe
File created	C:\Program Files (x86)\nlttaxeggjrqslnzyjpnvvczg.ilt	ddnpy.exe
File opened for modification	C:\Program Files (x86)\sbufxfxkvjcmzdqnxtktmxpxpcnbuervifpl.lep	ddnpy.exe
File created	C:\Program Files (x86)\sbufxfxkvjcmzdqnxtktmxpxpcnbuervifpl.lep	ddnpy.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\bpndankcsljyqzrtijf.exe	ddnpy.exe
File opened for modification	C:\Windows\htpdyjeuizviyfvvi.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\odctrfdwnhgwpzsvlnkz.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\htpdyjeuizviyfvvi.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\algtnxrgtjeqflaz.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\algtnxrgtjeqflaz.exe	ddnpy.exe
File opened for modification	C:\Windows\ulmffvvqjfgytfafxbarsl.exe	ddnpy.exe
File opened for modification	C:\Windows\qdaplxtkzroctbsthh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\algtnxrgtjeqflaz.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\ulmffvvqjfgytfafxbarsl.exe	ddnpy.exe
File opened for modification	C:\Windows\dttlkzyskffwqbvzqtrhh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\odctrfdwnhgwpzsvlnkz.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\ulmffvvqjfgytfafxbarsl.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\odctrfdwnhgwpzsvlnkz.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\dttlkzyskffwqbvzqtrhh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\bpndankcsljyqzrtijf.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\odctrfdwnhgwpzsvlnkz.exe	ddnpy.exe
File opened for modification	C:\Windows\bpndankcsljyqzrtijf.exe	ddnpy.exe
File opened for modification	C:\Windows\algtnxrgtjeqflaz.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\odctrfdwnhgwpzsvlnkz.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\algtnxrgtjeqflaz.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\ulmffvvqjfgytfafxbarsl.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\dttlkzyskffwqbvzqtrhh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\ulmffvvqjfgytfafxbarsl.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\htpdyjeuizviyfvvi.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\bpndankcsljyqzrtijf.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\qdaplxtkzroctbsthh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\ulmffvvqjfgytfafxbarsl.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\ulmffvvqjfgytfafxbarsl.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\qdaplxtkzroctbsthh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\odctrfdwnhgwpzsvlnkz.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\htpdyjeuizviyfvvi.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\dttlkzyskffwqbvzqtrhh.exe	ddnpy.exe
File opened for modification	C:\Windows\odctrfdwnhgwpzsvlnkz.exe	ddnpy.exe
File opened for modification	C:\Windows\htpdyjeuizviyfvvi.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\htpdyjeuizviyfvvi.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\odctrfdwnhgwpzsvlnkz.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\odctrfdwnhgwpzsvlnkz.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\bpndankcsljyqzrtijf.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\qdaplxtkzroctbsthh.exe	ddnpy.exe
File opened for modification	C:\Windows\algtnxrgtjeqflaz.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\dttlkzyskffwqbvzqtrhh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\bpndankcsljyqzrtijf.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\qdaplxtkzroctbsthh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\qdaplxtkzroctbsthh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\odctrfdwnhgwpzsvlnkz.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\qdaplxtkzroctbsthh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\algtnxrgtjeqflaz.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\bpndankcsljyqzrtijf.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\odctrfdwnhgwpzsvlnkz.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\bpndankcsljyqzrtijf.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\algtnxrgtjeqflaz.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\odctrfdwnhgwpzsvlnkz.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\algtnxrgtjeqflaz.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\bpndankcsljyqzrtijf.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\htpdyjeuizviyfvvi.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\htpdyjeuizviyfvvi.exe	ddnpy.exe
File opened for modification	C:\Windows\htpdyjeuizviyfvvi.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\htpdyjeuizviyfvvi.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\dttlkzyskffwqbvzqtrhh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\ulmffvvqjfgytfafxbarsl.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\algtnxrgtjeqflaz.exe	ddnpy.exe
File opened for modification	C:\Windows\dttlkzyskffwqbvzqtrhh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\dttlkzyskffwqbvzqtrhh.exe	vcmnxryrfmw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	htpdyjeuizviyfvvi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcmnxryrfmw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qdaplxtkzroctbsthh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddnpy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	odctrfdwnhgwpzsvlnkz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	odctrfdwnhgwpzsvlnkz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	odctrfdwnhgwpzsvlnkz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	htpdyjeuizviyfvvi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dttlkzyskffwqbvzqtrhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	algtnxrgtjeqflaz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dttlkzyskffwqbvzqtrhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bpndankcsljyqzrtijf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qdaplxtkzroctbsthh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dttlkzyskffwqbvzqtrhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	odctrfdwnhgwpzsvlnkz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qdaplxtkzroctbsthh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dttlkzyskffwqbvzqtrhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bpndankcsljyqzrtijf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qdaplxtkzroctbsthh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bpndankcsljyqzrtijf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	odctrfdwnhgwpzsvlnkz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	odctrfdwnhgwpzsvlnkz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	algtnxrgtjeqflaz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qdaplxtkzroctbsthh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	odctrfdwnhgwpzsvlnkz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	htpdyjeuizviyfvvi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bpndankcsljyqzrtijf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	htpdyjeuizviyfvvi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	odctrfdwnhgwpzsvlnkz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dttlkzyskffwqbvzqtrhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bpndankcsljyqzrtijf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qdaplxtkzroctbsthh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dttlkzyskffwqbvzqtrhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dttlkzyskffwqbvzqtrhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	htpdyjeuizviyfvvi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dttlkzyskffwqbvzqtrhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	algtnxrgtjeqflaz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	htpdyjeuizviyfvvi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dttlkzyskffwqbvzqtrhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	odctrfdwnhgwpzsvlnkz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bpndankcsljyqzrtijf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	htpdyjeuizviyfvvi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	odctrfdwnhgwpzsvlnkz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	algtnxrgtjeqflaz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	htpdyjeuizviyfvvi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	htpdyjeuizviyfvvi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bpndankcsljyqzrtijf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qdaplxtkzroctbsthh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dttlkzyskffwqbvzqtrhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	htpdyjeuizviyfvvi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	htpdyjeuizviyfvvi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qdaplxtkzroctbsthh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qdaplxtkzroctbsthh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	htpdyjeuizviyfvvi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	algtnxrgtjeqflaz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	algtnxrgtjeqflaz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	algtnxrgtjeqflaz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dttlkzyskffwqbvzqtrhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dttlkzyskffwqbvzqtrhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	htpdyjeuizviyfvvi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	odctrfdwnhgwpzsvlnkz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	htpdyjeuizviyfvvi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	htpdyjeuizviyfvvi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dttlkzyskffwqbvzqtrhh.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5328	JaffaCakes118_93a2d78d1b178d991888ab31fafd86eb.exe
5328	JaffaCakes118_93a2d78d1b178d991888ab31fafd86eb.exe
5328	JaffaCakes118_93a2d78d1b178d991888ab31fafd86eb.exe
5328	JaffaCakes118_93a2d78d1b178d991888ab31fafd86eb.exe
5328	JaffaCakes118_93a2d78d1b178d991888ab31fafd86eb.exe
5328	JaffaCakes118_93a2d78d1b178d991888ab31fafd86eb.exe
5328	JaffaCakes118_93a2d78d1b178d991888ab31fafd86eb.exe
5328	JaffaCakes118_93a2d78d1b178d991888ab31fafd86eb.exe
5328	JaffaCakes118_93a2d78d1b178d991888ab31fafd86eb.exe
5328	JaffaCakes118_93a2d78d1b178d991888ab31fafd86eb.exe
5328	JaffaCakes118_93a2d78d1b178d991888ab31fafd86eb.exe
5328	JaffaCakes118_93a2d78d1b178d991888ab31fafd86eb.exe
5328	JaffaCakes118_93a2d78d1b178d991888ab31fafd86eb.exe
5328	JaffaCakes118_93a2d78d1b178d991888ab31fafd86eb.exe
5328	JaffaCakes118_93a2d78d1b178d991888ab31fafd86eb.exe
5328	JaffaCakes118_93a2d78d1b178d991888ab31fafd86eb.exe
6124	ddnpy.exe
6124	ddnpy.exe
5328	JaffaCakes118_93a2d78d1b178d991888ab31fafd86eb.exe
5328	JaffaCakes118_93a2d78d1b178d991888ab31fafd86eb.exe
5328	JaffaCakes118_93a2d78d1b178d991888ab31fafd86eb.exe
5328	JaffaCakes118_93a2d78d1b178d991888ab31fafd86eb.exe
5328	JaffaCakes118_93a2d78d1b178d991888ab31fafd86eb.exe
5328	JaffaCakes118_93a2d78d1b178d991888ab31fafd86eb.exe
5328	JaffaCakes118_93a2d78d1b178d991888ab31fafd86eb.exe
5328	JaffaCakes118_93a2d78d1b178d991888ab31fafd86eb.exe
5328	JaffaCakes118_93a2d78d1b178d991888ab31fafd86eb.exe
5328	JaffaCakes118_93a2d78d1b178d991888ab31fafd86eb.exe
5328	JaffaCakes118_93a2d78d1b178d991888ab31fafd86eb.exe
5328	JaffaCakes118_93a2d78d1b178d991888ab31fafd86eb.exe
5328	JaffaCakes118_93a2d78d1b178d991888ab31fafd86eb.exe
5328	JaffaCakes118_93a2d78d1b178d991888ab31fafd86eb.exe
5328	JaffaCakes118_93a2d78d1b178d991888ab31fafd86eb.exe
5328	JaffaCakes118_93a2d78d1b178d991888ab31fafd86eb.exe
5328	JaffaCakes118_93a2d78d1b178d991888ab31fafd86eb.exe
5328	JaffaCakes118_93a2d78d1b178d991888ab31fafd86eb.exe
5328	JaffaCakes118_93a2d78d1b178d991888ab31fafd86eb.exe
5328	JaffaCakes118_93a2d78d1b178d991888ab31fafd86eb.exe
5328	JaffaCakes118_93a2d78d1b178d991888ab31fafd86eb.exe
5328	JaffaCakes118_93a2d78d1b178d991888ab31fafd86eb.exe
5328	JaffaCakes118_93a2d78d1b178d991888ab31fafd86eb.exe
5328	JaffaCakes118_93a2d78d1b178d991888ab31fafd86eb.exe
5328	JaffaCakes118_93a2d78d1b178d991888ab31fafd86eb.exe
5328	JaffaCakes118_93a2d78d1b178d991888ab31fafd86eb.exe
5328	JaffaCakes118_93a2d78d1b178d991888ab31fafd86eb.exe
5328	JaffaCakes118_93a2d78d1b178d991888ab31fafd86eb.exe
5328	JaffaCakes118_93a2d78d1b178d991888ab31fafd86eb.exe
5328	JaffaCakes118_93a2d78d1b178d991888ab31fafd86eb.exe
5328	JaffaCakes118_93a2d78d1b178d991888ab31fafd86eb.exe
5328	JaffaCakes118_93a2d78d1b178d991888ab31fafd86eb.exe
5328	JaffaCakes118_93a2d78d1b178d991888ab31fafd86eb.exe
5328	JaffaCakes118_93a2d78d1b178d991888ab31fafd86eb.exe
5328	JaffaCakes118_93a2d78d1b178d991888ab31fafd86eb.exe
5328	JaffaCakes118_93a2d78d1b178d991888ab31fafd86eb.exe
6124	ddnpy.exe
6124	ddnpy.exe
5328	JaffaCakes118_93a2d78d1b178d991888ab31fafd86eb.exe
5328	JaffaCakes118_93a2d78d1b178d991888ab31fafd86eb.exe
5328	JaffaCakes118_93a2d78d1b178d991888ab31fafd86eb.exe
5328	JaffaCakes118_93a2d78d1b178d991888ab31fafd86eb.exe
5328	JaffaCakes118_93a2d78d1b178d991888ab31fafd86eb.exe
5328	JaffaCakes118_93a2d78d1b178d991888ab31fafd86eb.exe
