pykspa | dbd996d068c1cc16b0061d1bae1a735160b9642a197e67a2396e6a94add2dc53

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	ziktafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	ziktafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vcmnxryrfmw.exe

Pykspa
Pykspa is a worm spreads via Skype uses DGA and it's written in C++.
worm pykspa
Pykspa family
pykspa

UAC bypass 3 TTPs 28 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ziktafl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ziktafl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ziktafl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ziktafl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ziktafl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ziktafl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ziktafl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ziktafl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	vcmnxryrfmw.exe

Detect Pykspa worm 2 IoCs

worm

resource	yara_rule
behavioral2/files/0x00090000000227aa-4.dat	family_pykspa
behavioral2/files/0x0008000000024289-86.dat	family_pykspa

Adds policy Run key to start application 2 TTPs 61 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fqufovdtw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zuidwnffsjjyqzrtijd.exe"	ziktafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fqufovdtw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mixtnfyznfgwpzsvlnie.exe"	ziktafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qelzlvgzfpiq = "yqbtjxmjtheqflaz.exe"	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ziktafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qelzlvgzfpiq = "yqbtjxmjtheqflaz.exe"	ziktafl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qelzlvgzfpiq = "oivphxonzpoctbsthh.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fqufovdtw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zuidwnffsjjyqzrtijd.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qelzlvgzfpiq = "yqbtjxmjtheqflaz.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fqufovdtw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\byolgztvkdfwqbvzqtpmc.exe"	ziktafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qelzlvgzfpiq = "zuidwnffsjjyqzrtijd.exe"	ziktafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qelzlvgzfpiq = "mixtnfyznfgwpzsvlnie.exe"	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qelzlvgzfpiq = "yqbtjxmjtheqflaz.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qelzlvgzfpiq = "byolgztvkdfwqbvzqtpmc.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fqufovdtw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fykdujzxixviyfvvi.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fqufovdtw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fykdujzxixviyfvvi.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fqufovdtw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zuidwnffsjjyqzrtijd.exe"	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qelzlvgzfpiq = "mixtnfyznfgwpzsvlnie.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fqufovdtw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yqbtjxmjtheqflaz.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qelzlvgzfpiq = "fykdujzxixviyfvvi.exe"	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qelzlvgzfpiq = "yqbtjxmjtheqflaz.exe"	ziktafl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fqufovdtw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zuidwnffsjjyqzrtijd.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qelzlvgzfpiq = "mixtnfyznfgwpzsvlnie.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qelzlvgzfpiq = "oivphxonzpoctbsthh.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qelzlvgzfpiq = "byolgztvkdfwqbvzqtpmc.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qelzlvgzfpiq = "mixtnfyznfgwpzsvlnie.exe"	ziktafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qelzlvgzfpiq = "byolgztvkdfwqbvzqtpmc.exe"	ziktafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fqufovdtw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fykdujzxixviyfvvi.exe"	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fqufovdtw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mixtnfyznfgwpzsvlnie.exe"	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qelzlvgzfpiq = "oivphxonzpoctbsthh.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fqufovdtw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yqbtjxmjtheqflaz.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fqufovdtw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zuidwnffsjjyqzrtijd.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fqufovdtw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\byolgztvkdfwqbvzqtpmc.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fqufovdtw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yqbtjxmjtheqflaz.exe"	ziktafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fqufovdtw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fykdujzxixviyfvvi.exe"	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qelzlvgzfpiq = "byolgztvkdfwqbvzqtpmc.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fqufovdtw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fykdujzxixviyfvvi.exe"	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qelzlvgzfpiq = "fykdujzxixviyfvvi.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fqufovdtw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\byolgztvkdfwqbvzqtpmc.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qelzlvgzfpiq = "byolgztvkdfwqbvzqtpmc.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fqufovdtw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oivphxonzpoctbsthh.exe"	ziktafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fqufovdtw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\byolgztvkdfwqbvzqtpmc.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qelzlvgzfpiq = "byolgztvkdfwqbvzqtpmc.exe"	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fqufovdtw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mixtnfyznfgwpzsvlnie.exe"	ziktafl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ziktafl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fqufovdtw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zuidwnffsjjyqzrtijd.exe"	vcmnxryrfmw.exe

Blocklisted process makes network request 5 IoCs

flow	pid	Process
47	1692	sihclient.exe
51	1692	sihclient.exe
55	1692	sihclient.exe
56	1692	sihclient.exe
59	1692	sihclient.exe

Disables RegEdit via registry modification 6 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ziktafl.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ziktafl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ziktafl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ziktafl.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vcmnxryrfmw.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	JaffaCakes118_97a54819f342bcc3d614c86f790743c0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	byolgztvkdfwqbvzqtpmc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	zuidwnffsjjyqzrtijd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	zuidwnffsjjyqzrtijd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	oivphxonzpoctbsthh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	fykdujzxixviyfvvi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	mixtnfyznfgwpzsvlnie.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	zuidwnffsjjyqzrtijd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	fykdujzxixviyfvvi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	oivphxonzpoctbsthh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	fykdujzxixviyfvvi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	fykdujzxixviyfvvi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	yqbtjxmjtheqflaz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	mixtnfyznfgwpzsvlnie.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	mixtnfyznfgwpzsvlnie.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	fykdujzxixviyfvvi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	zuidwnffsjjyqzrtijd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	fykdujzxixviyfvvi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	zuidwnffsjjyqzrtijd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	oivphxonzpoctbsthh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	zuidwnffsjjyqzrtijd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	fykdujzxixviyfvvi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	oivphxonzpoctbsthh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	byolgztvkdfwqbvzqtpmc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	byolgztvkdfwqbvzqtpmc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	mixtnfyznfgwpzsvlnie.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	mixtnfyznfgwpzsvlnie.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	zuidwnffsjjyqzrtijd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	fykdujzxixviyfvvi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	oivphxonzpoctbsthh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	mixtnfyznfgwpzsvlnie.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	mixtnfyznfgwpzsvlnie.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	oivphxonzpoctbsthh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	oivphxonzpoctbsthh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	oivphxonzpoctbsthh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	yqbtjxmjtheqflaz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	fykdujzxixviyfvvi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	zuidwnffsjjyqzrtijd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	mixtnfyznfgwpzsvlnie.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	yqbtjxmjtheqflaz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	zuidwnffsjjyqzrtijd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	yqbtjxmjtheqflaz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	zuidwnffsjjyqzrtijd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	zuidwnffsjjyqzrtijd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	oivphxonzpoctbsthh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	mixtnfyznfgwpzsvlnie.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	byolgztvkdfwqbvzqtpmc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	zuidwnffsjjyqzrtijd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	fykdujzxixviyfvvi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	mixtnfyznfgwpzsvlnie.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	yqbtjxmjtheqflaz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	fykdujzxixviyfvvi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	mixtnfyznfgwpzsvlnie.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	zuidwnffsjjyqzrtijd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	zuidwnffsjjyqzrtijd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	oivphxonzpoctbsthh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	yqbtjxmjtheqflaz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	mixtnfyznfgwpzsvlnie.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	mixtnfyznfgwpzsvlnie.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	byolgztvkdfwqbvzqtpmc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	fykdujzxixviyfvvi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	vcmnxryrfmw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	mixtnfyznfgwpzsvlnie.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	fykdujzxixviyfvvi.exe

Executes dropped EXE 64 IoCs

pid	Process
5792	vcmnxryrfmw.exe
3624	zuidwnffsjjyqzrtijd.exe
3620	mixtnfyznfgwpzsvlnie.exe
5036	vcmnxryrfmw.exe
4880	fykdujzxixviyfvvi.exe
1104	byolgztvkdfwqbvzqtpmc.exe
4632	oivphxonzpoctbsthh.exe
1672	vcmnxryrfmw.exe
2108	mixtnfyznfgwpzsvlnie.exe
1328	vcmnxryrfmw.exe
1476	zuidwnffsjjyqzrtijd.exe
5460	zuidwnffsjjyqzrtijd.exe
1408	vcmnxryrfmw.exe
3944	ziktafl.exe
2800	ziktafl.exe
5312	mixtnfyznfgwpzsvlnie.exe
2816	oivphxonzpoctbsthh.exe
5552	zuidwnffsjjyqzrtijd.exe
5956	yqbtjxmjtheqflaz.exe
2780	vcmnxryrfmw.exe
5388	mixtnfyznfgwpzsvlnie.exe
1544	yqbtjxmjtheqflaz.exe
4960	vcmnxryrfmw.exe
5036	zuidwnffsjjyqzrtijd.exe
5076	zuidwnffsjjyqzrtijd.exe
4876	oivphxonzpoctbsthh.exe
3672	byolgztvkdfwqbvzqtpmc.exe
5004	yqbtjxmjtheqflaz.exe
1920	fykdujzxixviyfvvi.exe
3412	oivphxonzpoctbsthh.exe
5348	mixtnfyznfgwpzsvlnie.exe
1660	oivphxonzpoctbsthh.exe
4992	byolgztvkdfwqbvzqtpmc.exe
3440	vcmnxryrfmw.exe
4312	vcmnxryrfmw.exe
5740	vcmnxryrfmw.exe
1860	vcmnxryrfmw.exe
5672	oivphxonzpoctbsthh.exe
5184	vcmnxryrfmw.exe
6072	vcmnxryrfmw.exe
776	yqbtjxmjtheqflaz.exe
4684	mixtnfyznfgwpzsvlnie.exe
3908	zuidwnffsjjyqzrtijd.exe
6012	vcmnxryrfmw.exe
3660	yqbtjxmjtheqflaz.exe
2952	oivphxonzpoctbsthh.exe
4972	vcmnxryrfmw.exe
3684	vcmnxryrfmw.exe
2844	mixtnfyznfgwpzsvlnie.exe
6024	mixtnfyznfgwpzsvlnie.exe
1068	vcmnxryrfmw.exe
4032	byolgztvkdfwqbvzqtpmc.exe
1856	yqbtjxmjtheqflaz.exe
4848	zuidwnffsjjyqzrtijd.exe
2212	fykdujzxixviyfvvi.exe
1184	vcmnxryrfmw.exe
2560	oivphxonzpoctbsthh.exe
5116	byolgztvkdfwqbvzqtpmc.exe
680	mixtnfyznfgwpzsvlnie.exe
5900	mixtnfyznfgwpzsvlnie.exe
436	vcmnxryrfmw.exe
3708	vcmnxryrfmw.exe
3312	oivphxonzpoctbsthh.exe
3584	zuidwnffsjjyqzrtijd.exe

Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	ziktafl.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	ziktafl.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	ziktafl.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	ziktafl.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	ziktafl.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	ziktafl.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

defense_evasion persistence privilege_escalation

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tgmzktdvajb = "zuidwnffsjjyqzrtijd.exe ."	ziktafl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pembozlfmxram = "oivphxonzpoctbsthh.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tgmzktdvajb = "mixtnfyznfgwpzsvlnie.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ykpbltctxf = "oivphxonzpoctbsthh.exe"	ziktafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tgmzktdvajb = "yqbtjxmjtheqflaz.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ykpbltctxf = "yqbtjxmjtheqflaz.exe"	ziktafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ykpbltctxf = "zuidwnffsjjyqzrtijd.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qgpftfsnvhcmzd = "yqbtjxmjtheqflaz.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ykpbltctxf = "mixtnfyznfgwpzsvlnie.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tkulanbxgtpaoth = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mixtnfyznfgwpzsvlnie.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ykpbltctxf = "fykdujzxixviyfvvi.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tkulanbxgtpaoth = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mixtnfyznfgwpzsvlnie.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pembozlfmxram = "byolgztvkdfwqbvzqtpmc.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tgmzktdvajb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oivphxonzpoctbsthh.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ykpbltctxf = "zuidwnffsjjyqzrtijd.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qgpftfsnvhcmzd = "byolgztvkdfwqbvzqtpmc.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pembozlfmxram = "zuidwnffsjjyqzrtijd.exe"	ziktafl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qgpftfsnvhcmzd = "mixtnfyznfgwpzsvlnie.exe ."	ziktafl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tgmzktdvajb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fykdujzxixviyfvvi.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ykpbltctxf = "mixtnfyznfgwpzsvlnie.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tgmzktdvajb = "yqbtjxmjtheqflaz.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ykpbltctxf = "zuidwnffsjjyqzrtijd.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tkulanbxgtpaoth = "C:\\Users\\Admin\\AppData\\Local\\Temp\\byolgztvkdfwqbvzqtpmc.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pembozlfmxram = "yqbtjxmjtheqflaz.exe"	ziktafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tkulanbxgtpaoth = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yqbtjxmjtheqflaz.exe ."	ziktafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tkulanbxgtpaoth = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fykdujzxixviyfvvi.exe ."	ziktafl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ykpbltctxf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\byolgztvkdfwqbvzqtpmc.exe"	ziktafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tkulanbxgtpaoth = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oivphxonzpoctbsthh.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tgmzktdvajb = "fykdujzxixviyfvvi.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tgmzktdvajb = "zuidwnffsjjyqzrtijd.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tgmzktdvajb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fykdujzxixviyfvvi.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ykpbltctxf = "zuidwnffsjjyqzrtijd.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tgmzktdvajb = "zuidwnffsjjyqzrtijd.exe ."	ziktafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yqbtjxmjtheqflaz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oivphxonzpoctbsthh.exe"	ziktafl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tgmzktdvajb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mixtnfyznfgwpzsvlnie.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ykpbltctxf = "fykdujzxixviyfvvi.exe"	ziktafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tgmzktdvajb = "oivphxonzpoctbsthh.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yqbtjxmjtheqflaz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yqbtjxmjtheqflaz.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ykpbltctxf = "zuidwnffsjjyqzrtijd.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tgmzktdvajb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oivphxonzpoctbsthh.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tgmzktdvajb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mixtnfyznfgwpzsvlnie.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tgmzktdvajb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fykdujzxixviyfvvi.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tgmzktdvajb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mixtnfyznfgwpzsvlnie.exe ."	ziktafl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qgpftfsnvhcmzd = "mixtnfyznfgwpzsvlnie.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tkulanbxgtpaoth = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zuidwnffsjjyqzrtijd.exe ."	ziktafl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ykpbltctxf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yqbtjxmjtheqflaz.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ykpbltctxf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zuidwnffsjjyqzrtijd.exe"	ziktafl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tgmzktdvajb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oivphxonzpoctbsthh.exe ."	ziktafl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ykpbltctxf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oivphxonzpoctbsthh.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tgmzktdvajb = "fykdujzxixviyfvvi.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ykpbltctxf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yqbtjxmjtheqflaz.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tkulanbxgtpaoth = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oivphxonzpoctbsthh.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pembozlfmxram = "byolgztvkdfwqbvzqtpmc.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qgpftfsnvhcmzd = "mixtnfyznfgwpzsvlnie.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tgmzktdvajb = "yqbtjxmjtheqflaz.exe ."	ziktafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tkulanbxgtpaoth = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fykdujzxixviyfvvi.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qgpftfsnvhcmzd = "yqbtjxmjtheqflaz.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tgmzktdvajb = "oivphxonzpoctbsthh.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qgpftfsnvhcmzd = "fykdujzxixviyfvvi.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yqbtjxmjtheqflaz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mixtnfyznfgwpzsvlnie.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pembozlfmxram = "fykdujzxixviyfvvi.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yqbtjxmjtheqflaz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fykdujzxixviyfvvi.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tkulanbxgtpaoth = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mixtnfyznfgwpzsvlnie.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yqbtjxmjtheqflaz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fykdujzxixviyfvvi.exe"	vcmnxryrfmw.exe

Checks whether UAC is enabled 1 TTPs 38 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vcmnxryrfmw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vcmnxryrfmw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vcmnxryrfmw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vcmnxryrfmw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ziktafl.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vcmnxryrfmw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vcmnxryrfmw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ziktafl.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vcmnxryrfmw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ziktafl.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vcmnxryrfmw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ziktafl.exe

Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs

Possible Turn off User Account Control's privilege elevation for standard users.

Executable Installer File Permissions Weakness

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	ziktafl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	ziktafl.exe

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
44	whatismyip.everdot.org
23	whatismyipaddress.com
28	www.showmyipaddress.com
38	whatismyip.everdot.org
40	www.whatismyip.ca
43	www.whatismyip.ca

