pykspa | 839e4463d38910e7b4b6548985a95711dc11371a6a94f36716b0d222260ae275

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	nqtzet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	nqtzet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vcmnxryrfmw.exe

Pykspa
Pykspa is a worm spreads via Skype uses DGA and it's written in C++.
worm pykspa
Pykspa family
pykspa

UAC bypass 3 TTPs 24 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	nqtzet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	nqtzet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	nqtzet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	nqtzet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	nqtzet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	nqtzet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	nqtzet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	nqtzet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe

Detect Pykspa worm 2 IoCs

worm

resource	yara_rule
behavioral2/files/0x00090000000227aa-4.dat	family_pykspa
behavioral2/files/0x00070000000242a3-82.dat	family_pykspa

Adds policy Run key to start application 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qakxjfpckzram = "aqgzrtjcqljyqzrtije.exe"	nqtzet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qakxjfpckzram = "aqgzrtjcqljyqzrtije.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zgnxgzgqvh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmzpedqgrjeqflaz.exe"	nqtzet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qakxjfpckzram = "zmzpedqgrjeqflaz.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zgnxgzgqvh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\guizppdugzviyfvvi.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zgnxgzgqvh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\petlcdskxroctbsthh.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qakxjfpckzram = "cumhbfxsiffwqbvzqtqia.exe"	nqtzet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zgnxgzgqvh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\petlcdskxroctbsthh.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qakxjfpckzram = "zmzpedqgrjeqflaz.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zgnxgzgqvh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cumhbfxsiffwqbvzqtqia.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qakxjfpckzram = "guizppdugzviyfvvi.exe"	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zgnxgzgqvh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\guizppdugzviyfvvi.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zgnxgzgqvh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqgzrtjcqljyqzrtije.exe"	nqtzet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qakxjfpckzram = "aqgzrtjcqljyqzrtije.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zgnxgzgqvh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cumhbfxsiffwqbvzqtqia.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zgnxgzgqvh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nevpilcwlhgwpzsvlnja.exe"	nqtzet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zgnxgzgqvh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cumhbfxsiffwqbvzqtqia.exe"	nqtzet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qakxjfpckzram = "nevpilcwlhgwpzsvlnja.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zgnxgzgqvh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nevpilcwlhgwpzsvlnja.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qakxjfpckzram = "aqgzrtjcqljyqzrtije.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qakxjfpckzram = "zmzpedqgrjeqflaz.exe"	nqtzet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zgnxgzgqvh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cumhbfxsiffwqbvzqtqia.exe"	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	nqtzet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qakxjfpckzram = "aqgzrtjcqljyqzrtije.exe"	nqtzet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zgnxgzgqvh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmzpedqgrjeqflaz.exe"	nqtzet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qakxjfpckzram = "petlcdskxroctbsthh.exe"	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qakxjfpckzram = "zmzpedqgrjeqflaz.exe"	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	nqtzet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qakxjfpckzram = "nevpilcwlhgwpzsvlnja.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zgnxgzgqvh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\guizppdugzviyfvvi.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zgnxgzgqvh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqgzrtjcqljyqzrtije.exe"	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zgnxgzgqvh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cumhbfxsiffwqbvzqtqia.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qakxjfpckzram = "nevpilcwlhgwpzsvlnja.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qakxjfpckzram = "aqgzrtjcqljyqzrtije.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qakxjfpckzram = "nevpilcwlhgwpzsvlnja.exe"	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qakxjfpckzram = "petlcdskxroctbsthh.exe"	nqtzet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zgnxgzgqvh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqgzrtjcqljyqzrtije.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zgnxgzgqvh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqgzrtjcqljyqzrtije.exe"	nqtzet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zgnxgzgqvh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nevpilcwlhgwpzsvlnja.exe"	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vcmnxryrfmw.exe

Disables RegEdit via registry modification 6 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	nqtzet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	nqtzet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	nqtzet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	nqtzet.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	nevpilcwlhgwpzsvlnja.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	nevpilcwlhgwpzsvlnja.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	petlcdskxroctbsthh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	petlcdskxroctbsthh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	nevpilcwlhgwpzsvlnja.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	guizppdugzviyfvvi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	nevpilcwlhgwpzsvlnja.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	petlcdskxroctbsthh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	cumhbfxsiffwqbvzqtqia.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	petlcdskxroctbsthh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	guizppdugzviyfvvi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	guizppdugzviyfvvi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	zmzpedqgrjeqflaz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	zmzpedqgrjeqflaz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	nevpilcwlhgwpzsvlnja.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	guizppdugzviyfvvi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	petlcdskxroctbsthh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	guizppdugzviyfvvi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	zmzpedqgrjeqflaz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	cumhbfxsiffwqbvzqtqia.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	nevpilcwlhgwpzsvlnja.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	cumhbfxsiffwqbvzqtqia.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	zmzpedqgrjeqflaz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	guizppdugzviyfvvi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	aqgzrtjcqljyqzrtije.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	zmzpedqgrjeqflaz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	petlcdskxroctbsthh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	JaffaCakes118_97a06d4c34869003ce06d22cf844ee41.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	petlcdskxroctbsthh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	zmzpedqgrjeqflaz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	nevpilcwlhgwpzsvlnja.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	zmzpedqgrjeqflaz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	petlcdskxroctbsthh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	nevpilcwlhgwpzsvlnja.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	guizppdugzviyfvvi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	petlcdskxroctbsthh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	zmzpedqgrjeqflaz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	zmzpedqgrjeqflaz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	aqgzrtjcqljyqzrtije.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	petlcdskxroctbsthh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	nevpilcwlhgwpzsvlnja.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	vcmnxryrfmw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	petlcdskxroctbsthh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	aqgzrtjcqljyqzrtije.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	nevpilcwlhgwpzsvlnja.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	aqgzrtjcqljyqzrtije.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	nevpilcwlhgwpzsvlnja.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	nevpilcwlhgwpzsvlnja.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	cumhbfxsiffwqbvzqtqia.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	cumhbfxsiffwqbvzqtqia.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	aqgzrtjcqljyqzrtije.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	zmzpedqgrjeqflaz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	guizppdugzviyfvvi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	cumhbfxsiffwqbvzqtqia.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	aqgzrtjcqljyqzrtije.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	nevpilcwlhgwpzsvlnja.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	cumhbfxsiffwqbvzqtqia.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	cumhbfxsiffwqbvzqtqia.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	guizppdugzviyfvvi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	aqgzrtjcqljyqzrtije.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	aqgzrtjcqljyqzrtije.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	cumhbfxsiffwqbvzqtqia.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	petlcdskxroctbsthh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	aqgzrtjcqljyqzrtije.exe

Executes dropped EXE 64 IoCs

pid	Process
2392	vcmnxryrfmw.exe
3812	guizppdugzviyfvvi.exe
5592	aqgzrtjcqljyqzrtije.exe
3248	guizppdugzviyfvvi.exe
2924	vcmnxryrfmw.exe
2224	guizppdugzviyfvvi.exe
4048	aqgzrtjcqljyqzrtije.exe
2496	cumhbfxsiffwqbvzqtqia.exe
2428	vcmnxryrfmw.exe
5648	vcmnxryrfmw.exe
2564	cumhbfxsiffwqbvzqtqia.exe
5280	petlcdskxroctbsthh.exe
1076	vcmnxryrfmw.exe
5624	nqtzet.exe
5668	nqtzet.exe
3336	guizppdugzviyfvvi.exe
3888	nevpilcwlhgwpzsvlnja.exe
3368	petlcdskxroctbsthh.exe
2448	zmzpedqgrjeqflaz.exe
4852	vcmnxryrfmw.exe
2984	vcmnxryrfmw.exe
4708	cumhbfxsiffwqbvzqtqia.exe
4952	cumhbfxsiffwqbvzqtqia.exe
4976	guizppdugzviyfvvi.exe
5572	cumhbfxsiffwqbvzqtqia.exe
3116	petlcdskxroctbsthh.exe
4184	cumhbfxsiffwqbvzqtqia.exe
1088	nevpilcwlhgwpzsvlnja.exe
676	cumhbfxsiffwqbvzqtqia.exe
3488	petlcdskxroctbsthh.exe
1988	petlcdskxroctbsthh.exe
2564	vcmnxryrfmw.exe
2348	vcmnxryrfmw.exe
3772	petlcdskxroctbsthh.exe
5788	nevpilcwlhgwpzsvlnja.exe
5420	vcmnxryrfmw.exe
2572	vcmnxryrfmw.exe
3120	zmzpedqgrjeqflaz.exe
3736	vcmnxryrfmw.exe
980	vcmnxryrfmw.exe
2560	aqgzrtjcqljyqzrtije.exe
1684	vcmnxryrfmw.exe
5952	cumhbfxsiffwqbvzqtqia.exe
3584	cumhbfxsiffwqbvzqtqia.exe
2044	petlcdskxroctbsthh.exe
3752	vcmnxryrfmw.exe
4100	aqgzrtjcqljyqzrtije.exe
4780	vcmnxryrfmw.exe
2480	cumhbfxsiffwqbvzqtqia.exe
3128	aqgzrtjcqljyqzrtije.exe
2924	vcmnxryrfmw.exe
4048	zmzpedqgrjeqflaz.exe
2804	petlcdskxroctbsthh.exe
3372	petlcdskxroctbsthh.exe
5052	petlcdskxroctbsthh.exe
2348	zmzpedqgrjeqflaz.exe
512	vcmnxryrfmw.exe
3120	zmzpedqgrjeqflaz.exe
4740	cumhbfxsiffwqbvzqtqia.exe
6112	vcmnxryrfmw.exe
5744	petlcdskxroctbsthh.exe
5932	vcmnxryrfmw.exe
5372	cumhbfxsiffwqbvzqtqia.exe
3328	zmzpedqgrjeqflaz.exe

Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	nqtzet.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	nqtzet.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	nqtzet.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	nqtzet.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	nqtzet.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	nqtzet.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

defense_evasion persistence privilege_escalation

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ugshvtfuevpaoth = "cumhbfxsiffwqbvzqtqia.exe ."	nqtzet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uckvfzhsylb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nevpilcwlhgwpzsvlnja.exe"	nqtzet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uckvfzhsylb = "zmzpedqgrjeqflaz.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uckvfzhsylb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\guizppdugzviyfvvi.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zmzpedqgrjeqflaz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\guizppdugzviyfvvi.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rcnbolwktjcmzd = "zmzpedqgrjeqflaz.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uckvfzhsylb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cumhbfxsiffwqbvzqtqia.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ugshvtfuevpaoth = "guizppdugzviyfvvi.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uckvfzhsylb = "petlcdskxroctbsthh.exe"	nqtzet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zmzpedqgrjeqflaz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nevpilcwlhgwpzsvlnja.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uckvfzhsylb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqgzrtjcqljyqzrtije.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zmzpedqgrjeqflaz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmzpedqgrjeqflaz.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zmzpedqgrjeqflaz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\guizppdugzviyfvvi.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uckvfzhsylb = "zmzpedqgrjeqflaz.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zmzpedqgrjeqflaz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmzpedqgrjeqflaz.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rcnbolwktjcmzd = "zmzpedqgrjeqflaz.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ugshvtfuevpaoth = "aqgzrtjcqljyqzrtije.exe ."	nqtzet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uckvfzhsylb = "zmzpedqgrjeqflaz.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uckvfzhsylb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nevpilcwlhgwpzsvlnja.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uckvfzhsylb = "zmzpedqgrjeqflaz.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uckvfzhsylb = "cumhbfxsiffwqbvzqtqia.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rcnbolwktjcmzd = "petlcdskxroctbsthh.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\guizppdugzviyfvvi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nevpilcwlhgwpzsvlnja.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ugshvtfuevpaoth = "cumhbfxsiffwqbvzqtqia.exe ."	nqtzet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rajvgbkwdriq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\petlcdskxroctbsthh.exe ."	nqtzet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\guizppdugzviyfvvi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqgzrtjcqljyqzrtije.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\guizppdugzviyfvvi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\petlcdskxroctbsthh.exe"	nqtzet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rcnbolwktjcmzd = "zmzpedqgrjeqflaz.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uckvfzhsylb = "zmzpedqgrjeqflaz.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rajvgbkwdriq = "nevpilcwlhgwpzsvlnja.exe ."	nqtzet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ugshvtfuevpaoth = "guizppdugzviyfvvi.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\guizppdugzviyfvvi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nevpilcwlhgwpzsvlnja.exe"	nqtzet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rajvgbkwdriq = "petlcdskxroctbsthh.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\guizppdugzviyfvvi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmzpedqgrjeqflaz.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zmzpedqgrjeqflaz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\guizppdugzviyfvvi.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uckvfzhsylb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\guizppdugzviyfvvi.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\guizppdugzviyfvvi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqgzrtjcqljyqzrtije.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rajvgbkwdriq = "zmzpedqgrjeqflaz.exe ."	nqtzet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rcnbolwktjcmzd = "cumhbfxsiffwqbvzqtqia.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zmzpedqgrjeqflaz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmzpedqgrjeqflaz.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\guizppdugzviyfvvi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\guizppdugzviyfvvi.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ugshvtfuevpaoth = "nevpilcwlhgwpzsvlnja.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uckvfzhsylb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nevpilcwlhgwpzsvlnja.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ugshvtfuevpaoth = "petlcdskxroctbsthh.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rajvgbkwdriq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nevpilcwlhgwpzsvlnja.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ugshvtfuevpaoth = "petlcdskxroctbsthh.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rajvgbkwdriq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nevpilcwlhgwpzsvlnja.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\guizppdugzviyfvvi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cumhbfxsiffwqbvzqtqia.exe"	nqtzet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rajvgbkwdriq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cumhbfxsiffwqbvzqtqia.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rajvgbkwdriq = "aqgzrtjcqljyqzrtije.exe ."	nqtzet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uckvfzhsylb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\guizppdugzviyfvvi.exe"	nqtzet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uckvfzhsylb = "cumhbfxsiffwqbvzqtqia.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rajvgbkwdriq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmzpedqgrjeqflaz.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ugshvtfuevpaoth = "cumhbfxsiffwqbvzqtqia.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ugshvtfuevpaoth = "nevpilcwlhgwpzsvlnja.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\guizppdugzviyfvvi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmzpedqgrjeqflaz.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rajvgbkwdriq = "aqgzrtjcqljyqzrtije.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rajvgbkwdriq = "zmzpedqgrjeqflaz.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rajvgbkwdriq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\petlcdskxroctbsthh.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ugshvtfuevpaoth = "nevpilcwlhgwpzsvlnja.exe ."	nqtzet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uckvfzhsylb = "guizppdugzviyfvvi.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zmzpedqgrjeqflaz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\petlcdskxroctbsthh.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rajvgbkwdriq = "aqgzrtjcqljyqzrtije.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rajvgbkwdriq = "petlcdskxroctbsthh.exe ."	nqtzet.exe

Checks whether UAC is enabled 1 TTPs 30 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vcmnxryrfmw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	nqtzet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	nqtzet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	nqtzet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vcmnxryrfmw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vcmnxryrfmw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vcmnxryrfmw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vcmnxryrfmw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vcmnxryrfmw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	nqtzet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe

Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs

Possible Turn off User Account Control's privilege elevation for standard users.