5328	JaffaCakes118_93a2d78d1b178d991888ab31fafd86eb.exe
5328	JaffaCakes118_93a2d78d1b178d991888ab31fafd86eb.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	6124	ddnpy.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5328 wrote to memory of 1960	5328	JaffaCakes118_93a2d78d1b178d991888ab31fafd86eb.exe	88
PID 5328 wrote to memory of 1960	5328	JaffaCakes118_93a2d78d1b178d991888ab31fafd86eb.exe	88
PID 5328 wrote to memory of 1960	5328	JaffaCakes118_93a2d78d1b178d991888ab31fafd86eb.exe	88
PID 4832 wrote to memory of 5132	4832	cmd.exe	91
PID 4832 wrote to memory of 5132	4832	cmd.exe	91
PID 4832 wrote to memory of 5132	4832	cmd.exe	91
PID 1620 wrote to memory of 1940	1620	cmd.exe	96
PID 1620 wrote to memory of 1940	1620	cmd.exe	96
PID 1620 wrote to memory of 1940	1620	cmd.exe	96
PID 1940 wrote to memory of 5144	1940	dttlkzyskffwqbvzqtrhh.exe	97
PID 1940 wrote to memory of 5144	1940	dttlkzyskffwqbvzqtrhh.exe	97
PID 1940 wrote to memory of 5144	1940	dttlkzyskffwqbvzqtrhh.exe	97
PID 4192 wrote to memory of 632	4192	cmd.exe	102
PID 4192 wrote to memory of 632	4192	cmd.exe	102
PID 4192 wrote to memory of 632	4192	cmd.exe	102
PID 5172 wrote to memory of 3940	5172	cmd.exe	105
PID 5172 wrote to memory of 3940	5172	cmd.exe	105
PID 5172 wrote to memory of 3940	5172	cmd.exe	105
PID 5064 wrote to memory of 4904	5064	cmd.exe	108
PID 5064 wrote to memory of 4904	5064	cmd.exe	108
PID 5064 wrote to memory of 4904	5064	cmd.exe	108
PID 3940 wrote to memory of 5604	3940	bpndankcsljyqzrtijf.exe	109
PID 3940 wrote to memory of 5604	3940	bpndankcsljyqzrtijf.exe	109
PID 3940 wrote to memory of 5604	3940	bpndankcsljyqzrtijf.exe	109
PID 5960 wrote to memory of 5136	5960	cmd.exe	172
PID 5960 wrote to memory of 5136	5960	cmd.exe	172
PID 5960 wrote to memory of 5136	5960	cmd.exe	172
PID 5136 wrote to memory of 408	5136	dttlkzyskffwqbvzqtrhh.exe	111
PID 5136 wrote to memory of 408	5136	dttlkzyskffwqbvzqtrhh.exe	111
PID 5136 wrote to memory of 408	5136	dttlkzyskffwqbvzqtrhh.exe	111
PID 1252 wrote to memory of 5644	1252	cmd.exe	177
PID 1252 wrote to memory of 5644	1252	cmd.exe	177
PID 1252 wrote to memory of 5644	1252	cmd.exe	177
PID 5952 wrote to memory of 1864	5952	cmd.exe	119
PID 5952 wrote to memory of 1864	5952	cmd.exe	119
PID 5952 wrote to memory of 1864	5952	cmd.exe	119
PID 1864 wrote to memory of 2096	1864	qdaplxtkzroctbsthh.exe	120
PID 1864 wrote to memory of 2096	1864	qdaplxtkzroctbsthh.exe	120
PID 1864 wrote to memory of 2096	1864	qdaplxtkzroctbsthh.exe	120
PID 1960 wrote to memory of 6124	1960	vcmnxryrfmw.exe	121
PID 1960 wrote to memory of 6124	1960	vcmnxryrfmw.exe	121
PID 1960 wrote to memory of 6124	1960	vcmnxryrfmw.exe	121
PID 1960 wrote to memory of 668	1960	vcmnxryrfmw.exe	122
PID 1960 wrote to memory of 668	1960	vcmnxryrfmw.exe	122
PID 1960 wrote to memory of 668	1960	vcmnxryrfmw.exe	122
PID 5420 wrote to memory of 880	5420	cmd.exe	129
PID 5420 wrote to memory of 880	5420	cmd.exe	129
PID 5420 wrote to memory of 880	5420	cmd.exe	129
PID 2180 wrote to memory of 4216	2180	cmd.exe	130
PID 2180 wrote to memory of 4216	2180	cmd.exe	130
PID 2180 wrote to memory of 4216	2180	cmd.exe	130
PID 3664 wrote to memory of 5716	3664	cmd.exe	133
PID 3664 wrote to memory of 5716	3664	cmd.exe	133
PID 3664 wrote to memory of 5716	3664	cmd.exe	133
PID 2504 wrote to memory of 4072	2504	cmd.exe	136
PID 2504 wrote to memory of 4072	2504	cmd.exe	136
PID 2504 wrote to memory of 4072	2504	cmd.exe	136
PID 5716 wrote to memory of 5512	5716	htpdyjeuizviyfvvi.exe	338
PID 5716 wrote to memory of 5512	5716	htpdyjeuizviyfvvi.exe	338
PID 5716 wrote to memory of 5512	5716	htpdyjeuizviyfvvi.exe	338
PID 5736 wrote to memory of 5380	5736	cmd.exe	205
PID 5736 wrote to memory of 5380	5736	cmd.exe	205
PID 5736 wrote to memory of 5380	5736	cmd.exe	205
PID 4072 wrote to memory of 448	4072	htpdyjeuizviyfvvi.exe	150

System policy modification 1 TTPs 64 IoCs

defense_evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	ddnpy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ddnpy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	ddnpy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ddnpy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ddnpy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ddnpy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	ddnpy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ddnpy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	ddnpy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ddnpy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ddnpy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ddnpy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ddnpy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	ddnpy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ddnpy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	ddnpy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	ddnpy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	ddnpy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	ddnpy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	ddnpy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ddnpy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ddnpy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	ddnpy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	ddnpy.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_93a2d78d1b178d991888ab31fafd86eb.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_93a2d78d1b178d991888ab31fafd86eb.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5328
- C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
  "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_93a2d78d1b178d991888ab31fafd86eb.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Hijack Execution Flow: Executable Installer File Permissions Weakness
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1960
- - C:\Users\Admin\AppData\Local\Temp\ddnpy.exe
    "C:\Users\Admin\AppData\Local\Temp\ddnpy.exe" "-C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:6124
- - C:\Users\Admin\AppData\Local\Temp\ddnpy.exe
    "C:\Users\Admin\AppData\Local\Temp\ddnpy.exe" "-C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dttlkzyskffwqbvzqtrhh.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4832
- C:\Windows\dttlkzyskffwqbvzqtrhh.exe
  dttlkzyskffwqbvzqtrhh.exe
  2⤵
  - Executes dropped EXE
  PID:5132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dttlkzyskffwqbvzqtrhh.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Windows\dttlkzyskffwqbvzqtrhh.exe
  dttlkzyskffwqbvzqtrhh.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1940
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\dttlkzyskffwqbvzqtrhh.exe*."
    3⤵
    - Executes dropped EXE
    PID:5144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dttlkzyskffwqbvzqtrhh.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4192
- C:\Windows\dttlkzyskffwqbvzqtrhh.exe
  dttlkzyskffwqbvzqtrhh.exe
  2⤵
  - Executes dropped EXE
  PID:632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bpndankcsljyqzrtijf.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:5172
- C:\Windows\bpndankcsljyqzrtijf.exe
  bpndankcsljyqzrtijf.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3940
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\bpndankcsljyqzrtijf.exe*."
    3⤵
    - Executes dropped EXE
    PID:5604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5064
- C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe
  C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:5960
- C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe
  C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5136
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\dttlkzyskffwqbvzqtrhh.exe*."
    3⤵
    - Executes dropped EXE
    PID:408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
  C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:5952
- C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1864
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\qdaplxtkzroctbsthh.exe*."
    3⤵
    - Executes dropped EXE
    PID:2096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c algtnxrgtjeqflaz.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\algtnxrgtjeqflaz.exe
  algtnxrgtjeqflaz.exe
  2⤵
  - Executes dropped EXE
  PID:4216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c algtnxrgtjeqflaz.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5420
- C:\Windows\algtnxrgtjeqflaz.exe
  algtnxrgtjeqflaz.exe
  2⤵
  - Executes dropped EXE
  PID:880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htpdyjeuizviyfvvi.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:3664
- C:\Windows\htpdyjeuizviyfvvi.exe
  htpdyjeuizviyfvvi.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5716
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\htpdyjeuizviyfvvi.exe*."
    3⤵
    - Executes dropped EXE
    PID:5512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htpdyjeuizviyfvvi.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Windows\htpdyjeuizviyfvvi.exe
  htpdyjeuizviyfvvi.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4072
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\htpdyjeuizviyfvvi.exe*."
    3⤵
    - Executes dropped EXE
    PID:448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dttlkzyskffwqbvzqtrhh.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5736
- C:\Windows\dttlkzyskffwqbvzqtrhh.exe
  dttlkzyskffwqbvzqtrhh.exe
  2⤵
  - Executes dropped EXE
  PID:5380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c algtnxrgtjeqflaz.exe
1⤵
PID:5236
- C:\Windows\algtnxrgtjeqflaz.exe
  algtnxrgtjeqflaz.exe
  2⤵
  - Executes dropped EXE
  PID:1500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bpndankcsljyqzrtijf.exe .
1⤵
PID:1956
- C:\Windows\bpndankcsljyqzrtijf.exe
  bpndankcsljyqzrtijf.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4680
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\bpndankcsljyqzrtijf.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qdaplxtkzroctbsthh.exe .
1⤵
PID:4444
- C:\Windows\qdaplxtkzroctbsthh.exe
  qdaplxtkzroctbsthh.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4880
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\qdaplxtkzroctbsthh.exe*."
    3⤵
    - Executes dropped EXE
    PID:1420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe
1⤵
PID:5256
- C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe
  2⤵
  - Executes dropped EXE
  PID:4752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
1⤵
PID:5100
- C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
  C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
  2⤵
  - Executes dropped EXE
  PID:5056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe .
1⤵
PID:2332
- C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4736
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\htpdyjeuizviyfvvi.exe*."
    3⤵
    - Executes dropped EXE
    PID:5136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe .
1⤵
PID:4356
- C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1396
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\qdaplxtkzroctbsthh.exe*."
    3⤵
    - Executes dropped EXE
    PID:5676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe
1⤵
PID:4820
- C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe
  2⤵
  - Executes dropped EXE
  PID:4448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe
1⤵
PID:2040
- C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe
  C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe
  2⤵
  - Executes dropped EXE
  PID:5792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe .
1⤵
PID:2816
- C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3704
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\algtnxrgtjeqflaz.exe*."
    3⤵
    - Executes dropped EXE
    PID:5952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe .
1⤵
PID:5616
- C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe .
  2⤵
  - Executes dropped EXE
  PID:5592
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\algtnxrgtjeqflaz.exe*."
    3⤵
    - Executes dropped EXE
    PID:6056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bpndankcsljyqzrtijf.exe
1⤵
PID:2468
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5644
- C:\Windows\bpndankcsljyqzrtijf.exe
  bpndankcsljyqzrtijf.exe
  2⤵
  - Executes dropped EXE
  PID:3256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qdaplxtkzroctbsthh.exe .
1⤵
PID:1752
- C:\Windows\qdaplxtkzroctbsthh.exe
  qdaplxtkzroctbsthh.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4428
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\qdaplxtkzroctbsthh.exe*."
    3⤵
    - Executes dropped EXE
    PID:6040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dttlkzyskffwqbvzqtrhh.exe
1⤵
PID:4548
- C:\Windows\dttlkzyskffwqbvzqtrhh.exe
  dttlkzyskffwqbvzqtrhh.exe
  2⤵
  - Executes dropped EXE
  PID:1000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bpndankcsljyqzrtijf.exe .