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\fykdujzxixviyfvvi.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\sqhfbvqtjdgytfafxbywnl.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\yqbtjxmjtheqflaz.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\byolgztvkdfwqbvzqtpmc.exe	ziktafl.exe
File opened for modification	C:\Windows\SysWOW64\oivphxonzpoctbsthh.exe	ziktafl.exe
File opened for modification	C:\Windows\SysWOW64\yqbtjxmjtheqflaz.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\byolgztvkdfwqbvzqtpmc.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\mixtnfyznfgwpzsvlnie.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\oivphxonzpoctbsthh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\fykdujzxixviyfvvi.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\oivphxonzpoctbsthh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\yqbtjxmjtheqflaz.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\mixtnfyznfgwpzsvlnie.exe	ziktafl.exe
File opened for modification	C:\Windows\SysWOW64\sqhfbvqtjdgytfafxbywnl.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\byolgztvkdfwqbvzqtpmc.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\sqhfbvqtjdgytfafxbywnl.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\fykdujzxixviyfvvi.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\yqbtjxmjtheqflaz.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\sqhfbvqtjdgytfafxbywnl.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\yqbtjxmjtheqflaz.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\yqbtjxmjtheqflaz.exe	ziktafl.exe
File opened for modification	C:\Windows\SysWOW64\sqhfbvqtjdgytfafxbywnl.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\fykdujzxixviyfvvi.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\yqbtjxmjtheqflaz.exe	ziktafl.exe
File opened for modification	C:\Windows\SysWOW64\yqbtjxmjtheqflaz.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\oivphxonzpoctbsthh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\byolgztvkdfwqbvzqtpmc.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\sqhfbvqtjdgytfafxbywnl.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\mixtnfyznfgwpzsvlnie.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\mixtnfyznfgwpzsvlnie.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\fykdujzxixviyfvvi.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\sqhfbvqtjdgytfafxbywnl.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\byolgztvkdfwqbvzqtpmc.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\sqhfbvqtjdgytfafxbywnl.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\oivphxonzpoctbsthh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\mixtnfyznfgwpzsvlnie.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\byolgztvkdfwqbvzqtpmc.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\fykdujzxixviyfvvi.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\zuidwnffsjjyqzrtijd.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\zuidwnffsjjyqzrtijd.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\mixtnfyznfgwpzsvlnie.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\oivphxonzpoctbsthh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\zuidwnffsjjyqzrtijd.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\zuidwnffsjjyqzrtijd.exe	ziktafl.exe
File opened for modification	C:\Windows\SysWOW64\byolgztvkdfwqbvzqtpmc.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\byolgztvkdfwqbvzqtpmc.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\oivphxonzpoctbsthh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\oivphxonzpoctbsthh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\zuidwnffsjjyqzrtijd.exe	ziktafl.exe
File opened for modification	C:\Windows\SysWOW64\sqhfbvqtjdgytfafxbywnl.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\zuidwnffsjjyqzrtijd.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\byolgztvkdfwqbvzqtpmc.exe	vcmnxryrfmw.exe
File created	C:\Windows\SysWOW64\lqotwxzjghrqslnzyjnsqvyzb.ijt	ziktafl.exe
File opened for modification	C:\Windows\SysWOW64\byolgztvkdfwqbvzqtpmc.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\byolgztvkdfwqbvzqtpmc.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\mixtnfyznfgwpzsvlnie.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\sqhfbvqtjdgytfafxbywnl.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\fykdujzxixviyfvvi.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\mixtnfyznfgwpzsvlnie.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\mixtnfyznfgwpzsvlnie.exe	ziktafl.exe
File opened for modification	C:\Windows\SysWOW64\sqhfbvqtjdgytfafxbywnl.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\zuidwnffsjjyqzrtijd.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\byolgztvkdfwqbvzqtpmc.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\oivphxonzpoctbsthh.exe	vcmnxryrfmw.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\lqotwxzjghrqslnzyjnsqvyzb.ijt	ziktafl.exe
File opened for modification	C:\Program Files (x86)\qgpftfsnvhcmzdqnxtiyhxlxkfnzuervifpl.qzp	ziktafl.exe
File created	C:\Program Files (x86)\qgpftfsnvhcmzdqnxtiyhxlxkfnzuervifpl.qzp	ziktafl.exe
File opened for modification	C:\Program Files (x86)\lqotwxzjghrqslnzyjnsqvyzb.ijt	ziktafl.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\zuidwnffsjjyqzrtijd.exe	ziktafl.exe
File opened for modification	C:\Windows\byolgztvkdfwqbvzqtpmc.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\oivphxonzpoctbsthh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\zuidwnffsjjyqzrtijd.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\sqhfbvqtjdgytfafxbywnl.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\oivphxonzpoctbsthh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\sqhfbvqtjdgytfafxbywnl.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\fykdujzxixviyfvvi.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\yqbtjxmjtheqflaz.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\zuidwnffsjjyqzrtijd.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\oivphxonzpoctbsthh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\mixtnfyznfgwpzsvlnie.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\fykdujzxixviyfvvi.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\oivphxonzpoctbsthh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\zuidwnffsjjyqzrtijd.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\sqhfbvqtjdgytfafxbywnl.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\oivphxonzpoctbsthh.exe	vcmnxryrfmw.exe
File created	C:\Windows\qgpftfsnvhcmzdqnxtiyhxlxkfnzuervifpl.qzp	ziktafl.exe
File opened for modification	C:\Windows\zuidwnffsjjyqzrtijd.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\sqhfbvqtjdgytfafxbywnl.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\byolgztvkdfwqbvzqtpmc.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\fykdujzxixviyfvvi.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\sqhfbvqtjdgytfafxbywnl.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\mixtnfyznfgwpzsvlnie.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\byolgztvkdfwqbvzqtpmc.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\oivphxonzpoctbsthh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\yqbtjxmjtheqflaz.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\mixtnfyznfgwpzsvlnie.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\oivphxonzpoctbsthh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\oivphxonzpoctbsthh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\byolgztvkdfwqbvzqtpmc.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\byolgztvkdfwqbvzqtpmc.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\zuidwnffsjjyqzrtijd.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\yqbtjxmjtheqflaz.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\oivphxonzpoctbsthh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\sqhfbvqtjdgytfafxbywnl.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\yqbtjxmjtheqflaz.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\byolgztvkdfwqbvzqtpmc.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\mixtnfyznfgwpzsvlnie.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\yqbtjxmjtheqflaz.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\yqbtjxmjtheqflaz.exe	vcmnxryrfmw.exe
File created	C:\Windows\lqotwxzjghrqslnzyjnsqvyzb.ijt	ziktafl.exe
File opened for modification	C:\Windows\oivphxonzpoctbsthh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\yqbtjxmjtheqflaz.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\sqhfbvqtjdgytfafxbywnl.exe	ziktafl.exe
File opened for modification	C:\Windows\fykdujzxixviyfvvi.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\zuidwnffsjjyqzrtijd.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\byolgztvkdfwqbvzqtpmc.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\zuidwnffsjjyqzrtijd.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\yqbtjxmjtheqflaz.exe	ziktafl.exe
File opened for modification	C:\Windows\mixtnfyznfgwpzsvlnie.exe	ziktafl.exe
File opened for modification	C:\Windows\lqotwxzjghrqslnzyjnsqvyzb.ijt	ziktafl.exe
File opened for modification	C:\Windows\zuidwnffsjjyqzrtijd.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\mixtnfyznfgwpzsvlnie.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\mixtnfyznfgwpzsvlnie.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\sqhfbvqtjdgytfafxbywnl.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\fykdujzxixviyfvvi.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\sqhfbvqtjdgytfafxbywnl.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\oivphxonzpoctbsthh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\sqhfbvqtjdgytfafxbywnl.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\mixtnfyznfgwpzsvlnie.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\fykdujzxixviyfvvi.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\yqbtjxmjtheqflaz.exe	ziktafl.exe