Executable Installer File Permissions Weakness

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	nqtzet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	nqtzet.exe

Looks up external IP address via web service 9 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
46	www.whatismyip.ca
27	whatismyip.everdot.org
31	www.whatismyip.ca
32	www.showmyipaddress.com
35	whatismyip.everdot.org
36	www.whatismyip.ca
41	www.whatismyip.ca
22	whatismyipaddress.com
42	whatismyip.everdot.org

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\petlcdskxroctbsthh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\cumhbfxsiffwqbvzqtqia.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\zmzpedqgrjeqflaz.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\tmfbwbuqhfgytfafxbzslh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\nevpilcwlhgwpzsvlnja.exe	nqtzet.exe
File created	C:\Windows\SysWOW64\hgfhitsurvcabtufdnrqprsd.ebf	nqtzet.exe
File created	C:\Windows\SysWOW64\qakxjfpckzrampbxgbqakxjfpckzrampbxg.qak	nqtzet.exe
File opened for modification	C:\Windows\SysWOW64\nevpilcwlhgwpzsvlnja.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\cumhbfxsiffwqbvzqtqia.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\tmfbwbuqhfgytfafxbzslh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\aqgzrtjcqljyqzrtije.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\guizppdugzviyfvvi.exe	nqtzet.exe
File opened for modification	C:\Windows\SysWOW64\hgfhitsurvcabtufdnrqprsd.ebf	nqtzet.exe
File opened for modification	C:\Windows\SysWOW64\zmzpedqgrjeqflaz.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\guizppdugzviyfvvi.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\zmzpedqgrjeqflaz.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\zmzpedqgrjeqflaz.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\petlcdskxroctbsthh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\petlcdskxroctbsthh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\aqgzrtjcqljyqzrtije.exe	nqtzet.exe
File opened for modification	C:\Windows\SysWOW64\cumhbfxsiffwqbvzqtqia.exe	nqtzet.exe
File opened for modification	C:\Windows\SysWOW64\cumhbfxsiffwqbvzqtqia.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\aqgzrtjcqljyqzrtije.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\tmfbwbuqhfgytfafxbzslh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\petlcdskxroctbsthh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\tmfbwbuqhfgytfafxbzslh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\petlcdskxroctbsthh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\petlcdskxroctbsthh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\cumhbfxsiffwqbvzqtqia.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\zmzpedqgrjeqflaz.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\nevpilcwlhgwpzsvlnja.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\tmfbwbuqhfgytfafxbzslh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\guizppdugzviyfvvi.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\nevpilcwlhgwpzsvlnja.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\petlcdskxroctbsthh.exe	nqtzet.exe
File opened for modification	C:\Windows\SysWOW64\tmfbwbuqhfgytfafxbzslh.exe	nqtzet.exe
File opened for modification	C:\Windows\SysWOW64\aqgzrtjcqljyqzrtije.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\zmzpedqgrjeqflaz.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\guizppdugzviyfvvi.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\petlcdskxroctbsthh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\tmfbwbuqhfgytfafxbzslh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\tmfbwbuqhfgytfafxbzslh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\nevpilcwlhgwpzsvlnja.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\zmzpedqgrjeqflaz.exe	nqtzet.exe
File opened for modification	C:\Windows\SysWOW64\petlcdskxroctbsthh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\nevpilcwlhgwpzsvlnja.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\petlcdskxroctbsthh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\nevpilcwlhgwpzsvlnja.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\petlcdskxroctbsthh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\nevpilcwlhgwpzsvlnja.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\cumhbfxsiffwqbvzqtqia.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\guizppdugzviyfvvi.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\zmzpedqgrjeqflaz.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\nevpilcwlhgwpzsvlnja.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\zmzpedqgrjeqflaz.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\nevpilcwlhgwpzsvlnja.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\guizppdugzviyfvvi.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\aqgzrtjcqljyqzrtije.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\aqgzrtjcqljyqzrtije.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\guizppdugzviyfvvi.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\cumhbfxsiffwqbvzqtqia.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\guizppdugzviyfvvi.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\tmfbwbuqhfgytfafxbzslh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\petlcdskxroctbsthh.exe	vcmnxryrfmw.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\hgfhitsurvcabtufdnrqprsd.ebf	nqtzet.exe
File created	C:\Program Files (x86)\hgfhitsurvcabtufdnrqprsd.ebf	nqtzet.exe
File opened for modification	C:\Program Files (x86)\qakxjfpckzrampbxgbqakxjfpckzrampbxg.qak	nqtzet.exe
File created	C:\Program Files (x86)\qakxjfpckzrampbxgbqakxjfpckzrampbxg.qak	nqtzet.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\cumhbfxsiffwqbvzqtqia.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\petlcdskxroctbsthh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\qakxjfpckzrampbxgbqakxjfpckzrampbxg.qak	nqtzet.exe
File opened for modification	C:\Windows\aqgzrtjcqljyqzrtije.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\petlcdskxroctbsthh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\nevpilcwlhgwpzsvlnja.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\cumhbfxsiffwqbvzqtqia.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\tmfbwbuqhfgytfafxbzslh.exe	nqtzet.exe
File opened for modification	C:\Windows\petlcdskxroctbsthh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\aqgzrtjcqljyqzrtije.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\nevpilcwlhgwpzsvlnja.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\petlcdskxroctbsthh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\guizppdugzviyfvvi.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\aqgzrtjcqljyqzrtije.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\nevpilcwlhgwpzsvlnja.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\zmzpedqgrjeqflaz.exe	nqtzet.exe
File opened for modification	C:\Windows\petlcdskxroctbsthh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\zmzpedqgrjeqflaz.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\nevpilcwlhgwpzsvlnja.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\guizppdugzviyfvvi.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\guizppdugzviyfvvi.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\cumhbfxsiffwqbvzqtqia.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\tmfbwbuqhfgytfafxbzslh.exe	vcmnxryrfmw.exe
File created	C:\Windows\qakxjfpckzrampbxgbqakxjfpckzrampbxg.qak	nqtzet.exe
File opened for modification	C:\Windows\aqgzrtjcqljyqzrtije.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\petlcdskxroctbsthh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\nevpilcwlhgwpzsvlnja.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\nevpilcwlhgwpzsvlnja.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\tmfbwbuqhfgytfafxbzslh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\guizppdugzviyfvvi.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\guizppdugzviyfvvi.exe	nqtzet.exe
File opened for modification	C:\Windows\zmzpedqgrjeqflaz.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\tmfbwbuqhfgytfafxbzslh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\tmfbwbuqhfgytfafxbzslh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\petlcdskxroctbsthh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\aqgzrtjcqljyqzrtije.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\guizppdugzviyfvvi.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\tmfbwbuqhfgytfafxbzslh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\zmzpedqgrjeqflaz.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\nevpilcwlhgwpzsvlnja.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\guizppdugzviyfvvi.exe	nqtzet.exe
File opened for modification	C:\Windows\petlcdskxroctbsthh.exe	nqtzet.exe
File opened for modification	C:\Windows\guizppdugzviyfvvi.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\tmfbwbuqhfgytfafxbzslh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\aqgzrtjcqljyqzrtije.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\nevpilcwlhgwpzsvlnja.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\cumhbfxsiffwqbvzqtqia.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\tmfbwbuqhfgytfafxbzslh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\nevpilcwlhgwpzsvlnja.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\aqgzrtjcqljyqzrtije.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\cumhbfxsiffwqbvzqtqia.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\nevpilcwlhgwpzsvlnja.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\petlcdskxroctbsthh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\aqgzrtjcqljyqzrtije.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\petlcdskxroctbsthh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\nevpilcwlhgwpzsvlnja.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\guizppdugzviyfvvi.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\guizppdugzviyfvvi.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\guizppdugzviyfvvi.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\zmzpedqgrjeqflaz.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\tmfbwbuqhfgytfafxbzslh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\cumhbfxsiffwqbvzqtqia.exe	nqtzet.exe
File opened for modification	C:\Windows\cumhbfxsiffwqbvzqtqia.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\guizppdugzviyfvvi.exe	vcmnxryrfmw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zmzpedqgrjeqflaz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	petlcdskxroctbsthh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nevpilcwlhgwpzsvlnja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zmzpedqgrjeqflaz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	guizppdugzviyfvvi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aqgzrtjcqljyqzrtije.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_97a06d4c34869003ce06d22cf844ee41.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aqgzrtjcqljyqzrtije.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	petlcdskxroctbsthh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nevpilcwlhgwpzsvlnja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cumhbfxsiffwqbvzqtqia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cumhbfxsiffwqbvzqtqia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aqgzrtjcqljyqzrtije.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cumhbfxsiffwqbvzqtqia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nevpilcwlhgwpzsvlnja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zmzpedqgrjeqflaz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aqgzrtjcqljyqzrtije.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	guizppdugzviyfvvi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nevpilcwlhgwpzsvlnja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cumhbfxsiffwqbvzqtqia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	petlcdskxroctbsthh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	petlcdskxroctbsthh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zmzpedqgrjeqflaz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	guizppdugzviyfvvi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nevpilcwlhgwpzsvlnja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aqgzrtjcqljyqzrtije.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zmzpedqgrjeqflaz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nevpilcwlhgwpzsvlnja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cumhbfxsiffwqbvzqtqia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aqgzrtjcqljyqzrtije.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	petlcdskxroctbsthh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cumhbfxsiffwqbvzqtqia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zmzpedqgrjeqflaz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cumhbfxsiffwqbvzqtqia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aqgzrtjcqljyqzrtije.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cumhbfxsiffwqbvzqtqia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	guizppdugzviyfvvi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aqgzrtjcqljyqzrtije.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nevpilcwlhgwpzsvlnja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zmzpedqgrjeqflaz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zmzpedqgrjeqflaz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	guizppdugzviyfvvi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aqgzrtjcqljyqzrtije.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	petlcdskxroctbsthh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	guizppdugzviyfvvi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	guizppdugzviyfvvi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cumhbfxsiffwqbvzqtqia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nevpilcwlhgwpzsvlnja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cumhbfxsiffwqbvzqtqia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cumhbfxsiffwqbvzqtqia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aqgzrtjcqljyqzrtije.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nevpilcwlhgwpzsvlnja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zmzpedqgrjeqflaz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	guizppdugzviyfvvi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aqgzrtjcqljyqzrtije.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zmzpedqgrjeqflaz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zmzpedqgrjeqflaz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	petlcdskxroctbsthh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nevpilcwlhgwpzsvlnja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	petlcdskxroctbsthh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	petlcdskxroctbsthh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	petlcdskxroctbsthh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aqgzrtjcqljyqzrtije.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	guizppdugzviyfvvi.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5504	JaffaCakes118_97a06d4c34869003ce06d22cf844ee41.exe
5504	JaffaCakes118_97a06d4c34869003ce06d22cf844ee41.exe
5504	JaffaCakes118_97a06d4c34869003ce06d22cf844ee41.exe
5504	JaffaCakes118_97a06d4c34869003ce06d22cf844ee41.exe
5504	JaffaCakes118_97a06d4c34869003ce06d22cf844ee41.exe
5504	JaffaCakes118_97a06d4c34869003ce06d22cf844ee41.exe
5504	JaffaCakes118_97a06d4c34869003ce06d22cf844ee41.exe
5504	JaffaCakes118_97a06d4c34869003ce06d22cf844ee41.exe
5504	JaffaCakes118_97a06d4c34869003ce06d22cf844ee41.exe
5504	JaffaCakes118_97a06d4c34869003ce06d22cf844ee41.exe
5504	JaffaCakes118_97a06d4c34869003ce06d22cf844ee41.exe
5504	JaffaCakes118_97a06d4c34869003ce06d22cf844ee41.exe
5504	JaffaCakes118_97a06d4c34869003ce06d22cf844ee41.exe
5504	JaffaCakes118_97a06d4c34869003ce06d22cf844ee41.exe
5504	JaffaCakes118_97a06d4c34869003ce06d22cf844ee41.exe
5504	JaffaCakes118_97a06d4c34869003ce06d22cf844ee41.exe
5504	JaffaCakes118_97a06d4c34869003ce06d22cf844ee41.exe
5504	JaffaCakes118_97a06d4c34869003ce06d22cf844ee41.exe
5624	nqtzet.exe
5624	nqtzet.exe
5504	JaffaCakes118_97a06d4c34869003ce06d22cf844ee41.exe
5504	JaffaCakes118_97a06d4c34869003ce06d22cf844ee41.exe
5504	JaffaCakes118_97a06d4c34869003ce06d22cf844ee41.exe
5504	JaffaCakes118_97a06d4c34869003ce06d22cf844ee41.exe
5504	JaffaCakes118_97a06d4c34869003ce06d22cf844ee41.exe
5504	JaffaCakes118_97a06d4c34869003ce06d22cf844ee41.exe
5504	JaffaCakes118_97a06d4c34869003ce06d22cf844ee41.exe
5504	JaffaCakes118_97a06d4c34869003ce06d22cf844ee41.exe
5504	JaffaCakes118_97a06d4c34869003ce06d22cf844ee41.exe
5504	JaffaCakes118_97a06d4c34869003ce06d22cf844ee41.exe
5504	JaffaCakes118_97a06d4c34869003ce06d22cf844ee41.exe
5504	JaffaCakes118_97a06d4c34869003ce06d22cf844ee41.exe
5504	JaffaCakes118_97a06d4c34869003ce06d22cf844ee41.exe
5504	JaffaCakes118_97a06d4c34869003ce06d22cf844ee41.exe
5504	JaffaCakes118_97a06d4c34869003ce06d22cf844ee41.exe
5504	JaffaCakes118_97a06d4c34869003ce06d22cf844ee41.exe
5504	JaffaCakes118_97a06d4c34869003ce06d22cf844ee41.exe
5504	JaffaCakes118_97a06d4c34869003ce06d22cf844ee41.exe
5504	JaffaCakes118_97a06d4c34869003ce06d22cf844ee41.exe
5504	JaffaCakes118_97a06d4c34869003ce06d22cf844ee41.exe
5504	JaffaCakes118_97a06d4c34869003ce06d22cf844ee41.exe
5504	JaffaCakes118_97a06d4c34869003ce06d22cf844ee41.exe
5504	JaffaCakes118_97a06d4c34869003ce06d22cf844ee41.exe
5504	JaffaCakes118_97a06d4c34869003ce06d22cf844ee41.exe
5504	JaffaCakes118_97a06d4c34869003ce06d22cf844ee41.exe
5504	JaffaCakes118_97a06d4c34869003ce06d22cf844ee41.exe
5504	JaffaCakes118_97a06d4c34869003ce06d22cf844ee41.exe
5504	JaffaCakes118_97a06d4c34869003ce06d22cf844ee41.exe
5504	JaffaCakes118_97a06d4c34869003ce06d22cf844ee41.exe
5504	JaffaCakes118_97a06d4c34869003ce06d22cf844ee41.exe
5504	JaffaCakes118_97a06d4c34869003ce06d22cf844ee41.exe
5504	JaffaCakes118_97a06d4c34869003ce06d22cf844ee41.exe
5504	JaffaCakes118_97a06d4c34869003ce06d22cf844ee41.exe
5504	JaffaCakes118_97a06d4c34869003ce06d22cf844ee41.exe
5504	JaffaCakes118_97a06d4c34869003ce06d22cf844ee41.exe
5504	JaffaCakes118_97a06d4c34869003ce06d22cf844ee41.exe
5504	JaffaCakes118_97a06d4c34869003ce06d22cf844ee41.exe
5504	JaffaCakes118_97a06d4c34869003ce06d22cf844ee41.exe
5504	JaffaCakes118_97a06d4c34869003ce06d22cf844ee41.exe
5504	JaffaCakes118_97a06d4c34869003ce06d22cf844ee41.exe
5504	JaffaCakes118_97a06d4c34869003ce06d22cf844ee41.exe
5504	JaffaCakes118_97a06d4c34869003ce06d22cf844ee41.exe
5504	JaffaCakes118_97a06d4c34869003ce06d22cf844ee41.exe
5504	JaffaCakes118_97a06d4c34869003ce06d22cf844ee41.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5624	nqtzet.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5504 wrote to memory of 2392	5504	JaffaCakes118_97a06d4c34869003ce06d22cf844ee41.exe	90
PID 5504 wrote to memory of 2392	5504	JaffaCakes118_97a06d4c34869003ce06d22cf844ee41.exe	90
PID 5504 wrote to memory of 2392	5504	JaffaCakes118_97a06d4c34869003ce06d22cf844ee41.exe	90
PID 4784 wrote to memory of 3812	4784	cmd.exe	95
PID 4784 wrote to memory of 3812	4784	cmd.exe	95
PID 4784 wrote to memory of 3812	4784	cmd.exe	95
PID 1240 wrote to memory of 5592	1240	cmd.exe	98
PID 1240 wrote to memory of 5592	1240	cmd.exe	98
PID 1240 wrote to memory of 5592	1240	cmd.exe	98
PID 5080 wrote to memory of 3248	5080	cmd.exe	103
PID 5080 wrote to memory of 3248	5080	cmd.exe	103
PID 5080 wrote to memory of 3248	5080	cmd.exe	103
PID 5592 wrote to memory of 2924	5592	aqgzrtjcqljyqzrtije.exe	104
PID 5592 wrote to memory of 2924	5592	aqgzrtjcqljyqzrtije.exe	104
PID 5592 wrote to memory of 2924	5592	aqgzrtjcqljyqzrtije.exe	104
PID 5076 wrote to memory of 2224	5076	cmd.exe	107
PID 5076 wrote to memory of 2224	5076	cmd.exe	107
PID 5076 wrote to memory of 2224	5076	cmd.exe	107
PID 776 wrote to memory of 4048	776	cmd.exe	110
PID 776 wrote to memory of 4048	776	cmd.exe	110
PID 776 wrote to memory of 4048	776	cmd.exe	110
PID 1932 wrote to memory of 2496	1932	cmd.exe	112
PID 1932 wrote to memory of 2496	1932	cmd.exe	112
PID 1932 wrote to memory of 2496	1932	cmd.exe	112
PID 2224 wrote to memory of 2428	2224	guizppdugzviyfvvi.exe	113
PID 2224 wrote to memory of 2428	2224	guizppdugzviyfvvi.exe	113
PID 2224 wrote to memory of 2428	2224	guizppdugzviyfvvi.exe	113
PID 2496 wrote to memory of 5648	2496	cumhbfxsiffwqbvzqtqia.exe	118
PID 2496 wrote to memory of 5648	2496	cumhbfxsiffwqbvzqtqia.exe	118
PID 2496 wrote to memory of 5648	2496	cumhbfxsiffwqbvzqtqia.exe	118
PID 4264 wrote to memory of 2564	4264	cmd.exe	234
PID 4264 wrote to memory of 2564	4264	cmd.exe	234
PID 4264 wrote to memory of 2564	4264	cmd.exe	234
PID 1004 wrote to memory of 5280	1004	cmd.exe	121
PID 1004 wrote to memory of 5280	1004	cmd.exe	121
PID 1004 wrote to memory of 5280	1004	cmd.exe	121
PID 5280 wrote to memory of 1076	5280	petlcdskxroctbsthh.exe	122
PID 5280 wrote to memory of 1076	5280	petlcdskxroctbsthh.exe	122
PID 5280 wrote to memory of 1076	5280	petlcdskxroctbsthh.exe	122
PID 2392 wrote to memory of 5624	2392	vcmnxryrfmw.exe	123
PID 2392 wrote to memory of 5624	2392	vcmnxryrfmw.exe	123
PID 2392 wrote to memory of 5624	2392	vcmnxryrfmw.exe	123
PID 2392 wrote to memory of 5668	2392	vcmnxryrfmw.exe	124
PID 2392 wrote to memory of 5668	2392	vcmnxryrfmw.exe	124
PID 2392 wrote to memory of 5668	2392	vcmnxryrfmw.exe	124
PID 4156 wrote to memory of 3336	4156	cmd.exe	130
PID 4156 wrote to memory of 3336	4156	cmd.exe	130
PID 4156 wrote to memory of 3336	4156	cmd.exe	130
PID 5840 wrote to memory of 3888	5840	cmd.exe	330
PID 5840 wrote to memory of 3888	5840	cmd.exe	330
PID 5840 wrote to memory of 3888	5840	cmd.exe	330
PID 3348 wrote to memory of 3368	3348	cmd.exe	136
PID 3348 wrote to memory of 3368	3348	cmd.exe	136
PID 3348 wrote to memory of 3368	3348	cmd.exe	136
PID 3200 wrote to memory of 2448	3200	cmd.exe	141
PID 3200 wrote to memory of 2448	3200	cmd.exe	141
PID 3200 wrote to memory of 2448	3200	cmd.exe	141
PID 2448 wrote to memory of 4852	2448	zmzpedqgrjeqflaz.exe	284
PID 2448 wrote to memory of 4852	2448	zmzpedqgrjeqflaz.exe	284
PID 2448 wrote to memory of 4852	2448	zmzpedqgrjeqflaz.exe	284
PID 3368 wrote to memory of 2984	3368	petlcdskxroctbsthh.exe	155
PID 3368 wrote to memory of 2984	3368	petlcdskxroctbsthh.exe	155
PID 3368 wrote to memory of 2984	3368	petlcdskxroctbsthh.exe	155
PID 6028 wrote to memory of 4708	6028	cmd.exe	158