1⤵
PID:936
- C:\Windows\bpndankcsljyqzrtijf.exe
  bpndankcsljyqzrtijf.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4900
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\bpndankcsljyqzrtijf.exe*."
    3⤵
    - Executes dropped EXE
    PID:3752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe
1⤵
PID:1976
- C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe
  C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe
  2⤵
  - Executes dropped EXE
  PID:2500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe .
1⤵
PID:1928
- C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3336
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\htpdyjeuizviyfvvi.exe*."
    3⤵
    - Executes dropped EXE
    PID:3564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe
1⤵
PID:1748
- C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe
  2⤵
  - Executes dropped EXE
  PID:5380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe .
1⤵
PID:4036
- C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
  C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3792
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\odctrfdwnhgwpzsvlnkz.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bpndankcsljyqzrtijf.exe
1⤵
PID:1716
- C:\Windows\bpndankcsljyqzrtijf.exe
  bpndankcsljyqzrtijf.exe
  2⤵
  - Executes dropped EXE
  PID:5424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dttlkzyskffwqbvzqtrhh.exe .
1⤵
PID:5236
- C:\Windows\dttlkzyskffwqbvzqtrhh.exe
  dttlkzyskffwqbvzqtrhh.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4832
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\dttlkzyskffwqbvzqtrhh.exe*."
    3⤵
    - Executes dropped EXE
    PID:4516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c odctrfdwnhgwpzsvlnkz.exe
1⤵
PID:4440
- C:\Windows\odctrfdwnhgwpzsvlnkz.exe
  odctrfdwnhgwpzsvlnkz.exe
  2⤵
  - Executes dropped EXE
  PID:4460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dttlkzyskffwqbvzqtrhh.exe
1⤵
PID:4192
- C:\Windows\dttlkzyskffwqbvzqtrhh.exe
  dttlkzyskffwqbvzqtrhh.exe
  2⤵
  - Executes dropped EXE
  PID:5256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htpdyjeuizviyfvvi.exe
1⤵
PID:5044
- C:\Windows\htpdyjeuizviyfvvi.exe
  htpdyjeuizviyfvvi.exe
  2⤵
  - Executes dropped EXE
  PID:1404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bpndankcsljyqzrtijf.exe .
1⤵
PID:5544
- C:\Windows\bpndankcsljyqzrtijf.exe
  bpndankcsljyqzrtijf.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:1852
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\bpndankcsljyqzrtijf.exe*."
    3⤵
    - Executes dropped EXE
    PID:6140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htpdyjeuizviyfvvi.exe .
1⤵
PID:4976
- C:\Windows\htpdyjeuizviyfvvi.exe
  htpdyjeuizviyfvvi.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4676
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\htpdyjeuizviyfvvi.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dttlkzyskffwqbvzqtrhh.exe .
1⤵
PID:4880
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5136
- C:\Windows\dttlkzyskffwqbvzqtrhh.exe
  dttlkzyskffwqbvzqtrhh.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1924
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\dttlkzyskffwqbvzqtrhh.exe*."
    3⤵
    PID:5760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe
1⤵
PID:3344
- C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe
  2⤵
  - Executes dropped EXE
  PID:3480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe .
1⤵
PID:4844
- C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
  C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe .
  2⤵
  - Checks computer location settings
  PID:6140
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\odctrfdwnhgwpzsvlnkz.exe*."
    3⤵
    PID:3068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c algtnxrgtjeqflaz.exe
1⤵
PID:4804
- C:\Windows\algtnxrgtjeqflaz.exe
  algtnxrgtjeqflaz.exe
  2⤵
  - Executes dropped EXE
  PID:2964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qdaplxtkzroctbsthh.exe
1⤵
PID:4420
- C:\Windows\qdaplxtkzroctbsthh.exe
  qdaplxtkzroctbsthh.exe
  2⤵
  PID:4244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dttlkzyskffwqbvzqtrhh.exe .
1⤵
PID:756
- C:\Windows\dttlkzyskffwqbvzqtrhh.exe
  dttlkzyskffwqbvzqtrhh.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3328
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\dttlkzyskffwqbvzqtrhh.exe*."
    3⤵
    PID:3668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htpdyjeuizviyfvvi.exe .
1⤵
PID:4048
- C:\Windows\htpdyjeuizviyfvvi.exe
  htpdyjeuizviyfvvi.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1268
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\htpdyjeuizviyfvvi.exe*."
    3⤵
    PID:4624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe
1⤵
PID:4356
- C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe
  2⤵
  PID:1272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe
1⤵
PID:5020
- C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe
  2⤵
  PID:4252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe
1⤵
PID:3144
- C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe
  C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe
  2⤵
  PID:5440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe .
1⤵
PID:2032
- C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe .
  2⤵
  - Checks computer location settings
  PID:3036
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\qdaplxtkzroctbsthh.exe*."
    3⤵
    PID:632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe .
1⤵
PID:4984
- C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe
  C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe .
  2⤵
  - Checks computer location settings
  PID:732
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\bpndankcsljyqzrtijf.exe*."
    3⤵
    PID:3136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe .
1⤵
PID:1228
- C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe
  C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5072
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\dttlkzyskffwqbvzqtrhh.exe*."
    3⤵
    PID:4792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe
1⤵
PID:3116
- C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe
  C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe
  2⤵
  PID:5940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe
1⤵
PID:832
- C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe
  C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe
  2⤵
  PID:5056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe .
1⤵
PID:3428
- C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe
  C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3104
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\dttlkzyskffwqbvzqtrhh.exe*."
    3⤵
    PID:1732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe .
1⤵
PID:1976
- C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe .
  2⤵
  PID:5596
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\algtnxrgtjeqflaz.exe*."
    3⤵
    PID:5972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bpndankcsljyqzrtijf.exe
1⤵
PID:6100
- C:\Windows\bpndankcsljyqzrtijf.exe
  bpndankcsljyqzrtijf.exe
  2⤵
  PID:3308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qdaplxtkzroctbsthh.exe .
1⤵
PID:5988
- C:\Windows\qdaplxtkzroctbsthh.exe
  qdaplxtkzroctbsthh.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3596
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\qdaplxtkzroctbsthh.exe*."
    3⤵
    PID:3480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c odctrfdwnhgwpzsvlnkz.exe
1⤵
PID:5672
- C:\Windows\odctrfdwnhgwpzsvlnkz.exe
  odctrfdwnhgwpzsvlnkz.exe
  2⤵
  PID:5036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htpdyjeuizviyfvvi.exe .
1⤵
PID:3940
- C:\Windows\htpdyjeuizviyfvvi.exe
  htpdyjeuizviyfvvi.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5372
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\htpdyjeuizviyfvvi.exe*."
    3⤵
    PID:2816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe
1⤵
PID:2572
- C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe
  C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe
  2⤵
  PID:1916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe .
1⤵
PID:3256
- C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
  C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5872
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\odctrfdwnhgwpzsvlnkz.exe*."
    3⤵
    PID:3176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe
1⤵
PID:3780
- C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe
  C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe
  2⤵
  PID:1924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe .
1⤵
PID:5560
- C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe .
  2⤵
  - Checks computer location settings
  PID:5016
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\qdaplxtkzroctbsthh.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c odctrfdwnhgwpzsvlnkz.exe
1⤵
PID:4716
- C:\Windows\odctrfdwnhgwpzsvlnkz.exe
  odctrfdwnhgwpzsvlnkz.exe
  2⤵
  PID:1048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c algtnxrgtjeqflaz.exe .
1⤵
PID:4880
- C:\Windows\algtnxrgtjeqflaz.exe
  algtnxrgtjeqflaz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4636
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\algtnxrgtjeqflaz.exe*."
    3⤵
    PID:1060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c odctrfdwnhgwpzsvlnkz.exe
1⤵
PID:1336
- C:\Windows\odctrfdwnhgwpzsvlnkz.exe
  odctrfdwnhgwpzsvlnkz.exe
  2⤵
  PID:4012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htpdyjeuizviyfvvi.exe .
1⤵
PID:3956
- C:\Windows\htpdyjeuizviyfvvi.exe
  htpdyjeuizviyfvvi.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2176
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\htpdyjeuizviyfvvi.exe*."
    3⤵
    PID:5552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe
1⤵
PID:4284
- C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe
  2⤵
  PID:3228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe .
1⤵
PID:5512
- C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe
  C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe .
  2⤵
  - Checks computer location settings
  PID:2504
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\dttlkzyskffwqbvzqtrhh.exe*."
    3⤵
    PID:4728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe
1⤵
PID:5072
- C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe
  C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe
  2⤵
  PID:408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe .
1⤵
PID:3792
- C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe
  C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4720
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\bpndankcsljyqzrtijf.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - System policy modification
    PID:464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qdaplxtkzroctbsthh.exe
1⤵
PID:4180
- C:\Windows\qdaplxtkzroctbsthh.exe
  qdaplxtkzroctbsthh.exe
  2⤵
  PID:524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c odctrfdwnhgwpzsvlnkz.exe .
1⤵
PID:3708
- C:\Windows\odctrfdwnhgwpzsvlnkz.exe
  odctrfdwnhgwpzsvlnkz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:220
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\odctrfdwnhgwpzsvlnkz.exe*."
    3⤵
    PID:5896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htpdyjeuizviyfvvi.exe
1⤵
PID:5620
- C:\Windows\htpdyjeuizviyfvvi.exe
  htpdyjeuizviyfvvi.exe
  2⤵
  PID:880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c odctrfdwnhgwpzsvlnkz.exe .
1⤵
PID:3564
- C:\Windows\odctrfdwnhgwpzsvlnkz.exe
  odctrfdwnhgwpzsvlnkz.exe .
  2⤵
  - Checks computer location settings
  PID:4828
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\odctrfdwnhgwpzsvlnkz.exe*."
    3⤵
    PID:5132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe
1⤵
PID:1468
- C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe
  C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe
  2⤵
  PID:5140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe .
1⤵
PID:3924
- C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe .
  2⤵
  PID:2756
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\algtnxrgtjeqflaz.exe*."
    3⤵
    PID:5300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe
1⤵
PID:3432
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4676
- C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe
  2⤵
  PID:5044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe .
1⤵
PID:5088
- C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe
  C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe .
  2⤵
  - Checks computer location settings
  PID:5712
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\dttlkzyskffwqbvzqtrhh.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htpdyjeuizviyfvvi.exe
1⤵
PID:1912
- C:\Windows\htpdyjeuizviyfvvi.exe
  htpdyjeuizviyfvvi.exe
  2⤵
  PID:5860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dttlkzyskffwqbvzqtrhh.exe .
1⤵
PID:5544
- C:\Windows\dttlkzyskffwqbvzqtrhh.exe
  dttlkzyskffwqbvzqtrhh.exe .
  2⤵
  PID:1992
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\dttlkzyskffwqbvzqtrhh.exe*."
    3⤵
    PID:4016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c algtnxrgtjeqflaz.exe
1⤵
PID:4480
- C:\Windows\algtnxrgtjeqflaz.exe
  algtnxrgtjeqflaz.exe
  2⤵
  PID:5264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htpdyjeuizviyfvvi.exe .
1⤵
PID:1800
- C:\Windows\htpdyjeuizviyfvvi.exe
  htpdyjeuizviyfvvi.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2688
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\htpdyjeuizviyfvvi.exe*."
    3⤵
    PID:5652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe
1⤵
PID:32
- C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe
  C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe
  2⤵
  PID:4604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe .
1⤵
PID:2224
- C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe
  C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:536
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\dttlkzyskffwqbvzqtrhh.exe*."
    3⤵
    PID:5836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe
1⤵
PID:3600
- C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe
  2⤵
  PID:2376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe .
1⤵
PID:5616
- C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe .
  2⤵
  - Checks computer location settings
  PID:3112
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\algtnxrgtjeqflaz.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c odctrfdwnhgwpzsvlnkz.exe
1⤵
PID:5748
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1000
- C:\Windows\odctrfdwnhgwpzsvlnkz.exe
  odctrfdwnhgwpzsvlnkz.exe
  2⤵
  PID:3768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dttlkzyskffwqbvzqtrhh.exe .