File opened for modification	C:\Windows\zuidwnffsjjyqzrtijd.exe	vcmnxryrfmw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fykdujzxixviyfvvi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_97a54819f342bcc3d614c86f790743c0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zuidwnffsjjyqzrtijd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zuidwnffsjjyqzrtijd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zuidwnffsjjyqzrtijd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zuidwnffsjjyqzrtijd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zuidwnffsjjyqzrtijd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mixtnfyznfgwpzsvlnie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fykdujzxixviyfvvi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mixtnfyznfgwpzsvlnie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oivphxonzpoctbsthh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fykdujzxixviyfvvi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zuidwnffsjjyqzrtijd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fykdujzxixviyfvvi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fykdujzxixviyfvvi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zuidwnffsjjyqzrtijd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yqbtjxmjtheqflaz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mixtnfyznfgwpzsvlnie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oivphxonzpoctbsthh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oivphxonzpoctbsthh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fykdujzxixviyfvvi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fykdujzxixviyfvvi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oivphxonzpoctbsthh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fykdujzxixviyfvvi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zuidwnffsjjyqzrtijd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byolgztvkdfwqbvzqtpmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oivphxonzpoctbsthh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mixtnfyznfgwpzsvlnie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oivphxonzpoctbsthh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fykdujzxixviyfvvi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fykdujzxixviyfvvi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zuidwnffsjjyqzrtijd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oivphxonzpoctbsthh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yqbtjxmjtheqflaz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oivphxonzpoctbsthh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fykdujzxixviyfvvi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byolgztvkdfwqbvzqtpmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mixtnfyznfgwpzsvlnie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fykdujzxixviyfvvi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yqbtjxmjtheqflaz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yqbtjxmjtheqflaz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yqbtjxmjtheqflaz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zuidwnffsjjyqzrtijd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fykdujzxixviyfvvi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zuidwnffsjjyqzrtijd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oivphxonzpoctbsthh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yqbtjxmjtheqflaz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byolgztvkdfwqbvzqtpmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mixtnfyznfgwpzsvlnie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mixtnfyznfgwpzsvlnie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oivphxonzpoctbsthh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byolgztvkdfwqbvzqtpmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mixtnfyznfgwpzsvlnie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mixtnfyznfgwpzsvlnie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oivphxonzpoctbsthh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byolgztvkdfwqbvzqtpmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mixtnfyznfgwpzsvlnie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zuidwnffsjjyqzrtijd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oivphxonzpoctbsthh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oivphxonzpoctbsthh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byolgztvkdfwqbvzqtpmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mixtnfyznfgwpzsvlnie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oivphxonzpoctbsthh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fykdujzxixviyfvvi.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1484	JaffaCakes118_97a54819f342bcc3d614c86f790743c0.exe
1484	JaffaCakes118_97a54819f342bcc3d614c86f790743c0.exe
1484	JaffaCakes118_97a54819f342bcc3d614c86f790743c0.exe
1484	JaffaCakes118_97a54819f342bcc3d614c86f790743c0.exe
1484	JaffaCakes118_97a54819f342bcc3d614c86f790743c0.exe
1484	JaffaCakes118_97a54819f342bcc3d614c86f790743c0.exe
1484	JaffaCakes118_97a54819f342bcc3d614c86f790743c0.exe
1484	JaffaCakes118_97a54819f342bcc3d614c86f790743c0.exe
1484	JaffaCakes118_97a54819f342bcc3d614c86f790743c0.exe
1484	JaffaCakes118_97a54819f342bcc3d614c86f790743c0.exe
1484	JaffaCakes118_97a54819f342bcc3d614c86f790743c0.exe
1484	JaffaCakes118_97a54819f342bcc3d614c86f790743c0.exe
1484	JaffaCakes118_97a54819f342bcc3d614c86f790743c0.exe
1484	JaffaCakes118_97a54819f342bcc3d614c86f790743c0.exe
1484	JaffaCakes118_97a54819f342bcc3d614c86f790743c0.exe
1484	JaffaCakes118_97a54819f342bcc3d614c86f790743c0.exe
3944	ziktafl.exe
3944	ziktafl.exe
1484	JaffaCakes118_97a54819f342bcc3d614c86f790743c0.exe
1484	JaffaCakes118_97a54819f342bcc3d614c86f790743c0.exe
1484	JaffaCakes118_97a54819f342bcc3d614c86f790743c0.exe
1484	JaffaCakes118_97a54819f342bcc3d614c86f790743c0.exe
1484	JaffaCakes118_97a54819f342bcc3d614c86f790743c0.exe
1484	JaffaCakes118_97a54819f342bcc3d614c86f790743c0.exe
1484	JaffaCakes118_97a54819f342bcc3d614c86f790743c0.exe
1484	JaffaCakes118_97a54819f342bcc3d614c86f790743c0.exe
1484	JaffaCakes118_97a54819f342bcc3d614c86f790743c0.exe
1484	JaffaCakes118_97a54819f342bcc3d614c86f790743c0.exe
1484	JaffaCakes118_97a54819f342bcc3d614c86f790743c0.exe
1484	JaffaCakes118_97a54819f342bcc3d614c86f790743c0.exe
1484	JaffaCakes118_97a54819f342bcc3d614c86f790743c0.exe
1484	JaffaCakes118_97a54819f342bcc3d614c86f790743c0.exe
1484	JaffaCakes118_97a54819f342bcc3d614c86f790743c0.exe
1484	JaffaCakes118_97a54819f342bcc3d614c86f790743c0.exe
1484	JaffaCakes118_97a54819f342bcc3d614c86f790743c0.exe
1484	JaffaCakes118_97a54819f342bcc3d614c86f790743c0.exe
1484	JaffaCakes118_97a54819f342bcc3d614c86f790743c0.exe
1484	JaffaCakes118_97a54819f342bcc3d614c86f790743c0.exe
1484	JaffaCakes118_97a54819f342bcc3d614c86f790743c0.exe
1484	JaffaCakes118_97a54819f342bcc3d614c86f790743c0.exe
1484	JaffaCakes118_97a54819f342bcc3d614c86f790743c0.exe
1484	JaffaCakes118_97a54819f342bcc3d614c86f790743c0.exe
1484	JaffaCakes118_97a54819f342bcc3d614c86f790743c0.exe
1484	JaffaCakes118_97a54819f342bcc3d614c86f790743c0.exe
1484	JaffaCakes118_97a54819f342bcc3d614c86f790743c0.exe
1484	JaffaCakes118_97a54819f342bcc3d614c86f790743c0.exe
1484	JaffaCakes118_97a54819f342bcc3d614c86f790743c0.exe
1484	JaffaCakes118_97a54819f342bcc3d614c86f790743c0.exe
1484	JaffaCakes118_97a54819f342bcc3d614c86f790743c0.exe
1484	JaffaCakes118_97a54819f342bcc3d614c86f790743c0.exe
1484	JaffaCakes118_97a54819f342bcc3d614c86f790743c0.exe
1484	JaffaCakes118_97a54819f342bcc3d614c86f790743c0.exe
1484	JaffaCakes118_97a54819f342bcc3d614c86f790743c0.exe
1484	JaffaCakes118_97a54819f342bcc3d614c86f790743c0.exe
1484	JaffaCakes118_97a54819f342bcc3d614c86f790743c0.exe
1484	JaffaCakes118_97a54819f342bcc3d614c86f790743c0.exe
1484	JaffaCakes118_97a54819f342bcc3d614c86f790743c0.exe
1484	JaffaCakes118_97a54819f342bcc3d614c86f790743c0.exe
1484	JaffaCakes118_97a54819f342bcc3d614c86f790743c0.exe
1484	JaffaCakes118_97a54819f342bcc3d614c86f790743c0.exe
1484	JaffaCakes118_97a54819f342bcc3d614c86f790743c0.exe
1484	JaffaCakes118_97a54819f342bcc3d614c86f790743c0.exe
3944	ziktafl.exe
3944	ziktafl.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3944	ziktafl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1484 wrote to memory of 5792	1484	JaffaCakes118_97a54819f342bcc3d614c86f790743c0.exe	89
PID 1484 wrote to memory of 5792	1484	JaffaCakes118_97a54819f342bcc3d614c86f790743c0.exe	89
PID 1484 wrote to memory of 5792	1484	JaffaCakes118_97a54819f342bcc3d614c86f790743c0.exe	89
PID 4720 wrote to memory of 3624	4720	cmd.exe	94
PID 4720 wrote to memory of 3624	4720	cmd.exe	94
PID 4720 wrote to memory of 3624	4720	cmd.exe	94
PID 824 wrote to memory of 3620	824	cmd.exe	97
PID 824 wrote to memory of 3620	824	cmd.exe	97
PID 824 wrote to memory of 3620	824	cmd.exe	97
PID 3620 wrote to memory of 5036	3620	mixtnfyznfgwpzsvlnie.exe	102
PID 3620 wrote to memory of 5036	3620	mixtnfyznfgwpzsvlnie.exe	102
PID 3620 wrote to memory of 5036	3620	mixtnfyznfgwpzsvlnie.exe	102
PID 2648 wrote to memory of 4880	2648	cmd.exe	103
PID 2648 wrote to memory of 4880	2648	cmd.exe	103
PID 2648 wrote to memory of 4880	2648	cmd.exe	103
PID 5016 wrote to memory of 1104	5016	cmd.exe	106
PID 5016 wrote to memory of 1104	5016	cmd.exe	106
PID 5016 wrote to memory of 1104	5016	cmd.exe	106
PID 3536 wrote to memory of 4632	3536	cmd.exe	109
PID 3536 wrote to memory of 4632	3536	cmd.exe	109
PID 3536 wrote to memory of 4632	3536	cmd.exe	109
PID 1104 wrote to memory of 1672	1104	byolgztvkdfwqbvzqtpmc.exe	111
PID 1104 wrote to memory of 1672	1104	byolgztvkdfwqbvzqtpmc.exe	111
PID 1104 wrote to memory of 1672	1104	byolgztvkdfwqbvzqtpmc.exe	111
PID 6064 wrote to memory of 2108	6064	cmd.exe	113
PID 6064 wrote to memory of 2108	6064	cmd.exe	113
PID 6064 wrote to memory of 2108	6064	cmd.exe	113
PID 2108 wrote to memory of 1328	2108	mixtnfyznfgwpzsvlnie.exe	179
PID 2108 wrote to memory of 1328	2108	mixtnfyznfgwpzsvlnie.exe	179
PID 2108 wrote to memory of 1328	2108	mixtnfyznfgwpzsvlnie.exe	179
PID 912 wrote to memory of 1476	912	cmd.exe	119
PID 912 wrote to memory of 1476	912	cmd.exe	119
PID 912 wrote to memory of 1476	912	cmd.exe	119
PID 4284 wrote to memory of 5460	4284	cmd.exe	120
PID 4284 wrote to memory of 5460	4284	cmd.exe	120
PID 4284 wrote to memory of 5460	4284	cmd.exe	120
PID 5460 wrote to memory of 1408	5460	zuidwnffsjjyqzrtijd.exe	271
PID 5460 wrote to memory of 1408	5460	zuidwnffsjjyqzrtijd.exe	271
PID 5460 wrote to memory of 1408	5460	zuidwnffsjjyqzrtijd.exe	271
PID 5792 wrote to memory of 3944	5792	vcmnxryrfmw.exe	122
PID 5792 wrote to memory of 3944	5792	vcmnxryrfmw.exe	122
PID 5792 wrote to memory of 3944	5792	vcmnxryrfmw.exe	122
PID 5792 wrote to memory of 2800	5792	vcmnxryrfmw.exe	123
PID 5792 wrote to memory of 2800	5792	vcmnxryrfmw.exe	123
PID 5792 wrote to memory of 2800	5792	vcmnxryrfmw.exe	123
PID 1588 wrote to memory of 5312	1588	cmd.exe	129
PID 1588 wrote to memory of 5312	1588	cmd.exe	129
PID 1588 wrote to memory of 5312	1588	cmd.exe	129
PID 6032 wrote to memory of 2816	6032	cmd.exe	282
PID 6032 wrote to memory of 2816	6032	cmd.exe	282
PID 6032 wrote to memory of 2816	6032	cmd.exe	282
PID 4512 wrote to memory of 5552	4512	cmd.exe	139
PID 4512 wrote to memory of 5552	4512	cmd.exe	139
PID 4512 wrote to memory of 5552	4512	cmd.exe	139
PID 3132 wrote to memory of 5956	3132	cmd.exe	152
PID 3132 wrote to memory of 5956	3132	cmd.exe	152
PID 3132 wrote to memory of 5956	3132	cmd.exe	152
PID 5552 wrote to memory of 2780	5552	zuidwnffsjjyqzrtijd.exe	153
PID 5552 wrote to memory of 2780	5552	zuidwnffsjjyqzrtijd.exe	153
PID 5552 wrote to memory of 2780	5552	zuidwnffsjjyqzrtijd.exe	153
PID 3372 wrote to memory of 5388	3372	cmd.exe	154
PID 3372 wrote to memory of 5388	3372	cmd.exe	154
PID 3372 wrote to memory of 5388	3372	cmd.exe	154
PID 1412 wrote to memory of 1544	1412	cmd.exe	155