System policy modification 1 TTPs 60 IoCs

defense_evasion

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	nqtzet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	nqtzet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	nqtzet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	nqtzet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	nqtzet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	nqtzet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	nqtzet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	nqtzet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	nqtzet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	nqtzet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	nqtzet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	nqtzet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	nqtzet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	nqtzet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	nqtzet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	nqtzet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	nqtzet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	nqtzet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	nqtzet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	nqtzet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	nqtzet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	nqtzet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	nqtzet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	nqtzet.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_97a06d4c34869003ce06d22cf844ee41.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_97a06d4c34869003ce06d22cf844ee41.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5504
- C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
  "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_97a06d4c34869003ce06d22cf844ee41.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Hijack Execution Flow: Executable Installer File Permissions Weakness
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2392
- - C:\Users\Admin\AppData\Local\Temp\nqtzet.exe
    "C:\Users\Admin\AppData\Local\Temp\nqtzet.exe" "-C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:5624
- - C:\Users\Admin\AppData\Local\Temp\nqtzet.exe
    "C:\Users\Admin\AppData\Local\Temp\nqtzet.exe" "-C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c guizppdugzviyfvvi.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4784
- C:\Windows\guizppdugzviyfvvi.exe
  guizppdugzviyfvvi.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqgzrtjcqljyqzrtije.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:1240
- C:\Windows\aqgzrtjcqljyqzrtije.exe
  aqgzrtjcqljyqzrtije.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5592
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\aqgzrtjcqljyqzrtije.exe*."
    3⤵
    - Executes dropped EXE
    PID:2924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c guizppdugzviyfvvi.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5080
- C:\Windows\guizppdugzviyfvvi.exe
  guizppdugzviyfvvi.exe
  2⤵
  - Executes dropped EXE
  PID:3248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c guizppdugzviyfvvi.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:5076
- C:\Windows\guizppdugzviyfvvi.exe
  guizppdugzviyfvvi.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\guizppdugzviyfvvi.exe*."
    3⤵
    - Executes dropped EXE
    PID:2428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqgzrtjcqljyqzrtije.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:776
- C:\Users\Admin\AppData\Local\Temp\aqgzrtjcqljyqzrtije.exe
  C:\Users\Admin\AppData\Local\Temp\aqgzrtjcqljyqzrtije.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe
  C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\cumhbfxsiffwqbvzqtqia.exe*."
    3⤵
    - Executes dropped EXE
    PID:5648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4264
- C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe
  C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe
  2⤵
  - Executes dropped EXE
  PID:2564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:1004
- C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5280
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\petlcdskxroctbsthh.exe*."
    3⤵
    - Executes dropped EXE
    PID:1076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nevpilcwlhgwpzsvlnja.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5840
- C:\Windows\nevpilcwlhgwpzsvlnja.exe
  nevpilcwlhgwpzsvlnja.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c guizppdugzviyfvvi.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4156
- C:\Windows\guizppdugzviyfvvi.exe
  guizppdugzviyfvvi.exe
  2⤵
  - Executes dropped EXE
  PID:3336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c petlcdskxroctbsthh.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:3348
- C:\Windows\petlcdskxroctbsthh.exe
  petlcdskxroctbsthh.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3368
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\petlcdskxroctbsthh.exe*."
    3⤵
    - Executes dropped EXE
    PID:2984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmzpedqgrjeqflaz.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:3200
- C:\Windows\zmzpedqgrjeqflaz.exe
  zmzpedqgrjeqflaz.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\zmzpedqgrjeqflaz.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cumhbfxsiffwqbvzqtqia.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:6028
- C:\Windows\cumhbfxsiffwqbvzqtqia.exe
  cumhbfxsiffwqbvzqtqia.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cumhbfxsiffwqbvzqtqia.exe
1⤵
PID:1616
- C:\Windows\cumhbfxsiffwqbvzqtqia.exe
  cumhbfxsiffwqbvzqtqia.exe
  2⤵
  - Executes dropped EXE
  PID:4952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cumhbfxsiffwqbvzqtqia.exe .
1⤵
PID:6044
- C:\Windows\cumhbfxsiffwqbvzqtqia.exe
  cumhbfxsiffwqbvzqtqia.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4184
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\cumhbfxsiffwqbvzqtqia.exe*."
    3⤵
    - Executes dropped EXE
    PID:2348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cumhbfxsiffwqbvzqtqia.exe .
1⤵
PID:4536
- C:\Windows\cumhbfxsiffwqbvzqtqia.exe
  cumhbfxsiffwqbvzqtqia.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5572
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\cumhbfxsiffwqbvzqtqia.exe*."
    3⤵
    - Executes dropped EXE
    PID:5420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe
1⤵
PID:3088
- C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe
1⤵
PID:3484
- C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe
  C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe .
1⤵
PID:3944
- C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3116
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\petlcdskxroctbsthh.exe*."
    3⤵
    - Executes dropped EXE
    PID:2572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe .
1⤵
PID:5920
- C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe
  C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:676
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\cumhbfxsiffwqbvzqtqia.exe*."
    3⤵
    - Executes dropped EXE
    PID:2564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
1⤵
PID:4648
- C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
  2⤵
  - Executes dropped EXE
  PID:3488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe
1⤵
PID:4936
- C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe
  C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe
  2⤵
  - Executes dropped EXE
  PID:5788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe .
1⤵
PID:4804
- C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3772
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\petlcdskxroctbsthh.exe*."
    3⤵
    - Executes dropped EXE
    PID:980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe .
1⤵
PID:832
- C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1988
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\petlcdskxroctbsthh.exe*."
    3⤵
    - Executes dropped EXE
    PID:3736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmzpedqgrjeqflaz.exe
1⤵
PID:5168
- C:\Windows\zmzpedqgrjeqflaz.exe
  zmzpedqgrjeqflaz.exe
  2⤵
  - Executes dropped EXE
  PID:3120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqgzrtjcqljyqzrtije.exe .
1⤵
PID:4256
- C:\Windows\aqgzrtjcqljyqzrtije.exe
  aqgzrtjcqljyqzrtije.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2560
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\aqgzrtjcqljyqzrtije.exe*."
    3⤵
    - Executes dropped EXE
    PID:1684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cumhbfxsiffwqbvzqtqia.exe
1⤵
PID:436
- C:\Windows\cumhbfxsiffwqbvzqtqia.exe
  cumhbfxsiffwqbvzqtqia.exe
  2⤵
  - Executes dropped EXE
  PID:5952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cumhbfxsiffwqbvzqtqia.exe .
1⤵
PID:3628
- C:\Windows\cumhbfxsiffwqbvzqtqia.exe
  cumhbfxsiffwqbvzqtqia.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3584
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\cumhbfxsiffwqbvzqtqia.exe*."
    3⤵
    - Executes dropped EXE
    PID:3752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
1⤵
PID:4364
- C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
  2⤵
  - Executes dropped EXE
  PID:2044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqgzrtjcqljyqzrtije.exe .
1⤵
PID:6084
- C:\Users\Admin\AppData\Local\Temp\aqgzrtjcqljyqzrtije.exe
  C:\Users\Admin\AppData\Local\Temp\aqgzrtjcqljyqzrtije.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4100
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\aqgzrtjcqljyqzrtije.exe*."
    3⤵
    - Executes dropped EXE
    PID:4780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe
1⤵
PID:4512
- C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe
  C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe
  2⤵
  - Executes dropped EXE
  PID:2480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqgzrtjcqljyqzrtije.exe .
1⤵
PID:4952
- C:\Users\Admin\AppData\Local\Temp\aqgzrtjcqljyqzrtije.exe
  C:\Users\Admin\AppData\Local\Temp\aqgzrtjcqljyqzrtije.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3128
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\aqgzrtjcqljyqzrtije.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmzpedqgrjeqflaz.exe
1⤵
PID:400
- C:\Windows\zmzpedqgrjeqflaz.exe
  zmzpedqgrjeqflaz.exe
  2⤵
  - Executes dropped EXE
  PID:4048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c petlcdskxroctbsthh.exe
1⤵
PID:1108
- C:\Windows\petlcdskxroctbsthh.exe
  petlcdskxroctbsthh.exe
  2⤵
  - Executes dropped EXE
  PID:2804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c petlcdskxroctbsthh.exe
1⤵
PID:3764
- C:\Windows\petlcdskxroctbsthh.exe
  petlcdskxroctbsthh.exe
  2⤵
  - Executes dropped EXE
  PID:3372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c petlcdskxroctbsthh.exe .
1⤵
PID:5436
- C:\Windows\petlcdskxroctbsthh.exe
  petlcdskxroctbsthh.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:5052
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\petlcdskxroctbsthh.exe*."
    3⤵
    - Executes dropped EXE
    PID:512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmzpedqgrjeqflaz.exe .
1⤵
PID:432
- C:\Windows\zmzpedqgrjeqflaz.exe
  zmzpedqgrjeqflaz.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2348
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\zmzpedqgrjeqflaz.exe*."
    3⤵
    - Executes dropped EXE
    PID:6112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cumhbfxsiffwqbvzqtqia.exe .
1⤵
PID:3488
- C:\Windows\cumhbfxsiffwqbvzqtqia.exe
  cumhbfxsiffwqbvzqtqia.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4740
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\cumhbfxsiffwqbvzqtqia.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmzpedqgrjeqflaz.exe
1⤵
PID:4008
- C:\Windows\zmzpedqgrjeqflaz.exe
  zmzpedqgrjeqflaz.exe
  2⤵
  - Executes dropped EXE
  PID:3120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c petlcdskxroctbsthh.exe .
1⤵
PID:928
- C:\Windows\petlcdskxroctbsthh.exe
  petlcdskxroctbsthh.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:5744
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\petlcdskxroctbsthh.exe*."
    3⤵
    PID:5460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cumhbfxsiffwqbvzqtqia.exe
1⤵
PID:2388
- C:\Windows\cumhbfxsiffwqbvzqtqia.exe
  cumhbfxsiffwqbvzqtqia.exe
  2⤵
  - Executes dropped EXE
  PID:5372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmzpedqgrjeqflaz.exe
1⤵
PID:2564
- C:\Windows\zmzpedqgrjeqflaz.exe
  zmzpedqgrjeqflaz.exe
  2⤵
  - Executes dropped EXE
  PID:3328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqgzrtjcqljyqzrtije.exe
1⤵
PID:4920
- C:\Users\Admin\AppData\Local\Temp\aqgzrtjcqljyqzrtije.exe
  C:\Users\Admin\AppData\Local\Temp\aqgzrtjcqljyqzrtije.exe
  2⤵
  PID:3988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nevpilcwlhgwpzsvlnja.exe .
1⤵
PID:1924
- C:\Windows\nevpilcwlhgwpzsvlnja.exe
  nevpilcwlhgwpzsvlnja.exe .
  2⤵
  - Checks computer location settings
  PID:4484
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\nevpilcwlhgwpzsvlnja.exe*."
    3⤵
    PID:2804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nevpilcwlhgwpzsvlnja.exe .
1⤵
PID:1928
- C:\Windows\nevpilcwlhgwpzsvlnja.exe
  nevpilcwlhgwpzsvlnja.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4752
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\nevpilcwlhgwpzsvlnja.exe*."
    3⤵
    PID:2332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
1⤵
PID:2472
- C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
  2⤵
  PID:640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe .
1⤵
PID:4536
- C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe
  C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5568
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\nevpilcwlhgwpzsvlnja.exe*."
    3⤵
    PID:5592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe
1⤵
PID:5424
- C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe
  C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe
  2⤵
  PID:4676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe .
1⤵
PID:3332
- C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe .
  2⤵
  - Checks computer location settings
  PID:1724
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\guizppdugzviyfvvi.exe*."
    3⤵
    PID:908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe .
1⤵
PID:4896
- C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe
  C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4424
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\cumhbfxsiffwqbvzqtqia.exe*."
    3⤵
    PID:2060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
1⤵
PID:3424
- C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
  2⤵
  PID:1080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe .
1⤵
PID:1380
- C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe
  C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe .
  2⤵
  PID:4032
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\cumhbfxsiffwqbvzqtqia.exe*."
    3⤵
    PID:2224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe
1⤵
PID:5064
- C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe
  C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe
  2⤵
  PID:5584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
1⤵
PID:4748