1⤵
PID:1620
- C:\Windows\dttlkzyskffwqbvzqtrhh.exe
  dttlkzyskffwqbvzqtrhh.exe .
  2⤵
  - Checks computer location settings
  PID:5024
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\dttlkzyskffwqbvzqtrhh.exe*."
    3⤵
    PID:3604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qdaplxtkzroctbsthh.exe
1⤵
PID:632
- C:\Windows\qdaplxtkzroctbsthh.exe
  qdaplxtkzroctbsthh.exe
  2⤵
  PID:5976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c odctrfdwnhgwpzsvlnkz.exe .
1⤵
PID:5512
- C:\Windows\odctrfdwnhgwpzsvlnkz.exe
  odctrfdwnhgwpzsvlnkz.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5072
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\odctrfdwnhgwpzsvlnkz.exe*."
    3⤵
    PID:2916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe
1⤵
PID:1988
- C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe
  2⤵
  PID:5644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe .
1⤵
PID:1732
- C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe
  C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3180
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\dttlkzyskffwqbvzqtrhh.exe*."
    3⤵
    PID:4984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe
1⤵
PID:6128
- C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe
  2⤵
  PID:4908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe .
1⤵
PID:2296
- C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2180
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\qdaplxtkzroctbsthh.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bpndankcsljyqzrtijf.exe
1⤵
PID:3284
- C:\Windows\bpndankcsljyqzrtijf.exe
  bpndankcsljyqzrtijf.exe
  2⤵
  PID:5620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c algtnxrgtjeqflaz.exe .
1⤵
PID:1404
- C:\Windows\algtnxrgtjeqflaz.exe
  algtnxrgtjeqflaz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5988
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\algtnxrgtjeqflaz.exe*."
    3⤵
    PID:4652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c odctrfdwnhgwpzsvlnkz.exe
1⤵
PID:5732
- C:\Windows\odctrfdwnhgwpzsvlnkz.exe
  odctrfdwnhgwpzsvlnkz.exe
  2⤵
  PID:2680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htpdyjeuizviyfvvi.exe .
1⤵
PID:5300
- C:\Windows\htpdyjeuizviyfvvi.exe
  htpdyjeuizviyfvvi.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3728
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\htpdyjeuizviyfvvi.exe*."
    3⤵
    PID:5744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe
1⤵
PID:1264
- C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe
  2⤵
  PID:3088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe .
1⤵
PID:320
- C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
  C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2332
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\odctrfdwnhgwpzsvlnkz.exe*."
    3⤵
    PID:1084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe
1⤵
PID:5780
- C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe
  C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe
  2⤵
  PID:1544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe .
1⤵
PID:4672
- C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe .
  2⤵
  - Checks computer location settings
  PID:2268
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\qdaplxtkzroctbsthh.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dttlkzyskffwqbvzqtrhh.exe
1⤵
PID:2524
- C:\Windows\dttlkzyskffwqbvzqtrhh.exe
  dttlkzyskffwqbvzqtrhh.exe
  2⤵
  PID:6012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htpdyjeuizviyfvvi.exe
1⤵
PID:1236
- C:\Windows\htpdyjeuizviyfvvi.exe
  htpdyjeuizviyfvvi.exe
  2⤵
  PID:32

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htpdyjeuizviyfvvi.exe .
1⤵
PID:4812
- C:\Windows\htpdyjeuizviyfvvi.exe
  htpdyjeuizviyfvvi.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2976
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\htpdyjeuizviyfvvi.exe*."
    3⤵
    PID:4708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htpdyjeuizviyfvvi.exe .
1⤵
PID:6104
- C:\Windows\htpdyjeuizviyfvvi.exe
  htpdyjeuizviyfvvi.exe .
  2⤵
  - Checks computer location settings
  PID:4600
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\htpdyjeuizviyfvvi.exe*."
    3⤵
    PID:5976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qdaplxtkzroctbsthh.exe
1⤵
PID:4404
- C:\Windows\qdaplxtkzroctbsthh.exe
  qdaplxtkzroctbsthh.exe
  2⤵
  PID:1200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qdaplxtkzroctbsthh.exe .
1⤵
PID:3348
- C:\Windows\qdaplxtkzroctbsthh.exe
  qdaplxtkzroctbsthh.exe .
  2⤵
  - Checks computer location settings
  PID:3696
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\qdaplxtkzroctbsthh.exe*."
    3⤵
    PID:3428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dttlkzyskffwqbvzqtrhh.exe
1⤵
PID:4616
- C:\Windows\dttlkzyskffwqbvzqtrhh.exe
  dttlkzyskffwqbvzqtrhh.exe
  2⤵
  PID:4432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c algtnxrgtjeqflaz.exe
1⤵
PID:3600
- C:\Windows\algtnxrgtjeqflaz.exe
  algtnxrgtjeqflaz.exe
  2⤵
  PID:4576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bpndankcsljyqzrtijf.exe .
1⤵
PID:4412
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3228
- C:\Windows\bpndankcsljyqzrtijf.exe
  bpndankcsljyqzrtijf.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2500
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\bpndankcsljyqzrtijf.exe*."
    3⤵
    PID:5732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe
1⤵
PID:5984
- C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe
  2⤵
  PID:5060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe .
1⤵
PID:5716
- C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe
  C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe .
  2⤵
  - Checks computer location settings
  PID:3636
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\dttlkzyskffwqbvzqtrhh.exe*."
    3⤵
    PID:4680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bpndankcsljyqzrtijf.exe .
1⤵
PID:5748
- C:\Windows\bpndankcsljyqzrtijf.exe
  bpndankcsljyqzrtijf.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4452
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\bpndankcsljyqzrtijf.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe
1⤵
PID:3540
- C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe
  C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe
  2⤵
  PID:4780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe .
1⤵
PID:4668
- C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe .
  2⤵
  - Checks computer location settings
  PID:5016
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\qdaplxtkzroctbsthh.exe*."
    3⤵
    PID:4012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bpndankcsljyqzrtijf.exe
1⤵
PID:4660
- C:\Windows\bpndankcsljyqzrtijf.exe
  bpndankcsljyqzrtijf.exe
  2⤵
  PID:1404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
1⤵
PID:516
- C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
  C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
  2⤵
  PID:2788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bpndankcsljyqzrtijf.exe .
1⤵
PID:2960
- C:\Windows\bpndankcsljyqzrtijf.exe
  bpndankcsljyqzrtijf.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1656
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\bpndankcsljyqzrtijf.exe*."
    3⤵
    PID:1852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe .
1⤵
PID:868
- C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
  C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4444
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\odctrfdwnhgwpzsvlnkz.exe*."
    3⤵
    PID:2136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe
1⤵
PID:3104
- C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe
  2⤵
  PID:1152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
1⤵
PID:4684
- C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
  C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
  2⤵
  PID:2964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe .
1⤵
PID:1336
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5972
- C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe
  C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe .
  2⤵
  - Checks computer location settings
  PID:5680
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\bpndankcsljyqzrtijf.exe*."
    3⤵
    PID:3256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe .
1⤵
PID:5692
- C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe
  C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe .
  2⤵
  PID:5872
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\dttlkzyskffwqbvzqtrhh.exe*."
    3⤵
    PID:6012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe
1⤵
PID:1468
- C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe
  2⤵
  PID:4252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe .
1⤵
PID:3596
- C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe .
  2⤵
  PID:4848
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\algtnxrgtjeqflaz.exe*."
    3⤵
    PID:5264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dttlkzyskffwqbvzqtrhh.exe
1⤵
PID:3372
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2124
- C:\Windows\dttlkzyskffwqbvzqtrhh.exe
  dttlkzyskffwqbvzqtrhh.exe
  2⤵
  PID:4760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qdaplxtkzroctbsthh.exe .
1⤵
PID:536
- C:\Windows\qdaplxtkzroctbsthh.exe
  qdaplxtkzroctbsthh.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2592
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\qdaplxtkzroctbsthh.exe*."
    3⤵
    PID:4600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dttlkzyskffwqbvzqtrhh.exe
1⤵
PID:2924
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5940
- C:\Windows\dttlkzyskffwqbvzqtrhh.exe
  dttlkzyskffwqbvzqtrhh.exe
  2⤵
  PID:3668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c algtnxrgtjeqflaz.exe .
1⤵
PID:4232
- C:\Windows\algtnxrgtjeqflaz.exe
  algtnxrgtjeqflaz.exe .
  2⤵
  - Checks computer location settings
  PID:2020
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\algtnxrgtjeqflaz.exe*."
    3⤵
    PID:5528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
1⤵
PID:5204
- C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
  C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
  2⤵
  PID:2356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe .
1⤵
PID:1984
- C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe
  C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe .
  2⤵
  PID:936
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\dttlkzyskffwqbvzqtrhh.exe*."
    3⤵
    PID:880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe
1⤵
PID:2220
- C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe
  C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe
  2⤵
  PID:4756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe .
1⤵
PID:3796
- C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe .
  2⤵
  PID:4036
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\qdaplxtkzroctbsthh.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qdaplxtkzroctbsthh.exe
1⤵
PID:2500
- C:\Windows\qdaplxtkzroctbsthh.exe
  qdaplxtkzroctbsthh.exe
  2⤵
  PID:4416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htpdyjeuizviyfvvi.exe .
1⤵
PID:5672
- C:\Windows\htpdyjeuizviyfvvi.exe
  htpdyjeuizviyfvvi.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3176
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\htpdyjeuizviyfvvi.exe*."
    3⤵
    PID:388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bpndankcsljyqzrtijf.exe
1⤵
PID:2504
- C:\Windows\bpndankcsljyqzrtijf.exe
  bpndankcsljyqzrtijf.exe
  2⤵
  PID:776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bpndankcsljyqzrtijf.exe .
1⤵
PID:2916
- C:\Windows\bpndankcsljyqzrtijf.exe
  bpndankcsljyqzrtijf.exe .
  2⤵
  - Checks computer location settings
  PID:5744
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\bpndankcsljyqzrtijf.exe*."
    3⤵
    PID:2108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe
1⤵
PID:4880
- C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe
  C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe
  2⤵
  PID:3172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe .
1⤵
PID:2120
- C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe
  C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5492
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\dttlkzyskffwqbvzqtrhh.exe*."
    3⤵
    PID:1924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe
1⤵
PID:1540
- C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe
  C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe
  2⤵
  PID:1400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe .
1⤵
PID:1336
- C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
  C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5860
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\odctrfdwnhgwpzsvlnkz.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dttlkzyskffwqbvzqtrhh.exe
1⤵
PID:1216
- C:\Windows\dttlkzyskffwqbvzqtrhh.exe
  dttlkzyskffwqbvzqtrhh.exe
  2⤵
  PID:824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htpdyjeuizviyfvvi.exe .
1⤵
PID:1864
- C:\Windows\htpdyjeuizviyfvvi.exe
  htpdyjeuizviyfvvi.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3148
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\htpdyjeuizviyfvvi.exe*."
    3⤵
    PID:3528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dttlkzyskffwqbvzqtrhh.exe
1⤵
PID:2232
- C:\Windows\dttlkzyskffwqbvzqtrhh.exe
  dttlkzyskffwqbvzqtrhh.exe
  2⤵
  PID:4856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dttlkzyskffwqbvzqtrhh.exe .
1⤵
PID:1152
- C:\Windows\dttlkzyskffwqbvzqtrhh.exe
  dttlkzyskffwqbvzqtrhh.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3876
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\dttlkzyskffwqbvzqtrhh.exe*."
    3⤵
    PID:1748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
1⤵
PID:4228
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5552
- C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
  C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
  2⤵
  PID:5976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe .
1⤵
PID:4372
- C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4860
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\algtnxrgtjeqflaz.exe*."
    3⤵
    PID:1928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
1⤵
PID:112
- C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
  C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
  2⤵
  PID:832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe .
1⤵
PID:2780
- C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5836
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\algtnxrgtjeqflaz.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:6104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bpndankcsljyqzrtijf.exe
1⤵
PID:1820
- C:\Windows\bpndankcsljyqzrtijf.exe
  bpndankcsljyqzrtijf.exe
  2⤵
  PID:6116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c algtnxrgtjeqflaz.exe .
1⤵
PID:4640
- C:\Windows\algtnxrgtjeqflaz.exe
  algtnxrgtjeqflaz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4020
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\algtnxrgtjeqflaz.exe*."
    3⤵
    PID:4636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c odctrfdwnhgwpzsvlnkz.exe
1⤵
PID:2164
- C:\Windows\odctrfdwnhgwpzsvlnkz.exe
  odctrfdwnhgwpzsvlnkz.exe
  2⤵
  PID:5044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c odctrfdwnhgwpzsvlnkz.exe .
1⤵
PID:1916
- C:\Windows\odctrfdwnhgwpzsvlnkz.exe
  odctrfdwnhgwpzsvlnkz.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4952
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\odctrfdwnhgwpzsvlnkz.exe*."
    3⤵
    PID:388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
1⤵
PID:2680
- C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
  C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
  2⤵
  PID:2964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe .
1⤵
PID:3636
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3176
- C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1500
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\algtnxrgtjeqflaz.exe*."
    3⤵
    PID:2900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe
1⤵
PID:5824
- C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe
  2⤵
  PID:2332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe .
1⤵
PID:3924
- C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4804
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\qdaplxtkzroctbsthh.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bpndankcsljyqzrtijf.exe
1⤵
PID:5424
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4728
- C:\Windows\bpndankcsljyqzrtijf.exe
  bpndankcsljyqzrtijf.exe
  2⤵
  PID:5756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htpdyjeuizviyfvvi.exe .
1⤵
PID:320
- C:\Windows\htpdyjeuizviyfvvi.exe
  htpdyjeuizviyfvvi.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1932
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\htpdyjeuizviyfvvi.exe*."
    3⤵
    PID:3480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qdaplxtkzroctbsthh.exe
1⤵
PID:3788
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3036
- C:\Windows\qdaplxtkzroctbsthh.exe
  qdaplxtkzroctbsthh.exe
  2⤵
  PID:2624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qdaplxtkzroctbsthh.exe .
1⤵
PID:1460
- C:\Windows\qdaplxtkzroctbsthh.exe
  qdaplxtkzroctbsthh.exe .
  2⤵
  PID:4540
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\qdaplxtkzroctbsthh.exe*."
    3⤵
    PID:464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe
1⤵
PID:5048
- C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe
  2⤵
  PID:2128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe .
1⤵
PID:5692
- C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe
  C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe .
  2⤵
  - Checks computer location settings
  PID:4292
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\dttlkzyskffwqbvzqtrhh.exe*."
    3⤵
    PID:2232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe
1⤵
PID:4516
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4012
- C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe
  2⤵
  PID:4800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe .
1⤵
PID:1048
- C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5288
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\htpdyjeuizviyfvvi.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c odctrfdwnhgwpzsvlnkz.exe
1⤵
PID:4600
- C:\Windows\odctrfdwnhgwpzsvlnkz.exe
  odctrfdwnhgwpzsvlnkz.exe
  2⤵
  PID:2468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c odctrfdwnhgwpzsvlnkz.exe .
1⤵
PID:5952
- C:\Windows\odctrfdwnhgwpzsvlnkz.exe
  odctrfdwnhgwpzsvlnkz.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:552
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\odctrfdwnhgwpzsvlnkz.exe*."
    3⤵
    PID:4504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qdaplxtkzroctbsthh.exe
1⤵
PID:5072
- C:\Windows\qdaplxtkzroctbsthh.exe
  qdaplxtkzroctbsthh.exe
  2⤵
  PID:2976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c algtnxrgtjeqflaz.exe .
1⤵
PID:2180
- C:\Windows\algtnxrgtjeqflaz.exe
  algtnxrgtjeqflaz.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4148
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\algtnxrgtjeqflaz.exe*."
    3⤵
    PID:3640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe
1⤵
PID:1096
- C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe
  2⤵
  PID:4564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe .
1⤵
PID:4036
- C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5600
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\htpdyjeuizviyfvvi.exe*."
    3⤵
    PID:2964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dttlkzyskffwqbvzqtrhh.exe
1⤵
PID:4932
- C:\Windows\dttlkzyskffwqbvzqtrhh.exe
  dttlkzyskffwqbvzqtrhh.exe
  2⤵
  PID:6056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dttlkzyskffwqbvzqtrhh.exe
1⤵
PID:3796
- C:\Windows\dttlkzyskffwqbvzqtrhh.exe
  dttlkzyskffwqbvzqtrhh.exe
  2⤵
  PID:4736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe
1⤵
PID:3292
- C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe
  C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe
  2⤵
  PID:2472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qdaplxtkzroctbsthh.exe .
1⤵
PID:5304
- C:\Windows\qdaplxtkzroctbsthh.exe
  qdaplxtkzroctbsthh.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4660
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\qdaplxtkzroctbsthh.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dttlkzyskffwqbvzqtrhh.exe .
1⤵
PID:1364
- C:\Windows\dttlkzyskffwqbvzqtrhh.exe
  dttlkzyskffwqbvzqtrhh.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5756
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\dttlkzyskffwqbvzqtrhh.exe*."
    3⤵
    PID:4192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe .
1⤵
PID:3344
- C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
  C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5568
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\odctrfdwnhgwpzsvlnkz.exe*."
    3⤵
    PID:5828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c odctrfdwnhgwpzsvlnkz.exe
1⤵
PID:3172
- C:\Windows\odctrfdwnhgwpzsvlnkz.exe
  odctrfdwnhgwpzsvlnkz.exe
  2⤵
  PID:4652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qdaplxtkzroctbsthh.exe
1⤵
PID:4448
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2504
- C:\Windows\qdaplxtkzroctbsthh.exe
  qdaplxtkzroctbsthh.exe
  2⤵
  PID:868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dttlkzyskffwqbvzqtrhh.exe .
1⤵
PID:5928
- C:\Windows\dttlkzyskffwqbvzqtrhh.exe
  dttlkzyskffwqbvzqtrhh.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1792
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\dttlkzyskffwqbvzqtrhh.exe*."
    3⤵
    PID:2712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dttlkzyskffwqbvzqtrhh.exe .
1⤵
PID:2032
- C:\Windows\dttlkzyskffwqbvzqtrhh.exe
  dttlkzyskffwqbvzqtrhh.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4140
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\dttlkzyskffwqbvzqtrhh.exe*."
    3⤵
    PID:4972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe
1⤵
PID:5992
- C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe
  2⤵
  PID:1236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe
1⤵
PID:908
- C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe
  2⤵
  PID:716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe .
1⤵
PID:2136
- C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3928
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\qdaplxtkzroctbsthh.exe*."
    3⤵
    PID:2140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe .
1⤵
PID:6012
- C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe .
  2⤵
  - Checks computer location settings
  PID:3372
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\htpdyjeuizviyfvvi.exe*."
    3⤵
    PID:5512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe
1⤵
PID:824
- C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe
  2⤵
  PID:2468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
1⤵
PID:1468
- C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
  C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
  2⤵
  PID:6088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe .
1⤵
PID:2372
- C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe .
  2⤵
  PID:4644
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\algtnxrgtjeqflaz.exe*."
    3⤵
    PID:1272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c algtnxrgtjeqflaz.exe
1⤵
PID:5000
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5264
- C:\Windows\algtnxrgtjeqflaz.exe
  algtnxrgtjeqflaz.exe
  2⤵
  PID:2780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe .
1⤵
PID:1216
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2204
- C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:552
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\htpdyjeuizviyfvvi.exe*."
    3⤵
    PID:880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htpdyjeuizviyfvvi.exe .
1⤵
PID:4228
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5024
- C:\Windows\htpdyjeuizviyfvvi.exe
  htpdyjeuizviyfvvi.exe .
  2⤵
  PID:3760
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\htpdyjeuizviyfvvi.exe*."
    3⤵
    PID:2932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htpdyjeuizviyfvvi.exe
1⤵
PID:112
- C:\Windows\htpdyjeuizviyfvvi.exe
  htpdyjeuizviyfvvi.exe
  2⤵
  PID:2236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c odctrfdwnhgwpzsvlnkz.exe .
1⤵
PID:4812
- C:\Windows\odctrfdwnhgwpzsvlnkz.exe
  odctrfdwnhgwpzsvlnkz.exe .
  2⤵
  PID:1724
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\odctrfdwnhgwpzsvlnkz.exe*."
    3⤵
    PID:4616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe
1⤵
PID:3728
- C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe
  2⤵
  PID:4364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe .
1⤵
PID:4256
- C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
  C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe .
  2⤵
  PID:912
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\odctrfdwnhgwpzsvlnkz.exe*."
    3⤵
    PID:5044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe
1⤵
PID:3592
- C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe
  C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe
  2⤵
  PID:1956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe .
1⤵
PID:1464
- C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe .
  2⤵
  PID:3156
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\htpdyjeuizviyfvvi.exe*."
    3⤵
    PID:2760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htpdyjeuizviyfvvi.exe
1⤵
PID:2268
- C:\Windows\htpdyjeuizviyfvvi.exe
  htpdyjeuizviyfvvi.exe
  2⤵
  PID:5672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c algtnxrgtjeqflaz.exe .
1⤵
PID:2404
- C:\Windows\algtnxrgtjeqflaz.exe
  algtnxrgtjeqflaz.exe .
  2⤵
  PID:3480
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\algtnxrgtjeqflaz.exe*."
    3⤵
    PID:1940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bpndankcsljyqzrtijf.exe
1⤵
PID:3040
- C:\Windows\bpndankcsljyqzrtijf.exe
  bpndankcsljyqzrtijf.exe
  2⤵
  PID:3172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qdaplxtkzroctbsthh.exe .
1⤵
PID:5432
- C:\Windows\qdaplxtkzroctbsthh.exe
  qdaplxtkzroctbsthh.exe .
  2⤵
  PID:3260
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\qdaplxtkzroctbsthh.exe*."
    3⤵
    PID:3704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
1⤵
PID:3180
- C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
  C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
  2⤵
  PID:5028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe .
1⤵
PID:6060
- C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe
  C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe .
  2⤵
  PID:4732
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\dttlkzyskffwqbvzqtrhh.exe*."
    3⤵
    PID:3140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe
1⤵
PID:724
- C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe
  2⤵
  PID:5240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe .
1⤵
PID:5256
- C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe .
  2⤵
  PID:464
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\algtnxrgtjeqflaz.exe*."
    3⤵
    PID:1800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dttlkzyskffwqbvzqtrhh.exe
1⤵
PID:3036
- C:\Windows\dttlkzyskffwqbvzqtrhh.exe
  dttlkzyskffwqbvzqtrhh.exe
  2⤵
  PID:3356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dttlkzyskffwqbvzqtrhh.exe .
1⤵
PID:5016
- C:\Windows\dttlkzyskffwqbvzqtrhh.exe
  dttlkzyskffwqbvzqtrhh.exe .
  2⤵
  PID:4148
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\dttlkzyskffwqbvzqtrhh.exe*."
    3⤵
    PID:2824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qdaplxtkzroctbsthh.exe
1⤵
PID:5768
- C:\Windows\qdaplxtkzroctbsthh.exe
  qdaplxtkzroctbsthh.exe
  2⤵
  PID:2224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c algtnxrgtjeqflaz.exe .
1⤵
PID:5604
- C:\Windows\algtnxrgtjeqflaz.exe
  algtnxrgtjeqflaz.exe .
  2⤵
  PID:4376
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\algtnxrgtjeqflaz.exe*."
    3⤵
    PID:4624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
1⤵
PID:1516
- C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
  C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
  2⤵
  PID:4708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe .
1⤵
PID:5396
- C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe
  C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe .
  2⤵
  PID:2460
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\dttlkzyskffwqbvzqtrhh.exe*."