System policy modification 1 TTPs 64 IoCs

defense_evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	ziktafl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	ziktafl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	ziktafl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ziktafl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ziktafl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ziktafl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ziktafl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ziktafl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	ziktafl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	ziktafl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ziktafl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ziktafl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	ziktafl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	ziktafl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	ziktafl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ziktafl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	ziktafl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ziktafl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ziktafl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ziktafl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ziktafl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	ziktafl.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_97a54819f342bcc3d614c86f790743c0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_97a54819f342bcc3d614c86f790743c0.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1484
- C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
  "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_97a54819f342bcc3d614c86f790743c0.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Hijack Execution Flow: Executable Installer File Permissions Weakness
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:5792
- - C:\Users\Admin\AppData\Local\Temp\ziktafl.exe
    "C:\Users\Admin\AppData\Local\Temp\ziktafl.exe" "-C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:3944
- - C:\Users\Admin\AppData\Local\Temp\ziktafl.exe
    "C:\Users\Admin\AppData\Local\Temp\ziktafl.exe" "-C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zuidwnffsjjyqzrtijd.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4720
- C:\Windows\zuidwnffsjjyqzrtijd.exe
  zuidwnffsjjyqzrtijd.exe
  2⤵
  - Executes dropped EXE
  PID:3624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mixtnfyznfgwpzsvlnie.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:824
- C:\Windows\mixtnfyznfgwpzsvlnie.exe
  mixtnfyznfgwpzsvlnie.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3620
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\mixtnfyznfgwpzsvlnie.exe*."
    3⤵
    - Executes dropped EXE
    PID:5036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fykdujzxixviyfvvi.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Windows\fykdujzxixviyfvvi.exe
  fykdujzxixviyfvvi.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c byolgztvkdfwqbvzqtpmc.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:5016
- C:\Windows\byolgztvkdfwqbvzqtpmc.exe
  byolgztvkdfwqbvzqtpmc.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1104
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\byolgztvkdfwqbvzqtpmc.exe*."
    3⤵
    - Executes dropped EXE
    PID:1672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3536
- C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:6064
- C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe
  C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\mixtnfyznfgwpzsvlnie.exe*."
    3⤵
    - Executes dropped EXE
    PID:1328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:912
- C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
  C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:4284
- C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
  C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5460
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\zuidwnffsjjyqzrtijd.exe*."
    3⤵
    - Executes dropped EXE
    PID:1408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mixtnfyznfgwpzsvlnie.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1588
- C:\Windows\mixtnfyznfgwpzsvlnie.exe
  mixtnfyznfgwpzsvlnie.exe
  2⤵
  - Executes dropped EXE
  PID:5312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oivphxonzpoctbsthh.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:6032
- C:\Windows\oivphxonzpoctbsthh.exe
  oivphxonzpoctbsthh.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zuidwnffsjjyqzrtijd.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:4512
- C:\Windows\zuidwnffsjjyqzrtijd.exe
  zuidwnffsjjyqzrtijd.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5552
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\zuidwnffsjjyqzrtijd.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqbtjxmjtheqflaz.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:3132
- C:\Windows\yqbtjxmjtheqflaz.exe
  yqbtjxmjtheqflaz.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5956
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\yqbtjxmjtheqflaz.exe*."
    3⤵
    - Executes dropped EXE
    PID:4960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mixtnfyznfgwpzsvlnie.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3372
- C:\Windows\mixtnfyznfgwpzsvlnie.exe
  mixtnfyznfgwpzsvlnie.exe
  2⤵
  - Executes dropped EXE
  PID:5388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqbtjxmjtheqflaz.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1412
- C:\Windows\yqbtjxmjtheqflaz.exe
  yqbtjxmjtheqflaz.exe
  2⤵
  - Executes dropped EXE
  PID:1544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zuidwnffsjjyqzrtijd.exe .
1⤵
PID:3940
- C:\Windows\zuidwnffsjjyqzrtijd.exe
  zuidwnffsjjyqzrtijd.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5076
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\zuidwnffsjjyqzrtijd.exe*."
    3⤵
    - Executes dropped EXE
    PID:4312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c byolgztvkdfwqbvzqtpmc.exe .
1⤵
PID:4820
- C:\Windows\byolgztvkdfwqbvzqtpmc.exe
  byolgztvkdfwqbvzqtpmc.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3672
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\byolgztvkdfwqbvzqtpmc.exe*."
    3⤵
    - Executes dropped EXE
    PID:3440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
1⤵
PID:2872
- C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
  C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
  2⤵
  - Executes dropped EXE
  PID:5036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe
1⤵
PID:2616
- C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe
  2⤵
  - Executes dropped EXE
  PID:4876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe .
1⤵
PID:3964
- C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5004
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\yqbtjxmjtheqflaz.exe*."
    3⤵
    - Executes dropped EXE
    PID:1860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe .
1⤵
PID:5684
- C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:1920
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\fykdujzxixviyfvvi.exe*."
    3⤵
    - Executes dropped EXE
    PID:5740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe
1⤵
PID:3656
- C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe
  2⤵
  - Executes dropped EXE
  PID:1660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe
1⤵
PID:3664
- C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe
  C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe
  2⤵
  - Executes dropped EXE
  PID:4992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe .
1⤵
PID:4468
- C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe
  C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:5348
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\mixtnfyznfgwpzsvlnie.exe*."
    3⤵
    - Executes dropped EXE
    PID:5184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe .
1⤵
PID:4456
- C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3412
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\oivphxonzpoctbsthh.exe*."
    3⤵
    - Executes dropped EXE
    PID:6072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oivphxonzpoctbsthh.exe
1⤵
PID:3436
- C:\Windows\oivphxonzpoctbsthh.exe
  oivphxonzpoctbsthh.exe
  2⤵
  - Executes dropped EXE
  PID:5672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqbtjxmjtheqflaz.exe .
1⤵
PID:3696
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1328
- C:\Windows\yqbtjxmjtheqflaz.exe
  yqbtjxmjtheqflaz.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:776
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\yqbtjxmjtheqflaz.exe*."
    3⤵
    - Executes dropped EXE
    PID:6012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mixtnfyznfgwpzsvlnie.exe
1⤵
PID:2912
- C:\Windows\mixtnfyznfgwpzsvlnie.exe
  mixtnfyznfgwpzsvlnie.exe
  2⤵
  - Executes dropped EXE
  PID:4684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zuidwnffsjjyqzrtijd.exe .
1⤵
PID:2328
- C:\Windows\zuidwnffsjjyqzrtijd.exe
  zuidwnffsjjyqzrtijd.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3908
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\zuidwnffsjjyqzrtijd.exe*."
    3⤵
    - Executes dropped EXE
    PID:4972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe
1⤵
PID:1956
- C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe
  2⤵
  - Executes dropped EXE
  PID:3660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe .
1⤵
PID:4316
- C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe .
  2⤵
  - Executes dropped EXE
  PID:2952
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\oivphxonzpoctbsthh.exe*."
    3⤵
    - Executes dropped EXE
    PID:3684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe
1⤵
PID:2748
- C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe
  C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe
  2⤵
  - Executes dropped EXE
  PID:2844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe .
1⤵
PID:4860
- C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe
  C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe .
  2⤵
  - Executes dropped EXE
  PID:6024
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\mixtnfyznfgwpzsvlnie.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c byolgztvkdfwqbvzqtpmc.exe
1⤵
PID:4944
- C:\Windows\byolgztvkdfwqbvzqtpmc.exe
  byolgztvkdfwqbvzqtpmc.exe
  2⤵
  - Executes dropped EXE
  PID:4032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zuidwnffsjjyqzrtijd.exe .
1⤵
PID:1648
- C:\Windows\zuidwnffsjjyqzrtijd.exe
  zuidwnffsjjyqzrtijd.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4848
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\zuidwnffsjjyqzrtijd.exe*."
    3⤵
    - Executes dropped EXE
    PID:1184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fykdujzxixviyfvvi.exe
1⤵
PID:2364
- C:\Windows\fykdujzxixviyfvvi.exe
  fykdujzxixviyfvvi.exe
  2⤵
  - Executes dropped EXE
  PID:2212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqbtjxmjtheqflaz.exe
1⤵
PID:2388
- C:\Windows\yqbtjxmjtheqflaz.exe
  yqbtjxmjtheqflaz.exe
  2⤵
  - Executes dropped EXE
  PID:1856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oivphxonzpoctbsthh.exe .
1⤵
PID:5384
- C:\Windows\oivphxonzpoctbsthh.exe
  oivphxonzpoctbsthh.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2560
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\oivphxonzpoctbsthh.exe*."
    3⤵
    - Executes dropped EXE
    PID:436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mixtnfyznfgwpzsvlnie.exe .
1⤵
PID:3320
- C:\Windows\mixtnfyznfgwpzsvlnie.exe
  mixtnfyznfgwpzsvlnie.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:680
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\mixtnfyznfgwpzsvlnie.exe*."
    3⤵
    - Executes dropped EXE
    PID:3708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c byolgztvkdfwqbvzqtpmc.exe
1⤵
PID:2976
- C:\Windows\byolgztvkdfwqbvzqtpmc.exe
  byolgztvkdfwqbvzqtpmc.exe
  2⤵
  - Executes dropped EXE
  PID:5116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mixtnfyznfgwpzsvlnie.exe .
1⤵
PID:628
- C:\Windows\mixtnfyznfgwpzsvlnie.exe
  mixtnfyznfgwpzsvlnie.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5900
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\mixtnfyznfgwpzsvlnie.exe*."
    3⤵
    PID:4028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zuidwnffsjjyqzrtijd.exe
1⤵
PID:5608
- C:\Windows\zuidwnffsjjyqzrtijd.exe
  zuidwnffsjjyqzrtijd.exe
  2⤵
  - Executes dropped EXE
  PID:3584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fykdujzxixviyfvvi.exe
1⤵
PID:3796
- C:\Windows\fykdujzxixviyfvvi.exe
  fykdujzxixviyfvvi.exe
  2⤵
  PID:3460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe
1⤵
PID:1332
- C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe
  2⤵
  - Executes dropped EXE
  PID:3312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oivphxonzpoctbsthh.exe .
1⤵
PID:4672
- C:\Windows\oivphxonzpoctbsthh.exe
  oivphxonzpoctbsthh.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1504
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\oivphxonzpoctbsthh.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mixtnfyznfgwpzsvlnie.exe .
1⤵
PID:2684
- C:\Windows\mixtnfyznfgwpzsvlnie.exe
  mixtnfyznfgwpzsvlnie.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4680
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\mixtnfyznfgwpzsvlnie.exe*."
    3⤵
    PID:5056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe .
1⤵
PID:4488
- C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe .
  2⤵
  PID:3228
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\fykdujzxixviyfvvi.exe*."
    3⤵
    PID:1916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
1⤵
PID:3828
- C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
  2⤵
  PID:4044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe
1⤵
PID:3472
- C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe
  2⤵
  PID:1868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe .
1⤵
PID:2744
- C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe .
  2⤵
  - Checks computer location settings
  PID:1872
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\oivphxonzpoctbsthh.exe*."
    3⤵
    PID:5660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe .
1⤵
PID:5508
- C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3280
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\fykdujzxixviyfvvi.exe*."
    3⤵
    PID:5884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
1⤵
PID:4360
- C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
  2⤵
  PID:2816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe .
1⤵
PID:1672
- C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5728
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\fykdujzxixviyfvvi.exe*."
    3⤵
    PID:3996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
1⤵
PID:4796
- C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
  C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
  2⤵
  PID:3464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe
1⤵
PID:4744
- C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe
  C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe
  2⤵
  PID:3852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe .
1⤵
PID:1408
- C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5788
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\oivphxonzpoctbsthh.exe*."
    3⤵
    PID:3568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe .
1⤵
PID:6012
- C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4720
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\oivphxonzpoctbsthh.exe*."
    3⤵
    PID:3180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oivphxonzpoctbsthh.exe
1⤵
PID:3368