- C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
  2⤵
  PID:4852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe .
1⤵
PID:5952
- C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3472
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\zmzpedqgrjeqflaz.exe*."
    3⤵
    PID:1064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe .
1⤵
PID:3168
- C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2504
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\zmzpedqgrjeqflaz.exe*."
    3⤵
    PID:2176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cumhbfxsiffwqbvzqtqia.exe
1⤵
PID:5044
- C:\Windows\cumhbfxsiffwqbvzqtqia.exe
  cumhbfxsiffwqbvzqtqia.exe
  2⤵
  PID:5052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c petlcdskxroctbsthh.exe .
1⤵
PID:1032
- C:\Windows\petlcdskxroctbsthh.exe
  petlcdskxroctbsthh.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2348
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\petlcdskxroctbsthh.exe*."
    3⤵
    PID:4528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmzpedqgrjeqflaz.exe
1⤵
PID:6040
- C:\Windows\zmzpedqgrjeqflaz.exe
  zmzpedqgrjeqflaz.exe
  2⤵
  PID:4064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cumhbfxsiffwqbvzqtqia.exe .
1⤵
PID:5896
- C:\Windows\cumhbfxsiffwqbvzqtqia.exe
  cumhbfxsiffwqbvzqtqia.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2156
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\cumhbfxsiffwqbvzqtqia.exe*."
    3⤵
    PID:4068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe
1⤵
PID:1616
- C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe
  C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe
  2⤵
  PID:432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe .
1⤵
PID:5892
- C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5372
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\guizppdugzviyfvvi.exe*."
    3⤵
    PID:1156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqgzrtjcqljyqzrtije.exe
1⤵
PID:2044
- C:\Users\Admin\AppData\Local\Temp\aqgzrtjcqljyqzrtije.exe
  C:\Users\Admin\AppData\Local\Temp\aqgzrtjcqljyqzrtije.exe
  2⤵
  PID:4100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe .
1⤵
PID:4796
- C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe
  C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1980
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\nevpilcwlhgwpzsvlnja.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmzpedqgrjeqflaz.exe
1⤵
PID:4936
- C:\Windows\zmzpedqgrjeqflaz.exe
  zmzpedqgrjeqflaz.exe
  2⤵
  PID:5568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqgzrtjcqljyqzrtije.exe .
1⤵
PID:3840
- C:\Windows\aqgzrtjcqljyqzrtije.exe
  aqgzrtjcqljyqzrtije.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3888
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\aqgzrtjcqljyqzrtije.exe*."
    3⤵
    PID:3256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c petlcdskxroctbsthh.exe
1⤵
PID:5584
- C:\Windows\petlcdskxroctbsthh.exe
  petlcdskxroctbsthh.exe
  2⤵
  PID:4956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqgzrtjcqljyqzrtije.exe .
1⤵
PID:5904
- C:\Windows\aqgzrtjcqljyqzrtije.exe
  aqgzrtjcqljyqzrtije.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:428
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\aqgzrtjcqljyqzrtije.exe*."
    3⤵
    PID:5808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe
1⤵
PID:5512
- C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe
  2⤵
  PID:2904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe .
1⤵
PID:2056
- C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3424
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\zmzpedqgrjeqflaz.exe*."
    3⤵
    PID:4808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe
1⤵
PID:3768
- C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe
  2⤵
  PID:5456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe .
1⤵
PID:1108
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1088
- C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe
  C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe .
  2⤵
  - Checks computer location settings
  PID:2504
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\nevpilcwlhgwpzsvlnja.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c guizppdugzviyfvvi.exe
1⤵
PID:5656
- C:\Windows\guizppdugzviyfvvi.exe
  guizppdugzviyfvvi.exe
  2⤵
  PID:1832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c petlcdskxroctbsthh.exe .
1⤵
PID:3332
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2176
- C:\Windows\petlcdskxroctbsthh.exe
  petlcdskxroctbsthh.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:680
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\petlcdskxroctbsthh.exe*."
    3⤵
    PID:1380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cumhbfxsiffwqbvzqtqia.exe
1⤵
PID:2400
- C:\Windows\cumhbfxsiffwqbvzqtqia.exe
  cumhbfxsiffwqbvzqtqia.exe
  2⤵
  PID:5716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqgzrtjcqljyqzrtije.exe .
1⤵
PID:5612
- C:\Windows\aqgzrtjcqljyqzrtije.exe
  aqgzrtjcqljyqzrtije.exe .
  2⤵
  - Checks computer location settings
  PID:4164
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\aqgzrtjcqljyqzrtije.exe*."
    3⤵
    PID:5348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqgzrtjcqljyqzrtije.exe
1⤵
PID:2356
- C:\Users\Admin\AppData\Local\Temp\aqgzrtjcqljyqzrtije.exe
  C:\Users\Admin\AppData\Local\Temp\aqgzrtjcqljyqzrtije.exe
  2⤵
  PID:432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe .
1⤵
PID:2924
- C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2496
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\zmzpedqgrjeqflaz.exe*."
    3⤵
    PID:844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
1⤵
PID:4004
- C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
  2⤵
  PID:3328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe .
1⤵
PID:5968
- C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1800
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\guizppdugzviyfvvi.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nevpilcwlhgwpzsvlnja.exe
1⤵
PID:4676
- C:\Windows\nevpilcwlhgwpzsvlnja.exe
  nevpilcwlhgwpzsvlnja.exe
  2⤵
  PID:4780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cumhbfxsiffwqbvzqtqia.exe .
1⤵
PID:1916
- C:\Windows\cumhbfxsiffwqbvzqtqia.exe
  cumhbfxsiffwqbvzqtqia.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3012
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\cumhbfxsiffwqbvzqtqia.exe*."
    3⤵
    PID:3128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c petlcdskxroctbsthh.exe
1⤵
PID:2812
- C:\Windows\petlcdskxroctbsthh.exe
  petlcdskxroctbsthh.exe
  2⤵
  PID:5976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nevpilcwlhgwpzsvlnja.exe .
1⤵
PID:2760
- C:\Windows\nevpilcwlhgwpzsvlnja.exe
  nevpilcwlhgwpzsvlnja.exe .
  2⤵
  - Checks computer location settings
  PID:3736
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\nevpilcwlhgwpzsvlnja.exe*."
    3⤵
    PID:4952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe
1⤵
PID:5736
- C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe
  2⤵
  PID:4708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe .
1⤵
PID:2708
- C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3448
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\zmzpedqgrjeqflaz.exe*."
    3⤵
    PID:1200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe
1⤵
PID:3840
- C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe
  C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe
  2⤵
  PID:4876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe .
1⤵
PID:4340
- C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe
  C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4932
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\cumhbfxsiffwqbvzqtqia.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cumhbfxsiffwqbvzqtqia.exe
1⤵
PID:2332
- C:\Windows\cumhbfxsiffwqbvzqtqia.exe
  cumhbfxsiffwqbvzqtqia.exe
  2⤵
  PID:5248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c guizppdugzviyfvvi.exe .
1⤵
PID:2948
- C:\Windows\guizppdugzviyfvvi.exe
  guizppdugzviyfvvi.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3184
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\guizppdugzviyfvvi.exe*."
    3⤵
    PID:5636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmzpedqgrjeqflaz.exe
1⤵
PID:6060
- C:\Windows\zmzpedqgrjeqflaz.exe
  zmzpedqgrjeqflaz.exe
  2⤵
  PID:1068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c petlcdskxroctbsthh.exe .
1⤵
PID:4736
- C:\Windows\petlcdskxroctbsthh.exe
  petlcdskxroctbsthh.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1972
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\petlcdskxroctbsthh.exe*."
    3⤵
    PID:2132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
1⤵
PID:5084
- C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
  2⤵
  PID:5264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe .
1⤵
PID:4900
- C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe .
  2⤵
  - Checks computer location settings
  PID:4824
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\guizppdugzviyfvvi.exe*."
    3⤵
    PID:4616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe
1⤵
PID:460
- C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe
  2⤵
  PID:3944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe .
1⤵
PID:3560
- C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3760
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\zmzpedqgrjeqflaz.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmzpedqgrjeqflaz.exe
1⤵
PID:3536
- C:\Windows\zmzpedqgrjeqflaz.exe
  zmzpedqgrjeqflaz.exe
  2⤵
  PID:2992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c petlcdskxroctbsthh.exe
1⤵
PID:1988
- C:\Windows\petlcdskxroctbsthh.exe
  petlcdskxroctbsthh.exe
  2⤵
  PID:6028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nevpilcwlhgwpzsvlnja.exe
1⤵
PID:3628
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3120
- C:\Windows\nevpilcwlhgwpzsvlnja.exe
  nevpilcwlhgwpzsvlnja.exe
  2⤵
  PID:5608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqgzrtjcqljyqzrtije.exe .
1⤵
PID:1376
- C:\Windows\aqgzrtjcqljyqzrtije.exe
  aqgzrtjcqljyqzrtije.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1548
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\aqgzrtjcqljyqzrtije.exe*."
    3⤵
    PID:436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nevpilcwlhgwpzsvlnja.exe .
1⤵
PID:5068
- C:\Windows\nevpilcwlhgwpzsvlnja.exe
  nevpilcwlhgwpzsvlnja.exe .
  2⤵
  - Checks computer location settings
  PID:3340
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\nevpilcwlhgwpzsvlnja.exe*."
    3⤵
    PID:5448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c petlcdskxroctbsthh.exe
1⤵
PID:208
- C:\Windows\petlcdskxroctbsthh.exe
  petlcdskxroctbsthh.exe
  2⤵
  PID:5584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqgzrtjcqljyqzrtije.exe .
1⤵
PID:640
- C:\Windows\aqgzrtjcqljyqzrtije.exe
  aqgzrtjcqljyqzrtije.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3372
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\aqgzrtjcqljyqzrtije.exe*."
    3⤵
    PID:4156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cumhbfxsiffwqbvzqtqia.exe
1⤵
PID:4540
- C:\Windows\cumhbfxsiffwqbvzqtqia.exe
  cumhbfxsiffwqbvzqtqia.exe
  2⤵
  PID:396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c guizppdugzviyfvvi.exe .
1⤵
PID:4692
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4780
- C:\Windows\guizppdugzviyfvvi.exe
  guizppdugzviyfvvi.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4972
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\guizppdugzviyfvvi.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe
1⤵
PID:2740
- C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe
  C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe
  2⤵
  PID:1492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nevpilcwlhgwpzsvlnja.exe .
1⤵
PID:5096
- C:\Windows\nevpilcwlhgwpzsvlnja.exe
  nevpilcwlhgwpzsvlnja.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4088
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\nevpilcwlhgwpzsvlnja.exe*."
    3⤵
    PID:3624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cumhbfxsiffwqbvzqtqia.exe
1⤵
PID:4356
- C:\Windows\cumhbfxsiffwqbvzqtqia.exe
  cumhbfxsiffwqbvzqtqia.exe
  2⤵
  PID:5352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe
1⤵
PID:5684
- C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe
  2⤵
  PID:5936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqgzrtjcqljyqzrtije.exe .
1⤵
PID:2044
- C:\Users\Admin\AppData\Local\Temp\aqgzrtjcqljyqzrtije.exe
  C:\Users\Admin\AppData\Local\Temp\aqgzrtjcqljyqzrtije.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:928
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\aqgzrtjcqljyqzrtije.exe*."
    3⤵
    PID:2224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqgzrtjcqljyqzrtije.exe .
1⤵
PID:3116
- C:\Windows\aqgzrtjcqljyqzrtije.exe
  aqgzrtjcqljyqzrtije.exe .
  2⤵
  PID:5784
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\aqgzrtjcqljyqzrtije.exe*."
    3⤵
    PID:5732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe .
1⤵
PID:1584
- C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4732
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\petlcdskxroctbsthh.exe*."
    3⤵
    PID:3296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe
1⤵
PID:4384
- C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe
  2⤵
  PID:5860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe .
1⤵
PID:1240
- C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3356
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\zmzpedqgrjeqflaz.exe*."
    3⤵
    PID:2916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe
1⤵
PID:2812
- C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe
  C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe
  2⤵
  PID:4496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
1⤵
PID:2968
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:908
- C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
  2⤵
  PID:4988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqgzrtjcqljyqzrtije.exe .
1⤵
PID:4748
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2804
- C:\Users\Admin\AppData\Local\Temp\aqgzrtjcqljyqzrtije.exe
  C:\Users\Admin\AppData\Local\Temp\aqgzrtjcqljyqzrtije.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:832
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\aqgzrtjcqljyqzrtije.exe*."
    3⤵
    PID:5704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqgzrtjcqljyqzrtije.exe .
1⤵
PID:5808
- C:\Users\Admin\AppData\Local\Temp\aqgzrtjcqljyqzrtije.exe
  C:\Users\Admin\AppData\Local\Temp\aqgzrtjcqljyqzrtije.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2672
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\aqgzrtjcqljyqzrtije.exe*."
    3⤵
    PID:2992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe
1⤵
PID:1388
- C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe
  2⤵
  PID:6044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe .
1⤵
PID:688
- C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4256
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\guizppdugzviyfvvi.exe*."
    3⤵
    PID:1180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cumhbfxsiffwqbvzqtqia.exe
1⤵
PID:6128
- C:\Windows\cumhbfxsiffwqbvzqtqia.exe
  cumhbfxsiffwqbvzqtqia.exe
  2⤵