    3⤵
    PID:1732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
1⤵
PID:2176
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:220
- C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
  C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
  2⤵
  PID:4256

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:5596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe .
1⤵
PID:5060
- C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe
  C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe .
  2⤵
  PID:1420
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\bpndankcsljyqzrtijf.exe*."
    3⤵
    PID:4968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qdaplxtkzroctbsthh.exe
1⤵
PID:5276
- C:\Windows\qdaplxtkzroctbsthh.exe
  qdaplxtkzroctbsthh.exe
  2⤵
  PID:1192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qdaplxtkzroctbsthh.exe .
1⤵
PID:3900
- C:\Windows\qdaplxtkzroctbsthh.exe
  qdaplxtkzroctbsthh.exe .
  2⤵
  PID:2848
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\qdaplxtkzroctbsthh.exe*."
    3⤵
    PID:5716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dttlkzyskffwqbvzqtrhh.exe
1⤵
PID:1544
- C:\Windows\dttlkzyskffwqbvzqtrhh.exe
  dttlkzyskffwqbvzqtrhh.exe
  2⤵
  PID:5508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c odctrfdwnhgwpzsvlnkz.exe .
1⤵
PID:2744
- C:\Windows\odctrfdwnhgwpzsvlnkz.exe
  odctrfdwnhgwpzsvlnkz.exe .
  2⤵
  PID:3940
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\odctrfdwnhgwpzsvlnkz.exe*."
    3⤵
    PID:4804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe
1⤵
PID:2692
- C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe
  2⤵
  PID:4516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe .
1⤵
PID:4380
- C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
  C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe .
  2⤵
  PID:5824
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\odctrfdwnhgwpzsvlnkz.exe*."
    3⤵
    PID:2232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe
1⤵
PID:5512
- C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe
  2⤵
  PID:4308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe .
1⤵
PID:5748
- C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
  C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe .
  2⤵
  PID:2648
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\odctrfdwnhgwpzsvlnkz.exe*."
    3⤵
    PID:5248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c algtnxrgtjeqflaz.exe
1⤵
PID:3668
- C:\Windows\algtnxrgtjeqflaz.exe
  algtnxrgtjeqflaz.exe
  2⤵
  PID:864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dttlkzyskffwqbvzqtrhh.exe .
1⤵
PID:4984
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5976
- C:\Windows\dttlkzyskffwqbvzqtrhh.exe
  dttlkzyskffwqbvzqtrhh.exe .
  2⤵
  PID:4160
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\dttlkzyskffwqbvzqtrhh.exe*."
    3⤵
    PID:1096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c algtnxrgtjeqflaz.exe
1⤵
PID:6100
- C:\Windows\algtnxrgtjeqflaz.exe
  algtnxrgtjeqflaz.exe
  2⤵
  PID:2136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c odctrfdwnhgwpzsvlnkz.exe .
1⤵
PID:2032
- C:\Windows\odctrfdwnhgwpzsvlnkz.exe
  odctrfdwnhgwpzsvlnkz.exe .
  2⤵
  PID:2756
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\odctrfdwnhgwpzsvlnkz.exe*."
    3⤵
    PID:3112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe
1⤵
PID:4636
- C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe
  C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe
  2⤵
  PID:2824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe .
1⤵
PID:2224
- C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe .
  2⤵
  PID:5132
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\qdaplxtkzroctbsthh.exe*."
    3⤵
    PID:5692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe
1⤵
PID:5032
- C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe
  2⤵
  PID:5452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe .
1⤵
PID:4776
- C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe .
  2⤵
  PID:5964
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\htpdyjeuizviyfvvi.exe*."
    3⤵
    PID:1060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bpndankcsljyqzrtijf.exe
1⤵
PID:3708
- C:\Windows\bpndankcsljyqzrtijf.exe
  bpndankcsljyqzrtijf.exe
  2⤵
  PID:2144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dttlkzyskffwqbvzqtrhh.exe .
1⤵
PID:5316
- C:\Windows\dttlkzyskffwqbvzqtrhh.exe
  dttlkzyskffwqbvzqtrhh.exe .
  2⤵
  PID:2900
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\dttlkzyskffwqbvzqtrhh.exe*."
    3⤵
    PID:2372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c odctrfdwnhgwpzsvlnkz.exe
1⤵
PID:4548
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3068
- C:\Windows\odctrfdwnhgwpzsvlnkz.exe
  odctrfdwnhgwpzsvlnkz.exe
  2⤵
  PID:1988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htpdyjeuizviyfvvi.exe .
1⤵
PID:2332
- C:\Windows\htpdyjeuizviyfvvi.exe
  htpdyjeuizviyfvvi.exe .
  2⤵
  PID:5676
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\htpdyjeuizviyfvvi.exe*."
    3⤵
    PID:4016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe
1⤵
PID:716
- C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe
  2⤵
  PID:1932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe .
1⤵
PID:1192
- C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe .
  2⤵
  PID:2652
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\qdaplxtkzroctbsthh.exe*."
    3⤵
    PID:2296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe
1⤵
PID:5984
- C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe
  2⤵
  PID:4680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe .
1⤵
PID:2708
- C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe
  C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe .
  2⤵
  PID:5616
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\bpndankcsljyqzrtijf.exe*."
    3⤵
    PID:2692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dttlkzyskffwqbvzqtrhh.exe
1⤵
PID:4804
- C:\Windows\dttlkzyskffwqbvzqtrhh.exe
  dttlkzyskffwqbvzqtrhh.exe
  2⤵
  PID:1792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htpdyjeuizviyfvvi.exe
1⤵
PID:1460
- C:\Windows\htpdyjeuizviyfvvi.exe
  htpdyjeuizviyfvvi.exe
  2⤵
  PID:4948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htpdyjeuizviyfvvi.exe
1⤵
PID:5960
- C:\Windows\htpdyjeuizviyfvvi.exe
  htpdyjeuizviyfvvi.exe
  2⤵
  PID:4252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c odctrfdwnhgwpzsvlnkz.exe .
1⤵
PID:5620
- C:\Windows\odctrfdwnhgwpzsvlnkz.exe
  odctrfdwnhgwpzsvlnkz.exe .
  2⤵
  PID:5296
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\odctrfdwnhgwpzsvlnkz.exe*."
    3⤵
    PID:4944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c odctrfdwnhgwpzsvlnkz.exe .
1⤵
PID:4400
- C:\Windows\odctrfdwnhgwpzsvlnkz.exe
  odctrfdwnhgwpzsvlnkz.exe .
  2⤵
  PID:2624
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\odctrfdwnhgwpzsvlnkz.exe*."
    3⤵
    PID:3236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htpdyjeuizviyfvvi.exe
1⤵
PID:756
- C:\Windows\htpdyjeuizviyfvvi.exe
  htpdyjeuizviyfvvi.exe
  2⤵
  PID:4900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dttlkzyskffwqbvzqtrhh.exe .
1⤵
PID:4760
- C:\Windows\dttlkzyskffwqbvzqtrhh.exe
  dttlkzyskffwqbvzqtrhh.exe .
  2⤵
  PID:1716
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\dttlkzyskffwqbvzqtrhh.exe*."
    3⤵
    PID:5188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htpdyjeuizviyfvvi.exe .
1⤵
PID:5172
- C:\Windows\htpdyjeuizviyfvvi.exe
  htpdyjeuizviyfvvi.exe .
  2⤵
  PID:5600
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\htpdyjeuizviyfvvi.exe*."
    3⤵
    PID:4232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c algtnxrgtjeqflaz.exe
1⤵
PID:5040
- C:\Windows\algtnxrgtjeqflaz.exe
  algtnxrgtjeqflaz.exe
  2⤵
  PID:3976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
1⤵
PID:4160
- C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
  C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
  2⤵
  PID:2084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c algtnxrgtjeqflaz.exe
1⤵
PID:116
- C:\Windows\algtnxrgtjeqflaz.exe
  algtnxrgtjeqflaz.exe
  2⤵
  PID:4548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htpdyjeuizviyfvvi.exe .
1⤵
PID:524
- C:\Windows\htpdyjeuizviyfvvi.exe
  htpdyjeuizviyfvvi.exe .
  2⤵
  PID:5372
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\htpdyjeuizviyfvvi.exe*."
    3⤵
    PID:4244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe .
1⤵
PID:6100
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:552
- C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe
  C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe .
  2⤵
  PID:2028
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\bpndankcsljyqzrtijf.exe*."
    3⤵
    PID:3820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dttlkzyskffwqbvzqtrhh.exe .
1⤵
PID:4636
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:880
- C:\Windows\dttlkzyskffwqbvzqtrhh.exe
  dttlkzyskffwqbvzqtrhh.exe .
  2⤵
  PID:5956
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\dttlkzyskffwqbvzqtrhh.exe*."
    3⤵
    PID:2096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe
1⤵
PID:1852
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2756
- C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe
  C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe
  2⤵
  PID:2128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe
1⤵
PID:4708
- C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe
  C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe
  2⤵
  PID:4412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe .
1⤵
PID:388
- C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe .
  2⤵
  PID:3156
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\htpdyjeuizviyfvvi.exe*."
    3⤵
    PID:3776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe .
1⤵
PID:4832
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1928
- C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
  C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe .
  2⤵
  PID:3312
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\odctrfdwnhgwpzsvlnkz.exe*."
    3⤵
    PID:3172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe
1⤵
PID:232
- C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe
  C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe
  2⤵
  PID:4064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe .
1⤵
PID:4576
- C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe
  C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe .
  2⤵
  PID:1180
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\bpndankcsljyqzrtijf.exe*."
    3⤵
    PID:5708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe
1⤵
PID:4184
- C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe
  2⤵
  PID:2332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe
1⤵
PID:4312
- C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe
  2⤵
  PID:4896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe .
1⤵
PID:3332
- C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe .
  2⤵
  PID:3572
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\htpdyjeuizviyfvvi.exe*."
    3⤵
    PID:460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe .
1⤵
PID:1656
- C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe
  C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe .
  2⤵
  PID:2268
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\bpndankcsljyqzrtijf.exe*."
    3⤵
    PID:4288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htpdyjeuizviyfvvi.exe
1⤵
PID:548
- C:\Windows\htpdyjeuizviyfvvi.exe
  htpdyjeuizviyfvvi.exe
  2⤵
  PID:5756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c odctrfdwnhgwpzsvlnkz.exe .
1⤵
PID:4752
- C:\Windows\odctrfdwnhgwpzsvlnkz.exe
  odctrfdwnhgwpzsvlnkz.exe .
  2⤵
  PID:3216
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\odctrfdwnhgwpzsvlnkz.exe*."
    3⤵
    PID:4948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c odctrfdwnhgwpzsvlnkz.exe
1⤵
PID:1236
- C:\Windows\odctrfdwnhgwpzsvlnkz.exe
  odctrfdwnhgwpzsvlnkz.exe
  2⤵
  PID:1772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c algtnxrgtjeqflaz.exe .
1⤵
PID:868
- C:\Windows\algtnxrgtjeqflaz.exe
  algtnxrgtjeqflaz.exe .
  2⤵
  PID:2436
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\algtnxrgtjeqflaz.exe*."
    3⤵
    PID:4992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
1⤵
PID:5928
- C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
  C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
  2⤵
  PID:4972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe .
1⤵
PID:1720
- C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe .
  2⤵
  PID:5692
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\htpdyjeuizviyfvvi.exe*."
    3⤵
    PID:4504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe
1⤵
PID:5940
- C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe
  2⤵
  PID:4364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe .
1⤵
PID:4732
- C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe .
  2⤵
  PID:5036
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\algtnxrgtjeqflaz.exe*."
    3⤵
    PID:4648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c algtnxrgtjeqflaz.exe
1⤵
PID:1956
- C:\Windows\algtnxrgtjeqflaz.exe
  algtnxrgtjeqflaz.exe
  2⤵
  PID:6012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c algtnxrgtjeqflaz.exe .
1⤵
PID:4864
- C:\Windows\algtnxrgtjeqflaz.exe
  algtnxrgtjeqflaz.exe .