- C:\Windows\oivphxonzpoctbsthh.exe
  oivphxonzpoctbsthh.exe
  2⤵
  PID:5104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fykdujzxixviyfvvi.exe .
1⤵
PID:1880
- C:\Windows\fykdujzxixviyfvvi.exe
  fykdujzxixviyfvvi.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1184
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\fykdujzxixviyfvvi.exe*."
    3⤵
    PID:3200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mixtnfyznfgwpzsvlnie.exe
1⤵
PID:3104
- C:\Windows\mixtnfyznfgwpzsvlnie.exe
  mixtnfyznfgwpzsvlnie.exe
  2⤵
  PID:4364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqbtjxmjtheqflaz.exe .
1⤵
PID:4452
- C:\Windows\yqbtjxmjtheqflaz.exe
  yqbtjxmjtheqflaz.exe .
  2⤵
  - Checks computer location settings
  PID:4784
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\yqbtjxmjtheqflaz.exe*."
    3⤵
    PID:5048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe
1⤵
PID:5768
- C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe
  C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe
  2⤵
  PID:532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe .
1⤵
PID:2580
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3312
- C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe
  C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3700
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\mixtnfyznfgwpzsvlnie.exe*."
    3⤵
    PID:2912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
1⤵
PID:4864
- C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
  C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
  2⤵
  PID:3192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe .
1⤵
PID:2620
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5740
- C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe
  C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4344
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\mixtnfyznfgwpzsvlnie.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:6140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fykdujzxixviyfvvi.exe
1⤵
PID:1180
- C:\Windows\fykdujzxixviyfvvi.exe
  fykdujzxixviyfvvi.exe
  2⤵
  PID:2816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oivphxonzpoctbsthh.exe .
1⤵
PID:6116
- C:\Windows\oivphxonzpoctbsthh.exe
  oivphxonzpoctbsthh.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5552
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\oivphxonzpoctbsthh.exe*."
    3⤵
    PID:1676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oivphxonzpoctbsthh.exe
1⤵
PID:2844
- C:\Windows\oivphxonzpoctbsthh.exe
  oivphxonzpoctbsthh.exe
  2⤵
  PID:3820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fykdujzxixviyfvvi.exe .
1⤵
PID:3472
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3464
- C:\Windows\fykdujzxixviyfvvi.exe
  fykdujzxixviyfvvi.exe .
  2⤵
  - Checks computer location settings
  PID:2328
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\fykdujzxixviyfvvi.exe*."
    3⤵
    PID:3172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe
1⤵
PID:5664
- C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe
  C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe
  2⤵
  PID:3056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe .
1⤵
PID:4684
- C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
  C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe .
  2⤵
  - Checks computer location settings
  PID:4752
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\zuidwnffsjjyqzrtijd.exe*."
    3⤵
    PID:2392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe
1⤵
PID:5504
- C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe
  C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe
  2⤵
  PID:5924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe .
1⤵
PID:2748
- C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1336
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\oivphxonzpoctbsthh.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqbtjxmjtheqflaz.exe
1⤵
PID:4588
- C:\Windows\yqbtjxmjtheqflaz.exe
  yqbtjxmjtheqflaz.exe
  2⤵
  PID:996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oivphxonzpoctbsthh.exe .
1⤵
PID:6068
- C:\Windows\oivphxonzpoctbsthh.exe
  oivphxonzpoctbsthh.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3372
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\oivphxonzpoctbsthh.exe*."
    3⤵
    PID:4612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fykdujzxixviyfvvi.exe
1⤵
PID:3624
- C:\Windows\fykdujzxixviyfvvi.exe
  fykdujzxixviyfvvi.exe
  2⤵
  PID:5616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oivphxonzpoctbsthh.exe .
1⤵
PID:2420
- C:\Windows\oivphxonzpoctbsthh.exe
  oivphxonzpoctbsthh.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4520
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\oivphxonzpoctbsthh.exe*."
    3⤵
    PID:748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
1⤵
PID:5872
- C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
  2⤵
  PID:3408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe .
1⤵
PID:2756
- C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4412
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\fykdujzxixviyfvvi.exe*."
    3⤵
    PID:2736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe
1⤵
PID:5800
- C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe
  2⤵
  PID:3128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe .
1⤵
PID:1988
- C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
  C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe .
  2⤵
  - Checks computer location settings
  PID:4364
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\zuidwnffsjjyqzrtijd.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mixtnfyznfgwpzsvlnie.exe
1⤵
PID:4368
- C:\Windows\mixtnfyznfgwpzsvlnie.exe
  mixtnfyznfgwpzsvlnie.exe
  2⤵
  PID:3708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zuidwnffsjjyqzrtijd.exe .
1⤵
PID:4784
- C:\Windows\zuidwnffsjjyqzrtijd.exe
  zuidwnffsjjyqzrtijd.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4696
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\zuidwnffsjjyqzrtijd.exe*."
    3⤵
    PID:1772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zuidwnffsjjyqzrtijd.exe
1⤵
PID:1068
- C:\Windows\zuidwnffsjjyqzrtijd.exe
  zuidwnffsjjyqzrtijd.exe
  2⤵
  PID:2580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fykdujzxixviyfvvi.exe .
1⤵
PID:1520
- C:\Windows\fykdujzxixviyfvvi.exe
  fykdujzxixviyfvvi.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2980
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\fykdujzxixviyfvvi.exe*."
    3⤵
    PID:4044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe
1⤵
PID:4748
- C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe
  2⤵
  PID:4356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe .
1⤵
PID:5480
- C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
  C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2056
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\zuidwnffsjjyqzrtijd.exe*."
    3⤵
    PID:3696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe
1⤵
PID:1312
- C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe
  2⤵
  PID:4316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe .
1⤵
PID:4832
- C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
  C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2952
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\zuidwnffsjjyqzrtijd.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mixtnfyznfgwpzsvlnie.exe
1⤵
PID:1104
- C:\Windows\mixtnfyznfgwpzsvlnie.exe
  mixtnfyznfgwpzsvlnie.exe
  2⤵
  PID:400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oivphxonzpoctbsthh.exe .
1⤵
PID:6080
- C:\Windows\oivphxonzpoctbsthh.exe
  oivphxonzpoctbsthh.exe .
  2⤵
  - Checks computer location settings
  PID:4312
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\oivphxonzpoctbsthh.exe*."
    3⤵
    PID:2728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fykdujzxixviyfvvi.exe
1⤵
PID:3120
- C:\Windows\fykdujzxixviyfvvi.exe
  fykdujzxixviyfvvi.exe
  2⤵
  PID:4280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqbtjxmjtheqflaz.exe .
1⤵
PID:3716
- C:\Windows\yqbtjxmjtheqflaz.exe
  yqbtjxmjtheqflaz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:904
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\yqbtjxmjtheqflaz.exe*."
    3⤵
    PID:4708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe
1⤵
PID:1304
- C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe
  2⤵
  PID:2256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe .
1⤵
PID:6140
- C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe .
  2⤵
  PID:4172
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\yqbtjxmjtheqflaz.exe*."
    3⤵
    PID:4544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
1⤵
PID:4840
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:776
- C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
  2⤵
  PID:5560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe .
1⤵
PID:3280
- C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3180
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\fykdujzxixviyfvvi.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zuidwnffsjjyqzrtijd.exe
1⤵
PID:4964
- C:\Windows\zuidwnffsjjyqzrtijd.exe
  zuidwnffsjjyqzrtijd.exe
  2⤵
  PID:4108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fykdujzxixviyfvvi.exe .
1⤵
PID:5328
- C:\Windows\fykdujzxixviyfvvi.exe
  fykdujzxixviyfvvi.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5872
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\fykdujzxixviyfvvi.exe*."
    3⤵
    PID:4628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqbtjxmjtheqflaz.exe
1⤵
PID:5364
- C:\Windows\yqbtjxmjtheqflaz.exe
  yqbtjxmjtheqflaz.exe
  2⤵
  PID:4412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mixtnfyznfgwpzsvlnie.exe .
1⤵
PID:5124
- C:\Windows\mixtnfyznfgwpzsvlnie.exe
  mixtnfyznfgwpzsvlnie.exe .
  2⤵
  - Checks computer location settings
  PID:1692
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\mixtnfyznfgwpzsvlnie.exe*."
    3⤵
    PID:3200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe
1⤵
PID:3368
- C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe
  C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe
  2⤵
  PID:6064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe .
1⤵
PID:5784
- C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe .
  2⤵
  - Checks computer location settings
  PID:5236
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\oivphxonzpoctbsthh.exe*."
    3⤵
    PID:5392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fykdujzxixviyfvvi.exe
1⤵
PID:5520
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:532
- C:\Windows\fykdujzxixviyfvvi.exe
  fykdujzxixviyfvvi.exe
  2⤵
  PID:4472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fykdujzxixviyfvvi.exe
1⤵
PID:5384
- C:\Windows\fykdujzxixviyfvvi.exe
  fykdujzxixviyfvvi.exe
  2⤵
  PID:672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe
1⤵
PID:4384
- C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe
  2⤵
  PID:2956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c byolgztvkdfwqbvzqtpmc.exe .
1⤵
PID:436
- C:\Windows\byolgztvkdfwqbvzqtpmc.exe
  byolgztvkdfwqbvzqtpmc.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4044
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\byolgztvkdfwqbvzqtpmc.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqbtjxmjtheqflaz.exe .
1⤵
PID:4784
- C:\Windows\yqbtjxmjtheqflaz.exe
  yqbtjxmjtheqflaz.exe .
  2⤵
  PID:2836
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\yqbtjxmjtheqflaz.exe*."
    3⤵
    PID:1872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe .
1⤵
PID:2580
- C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe .
  2⤵
  - Checks computer location settings
  PID:604
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\yqbtjxmjtheqflaz.exe*."
    3⤵
    PID:5660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c byolgztvkdfwqbvzqtpmc.exe
1⤵
PID:3204
- C:\Windows\byolgztvkdfwqbvzqtpmc.exe
  byolgztvkdfwqbvzqtpmc.exe
  2⤵
  PID:2448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zuidwnffsjjyqzrtijd.exe
1⤵
PID:4748
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4344
- C:\Windows\zuidwnffsjjyqzrtijd.exe
  zuidwnffsjjyqzrtijd.exe
  2⤵
  PID:5664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c byolgztvkdfwqbvzqtpmc.exe .
1⤵
PID:5516
- C:\Windows\byolgztvkdfwqbvzqtpmc.exe
  byolgztvkdfwqbvzqtpmc.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:772
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\byolgztvkdfwqbvzqtpmc.exe*."
    3⤵
    PID:5744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fykdujzxixviyfvvi.exe .
1⤵
PID:5060
- C:\Windows\fykdujzxixviyfvvi.exe
  fykdujzxixviyfvvi.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:6080
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\fykdujzxixviyfvvi.exe*."
    3⤵
    PID:2468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
1⤵
PID:2092
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3852
- C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
  2⤵
  PID:4504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe
1⤵
PID:5304
- C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe
  C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe
  2⤵
  PID:6132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe .
1⤵
PID:2120
- C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe
  C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2064
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\mixtnfyznfgwpzsvlnie.exe*."
    3⤵
    PID:3528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe .
1⤵
PID:1972
- C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe
  C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe .
  2⤵
  - Checks computer location settings
  PID:1304
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\mixtnfyznfgwpzsvlnie.exe*."
    3⤵
    PID:1544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
1⤵
PID:2728
- C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
  C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
  2⤵
  PID:1860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
1⤵
PID:2216
- C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
  C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
  2⤵
  PID:4588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe .
1⤵
PID:2256
- C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
  C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2224
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\zuidwnffsjjyqzrtijd.exe*."
    3⤵
    PID:4412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe .
1⤵
PID:4820
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5728
- C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3412
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\fykdujzxixviyfvvi.exe*."
    3⤵
    PID:4128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oivphxonzpoctbsthh.exe
1⤵
PID:5536
- C:\Windows\oivphxonzpoctbsthh.exe
  oivphxonzpoctbsthh.exe
  2⤵
  PID:3368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mixtnfyznfgwpzsvlnie.exe .
1⤵
PID:5316
- C:\Windows\mixtnfyznfgwpzsvlnie.exe
  mixtnfyznfgwpzsvlnie.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5104
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\mixtnfyznfgwpzsvlnie.exe*."
    3⤵
    PID:5508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fykdujzxixviyfvvi.exe
1⤵
PID:5036
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5872
- C:\Windows\fykdujzxixviyfvvi.exe
  fykdujzxixviyfvvi.exe
  2⤵
  PID:4548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mixtnfyznfgwpzsvlnie.exe .
1⤵
PID:5812
- C:\Windows\mixtnfyznfgwpzsvlnie.exe
  mixtnfyznfgwpzsvlnie.exe .
  2⤵
  PID:5088
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\mixtnfyznfgwpzsvlnie.exe*."
    3⤵
    PID:4468