  PID:3144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c petlcdskxroctbsthh.exe .
1⤵
PID:1032
- C:\Windows\petlcdskxroctbsthh.exe
  petlcdskxroctbsthh.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2924
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\petlcdskxroctbsthh.exe*."
    3⤵
    PID:1548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cumhbfxsiffwqbvzqtqia.exe
1⤵
PID:5744
- C:\Windows\cumhbfxsiffwqbvzqtqia.exe
  cumhbfxsiffwqbvzqtqia.exe
  2⤵
  PID:3788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmzpedqgrjeqflaz.exe .
1⤵
PID:3968
- C:\Windows\zmzpedqgrjeqflaz.exe
  zmzpedqgrjeqflaz.exe .
  2⤵
  PID:2760
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\zmzpedqgrjeqflaz.exe*."
    3⤵
    PID:5968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe
  2⤵
  PID:2740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe .
1⤵
PID:536
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4068
- C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe .
  2⤵
  - Checks computer location settings
  PID:1800
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\guizppdugzviyfvvi.exe*."
    3⤵
    PID:1588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqgzrtjcqljyqzrtije.exe
1⤵
PID:5060
- C:\Users\Admin\AppData\Local\Temp\aqgzrtjcqljyqzrtije.exe
  C:\Users\Admin\AppData\Local\Temp\aqgzrtjcqljyqzrtije.exe
  2⤵
  PID:4956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe .
1⤵
PID:4740
- C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4540
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\zmzpedqgrjeqflaz.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cumhbfxsiffwqbvzqtqia.exe
1⤵
PID:3784
- C:\Windows\cumhbfxsiffwqbvzqtqia.exe
  cumhbfxsiffwqbvzqtqia.exe
  2⤵
  PID:4844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c petlcdskxroctbsthh.exe .
1⤵
PID:3768
- C:\Windows\petlcdskxroctbsthh.exe
  petlcdskxroctbsthh.exe .
  2⤵
  - Checks computer location settings
  PID:5544
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\petlcdskxroctbsthh.exe*."
    3⤵
    PID:4168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmzpedqgrjeqflaz.exe
1⤵
PID:5732
- C:\Windows\zmzpedqgrjeqflaz.exe
  zmzpedqgrjeqflaz.exe
  2⤵
  PID:1016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nevpilcwlhgwpzsvlnja.exe .
1⤵
PID:2984
- C:\Windows\nevpilcwlhgwpzsvlnja.exe
  nevpilcwlhgwpzsvlnja.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5708
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\nevpilcwlhgwpzsvlnja.exe*."
    3⤵
    PID:1864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe
1⤵
PID:1584
- C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe
  2⤵
  PID:2464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe .
1⤵
PID:3772
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:512
- C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe
  C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2712
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\nevpilcwlhgwpzsvlnja.exe*."
    3⤵
    PID:4216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe
1⤵
PID:4632
- C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe
  C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe
  2⤵
  PID:772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe .
1⤵
PID:4860
- C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe
  C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe .
  2⤵
  - Checks computer location settings
  PID:2800
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\nevpilcwlhgwpzsvlnja.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmzpedqgrjeqflaz.exe
1⤵
PID:3584
- C:\Windows\zmzpedqgrjeqflaz.exe
  zmzpedqgrjeqflaz.exe
  2⤵
  PID:5280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nevpilcwlhgwpzsvlnja.exe .
1⤵
PID:3988
- C:\Windows\nevpilcwlhgwpzsvlnja.exe
  nevpilcwlhgwpzsvlnja.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2956
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\nevpilcwlhgwpzsvlnja.exe*."
    3⤵
    PID:5744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c guizppdugzviyfvvi.exe
1⤵
PID:5608
- C:\Windows\guizppdugzviyfvvi.exe
  guizppdugzviyfvvi.exe
  2⤵
  PID:428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cumhbfxsiffwqbvzqtqia.exe .
1⤵
PID:3904
- C:\Windows\cumhbfxsiffwqbvzqtqia.exe
  cumhbfxsiffwqbvzqtqia.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4660
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\cumhbfxsiffwqbvzqtqia.exe*."
    3⤵
    PID:5420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe
1⤵
PID:4924
- C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe
  2⤵
  PID:1200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe .
1⤵
PID:4456
- C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe .
  2⤵
  - Checks computer location settings
  PID:3360
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\petlcdskxroctbsthh.exe*."
    3⤵
    PID:2876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe
1⤵
PID:6112
- C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe
  C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe
  2⤵
  PID:4176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe .
1⤵
PID:1800
- C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe
  C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3076
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\nevpilcwlhgwpzsvlnja.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nevpilcwlhgwpzsvlnja.exe
1⤵
PID:3612
- C:\Windows\nevpilcwlhgwpzsvlnja.exe
  nevpilcwlhgwpzsvlnja.exe
  2⤵
  PID:4124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmzpedqgrjeqflaz.exe .
1⤵
PID:3228
- C:\Windows\zmzpedqgrjeqflaz.exe
  zmzpedqgrjeqflaz.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2388
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\zmzpedqgrjeqflaz.exe*."
    3⤵
    PID:924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c guizppdugzviyfvvi.exe
1⤵
PID:5952
- C:\Windows\guizppdugzviyfvvi.exe
  guizppdugzviyfvvi.exe
  2⤵
  PID:4732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cumhbfxsiffwqbvzqtqia.exe .
1⤵
PID:3592
- C:\Windows\cumhbfxsiffwqbvzqtqia.exe
  cumhbfxsiffwqbvzqtqia.exe .
  2⤵
  - Checks computer location settings
  PID:1204
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\cumhbfxsiffwqbvzqtqia.exe*."
    3⤵
    PID:4712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe
1⤵
PID:1304
- C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe
  C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe
  2⤵
  PID:3116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe .
1⤵
PID:3552
- C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3296
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\guizppdugzviyfvvi.exe*."
    3⤵
    PID:5024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
1⤵
PID:432
- C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
  2⤵
  PID:400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe .
1⤵
PID:1380
- C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2948
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\zmzpedqgrjeqflaz.exe*."
    3⤵
    PID:3868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nevpilcwlhgwpzsvlnja.exe
1⤵
PID:1064
- C:\Windows\nevpilcwlhgwpzsvlnja.exe
  nevpilcwlhgwpzsvlnja.exe
  2⤵
  PID:4148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c guizppdugzviyfvvi.exe .
1⤵
PID:4860
- C:\Windows\guizppdugzviyfvvi.exe
  guizppdugzviyfvvi.exe .
  2⤵
  PID:6040
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\guizppdugzviyfvvi.exe*."
    3⤵
    PID:5012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmzpedqgrjeqflaz.exe
1⤵
PID:6140
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3128
- C:\Windows\zmzpedqgrjeqflaz.exe
  zmzpedqgrjeqflaz.exe
  2⤵
  PID:912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c guizppdugzviyfvvi.exe .
1⤵
PID:5888
- C:\Windows\guizppdugzviyfvvi.exe
  guizppdugzviyfvvi.exe .
  2⤵
  PID:5608
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\guizppdugzviyfvvi.exe*."
    3⤵
    PID:1492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
1⤵
PID:5656
- C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
  2⤵
  PID:508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqgzrtjcqljyqzrtije.exe .
1⤵
PID:4536
- C:\Users\Admin\AppData\Local\Temp\aqgzrtjcqljyqzrtije.exe
  C:\Users\Admin\AppData\Local\Temp\aqgzrtjcqljyqzrtije.exe .
  2⤵
  PID:5092
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\aqgzrtjcqljyqzrtije.exe*."
    3⤵
    PID:4008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe
1⤵
PID:3328
- C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe
  2⤵
  PID:5968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe .
1⤵
PID:2084
- C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe .
  2⤵
  PID:2472
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\petlcdskxroctbsthh.exe*."
    3⤵
    PID:5224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c petlcdskxroctbsthh.exe
1⤵
PID:5052
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3732
- C:\Windows\petlcdskxroctbsthh.exe
  petlcdskxroctbsthh.exe
  2⤵
  PID:2020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqgzrtjcqljyqzrtije.exe .
1⤵
PID:3496
- C:\Windows\aqgzrtjcqljyqzrtije.exe
  aqgzrtjcqljyqzrtije.exe .
  2⤵
  PID:5004
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\aqgzrtjcqljyqzrtije.exe*."
    3⤵
    PID:3864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c guizppdugzviyfvvi.exe
1⤵
PID:4364
- C:\Windows\guizppdugzviyfvvi.exe
  guizppdugzviyfvvi.exe
  2⤵
  PID:2228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cumhbfxsiffwqbvzqtqia.exe .
1⤵
PID:2960
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4780
- C:\Windows\cumhbfxsiffwqbvzqtqia.exe
  cumhbfxsiffwqbvzqtqia.exe .
  2⤵
  PID:5088
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\cumhbfxsiffwqbvzqtqia.exe*."
    3⤵
    PID:2572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nevpilcwlhgwpzsvlnja.exe
1⤵
PID:3564
- C:\Windows\nevpilcwlhgwpzsvlnja.exe
  nevpilcwlhgwpzsvlnja.exe
  2⤵
  PID:4616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
1⤵
PID:1632
- C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
  2⤵
  PID:3868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c guizppdugzviyfvvi.exe .
1⤵
PID:928
- C:\Windows\guizppdugzviyfvvi.exe
  guizppdugzviyfvvi.exe .
  2⤵
  PID:4728
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\guizppdugzviyfvvi.exe*."
    3⤵
    PID:3144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe .
1⤵
PID:1356
- C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe .
  2⤵
  PID:3552
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\petlcdskxroctbsthh.exe*."
    3⤵
    PID:5064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmzpedqgrjeqflaz.exe
1⤵
PID:2968
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5592
- C:\Windows\zmzpedqgrjeqflaz.exe
  zmzpedqgrjeqflaz.exe
  2⤵
  PID:116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmzpedqgrjeqflaz.exe
1⤵
PID:1984
- C:\Windows\zmzpedqgrjeqflaz.exe
  zmzpedqgrjeqflaz.exe
  2⤵
  PID:1988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe
1⤵
PID:5508
- C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe
  C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe
  2⤵
  PID:3168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cumhbfxsiffwqbvzqtqia.exe .
1⤵
PID:5064
- C:\Windows\cumhbfxsiffwqbvzqtqia.exe
  cumhbfxsiffwqbvzqtqia.exe .
  2⤵
  PID:4004
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\cumhbfxsiffwqbvzqtqia.exe*."
    3⤵
    PID:1376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c guizppdugzviyfvvi.exe .
1⤵
PID:3748
- C:\Windows\guizppdugzviyfvvi.exe
  guizppdugzviyfvvi.exe .
  2⤵
  PID:3248
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\guizppdugzviyfvvi.exe*."
    3⤵
    PID:6100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe .
1⤵
PID:1316
- C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe .
  2⤵
  PID:676
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\zmzpedqgrjeqflaz.exe*."
    3⤵
    PID:4432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe
1⤵
PID:2416
- C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe
  C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe
  2⤵
  PID:5080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe .
1⤵
PID:688
- C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe
  C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe .
  2⤵
  PID:5904
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\nevpilcwlhgwpzsvlnja.exe*."
    3⤵
    PID:4988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nevpilcwlhgwpzsvlnja.exe
1⤵
PID:2424
- C:\Windows\nevpilcwlhgwpzsvlnja.exe
  nevpilcwlhgwpzsvlnja.exe
  2⤵
  PID:3868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqgzrtjcqljyqzrtije.exe .
1⤵
PID:3812
- C:\Windows\aqgzrtjcqljyqzrtije.exe
  aqgzrtjcqljyqzrtije.exe .
  2⤵
  PID:5728
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\aqgzrtjcqljyqzrtije.exe*."
    3⤵
    PID:5892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe
1⤵
PID:4220
- C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe
  C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe
  2⤵
  PID:2828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqgzrtjcqljyqzrtije.exe
1⤵
PID:6088
- C:\Users\Admin\AppData\Local\Temp\aqgzrtjcqljyqzrtije.exe
  C:\Users\Admin\AppData\Local\Temp\aqgzrtjcqljyqzrtije.exe
  2⤵
  PID:4676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe .
1⤵
PID:1532
- C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe .
  2⤵
  PID:3924
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\zmzpedqgrjeqflaz.exe*."
    3⤵
    PID:4732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe .
1⤵
PID:3120
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4100
- C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe .
  2⤵
  PID:4104
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\zmzpedqgrjeqflaz.exe*."
    3⤵
    PID:1952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe
1⤵
PID:2460
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4048
- C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe
  2⤵
  PID:5352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqgzrtjcqljyqzrtije.exe .
1⤵
PID:5656
- C:\Users\Admin\AppData\Local\Temp\aqgzrtjcqljyqzrtije.exe
  C:\Users\Admin\AppData\Local\Temp\aqgzrtjcqljyqzrtije.exe .
  2⤵
  PID:4092
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\aqgzrtjcqljyqzrtije.exe*."
    3⤵
    PID:2896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c guizppdugzviyfvvi.exe
1⤵
PID:5956
- C:\Windows\guizppdugzviyfvvi.exe
  guizppdugzviyfvvi.exe
  2⤵
  PID:3032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c guizppdugzviyfvvi.exe .
1⤵
PID:3408
- C:\Windows\guizppdugzviyfvvi.exe
  guizppdugzviyfvvi.exe .
  2⤵
  PID:3488
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\guizppdugzviyfvvi.exe*."
    3⤵
    PID:4912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmzpedqgrjeqflaz.exe
1⤵
PID:3568
- C:\Windows\zmzpedqgrjeqflaz.exe
  zmzpedqgrjeqflaz.exe
  2⤵
  PID:2948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmzpedqgrjeqflaz.exe .
1⤵
PID:5052
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4484
- C:\Windows\zmzpedqgrjeqflaz.exe
  zmzpedqgrjeqflaz.exe .
  2⤵
  PID:5716
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\zmzpedqgrjeqflaz.exe*."
    3⤵
    PID:5264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe
1⤵
PID:2892