  2⤵
  PID:1252
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\algtnxrgtjeqflaz.exe*."
    3⤵
    PID:5372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bpndankcsljyqzrtijf.exe
1⤵
PID:2332
- C:\Windows\bpndankcsljyqzrtijf.exe
  bpndankcsljyqzrtijf.exe
  2⤵
  PID:5016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qdaplxtkzroctbsthh.exe .
1⤵
PID:116
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4828
- C:\Windows\qdaplxtkzroctbsthh.exe
  qdaplxtkzroctbsthh.exe .
  2⤵
  PID:4572
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\qdaplxtkzroctbsthh.exe*."
    3⤵
    PID:1464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe
1⤵
PID:4896
- C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe
  2⤵
  PID:2472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe .
1⤵
PID:1552
- C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe .
  2⤵
  PID:2640
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\algtnxrgtjeqflaz.exe*."
    3⤵
    PID:644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe
1⤵
PID:2224
- C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe
  C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe
  2⤵
  PID:5764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe .
1⤵
PID:1404
- C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe .
  2⤵
  PID:828
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\qdaplxtkzroctbsthh.exe*."
    3⤵
    PID:4192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bpndankcsljyqzrtijf.exe
1⤵
PID:5424
- C:\Windows\bpndankcsljyqzrtijf.exe
  bpndankcsljyqzrtijf.exe
  2⤵
  PID:3332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bpndankcsljyqzrtijf.exe .
1⤵
PID:2620
- C:\Windows\bpndankcsljyqzrtijf.exe
  bpndankcsljyqzrtijf.exe .
  2⤵
  PID:4856
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\bpndankcsljyqzrtijf.exe*."
    3⤵
    PID:3924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htpdyjeuizviyfvvi.exe
1⤵
PID:4352
- C:\Windows\htpdyjeuizviyfvvi.exe
  htpdyjeuizviyfvvi.exe
  2⤵
  PID:3216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c odctrfdwnhgwpzsvlnkz.exe .
1⤵
PID:5960
- C:\Windows\odctrfdwnhgwpzsvlnkz.exe
  odctrfdwnhgwpzsvlnkz.exe .
  2⤵
  PID:2268
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\odctrfdwnhgwpzsvlnkz.exe*."
    3⤵
    PID:1912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe
1⤵
PID:4652
- C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe
  C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe
  2⤵
  PID:1940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe .
1⤵
PID:856
- C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe .
  2⤵
  PID:2140
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\algtnxrgtjeqflaz.exe*."
    3⤵
    PID:3528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe
1⤵
PID:1684
- C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe
  2⤵
  PID:2728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe .
1⤵
PID:832
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5860
- C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe .
  2⤵
  PID:1048
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\algtnxrgtjeqflaz.exe*."
    3⤵
    PID:4740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c algtnxrgtjeqflaz.exe
1⤵
PID:2460
- C:\Windows\algtnxrgtjeqflaz.exe
  algtnxrgtjeqflaz.exe
  2⤵
  PID:2788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c odctrfdwnhgwpzsvlnkz.exe .
1⤵
PID:320
- C:\Windows\odctrfdwnhgwpzsvlnkz.exe
  odctrfdwnhgwpzsvlnkz.exe .
  2⤵
  PID:3596
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\odctrfdwnhgwpzsvlnkz.exe*."
    3⤵
    PID:3976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dttlkzyskffwqbvzqtrhh.exe
1⤵
PID:5396
- C:\Windows\dttlkzyskffwqbvzqtrhh.exe
  dttlkzyskffwqbvzqtrhh.exe
  2⤵
  PID:4432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c odctrfdwnhgwpzsvlnkz.exe .
1⤵
PID:5596
- C:\Windows\odctrfdwnhgwpzsvlnkz.exe
  odctrfdwnhgwpzsvlnkz.exe .
  2⤵
  PID:5352
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\odctrfdwnhgwpzsvlnkz.exe*."
    3⤵
    PID:2684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe
1⤵
PID:5044
- C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe
  C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe
  2⤵
  PID:3928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe .
1⤵
PID:3136
- C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe
  C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe .
  2⤵
  PID:864
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\bpndankcsljyqzrtijf.exe*."
    3⤵
    PID:1836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
1⤵
PID:1956
- C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
  C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
  2⤵
  PID:1564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe .
1⤵
PID:2020
- C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe .
  2⤵
  PID:4180
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\algtnxrgtjeqflaz.exe*."
    3⤵
    PID:4088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qdaplxtkzroctbsthh.exe
1⤵
PID:4680
- C:\Windows\qdaplxtkzroctbsthh.exe
  qdaplxtkzroctbsthh.exe
  2⤵
  PID:4756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htpdyjeuizviyfvvi.exe .
1⤵
PID:4452
- C:\Windows\htpdyjeuizviyfvvi.exe
  htpdyjeuizviyfvvi.exe .
  2⤵
  PID:4964
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\htpdyjeuizviyfvvi.exe*."
    3⤵
    PID:2176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qdaplxtkzroctbsthh.exe
1⤵
PID:6056
- C:\Windows\qdaplxtkzroctbsthh.exe
  qdaplxtkzroctbsthh.exe
  2⤵
  PID:3664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c odctrfdwnhgwpzsvlnkz.exe .
1⤵
PID:2640
- C:\Windows\odctrfdwnhgwpzsvlnkz.exe
  odctrfdwnhgwpzsvlnkz.exe .
  2⤵
  PID:1800
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\odctrfdwnhgwpzsvlnkz.exe*."
    3⤵
    PID:2636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe
1⤵
PID:3480
- C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe
  2⤵
  PID:3760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe .
1⤵
PID:2040
- C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe .
  2⤵
  PID:2344
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\qdaplxtkzroctbsthh.exe*."
    3⤵
    PID:5544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe
1⤵
PID:5260
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5712
- C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe
  2⤵
  PID:3476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe .
1⤵
PID:4684
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1152
- C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe .
  2⤵
  PID:2232
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\htpdyjeuizviyfvvi.exe*."
    3⤵
    PID:2588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qdaplxtkzroctbsthh.exe
1⤵
PID:3792
- C:\Windows\qdaplxtkzroctbsthh.exe
  qdaplxtkzroctbsthh.exe
  2⤵
  PID:1976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dttlkzyskffwqbvzqtrhh.exe .
1⤵
PID:1848
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4036
- C:\Windows\dttlkzyskffwqbvzqtrhh.exe
  dttlkzyskffwqbvzqtrhh.exe .
  2⤵
  PID:960
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\dttlkzyskffwqbvzqtrhh.exe*."
    3⤵
    PID:5928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dttlkzyskffwqbvzqtrhh.exe
1⤵
PID:3104
- C:\Windows\dttlkzyskffwqbvzqtrhh.exe
  dttlkzyskffwqbvzqtrhh.exe
  2⤵
  PID:1656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qdaplxtkzroctbsthh.exe .
1⤵
PID:4812
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4780
- C:\Windows\qdaplxtkzroctbsthh.exe
  qdaplxtkzroctbsthh.exe .
  2⤵
  PID:2932
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\qdaplxtkzroctbsthh.exe*."
    3⤵
    PID:1916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
1⤵
PID:868
- C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
  C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
  2⤵
  PID:3132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe .
1⤵
PID:1048
- C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe
  C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe .
  2⤵
  PID:3820
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\dttlkzyskffwqbvzqtrhh.exe*."
    3⤵
    PID:3708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dttlkzyskffwqbvzqtrhh.exe
1⤵
PID:5072
- C:\Windows\dttlkzyskffwqbvzqtrhh.exe
  dttlkzyskffwqbvzqtrhh.exe
  2⤵
  PID:5188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c odctrfdwnhgwpzsvlnkz.exe
1⤵
PID:1720
- C:\Windows\odctrfdwnhgwpzsvlnkz.exe
  odctrfdwnhgwpzsvlnkz.exe
  2⤵
  PID:4576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c odctrfdwnhgwpzsvlnkz.exe .
1⤵
PID:5036
- C:\Windows\odctrfdwnhgwpzsvlnkz.exe
  odctrfdwnhgwpzsvlnkz.exe .
  2⤵
  PID:1932
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\odctrfdwnhgwpzsvlnkz.exe*."
    3⤵
    PID:2392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qdaplxtkzroctbsthh.exe .
1⤵
PID:4640
- C:\Windows\qdaplxtkzroctbsthh.exe
  qdaplxtkzroctbsthh.exe .
  2⤵
  PID:2684
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\qdaplxtkzroctbsthh.exe*."
    3⤵
    PID:4160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe
1⤵
PID:1988
- C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe
  2⤵
  PID:4812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe .
1⤵
PID:2780
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4020
- C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
  C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe .
  2⤵
  PID:464
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\odctrfdwnhgwpzsvlnkz.exe*."
    3⤵
    PID:5784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c odctrfdwnhgwpzsvlnkz.exe
1⤵
PID:4660
- C:\Windows\odctrfdwnhgwpzsvlnkz.exe
  odctrfdwnhgwpzsvlnkz.exe
  2⤵
  PID:5588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htpdyjeuizviyfvvi.exe
1⤵
PID:1752
- C:\Windows\htpdyjeuizviyfvvi.exe
  htpdyjeuizviyfvvi.exe
  2⤵
  PID:3068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bpndankcsljyqzrtijf.exe .
1⤵
PID:956
- C:\Windows\bpndankcsljyqzrtijf.exe
  bpndankcsljyqzrtijf.exe .
  2⤵
  PID:3972
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\bpndankcsljyqzrtijf.exe*."
    3⤵
    PID:5060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bpndankcsljyqzrtijf.exe .
1⤵
PID:2960
- C:\Windows\bpndankcsljyqzrtijf.exe
  bpndankcsljyqzrtijf.exe .
  2⤵
  PID:3064
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\bpndankcsljyqzrtijf.exe*."
    3⤵
    PID:32

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
1⤵
PID:5048
- C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
  C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
  2⤵
  PID:4416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe
1⤵
PID:1468
- C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe
  C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe
  2⤵
  PID:4244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe .
1⤵
PID:2120
- C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe .
  2⤵
  PID:4708
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\qdaplxtkzroctbsthh.exe*."
    3⤵
    PID:5260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe .
1⤵
PID:5084
- C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
  C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe .
  2⤵
  PID:4720
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\odctrfdwnhgwpzsvlnkz.exe*."
    3⤵
    PID:4352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe
1⤵
PID:4624
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:6056
- C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe
  2⤵
  PID:3940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe
1⤵
PID:2296
- C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe
  2⤵
  PID:5348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe .
1⤵
PID:4932
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4848
- C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe .
  2⤵
  PID:4516
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\algtnxrgtjeqflaz.exe*."
    3⤵
    PID:4288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe .
1⤵
PID:3344
- C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe
  C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe .
  2⤵
  PID:5672
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\bpndankcsljyqzrtijf.exe*."
    3⤵
    PID:4460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c odctrfdwnhgwpzsvlnkz.exe
1⤵
PID:4228
- C:\Windows\odctrfdwnhgwpzsvlnkz.exe
  odctrfdwnhgwpzsvlnkz.exe
  2⤵
  PID:4968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c algtnxrgtjeqflaz.exe .
1⤵
PID:4480
- C:\Windows\algtnxrgtjeqflaz.exe
  algtnxrgtjeqflaz.exe .
  2⤵
  PID:4104
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\algtnxrgtjeqflaz.exe*."
    3⤵
    PID:5620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bpndankcsljyqzrtijf.exe
1⤵
PID:1940
- C:\Windows\bpndankcsljyqzrtijf.exe
  bpndankcsljyqzrtijf.exe
  2⤵
  PID:4064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bpndankcsljyqzrtijf.exe .
1⤵
PID:5296
- C:\Windows\bpndankcsljyqzrtijf.exe
  bpndankcsljyqzrtijf.exe .
  2⤵
  PID:1736
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\bpndankcsljyqzrtijf.exe*."