- C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe
  2⤵
  PID:5108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqgzrtjcqljyqzrtije.exe .
1⤵
PID:3336
- C:\Users\Admin\AppData\Local\Temp\aqgzrtjcqljyqzrtije.exe
  C:\Users\Admin\AppData\Local\Temp\aqgzrtjcqljyqzrtije.exe .
  2⤵
  PID:2116
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\aqgzrtjcqljyqzrtije.exe*."
    3⤵
    PID:5820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
1⤵
PID:2960
- C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
  2⤵
  PID:5508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe .
1⤵
PID:1068
- C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe
  C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe .
  2⤵
  PID:448
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\nevpilcwlhgwpzsvlnja.exe*."
    3⤵
    PID:5036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c guizppdugzviyfvvi.exe
1⤵
PID:4628
- C:\Windows\guizppdugzviyfvvi.exe
  guizppdugzviyfvvi.exe
  2⤵
  PID:400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmzpedqgrjeqflaz.exe .
1⤵
PID:776
- C:\Windows\zmzpedqgrjeqflaz.exe
  zmzpedqgrjeqflaz.exe .
  2⤵
  PID:4432
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\zmzpedqgrjeqflaz.exe*."
    3⤵
    PID:2172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cumhbfxsiffwqbvzqtqia.exe
1⤵
PID:5772
- C:\Windows\cumhbfxsiffwqbvzqtqia.exe
  cumhbfxsiffwqbvzqtqia.exe
  2⤵
  PID:5904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c guizppdugzviyfvvi.exe .
1⤵
PID:1240
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2956
- C:\Windows\guizppdugzviyfvvi.exe
  guizppdugzviyfvvi.exe .
  2⤵
  PID:4708
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\guizppdugzviyfvvi.exe*."
    3⤵
    PID:2384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe
1⤵
PID:1072
- C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe
  2⤵
  PID:3864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe .
1⤵
PID:1924
- C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe .
  2⤵
  PID:3564
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\petlcdskxroctbsthh.exe*."
    3⤵
    PID:1432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
1⤵
PID:2348
- C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
  2⤵
  PID:688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe .
1⤵
PID:5248
- C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe .
  2⤵
  PID:5096
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\guizppdugzviyfvvi.exe*."
    3⤵
    PID:5984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmzpedqgrjeqflaz.exe
1⤵
PID:4048
- C:\Windows\zmzpedqgrjeqflaz.exe
  zmzpedqgrjeqflaz.exe
  2⤵
  PID:1532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c petlcdskxroctbsthh.exe .
1⤵
PID:2904
- C:\Windows\petlcdskxroctbsthh.exe
  petlcdskxroctbsthh.exe .
  2⤵
  PID:3592
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\petlcdskxroctbsthh.exe*."
    3⤵
    PID:1904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c guizppdugzviyfvvi.exe
1⤵
PID:1108
- C:\Windows\guizppdugzviyfvvi.exe
  guizppdugzviyfvvi.exe
  2⤵
  PID:4700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c guizppdugzviyfvvi.exe .
1⤵
PID:3848
- C:\Windows\guizppdugzviyfvvi.exe
  guizppdugzviyfvvi.exe .
  2⤵
  PID:2996
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\guizppdugzviyfvvi.exe*."
    3⤵
    PID:4792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqgzrtjcqljyqzrtije.exe
1⤵
PID:5164
- C:\Users\Admin\AppData\Local\Temp\aqgzrtjcqljyqzrtije.exe
  C:\Users\Admin\AppData\Local\Temp\aqgzrtjcqljyqzrtije.exe
  2⤵
  PID:2116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe .
1⤵
PID:1816
- C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe
  C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe .
  2⤵
  PID:5456
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\nevpilcwlhgwpzsvlnja.exe*."
    3⤵
    PID:3904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqgzrtjcqljyqzrtije.exe
1⤵
PID:876
- C:\Users\Admin\AppData\Local\Temp\aqgzrtjcqljyqzrtije.exe
  C:\Users\Admin\AppData\Local\Temp\aqgzrtjcqljyqzrtije.exe
  2⤵
  PID:3888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe .
1⤵
PID:208
- C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe
  C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe .
  2⤵
  PID:6100
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\nevpilcwlhgwpzsvlnja.exe*."
    3⤵
    PID:6084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmzpedqgrjeqflaz.exe
1⤵
PID:5784
- C:\Windows\zmzpedqgrjeqflaz.exe
  zmzpedqgrjeqflaz.exe
  2⤵
  PID:5708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c petlcdskxroctbsthh.exe .
1⤵
PID:4728
- C:\Windows\petlcdskxroctbsthh.exe
  petlcdskxroctbsthh.exe .
  2⤵
  PID:2356
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\petlcdskxroctbsthh.exe*."
    3⤵
    PID:4528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nevpilcwlhgwpzsvlnja.exe
1⤵
PID:5024
- C:\Windows\nevpilcwlhgwpzsvlnja.exe
  nevpilcwlhgwpzsvlnja.exe
  2⤵
  PID:3964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nevpilcwlhgwpzsvlnja.exe .
1⤵
PID:1852
- C:\Windows\nevpilcwlhgwpzsvlnja.exe
  nevpilcwlhgwpzsvlnja.exe .
  2⤵
  PID:4224
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\nevpilcwlhgwpzsvlnja.exe*."
    3⤵
    PID:5832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
1⤵
PID:3340
- C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
  2⤵
  PID:652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe .
1⤵
PID:6132
- C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe .
  2⤵
  PID:4308
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\zmzpedqgrjeqflaz.exe*."
    3⤵
    PID:3032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
1⤵
PID:4616
- C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
  2⤵
  PID:5728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe .
1⤵
PID:5372
- C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe
  C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe .
  2⤵
  PID:1316
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\nevpilcwlhgwpzsvlnja.exe*."
    3⤵
    PID:4908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c petlcdskxroctbsthh.exe
1⤵
PID:2896
- C:\Windows\petlcdskxroctbsthh.exe
  petlcdskxroctbsthh.exe
  2⤵
  PID:1488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqgzrtjcqljyqzrtije.exe .
1⤵
PID:3972
- C:\Windows\aqgzrtjcqljyqzrtije.exe
  aqgzrtjcqljyqzrtije.exe .
  2⤵
  PID:1548
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\aqgzrtjcqljyqzrtije.exe*."
    3⤵
    PID:5744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqgzrtjcqljyqzrtije.exe
1⤵
PID:2340
- C:\Windows\aqgzrtjcqljyqzrtije.exe
  aqgzrtjcqljyqzrtije.exe
  2⤵
  PID:5520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cumhbfxsiffwqbvzqtqia.exe .
1⤵
PID:5512
- C:\Windows\cumhbfxsiffwqbvzqtqia.exe
  cumhbfxsiffwqbvzqtqia.exe .
  2⤵
  PID:924
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\cumhbfxsiffwqbvzqtqia.exe*."
    3⤵
    PID:5460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe
1⤵
PID:3480
- C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe
  2⤵
  PID:1088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe .
1⤵
PID:3556
- C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe .
  2⤵
  PID:1716
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\petlcdskxroctbsthh.exe*."
    3⤵
    PID:3408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe
1⤵
PID:5392
- C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe
  2⤵
  PID:3756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe .
1⤵
PID:60
- C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe .
  2⤵
  PID:5820
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\guizppdugzviyfvvi.exe*."
    3⤵
    PID:3584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nevpilcwlhgwpzsvlnja.exe
1⤵
PID:5788
- C:\Windows\nevpilcwlhgwpzsvlnja.exe
  nevpilcwlhgwpzsvlnja.exe
  2⤵
  PID:5936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nevpilcwlhgwpzsvlnja.exe .
1⤵
PID:3784
- C:\Windows\nevpilcwlhgwpzsvlnja.exe
  nevpilcwlhgwpzsvlnja.exe .
  2⤵
  PID:1076
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\nevpilcwlhgwpzsvlnja.exe*."
    3⤵
    PID:3472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqgzrtjcqljyqzrtije.exe
1⤵
PID:3200
- C:\Windows\aqgzrtjcqljyqzrtije.exe
  aqgzrtjcqljyqzrtije.exe
  2⤵
  PID:2720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmzpedqgrjeqflaz.exe .
1⤵
PID:3716
- C:\Windows\zmzpedqgrjeqflaz.exe
  zmzpedqgrjeqflaz.exe .
  2⤵
  PID:4088
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\zmzpedqgrjeqflaz.exe*."
    3⤵
    PID:2864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe
1⤵
PID:4936
- C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe
  C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe
  2⤵
  PID:4872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c guizppdugzviyfvvi.exe
1⤵
PID:4736
- C:\Windows\guizppdugzviyfvvi.exe
  guizppdugzviyfvvi.exe
  2⤵
  PID:1864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe .
1⤵
PID:2948
- C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe .
  2⤵
  PID:3028
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\petlcdskxroctbsthh.exe*."
    3⤵
    PID:664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nevpilcwlhgwpzsvlnja.exe .
1⤵
PID:5056
- C:\Windows\nevpilcwlhgwpzsvlnja.exe
  nevpilcwlhgwpzsvlnja.exe .
  2⤵
  PID:5672
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\nevpilcwlhgwpzsvlnja.exe*."
    3⤵
    PID:3352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nevpilcwlhgwpzsvlnja.exe
1⤵
PID:4704
- C:\Windows\nevpilcwlhgwpzsvlnja.exe
  nevpilcwlhgwpzsvlnja.exe
  2⤵
  PID:3972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c guizppdugzviyfvvi.exe
1⤵
PID:5584
- C:\Windows\guizppdugzviyfvvi.exe
  guizppdugzviyfvvi.exe
  2⤵
  PID:5168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe
1⤵
PID:3748
- C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe
  C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe
  2⤵
  PID:6076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c guizppdugzviyfvvi.exe .
1⤵
PID:4876
- C:\Windows\guizppdugzviyfvvi.exe
  guizppdugzviyfvvi.exe .
  2⤵
  PID:1088
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\guizppdugzviyfvvi.exe*."
    3⤵
    PID:5888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqgzrtjcqljyqzrtije.exe .
1⤵
PID:3448
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1800
- C:\Users\Admin\AppData\Local\Temp\aqgzrtjcqljyqzrtije.exe
  C:\Users\Admin\AppData\Local\Temp\aqgzrtjcqljyqzrtije.exe .
  2⤵
  PID:1548
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\aqgzrtjcqljyqzrtije.exe*."
    3⤵
    PID:2428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c petlcdskxroctbsthh.exe .
1⤵
PID:6132
- C:\Windows\petlcdskxroctbsthh.exe
  petlcdskxroctbsthh.exe .
  2⤵
  PID:5444
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\petlcdskxroctbsthh.exe*."
    3⤵
    PID:5820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
1⤵
PID:5004
- C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
  2⤵
  PID:1532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqgzrtjcqljyqzrtije.exe .
1⤵
PID:5044
- C:\Users\Admin\AppData\Local\Temp\aqgzrtjcqljyqzrtije.exe
  C:\Users\Admin\AppData\Local\Temp\aqgzrtjcqljyqzrtije.exe .
  2⤵
  PID:4868
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\aqgzrtjcqljyqzrtije.exe*."
    3⤵
    PID:5448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqgzrtjcqljyqzrtije.exe
1⤵
PID:2228
- C:\Windows\aqgzrtjcqljyqzrtije.exe
  aqgzrtjcqljyqzrtije.exe
  2⤵
  PID:4700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmzpedqgrjeqflaz.exe .
1⤵
PID:1924
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4400
- C:\Windows\zmzpedqgrjeqflaz.exe
  zmzpedqgrjeqflaz.exe .
  2⤵
  PID:928
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\zmzpedqgrjeqflaz.exe*."
    3⤵
    PID:3176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe
1⤵
PID:4632
- C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe
  C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe
  2⤵
  PID:4104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
1⤵
PID:4152
- C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
  2⤵
  PID:5464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe .
1⤵
PID:4636
- C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe
  C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe .
  2⤵
  PID:5828
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\cumhbfxsiffwqbvzqtqia.exe*."
    3⤵
    PID:3560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe .
1⤵
PID:3356
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:912
- C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe
  C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe .
  2⤵
  PID:5084
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\nevpilcwlhgwpzsvlnja.exe*."
    3⤵
    PID:1360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c petlcdskxroctbsthh.exe
1⤵
PID:3944
- C:\Windows\petlcdskxroctbsthh.exe
  petlcdskxroctbsthh.exe
  2⤵
  PID:3256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe
1⤵
PID:5512
- C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe
  2⤵
  PID:1892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqgzrtjcqljyqzrtije.exe .
1⤵
PID:5008
- C:\Users\Admin\AppData\Local\Temp\aqgzrtjcqljyqzrtije.exe
  C:\Users\Admin\AppData\Local\Temp\aqgzrtjcqljyqzrtije.exe .
  2⤵
  PID:2504
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\aqgzrtjcqljyqzrtije.exe*."
    3⤵
    PID:3584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nevpilcwlhgwpzsvlnja.exe .
1⤵
PID:4364
- C:\Windows\nevpilcwlhgwpzsvlnja.exe
  nevpilcwlhgwpzsvlnja.exe .
  2⤵
  PID:1868
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\nevpilcwlhgwpzsvlnja.exe*."
    3⤵
    PID:4736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cumhbfxsiffwqbvzqtqia.exe
1⤵
PID:5712
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3372
- C:\Windows\cumhbfxsiffwqbvzqtqia.exe
  cumhbfxsiffwqbvzqtqia.exe
  2⤵
  PID:6044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmzpedqgrjeqflaz.exe .
1⤵
PID:3868
- C:\Windows\zmzpedqgrjeqflaz.exe
  zmzpedqgrjeqflaz.exe .
  2⤵
  PID:1380
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\zmzpedqgrjeqflaz.exe*."
    3⤵
    PID:1792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe
1⤵
PID:3108
- C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe
  C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe
  2⤵
  PID:1388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe .
1⤵
PID:3784
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2672
- C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe .
  2⤵
  PID:4132
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\guizppdugzviyfvvi.exe*."
    3⤵
    PID:5808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
1⤵
PID:3328
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:432
- C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
  2⤵
  PID:5540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe .
1⤵
PID:3888
- C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe
  C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe .
  2⤵
  PID:5572
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\nevpilcwlhgwpzsvlnja.exe*."
    3⤵
    PID:4528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmzpedqgrjeqflaz.exe
1⤵
PID:5968
- C:\Windows\zmzpedqgrjeqflaz.exe
  zmzpedqgrjeqflaz.exe
  2⤵
  PID:4816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmzpedqgrjeqflaz.exe .
1⤵
PID:3796
- C:\Windows\zmzpedqgrjeqflaz.exe
  zmzpedqgrjeqflaz.exe .
  2⤵
  PID:4812
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\zmzpedqgrjeqflaz.exe*."
    3⤵
    PID:1916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqgzrtjcqljyqzrtije.exe
1⤵
PID:2472
- C:\Windows\aqgzrtjcqljyqzrtije.exe
  aqgzrtjcqljyqzrtije.exe
  2⤵
  PID:2116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmzpedqgrjeqflaz.exe .
1⤵
PID:528
- C:\Windows\zmzpedqgrjeqflaz.exe
  zmzpedqgrjeqflaz.exe .
  2⤵
  PID:2044
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\zmzpedqgrjeqflaz.exe*."
    3⤵
    PID:1432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe
1⤵
PID:3480
- C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe
  2⤵
  PID:1244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe .
1⤵
PID:3032
- C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe
  C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe .
  2⤵
  PID:2388
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\nevpilcwlhgwpzsvlnja.exe*."
    3⤵
    PID:6140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe
1⤵
PID:4892
- C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe
  C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe
  2⤵
  PID:5244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe .
1⤵
PID:4152
- C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe .
  2⤵
  PID:1180
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\guizppdugzviyfvvi.exe*."
    3⤵
    PID:5424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nevpilcwlhgwpzsvlnja.exe
1⤵
PID:2408
- C:\Windows\nevpilcwlhgwpzsvlnja.exe
  nevpilcwlhgwpzsvlnja.exe
  2⤵
  PID:4732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c petlcdskxroctbsthh.exe .
1⤵
PID:4172
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1064
- C:\Windows\petlcdskxroctbsthh.exe
  petlcdskxroctbsthh.exe .
  2⤵
  PID:4600
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\petlcdskxroctbsthh.exe*."
    3⤵
    PID:3152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c guizppdugzviyfvvi.exe
1⤵
PID:4204
- C:\Windows\guizppdugzviyfvvi.exe
  guizppdugzviyfvvi.exe
  2⤵
  PID:1616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c guizppdugzviyfvvi.exe .
1⤵
PID:4872
- C:\Windows\guizppdugzviyfvvi.exe
  guizppdugzviyfvvi.exe .
  2⤵
  PID:5904
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\guizppdugzviyfvvi.exe*."
    3⤵
    PID:1412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe
1⤵
PID:3612
- C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe
  C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe
  2⤵
  PID:4636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqgzrtjcqljyqzrtije.exe .
1⤵
PID:1140
- C:\Users\Admin\AppData\Local\Temp\aqgzrtjcqljyqzrtije.exe
  C:\Users\Admin\AppData\Local\Temp\aqgzrtjcqljyqzrtije.exe .
  2⤵
  PID:1200
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\aqgzrtjcqljyqzrtije.exe*."
    3⤵
    PID:2224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe
1⤵
PID:2260
- C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe
  2⤵
  PID:5152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe .
1⤵
PID:3840
- C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe
  C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe .
  2⤵
  PID:3584
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\nevpilcwlhgwpzsvlnja.exe*."
    3⤵
    PID:940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c guizppdugzviyfvvi.exe
1⤵
PID:972
- C:\Windows\guizppdugzviyfvvi.exe
  guizppdugzviyfvvi.exe
  2⤵
  PID:5788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cumhbfxsiffwqbvzqtqia.exe .
1⤵
PID:5008
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5976
- C:\Windows\cumhbfxsiffwqbvzqtqia.exe
  cumhbfxsiffwqbvzqtqia.exe .
  2⤵
  PID:4992
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\cumhbfxsiffwqbvzqtqia.exe*."
    3⤵
    PID:3024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c guizppdugzviyfvvi.exe
1⤵
PID:5420
- C:\Windows\guizppdugzviyfvvi.exe
  guizppdugzviyfvvi.exe
  2⤵
  PID:3068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqgzrtjcqljyqzrtije.exe .
1⤵
PID:4716
- C:\Windows\aqgzrtjcqljyqzrtije.exe
  aqgzrtjcqljyqzrtije.exe .
  2⤵
  PID:5672
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\aqgzrtjcqljyqzrtije.exe*."
    3⤵
    PID:1956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe
1⤵
PID:4920
- C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe
  C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe
  2⤵
  PID:2084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe .
1⤵
PID:4088
- C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe .
  2⤵
  PID:772
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\petlcdskxroctbsthh.exe*."
    3⤵
    PID:4704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe
1⤵
PID:2708
- C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe
  C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe
  2⤵
  PID:4268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe .
1⤵
PID:6060
- C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe .
  2⤵
  PID:980
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\zmzpedqgrjeqflaz.exe*."
    3⤵
    PID:3296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c guizppdugzviyfvvi.exe
1⤵
PID:1240
- C:\Windows\guizppdugzviyfvvi.exe
  guizppdugzviyfvvi.exe
  2⤵
  PID:5888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cumhbfxsiffwqbvzqtqia.exe .
1⤵
PID:3084
- C:\Windows\cumhbfxsiffwqbvzqtqia.exe
  cumhbfxsiffwqbvzqtqia.exe .
  2⤵
  PID:6128
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\cumhbfxsiffwqbvzqtqia.exe*."
    3⤵
    PID:3032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmzpedqgrjeqflaz.exe
1⤵
PID:4692
- C:\Windows\zmzpedqgrjeqflaz.exe
  zmzpedqgrjeqflaz.exe
  2⤵
  PID:4896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cumhbfxsiffwqbvzqtqia.exe .
1⤵
PID:4156
- C:\Windows\cumhbfxsiffwqbvzqtqia.exe
  cumhbfxsiffwqbvzqtqia.exe .
  2⤵
  PID:3012
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\cumhbfxsiffwqbvzqtqia.exe*."
    3⤵
    PID:4164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe
1⤵
PID:3552
- C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe
  2⤵
  PID:3864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe .
1⤵
PID:2880
- C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe
  C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe .
  2⤵
  PID:2736
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\nevpilcwlhgwpzsvlnja.exe*."
    3⤵
    PID:2712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe
1⤵
PID:1988
- C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe
  2⤵
  PID:4184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe .
1⤵
PID:1672
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2348
- C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe .
  2⤵
  PID:4600
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\petlcdskxroctbsthh.exe*."
    3⤵
    PID:1028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c guizppdugzviyfvvi.exe
1⤵
PID:680
- C:\Windows\guizppdugzviyfvvi.exe
  guizppdugzviyfvvi.exe
  2⤵
  PID:5128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cumhbfxsiffwqbvzqtqia.exe .
1⤵
PID:2800
- C:\Windows\cumhbfxsiffwqbvzqtqia.exe
  cumhbfxsiffwqbvzqtqia.exe .
  2⤵
  PID:5108
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\cumhbfxsiffwqbvzqtqia.exe*."
    3⤵
    PID:3360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmzpedqgrjeqflaz.exe
1⤵
PID:1412
- C:\Windows\zmzpedqgrjeqflaz.exe
  zmzpedqgrjeqflaz.exe
  2⤵
  PID:5860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c petlcdskxroctbsthh.exe .
1⤵
PID:1200
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2224
- C:\Windows\petlcdskxroctbsthh.exe
  petlcdskxroctbsthh.exe .
  2⤵
  PID:3904
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\petlcdskxroctbsthh.exe*."
    3⤵
    PID:2944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
1⤵
PID:3116
- C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
  2⤵
  PID:4908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe .
1⤵
PID:5280
- C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe .
  2⤵
  PID:5784
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\zmzpedqgrjeqflaz.exe*."
    3⤵
    PID:4044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmzpedqgrjeqflaz.exe
1⤵
PID:3108
- C:\Windows\zmzpedqgrjeqflaz.exe
  zmzpedqgrjeqflaz.exe
  2⤵
  PID:3068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
1⤵
PID:4608
- C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
  2⤵
  PID:2992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe .
1⤵
PID:3028
- C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe
  C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe .
  2⤵
  PID:4132
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\cumhbfxsiffwqbvzqtqia.exe*."
    3⤵
    PID:5368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nevpilcwlhgwpzsvlnja.exe .
1⤵
PID:4424
- C:\Windows\nevpilcwlhgwpzsvlnja.exe
  nevpilcwlhgwpzsvlnja.exe .
  2⤵
  PID:1208
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\nevpilcwlhgwpzsvlnja.exe*."
    3⤵
    PID:5464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cumhbfxsiffwqbvzqtqia.exe
1⤵
PID:5168
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5248
- C:\Windows\cumhbfxsiffwqbvzqtqia.exe
  cumhbfxsiffwqbvzqtqia.exe
  2⤵
  PID:336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nevpilcwlhgwpzsvlnja.exe
1⤵
PID:2760
- C:\Windows\nevpilcwlhgwpzsvlnja.exe
  nevpilcwlhgwpzsvlnja.exe
  2⤵
  PID:2268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c guizppdugzviyfvvi.exe .
1⤵
PID:116
- C:\Windows\guizppdugzviyfvvi.exe
  guizppdugzviyfvvi.exe .
  2⤵
  PID:5068
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\guizppdugzviyfvvi.exe*."
    3⤵
    PID:848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe
1⤵
PID:4616
- C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe
  C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe
  2⤵
  PID:5256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqgzrtjcqljyqzrtije.exe .
1⤵
PID:5080
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5608
- C:\Windows\aqgzrtjcqljyqzrtije.exe
  aqgzrtjcqljyqzrtije.exe .
  2⤵
  PID:4732
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\aqgzrtjcqljyqzrtije.exe*."
    3⤵
    PID:1724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe .
1⤵
PID:1032
- C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe .
  2⤵
  PID:3812
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\petlcdskxroctbsthh.exe*."
    3⤵
    PID:4736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmzpedqgrjeqflaz.exe
1⤵
PID:4852
- C:\Windows\zmzpedqgrjeqflaz.exe
  zmzpedqgrjeqflaz.exe
  2⤵
  PID:6028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqgzrtjcqljyqzrtije.exe .
1⤵
PID:2116
- C:\Windows\aqgzrtjcqljyqzrtije.exe
  aqgzrtjcqljyqzrtije.exe .
  2⤵
  PID:1496
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\aqgzrtjcqljyqzrtije.exe*."
    3⤵
    PID:2496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe
1⤵
PID:4320
- C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe
  2⤵
  PID:3336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqgzrtjcqljyqzrtije.exe
1⤵
PID:1312
- C:\Users\Admin\AppData\Local\Temp\aqgzrtjcqljyqzrtije.exe
  C:\Users\Admin\AppData\Local\Temp\aqgzrtjcqljyqzrtije.exe
  2⤵
  PID:4456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe .
1⤵
PID:4648
- C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe .
  2⤵
  PID:2880
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\guizppdugzviyfvvi.exe*."
    3⤵
    PID:5108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe .
1⤵
PID:2332
- C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe
  C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe .
  2⤵
  PID:4936
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\nevpilcwlhgwpzsvlnja.exe*."
    3⤵
    PID:4544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqgzrtjcqljyqzrtije.exe
1⤵
PID:5244
- C:\Windows\aqgzrtjcqljyqzrtije.exe
  aqgzrtjcqljyqzrtije.exe
  2⤵
  PID:3476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nevpilcwlhgwpzsvlnja.exe .
1⤵
PID:1180
- C:\Windows\nevpilcwlhgwpzsvlnja.exe
  nevpilcwlhgwpzsvlnja.exe .
  2⤵
  PID:3088
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\nevpilcwlhgwpzsvlnja.exe*."
    3⤵
    PID:2652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe
1⤵
PID:3148
- C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe
  2⤵
  PID:4044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe .
1⤵
PID:1336
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4496
- C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe
  C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe .
  2⤵
  PID:208
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\nevpilcwlhgwpzsvlnja.exe*."
    3⤵
    PID:3288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c guizppdugzviyfvvi.exe
1⤵
PID:4184
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:844
- C:\Windows\guizppdugzviyfvvi.exe
  guizppdugzviyfvvi.exe
  2⤵
  PID:764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cumhbfxsiffwqbvzqtqia.exe .
1⤵
PID:5372
- C:\Windows\cumhbfxsiffwqbvzqtqia.exe
  cumhbfxsiffwqbvzqtqia.exe .
  2⤵
  PID:924
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\cumhbfxsiffwqbvzqtqia.exe*."
    3⤵
    PID:2416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
1⤵
PID:5092
- C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
  2⤵
  PID:5692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe .
1⤵
PID:4904
- C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe .
  2⤵
  PID:3488
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\guizppdugzviyfvvi.exe*."
    3⤵
    PID:4172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
1⤵
PID:4880
- C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
  2⤵
  PID:3108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe .
1⤵
PID:1040
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4708
- C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe .
  2⤵
  PID:4360
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\guizppdugzviyfvvi.exe*."
    3⤵
    PID:3868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c guizppdugzviyfvvi.exe
1⤵
PID:4132
- C:\Windows\guizppdugzviyfvvi.exe
  guizppdugzviyfvvi.exe
  2⤵
  PID:4460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmzpedqgrjeqflaz.exe .
1⤵
PID:2740
- C:\Windows\zmzpedqgrjeqflaz.exe
  zmzpedqgrjeqflaz.exe .
  2⤵
  PID:5684
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\zmzpedqgrjeqflaz.exe*."
    3⤵
    PID:1832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cumhbfxsiffwqbvzqtqia.exe
1⤵
PID:3848
- C:\Windows\cumhbfxsiffwqbvzqtqia.exe
  cumhbfxsiffwqbvzqtqia.exe
  2⤵
  PID:2472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cumhbfxsiffwqbvzqtqia.exe .
1⤵
PID:2968
- C:\Windows\cumhbfxsiffwqbvzqtqia.exe
  cumhbfxsiffwqbvzqtqia.exe .
  2⤵
  PID:5256
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\cumhbfxsiffwqbvzqtqia.exe*."
    3⤵
    PID:4808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe
1⤵
PID:4152
- C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe
  2⤵
  PID:3184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe .
1⤵
PID:4700
- C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe
  C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe .
  2⤵
  PID:6132
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\cumhbfxsiffwqbvzqtqia.exe*."
    3⤵
    PID:5832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe
1⤵
PID:5352
- C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe
  C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe
  2⤵
  PID:1724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe .
1⤵
PID:2736
- C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe .
  2⤵
  PID:1388
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\zmzpedqgrjeqflaz.exe*."
    3⤵
    PID:5260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c guizppdugzviyfvvi.exe
1⤵
PID:4060
- C:\Windows\guizppdugzviyfvvi.exe
  guizppdugzviyfvvi.exe
  2⤵
  PID:5904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c guizppdugzviyfvvi.exe .
1⤵
PID:1240
- C:\Windows\guizppdugzviyfvvi.exe
  guizppdugzviyfvvi.exe .
  2⤵
  PID:2800
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\guizppdugzviyfvvi.exe*."
    3⤵
    PID:5080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c petlcdskxroctbsthh.exe
1⤵
PID:3032
- C:\Windows\petlcdskxroctbsthh.exe
  petlcdskxroctbsthh.exe
  2⤵
  PID:3772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqgzrtjcqljyqzrtije.exe .
1⤵
PID:4092
- C:\Windows\aqgzrtjcqljyqzrtije.exe
  aqgzrtjcqljyqzrtije.exe .
  2⤵
  PID:3012
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\aqgzrtjcqljyqzrtije.exe*."
    3⤵
    PID:2044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqgzrtjcqljyqzrtije.exe
1⤵
PID:2292
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1204
- C:\Users\Admin\AppData\Local\Temp\aqgzrtjcqljyqzrtije.exe
  C:\Users\Admin\AppData\Local\Temp\aqgzrtjcqljyqzrtije.exe
  2⤵
  PID:2116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe .
1⤵
PID:5424
- C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe
  C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe .
  2⤵
  PID:3740
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\cumhbfxsiffwqbvzqtqia.exe*."
    3⤵
    PID:3472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe
1⤵
PID:4168
- C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe
  2⤵
  PID:5532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe .
1⤵
PID:2020
- C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe .
  2⤵
  PID:5368
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\zmzpedqgrjeqflaz.exe*."
    3⤵
    PID:984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nevpilcwlhgwpzsvlnja.exe
1⤵
PID:5392
- C:\Windows\nevpilcwlhgwpzsvlnja.exe
  nevpilcwlhgwpzsvlnja.exe
  2⤵
  PID:5264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c guizppdugzviyfvvi.exe .
1⤵
PID:5772
- C:\Windows\guizppdugzviyfvvi.exe
  guizppdugzviyfvvi.exe .
  2⤵
  PID:1924
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\guizppdugzviyfvvi.exe*."
    3⤵
    PID:396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmzpedqgrjeqflaz.exe
1⤵
PID:2416
- C:\Windows\zmzpedqgrjeqflaz.exe
  zmzpedqgrjeqflaz.exe
  2⤵
  PID:1336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqgzrtjcqljyqzrtije.exe .
1⤵
PID:1988
- C:\Windows\aqgzrtjcqljyqzrtije.exe
  aqgzrtjcqljyqzrtije.exe .
  2⤵
  PID:5372
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\aqgzrtjcqljyqzrtije.exe*."
    3⤵
    PID:4956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe
1⤵
PID:2916
- C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe
  2⤵
  PID:5656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe .
1⤵
PID:4108
- C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe .
  2⤵
  PID:5012
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\guizppdugzviyfvvi.exe*."
    3⤵
    PID:5920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
1⤵
PID:1460
- C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
  2⤵
  PID:3788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe .
1⤵
PID:3168
- C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe .
  2⤵
  PID:1852
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\petlcdskxroctbsthh.exe*."
    3⤵
    PID:5052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nevpilcwlhgwpzsvlnja.exe
1⤵
PID:1400
- C:\Windows\nevpilcwlhgwpzsvlnja.exe
  nevpilcwlhgwpzsvlnja.exe
  2⤵
  PID:3176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmzpedqgrjeqflaz.exe .
1⤵
PID:6096
- C:\Windows\zmzpedqgrjeqflaz.exe
  zmzpedqgrjeqflaz.exe .
  2⤵
  PID:3144
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\zmzpedqgrjeqflaz.exe*."
    3⤵
    PID:1684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c petlcdskxroctbsthh.exe
1⤵
PID:2268
- C:\Windows\petlcdskxroctbsthh.exe
  petlcdskxroctbsthh.exe
  2⤵
  PID:5832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c guizppdugzviyfvvi.exe .
1⤵
PID:2460
- C:\Windows\guizppdugzviyfvvi.exe
  guizppdugzviyfvvi.exe .
  2⤵
  PID:3848
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\guizppdugzviyfvvi.exe*."
    3⤵
    PID:4560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqgzrtjcqljyqzrtije.exe
1⤵
PID:4700
- C:\Users\Admin\AppData\Local\Temp\aqgzrtjcqljyqzrtije.exe
  C:\Users\Admin\AppData\Local\Temp\aqgzrtjcqljyqzrtije.exe
  2⤵
  PID:1588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe .
1⤵
PID:3724
- C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe .
  2⤵
  PID:1956
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\petlcdskxroctbsthh.exe*."
    3⤵
    PID:4656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe
1⤵
PID:3948
- C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe
  2⤵
  PID:1376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe .
1⤵
PID:2000
- C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe
  C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe .
  2⤵
  PID:4716
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\cumhbfxsiffwqbvzqtqia.exe*."
    3⤵
    PID:1644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmzpedqgrjeqflaz.exe
1⤵
PID:4320
- C:\Windows\zmzpedqgrjeqflaz.exe
  zmzpedqgrjeqflaz.exe
  2⤵
  PID:5528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c petlcdskxroctbsthh.exe .
1⤵
PID:2708
- C:\Windows\petlcdskxroctbsthh.exe
  petlcdskxroctbsthh.exe .
  2⤵
  PID:2768
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\petlcdskxroctbsthh.exe*."
    3⤵
    PID:3084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqgzrtjcqljyqzrtije.exe
1⤵
PID:4692
- C:\Windows\aqgzrtjcqljyqzrtije.exe
  aqgzrtjcqljyqzrtije.exe
  2⤵
  PID:4876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c guizppdugzviyfvvi.exe .
1⤵
PID:3556
- C:\Windows\guizppdugzviyfvvi.exe
  guizppdugzviyfvvi.exe .
  2⤵
  PID:5520
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\guizppdugzviyfvvi.exe*."
    3⤵
    PID:3904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
1⤵
PID:5544
- C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
  2⤵
  PID:5424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe .
1⤵
PID:968
- C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe .
  2⤵
  PID:4168
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\zmzpedqgrjeqflaz.exe*."
    3⤵
    PID:1360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe
1⤵
PID:5892
- C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe
  C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe
  2⤵
  PID:4100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe .
1⤵
PID:3716
- C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe
  C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe .
  2⤵
  PID:3068
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\cumhbfxsiffwqbvzqtqia.exe*."
    3⤵
    PID:3488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cumhbfxsiffwqbvzqtqia.exe
1⤵
PID:5460
- C:\Windows\cumhbfxsiffwqbvzqtqia.exe
  cumhbfxsiffwqbvzqtqia.exe
  2⤵
  PID:3448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c guizppdugzviyfvvi.exe .
1⤵
PID:5572
- C:\Windows\guizppdugzviyfvvi.exe
  guizppdugzviyfvvi.exe .
  2⤵
  PID:1180
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\guizppdugzviyfvvi.exe*."
    3⤵
    PID:1868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqgzrtjcqljyqzrtije.exe
1⤵
PID:5732
- C:\Windows\aqgzrtjcqljyqzrtije.exe
  aqgzrtjcqljyqzrtije.exe
  2⤵
  PID:4156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c guizppdugzviyfvvi.exe
1⤵
PID:3756
- C:\Windows\guizppdugzviyfvvi.exe
  guizppdugzviyfvvi.exe
  2⤵
  PID:3024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c petlcdskxroctbsthh.exe
1⤵
PID:3280
- C:\Windows\petlcdskxroctbsthh.exe
  petlcdskxroctbsthh.exe
  2⤵
  PID:1684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c petlcdskxroctbsthh.exe .
1⤵
PID:4848
- C:\Windows\petlcdskxroctbsthh.exe
  petlcdskxroctbsthh.exe .
  2⤵
  PID:4220
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\petlcdskxroctbsthh.exe*."
    3⤵
    PID:620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c petlcdskxroctbsthh.exe .
1⤵
PID:680
- C:\Windows\petlcdskxroctbsthh.exe
  petlcdskxroctbsthh.exe .
  2⤵
  PID:1064
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\petlcdskxroctbsthh.exe*."
    3⤵
    PID:4860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe
1⤵
PID:5012
- C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe
  C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe
  2⤵
  PID:4324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cumhbfxsiffwqbvzqtqia.exe .
1⤵
PID:2908
- C:\Windows\cumhbfxsiffwqbvzqtqia.exe
  cumhbfxsiffwqbvzqtqia.exe .
  2⤵
  PID:1388
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\cumhbfxsiffwqbvzqtqia.exe*."
    3⤵
    PID:4760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe .
1⤵
PID:508
- C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe .
  2⤵
  PID:4600
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\petlcdskxroctbsthh.exe*."
    3⤵
    PID:2768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cumhbfxsiffwqbvzqtqia.exe
1⤵
PID:3888
- C:\Windows\cumhbfxsiffwqbvzqtqia.exe
  cumhbfxsiffwqbvzqtqia.exe
  2⤵
  PID:3568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cumhbfxsiffwqbvzqtqia.exe .
1⤵
PID:2632
- C:\Windows\cumhbfxsiffwqbvzqtqia.exe
  cumhbfxsiffwqbvzqtqia.exe .
  2⤵
  PID:2116
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\cumhbfxsiffwqbvzqtqia.exe*."
    3⤵
    PID:6084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqgzrtjcqljyqzrtije.exe
1⤵
PID:5684
- C:\Windows\aqgzrtjcqljyqzrtije.exe
  aqgzrtjcqljyqzrtije.exe
  2⤵
  PID:3076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe
1⤵
PID:1500
- C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe
  C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe
  2⤵
  PID:5632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c guizppdugzviyfvvi.exe .
1⤵
PID:224
- C:\Windows\guizppdugzviyfvvi.exe
  guizppdugzviyfvvi.exe .
  2⤵
  PID:4268
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\guizppdugzviyfvvi.exe*."
    3⤵
    PID:4936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
1⤵
PID:5024
- C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
  2⤵
  PID:5704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe .
1⤵
PID:2340
- C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe .
  2⤵
  PID:5548
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\zmzpedqgrjeqflaz.exe*."
    3⤵
    PID:2108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe
1⤵
PID:5068
- C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe
  C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe
  2⤵
  PID:2336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe .
1⤵
PID:3780
- C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe .
  2⤵
  PID:5896
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\guizppdugzviyfvvi.exe*."
    3⤵
    PID:2472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqgzrtjcqljyqzrtije.exe .
1⤵
PID:3812
- C:\Users\Admin\AppData\Local\Temp\aqgzrtjcqljyqzrtije.exe
  C:\Users\Admin\AppData\Local\Temp\aqgzrtjcqljyqzrtije.exe .
  2⤵
  PID:2876
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\aqgzrtjcqljyqzrtije.exe*."
    3⤵
    PID:3460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe
1⤵
PID:1488
- C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe
  C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe
  2⤵
  PID:968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe
1⤵
PID:2656
- C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe
  2⤵
  PID:1312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe .
1⤵
PID:2408
- C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\petlcdskxroctbsthh.exe .
  2⤵
  PID:636
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\petlcdskxroctbsthh.exe*."
    3⤵
    PID:4416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe .
1⤵
PID:2880
- C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe
  C:\Users\Admin\AppData\Local\Temp\cumhbfxsiffwqbvzqtqia.exe .
  2⤵
  PID:2948
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\cumhbfxsiffwqbvzqtqia.exe*."
    3⤵
    PID:5968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nevpilcwlhgwpzsvlnja.exe
1⤵
PID:3088
- C:\Windows\nevpilcwlhgwpzsvlnja.exe
  nevpilcwlhgwpzsvlnja.exe
  2⤵
  PID:3716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nevpilcwlhgwpzsvlnja.exe .
1⤵
PID:1200
- C:\Windows\nevpilcwlhgwpzsvlnja.exe
  nevpilcwlhgwpzsvlnja.exe .
  2⤵
  PID:4484
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\nevpilcwlhgwpzsvlnja.exe*."
    3⤵
    PID:3576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmzpedqgrjeqflaz.exe
1⤵
PID:5092
- C:\Windows\zmzpedqgrjeqflaz.exe
  zmzpedqgrjeqflaz.exe
  2⤵
  PID:6116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmzpedqgrjeqflaz.exe .
1⤵
PID:3872
- C:\Windows\zmzpedqgrjeqflaz.exe
  zmzpedqgrjeqflaz.exe .
  2⤵
  PID:6044
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\zmzpedqgrjeqflaz.exe*."
    3⤵
    PID:4224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe
1⤵
PID:4612
- C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe
  2⤵
  PID:5496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe .
1⤵
PID:4132
- C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\guizppdugzviyfvvi.exe .
  2⤵
  PID:5836
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\guizppdugzviyfvvi.exe*."
    3⤵
    PID:5832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe
1⤵
PID:3328
- C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe
  C:\Users\Admin\AppData\Local\Temp\nevpilcwlhgwpzsvlnja.exe
  2⤵
  PID:2400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe .
1⤵
PID:4204
- C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\zmzpedqgrjeqflaz.exe .
  2⤵
  PID:2828
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\zmzpedqgrjeqflaz.exe*."
    3⤵
    PID:2060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmzpedqgrjeqflaz.exe
1⤵
PID:6060
- C:\Windows\zmzpedqgrjeqflaz.exe
  zmzpedqgrjeqflaz.exe
  2⤵
  PID:1240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmzpedqgrjeqflaz.exe .
1⤵
PID:3976
- C:\Windows\zmzpedqgrjeqflaz.exe
  zmzpedqgrjeqflaz.exe .
  2⤵
  PID:4456
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\zmzpedqgrjeqflaz.exe*."
    3⤵
    PID:5432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmzpedqgrjeqflaz.exe
1⤵
PID:716
- C:\Windows\zmzpedqgrjeqflaz.exe
  zmzpedqgrjeqflaz.exe
  2⤵
  PID:5076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nevpilcwlhgwpzsvlnja.exe .
1⤵
PID:220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Safe Mode Boot

T1562.009

Modify Registry