    3⤵
    PID:4628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
1⤵
PID:2952
- C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
  C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
  2⤵
  PID:3372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe .
1⤵
PID:3736
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3256
- C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe .
  2⤵
  PID:1668
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\qdaplxtkzroctbsthh.exe*."
    3⤵
    PID:1264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
1⤵
PID:2976
- C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
  C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
  2⤵
  PID:2460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe .
1⤵
PID:4232
- C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe .
  2⤵
  PID:3952
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\htpdyjeuizviyfvvi.exe*."
    3⤵
    PID:5028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c odctrfdwnhgwpzsvlnkz.exe
1⤵
PID:628
- C:\Windows\odctrfdwnhgwpzsvlnkz.exe
  odctrfdwnhgwpzsvlnkz.exe
  2⤵
  PID:4376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htpdyjeuizviyfvvi.exe .
1⤵
PID:5836
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1932
- C:\Windows\htpdyjeuizviyfvvi.exe
  htpdyjeuizviyfvvi.exe .
  2⤵
  PID:2684
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\htpdyjeuizviyfvvi.exe*."
    3⤵
    PID:4608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htpdyjeuizviyfvvi.exe
1⤵
PID:680
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1992
- C:\Windows\htpdyjeuizviyfvvi.exe
  htpdyjeuizviyfvvi.exe
  2⤵
  PID:1868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qdaplxtkzroctbsthh.exe .
1⤵
PID:1332
- C:\Windows\qdaplxtkzroctbsthh.exe
  qdaplxtkzroctbsthh.exe .
  2⤵
  PID:1312
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\qdaplxtkzroctbsthh.exe*."
    3⤵
    PID:1752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe
1⤵
PID:4668
- C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe
  C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe
  2⤵
  PID:5044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe .
1⤵
PID:2524
- C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
  C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe .
  2⤵
  PID:5652
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\odctrfdwnhgwpzsvlnkz.exe*."
    3⤵
    PID:2108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
1⤵
PID:1716
- C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
  C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
  2⤵
  PID:3148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe .
1⤵
PID:1596
- C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
  C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe .
  2⤵
  PID:3932
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\odctrfdwnhgwpzsvlnkz.exe*."
    3⤵
    PID:2032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c algtnxrgtjeqflaz.exe
1⤵
PID:5192
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:388
- C:\Windows\algtnxrgtjeqflaz.exe
  algtnxrgtjeqflaz.exe
  2⤵
  PID:5060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htpdyjeuizviyfvvi.exe .
1⤵
PID:5552
- C:\Windows\htpdyjeuizviyfvvi.exe
  htpdyjeuizviyfvvi.exe .
  2⤵
  PID:864
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\htpdyjeuizviyfvvi.exe*."
    3⤵
    PID:2120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c odctrfdwnhgwpzsvlnkz.exe
1⤵
PID:4928
- C:\Windows\odctrfdwnhgwpzsvlnkz.exe
  odctrfdwnhgwpzsvlnkz.exe
  2⤵
  PID:436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htpdyjeuizviyfvvi.exe .
1⤵
PID:4720
- C:\Windows\htpdyjeuizviyfvvi.exe
  htpdyjeuizviyfvvi.exe .
  2⤵
  PID:3412
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\htpdyjeuizviyfvvi.exe*."
    3⤵
    PID:3780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
1⤵
PID:1976
- C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
  C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
  2⤵
  PID:2652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe .
1⤵
PID:4860
- C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe
  C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe .
  2⤵
  PID:3040
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\dttlkzyskffwqbvzqtrhh.exe*."
    3⤵
    PID:5580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe
1⤵
PID:5276
- C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe
  2⤵
  PID:5500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe .
1⤵
PID:4616
- C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
  C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe .
  2⤵
  PID:2128
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\odctrfdwnhgwpzsvlnkz.exe*."
    3⤵
    PID:220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htpdyjeuizviyfvvi.exe
1⤵
PID:5984
- C:\Windows\htpdyjeuizviyfvvi.exe
  htpdyjeuizviyfvvi.exe
  2⤵
  PID:4216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c odctrfdwnhgwpzsvlnkz.exe .
1⤵
PID:2404
- C:\Windows\odctrfdwnhgwpzsvlnkz.exe
  odctrfdwnhgwpzsvlnkz.exe .
  2⤵
  PID:3728
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\odctrfdwnhgwpzsvlnkz.exe*."
    3⤵
    PID:868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c odctrfdwnhgwpzsvlnkz.exe
1⤵
PID:6128
- C:\Windows\odctrfdwnhgwpzsvlnkz.exe
  odctrfdwnhgwpzsvlnkz.exe
  2⤵
  PID:5296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bpndankcsljyqzrtijf.exe .
1⤵
PID:1656
- C:\Windows\bpndankcsljyqzrtijf.exe
  bpndankcsljyqzrtijf.exe .
  2⤵
  PID:4444
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\bpndankcsljyqzrtijf.exe*."
    3⤵
    PID:5592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
1⤵
PID:912
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5096
- C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
  C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
  2⤵
  PID:4952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe .
1⤵
PID:3132
- C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe
  C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe .
  2⤵
  PID:5708
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\bpndankcsljyqzrtijf.exe*."
    3⤵
    PID:5716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
1⤵
PID:4448
- C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
  C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
  2⤵
  PID:2624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe .
1⤵
PID:852
- C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe
  C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe .
  2⤵
  PID:1608
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\dttlkzyskffwqbvzqtrhh.exe*."
    3⤵
    PID:4376

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c odctrfdwnhgwpzsvlnkz.exe
1⤵
PID:3172
- C:\Windows\odctrfdwnhgwpzsvlnkz.exe
  odctrfdwnhgwpzsvlnkz.exe
  2⤵
  PID:1808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c odctrfdwnhgwpzsvlnkz.exe .
1⤵
PID:3212
- C:\Windows\odctrfdwnhgwpzsvlnkz.exe
  odctrfdwnhgwpzsvlnkz.exe .
  2⤵
  PID:1404
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\odctrfdwnhgwpzsvlnkz.exe*."
    3⤵
    PID:5396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bpndankcsljyqzrtijf.exe
1⤵
PID:320
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4432
- C:\Windows\bpndankcsljyqzrtijf.exe
  bpndankcsljyqzrtijf.exe
  2⤵
  PID:3752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bpndankcsljyqzrtijf.exe .
1⤵
PID:828
- C:\Windows\bpndankcsljyqzrtijf.exe
  bpndankcsljyqzrtijf.exe .
  2⤵
  PID:724
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\bpndankcsljyqzrtijf.exe*."
    3⤵
    PID:2384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe
1⤵
PID:3148
- C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\qdaplxtkzroctbsthh.exe
  2⤵
  PID:5028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe .
1⤵
PID:4868
- C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe
  C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe .
  2⤵
  PID:316
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\bpndankcsljyqzrtijf.exe*."
    3⤵
    PID:1596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe
1⤵
PID:1336
- C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe
  C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe
  2⤵
  PID:2052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe .
1⤵
PID:1544
- C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe
  C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe .
  2⤵
  PID:1348
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\bpndankcsljyqzrtijf.exe*."
    3⤵
    PID:5980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bpndankcsljyqzrtijf.exe
1⤵
PID:3176
- C:\Windows\bpndankcsljyqzrtijf.exe
  bpndankcsljyqzrtijf.exe
  2⤵
  PID:4624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dttlkzyskffwqbvzqtrhh.exe .
1⤵
PID:2652
- C:\Windows\dttlkzyskffwqbvzqtrhh.exe
  dttlkzyskffwqbvzqtrhh.exe .
  2⤵
  PID:3772
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\dttlkzyskffwqbvzqtrhh.exe*."
    3⤵
    PID:3568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c algtnxrgtjeqflaz.exe
1⤵
PID:3664
- C:\Windows\algtnxrgtjeqflaz.exe
  algtnxrgtjeqflaz.exe
  2⤵
  PID:3040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htpdyjeuizviyfvvi.exe .
1⤵
PID:5512
- C:\Windows\htpdyjeuizviyfvvi.exe
  htpdyjeuizviyfvvi.exe .
  2⤵
  PID:3704
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\htpdyjeuizviyfvvi.exe*."
    3⤵
    PID:5764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe
1⤵
PID:5452
- C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe
  C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe
  2⤵
  PID:4996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe .
1⤵
PID:4844
- C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe .
  2⤵
  PID:5616
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\algtnxrgtjeqflaz.exe*."
    3⤵
    PID:4288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe
1⤵
PID:5056
- C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe
  C:\Users\Admin\AppData\Local\Temp\bpndankcsljyqzrtijf.exe
  2⤵
  PID:4092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe .
1⤵
PID:4656
- C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
  C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe .
  2⤵
  PID:5984
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\odctrfdwnhgwpzsvlnkz.exe*."
    3⤵
    PID:1736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qdaplxtkzroctbsthh.exe
1⤵
PID:868
- C:\Windows\qdaplxtkzroctbsthh.exe
  qdaplxtkzroctbsthh.exe
  2⤵
  PID:6032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qdaplxtkzroctbsthh.exe
1⤵
PID:5620
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3668
- C:\Windows\qdaplxtkzroctbsthh.exe
  qdaplxtkzroctbsthh.exe
  2⤵
  PID:5076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dttlkzyskffwqbvzqtrhh.exe .
1⤵
PID:4884
- C:\Windows\dttlkzyskffwqbvzqtrhh.exe
  dttlkzyskffwqbvzqtrhh.exe .
  2⤵
  PID:4812
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\dttlkzyskffwqbvzqtrhh.exe*."
    3⤵
    PID:2604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dttlkzyskffwqbvzqtrhh.exe .
1⤵
PID:1988
- C:\Windows\dttlkzyskffwqbvzqtrhh.exe
  dttlkzyskffwqbvzqtrhh.exe .
  2⤵
  PID:4232
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\dttlkzyskffwqbvzqtrhh.exe*."
    3⤵
    PID:3112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qdaplxtkzroctbsthh.exe
1⤵
PID:2756
- C:\Windows\qdaplxtkzroctbsthh.exe
  qdaplxtkzroctbsthh.exe
  2⤵
  PID:3196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htpdyjeuizviyfvvi.exe
1⤵
PID:2976
- C:\Windows\htpdyjeuizviyfvvi.exe
  htpdyjeuizviyfvvi.exe
  2⤵
  PID:5652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dttlkzyskffwqbvzqtrhh.exe
1⤵
PID:2460
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5600
- C:\Windows\dttlkzyskffwqbvzqtrhh.exe
  dttlkzyskffwqbvzqtrhh.exe
  2⤵
  PID:1468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bpndankcsljyqzrtijf.exe .
1⤵
PID:2412
- C:\Windows\bpndankcsljyqzrtijf.exe
  bpndankcsljyqzrtijf.exe .
  2⤵
  PID:2964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c algtnxrgtjeqflaz.exe .
1⤵
PID:2744
- C:\Windows\algtnxrgtjeqflaz.exe
  algtnxrgtjeqflaz.exe .
  2⤵
  PID:5332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c htpdyjeuizviyfvvi.exe .
1⤵
PID:2816
- C:\Windows\htpdyjeuizviyfvvi.exe
  htpdyjeuizviyfvvi.exe .
  2⤵
  PID:4336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe
1⤵
PID:5188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
1⤵
PID:1552
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5732
- C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
  C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
  2⤵
  PID:5424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c algtnxrgtjeqflaz.exe
1⤵
PID:3724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\algtnxrgtjeqflaz.exe .
1⤵
PID:5432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe .
1⤵
PID:3636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bpndankcsljyqzrtijf.exe .
1⤵
PID:4760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe
1⤵
PID:5872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe .
1⤵
PID:2084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe
1⤵
PID:5028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htpdyjeuizviyfvvi.exe
1⤵
PID:3328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe .
1⤵
PID:828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odctrfdwnhgwpzsvlnkz.exe .
1⤵
PID:2332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dttlkzyskffwqbvzqtrhh.exe
1⤵
PID:5060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Safe Mode Boot

T1562.009

Modify Registry