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv ig8p1qieu0mktYRK6g9lhw.0.2
1⤵
- Blocklisted process makes network request
PID:1692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe
1⤵
PID:3200
- C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe
  2⤵
  PID:3700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe .
1⤵
PID:5112
- C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe
  C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2308
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\byolgztvkdfwqbvzqtpmc.exe*."
    3⤵
    PID:4364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe
1⤵
PID:3436
- C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe
  2⤵
  PID:1140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe .
1⤵
PID:1332
- C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe
  C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe .
  2⤵
  - Checks computer location settings
  PID:3732
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\byolgztvkdfwqbvzqtpmc.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mixtnfyznfgwpzsvlnie.exe
1⤵
PID:1232
- C:\Windows\mixtnfyznfgwpzsvlnie.exe
  mixtnfyznfgwpzsvlnie.exe
  2⤵
  PID:3056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqbtjxmjtheqflaz.exe .
1⤵
PID:2484
- C:\Windows\yqbtjxmjtheqflaz.exe
  yqbtjxmjtheqflaz.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5660
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\yqbtjxmjtheqflaz.exe*."
    3⤵
    PID:3036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oivphxonzpoctbsthh.exe
1⤵
PID:4916
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4280
- C:\Windows\oivphxonzpoctbsthh.exe
  oivphxonzpoctbsthh.exe
  2⤵
  PID:5340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zuidwnffsjjyqzrtijd.exe .
1⤵
PID:5076
- C:\Windows\zuidwnffsjjyqzrtijd.exe
  zuidwnffsjjyqzrtijd.exe .
  2⤵
  PID:3696
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\zuidwnffsjjyqzrtijd.exe*."
    3⤵
    PID:1124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
1⤵
PID:3544
- C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
  2⤵
  PID:4976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe .
1⤵
PID:5788
- C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe
  C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe .
  2⤵
  - Checks computer location settings
  PID:3144
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\mixtnfyznfgwpzsvlnie.exe*."
    3⤵
    PID:5848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe
1⤵
PID:5056
- C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe
  2⤵
  PID:1408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe .
1⤵
PID:5744
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3568
- C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
  C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe .
  2⤵
  - Checks computer location settings
  PID:1520
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\zuidwnffsjjyqzrtijd.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zuidwnffsjjyqzrtijd.exe
1⤵
PID:3876
- C:\Windows\zuidwnffsjjyqzrtijd.exe
  zuidwnffsjjyqzrtijd.exe
  2⤵
  PID:4632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fykdujzxixviyfvvi.exe .
1⤵
PID:4528
- C:\Windows\fykdujzxixviyfvvi.exe
  fykdujzxixviyfvvi.exe .
  2⤵
  PID:5072
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\fykdujzxixviyfvvi.exe*."
    3⤵
    PID:5860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fykdujzxixviyfvvi.exe
1⤵
PID:3364
- C:\Windows\fykdujzxixviyfvvi.exe
  fykdujzxixviyfvvi.exe
  2⤵
  PID:5296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mixtnfyznfgwpzsvlnie.exe .
1⤵
PID:400
- C:\Windows\mixtnfyznfgwpzsvlnie.exe
  mixtnfyznfgwpzsvlnie.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6124
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\mixtnfyznfgwpzsvlnie.exe*."
    3⤵
    PID:2736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
1⤵
PID:5560
- C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
  C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
  2⤵
  PID:4548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe .
1⤵
PID:4388
- C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
  C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4628
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\zuidwnffsjjyqzrtijd.exe*."
    3⤵
    PID:1728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe
1⤵
PID:1516
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3280
- C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe
  2⤵
  PID:3708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe .
1⤵
PID:2364
- C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe .
  2⤵
  PID:2384
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\oivphxonzpoctbsthh.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fykdujzxixviyfvvi.exe
1⤵
PID:4940
- C:\Windows\fykdujzxixviyfvvi.exe
  fykdujzxixviyfvvi.exe
  2⤵
  PID:5276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zuidwnffsjjyqzrtijd.exe .
1⤵
PID:1184
- C:\Windows\zuidwnffsjjyqzrtijd.exe
  zuidwnffsjjyqzrtijd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4904
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\zuidwnffsjjyqzrtijd.exe*."
    3⤵
    PID:1168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c byolgztvkdfwqbvzqtpmc.exe
1⤵
PID:4200
- C:\Windows\byolgztvkdfwqbvzqtpmc.exe
  byolgztvkdfwqbvzqtpmc.exe
  2⤵
  PID:1868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqbtjxmjtheqflaz.exe .
1⤵
PID:4084
- C:\Windows\yqbtjxmjtheqflaz.exe
  yqbtjxmjtheqflaz.exe .
  2⤵
  - Checks computer location settings
  PID:4972
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\yqbtjxmjtheqflaz.exe*."
    3⤵
    PID:6056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
1⤵
PID:4728
- C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
  2⤵
  PID:604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe .
1⤵
PID:4980
- C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5664
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\oivphxonzpoctbsthh.exe*."
    3⤵
    PID:1216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe
1⤵
PID:4892
- C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe
  C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe
  2⤵
  PID:628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe .
1⤵
PID:4492
- C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe
  C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4684
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\mixtnfyznfgwpzsvlnie.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zuidwnffsjjyqzrtijd.exe
1⤵
PID:5512
- C:\Windows\zuidwnffsjjyqzrtijd.exe
  zuidwnffsjjyqzrtijd.exe
  2⤵
  PID:5216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mixtnfyznfgwpzsvlnie.exe .
1⤵
PID:3284
- C:\Windows\mixtnfyznfgwpzsvlnie.exe
  mixtnfyznfgwpzsvlnie.exe .
  2⤵
  - Checks computer location settings
  PID:1260
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\mixtnfyznfgwpzsvlnie.exe*."
    3⤵
    PID:2448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c byolgztvkdfwqbvzqtpmc.exe
1⤵
PID:704
- C:\Windows\byolgztvkdfwqbvzqtpmc.exe
  byolgztvkdfwqbvzqtpmc.exe
  2⤵
  PID:5144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mixtnfyznfgwpzsvlnie.exe .
1⤵
PID:2528
- C:\Windows\mixtnfyznfgwpzsvlnie.exe
  mixtnfyznfgwpzsvlnie.exe .
  2⤵
  - Checks computer location settings
  PID:460
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\mixtnfyznfgwpzsvlnie.exe*."
    3⤵
    PID:4448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe
1⤵
PID:3504
- C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe
  C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe
  2⤵
  PID:4632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe .
1⤵
PID:4064
- C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe
  C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1272
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\byolgztvkdfwqbvzqtpmc.exe*."
    3⤵
    PID:1500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
1⤵
PID:3520
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3408
- C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
  C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
  2⤵
  PID:4312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe .
1⤵
PID:5296
- C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe .
  2⤵
  - Checks computer location settings
  PID:3528
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\fykdujzxixviyfvvi.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqbtjxmjtheqflaz.exe
1⤵
PID:3896
- C:\Windows\yqbtjxmjtheqflaz.exe
  yqbtjxmjtheqflaz.exe
  2⤵
  PID:4796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fykdujzxixviyfvvi.exe .
1⤵
PID:5316
- C:\Windows\fykdujzxixviyfvvi.exe
  fykdujzxixviyfvvi.exe .
  2⤵
  PID:388
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\fykdujzxixviyfvvi.exe*."
    3⤵
    PID:2384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c byolgztvkdfwqbvzqtpmc.exe
1⤵
PID:4596
- C:\Windows\byolgztvkdfwqbvzqtpmc.exe
  byolgztvkdfwqbvzqtpmc.exe
  2⤵
  PID:2212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fykdujzxixviyfvvi.exe .
1⤵
PID:2080
- C:\Windows\fykdujzxixviyfvvi.exe
  fykdujzxixviyfvvi.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1368
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\fykdujzxixviyfvvi.exe*."
    3⤵
    PID:2260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe
1⤵
PID:4416
- C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe
  C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe
  2⤵
  PID:736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe .
1⤵
PID:4920
- C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3588
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\fykdujzxixviyfvvi.exe*."
    3⤵
    PID:3732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe
1⤵
PID:4580
- C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe
  C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe
  2⤵
  PID:5996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe .
1⤵
PID:4044
- C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1600
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\oivphxonzpoctbsthh.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mixtnfyznfgwpzsvlnie.exe
1⤵
PID:4656
- C:\Windows\mixtnfyznfgwpzsvlnie.exe
  mixtnfyznfgwpzsvlnie.exe
  2⤵
  PID:3172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fykdujzxixviyfvvi.exe
1⤵
PID:4900
- C:\Windows\fykdujzxixviyfvvi.exe
  fykdujzxixviyfvvi.exe
  2⤵
  PID:5304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fykdujzxixviyfvvi.exe
1⤵
PID:5644
- C:\Windows\fykdujzxixviyfvvi.exe
  fykdujzxixviyfvvi.exe
  2⤵
  PID:4492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqbtjxmjtheqflaz.exe .
1⤵
PID:6132
- C:\Windows\yqbtjxmjtheqflaz.exe
  yqbtjxmjtheqflaz.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6084
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\yqbtjxmjtheqflaz.exe*."
    3⤵
    PID:4068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zuidwnffsjjyqzrtijd.exe .
1⤵
PID:2912
- C:\Windows\zuidwnffsjjyqzrtijd.exe
  zuidwnffsjjyqzrtijd.exe .
  2⤵
  - Checks computer location settings
  PID:6076
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\zuidwnffsjjyqzrtijd.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zuidwnffsjjyqzrtijd.exe .
1⤵
PID:4360
- C:\Windows\zuidwnffsjjyqzrtijd.exe
  zuidwnffsjjyqzrtijd.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1680
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\zuidwnffsjjyqzrtijd.exe*."
    3⤵
    PID:1720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oivphxonzpoctbsthh.exe
1⤵
PID:1360
- C:\Windows\oivphxonzpoctbsthh.exe
  oivphxonzpoctbsthh.exe
  2⤵
  PID:672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqbtjxmjtheqflaz.exe
1⤵
PID:5552
- C:\Windows\yqbtjxmjtheqflaz.exe
  yqbtjxmjtheqflaz.exe
  2⤵
  PID:2212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqbtjxmjtheqflaz.exe
1⤵
PID:2468
- C:\Windows\yqbtjxmjtheqflaz.exe
  yqbtjxmjtheqflaz.exe
  2⤵
  PID:3820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mixtnfyznfgwpzsvlnie.exe .
1⤵
PID:1520
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4752
- C:\Windows\mixtnfyznfgwpzsvlnie.exe
  mixtnfyznfgwpzsvlnie.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4940
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\mixtnfyznfgwpzsvlnie.exe*."
    3⤵
    PID:1864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fykdujzxixviyfvvi.exe .
1⤵
PID:4588
- C:\Windows\fykdujzxixviyfvvi.exe
  fykdujzxixviyfvvi.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2012
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\fykdujzxixviyfvvi.exe*."
    3⤵
    PID:1324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fykdujzxixviyfvvi.exe .
1⤵
PID:4772
- C:\Windows\fykdujzxixviyfvvi.exe
  fykdujzxixviyfvvi.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:6048
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\fykdujzxixviyfvvi.exe*."
    3⤵
    PID:4648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
1⤵
PID:5740
- C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
  2⤵
  PID:3156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
1⤵
PID:4448
- C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
  C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
  2⤵
  PID:3436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
1⤵
PID:3452
- C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
  C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
  2⤵
  PID:1852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe .
1⤵
PID:5004
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4612
- C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2808
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\oivphxonzpoctbsthh.exe*."
    3⤵
    PID:2980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe .
1⤵
PID:2472
- C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
  C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5884
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\zuidwnffsjjyqzrtijd.exe*."
    3⤵
    PID:4452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe .
1⤵
PID:208
- C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
  C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe .
  2⤵
  - Checks computer location settings
  PID:2308
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\zuidwnffsjjyqzrtijd.exe*."
    3⤵
    PID:4936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe
1⤵
PID:400
- C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe
  2⤵
  PID:5928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe
1⤵
PID:1464
- C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe
  C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe
  2⤵
  PID:3020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe
1⤵
PID:5684
- C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe
  C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe
  2⤵
  PID:1232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe .
1⤵
PID:4048
- C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:824
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\oivphxonzpoctbsthh.exe*."
    3⤵
    PID:2580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe .
1⤵
PID:4172
- C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe .
  2⤵
  PID:5660
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\fykdujzxixviyfvvi.exe*."
    3⤵
    PID:4016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe .
1⤵
PID:5588
- C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe .
  2⤵
  - Checks computer location settings
  PID:5048
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\oivphxonzpoctbsthh.exe*."
    3⤵
    PID:4716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zuidwnffsjjyqzrtijd.exe
1⤵
PID:4864
- C:\Windows\zuidwnffsjjyqzrtijd.exe
  zuidwnffsjjyqzrtijd.exe
  2⤵
  PID:4668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fykdujzxixviyfvvi.exe .
1⤵
PID:1144
- C:\Windows\fykdujzxixviyfvvi.exe
  fykdujzxixviyfvvi.exe .
  2⤵
  PID:1920
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\fykdujzxixviyfvvi.exe*."
    3⤵
    PID:5712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oivphxonzpoctbsthh.exe
1⤵
PID:1676
- C:\Windows\oivphxonzpoctbsthh.exe
  oivphxonzpoctbsthh.exe
  2⤵
  PID:2924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oivphxonzpoctbsthh.exe .
1⤵
PID:5880
- C:\Windows\oivphxonzpoctbsthh.exe
  oivphxonzpoctbsthh.exe .
  2⤵
  PID:1680
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\oivphxonzpoctbsthh.exe*."
    3⤵
    PID:4644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe
1⤵
PID:4400
- C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe
  2⤵
  PID:1948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe .
1⤵
PID:1772
- C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe
  C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe .
  2⤵
  PID:1740
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\byolgztvkdfwqbvzqtpmc.exe*."
    3⤵
    PID:4988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
1⤵
PID:5848
- C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
  C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
  2⤵
  PID:2200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe .
1⤵
PID:5056
- C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe .
  2⤵
  PID:4840
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\yqbtjxmjtheqflaz.exe*."
    3⤵
    PID:2764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mixtnfyznfgwpzsvlnie.exe
1⤵
PID:2636
- C:\Windows\mixtnfyznfgwpzsvlnie.exe
  mixtnfyznfgwpzsvlnie.exe
  2⤵
  PID:5592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mixtnfyznfgwpzsvlnie.exe .
1⤵
PID:2956
- C:\Windows\mixtnfyznfgwpzsvlnie.exe
  mixtnfyznfgwpzsvlnie.exe .
  2⤵
  PID:4984
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\mixtnfyznfgwpzsvlnie.exe*."
    3⤵
    PID:2532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oivphxonzpoctbsthh.exe
1⤵
PID:5928
- C:\Windows\oivphxonzpoctbsthh.exe
  oivphxonzpoctbsthh.exe
  2⤵
  PID:1392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqbtjxmjtheqflaz.exe .
1⤵
PID:4520
- C:\Windows\yqbtjxmjtheqflaz.exe
  yqbtjxmjtheqflaz.exe .
  2⤵
  PID:1956
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\yqbtjxmjtheqflaz.exe*."
    3⤵
    PID:1988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe
1⤵
PID:3020
- C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe
  2⤵
  PID:1940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe .
1⤵
PID:5440
- C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe .
  2⤵
  PID:4452
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\fykdujzxixviyfvvi.exe*."
    3⤵
    PID:4656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
1⤵
PID:2220
- C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
  2⤵
  PID:388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe .
1⤵
PID:8
- C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
  C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe .
  2⤵
  PID:4316
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\zuidwnffsjjyqzrtijd.exe*."
    3⤵
    PID:4200

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:2580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c byolgztvkdfwqbvzqtpmc.exe
1⤵
PID:5496
- C:\Windows\byolgztvkdfwqbvzqtpmc.exe
  byolgztvkdfwqbvzqtpmc.exe
  2⤵
  PID:5692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fykdujzxixviyfvvi.exe .
1⤵
PID:1020
- C:\Windows\fykdujzxixviyfvvi.exe
  fykdujzxixviyfvvi.exe .
  2⤵
  PID:4916
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\fykdujzxixviyfvvi.exe*."
    3⤵
    PID:3624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqbtjxmjtheqflaz.exe
1⤵
PID:4892
- C:\Windows\yqbtjxmjtheqflaz.exe
  yqbtjxmjtheqflaz.exe
  2⤵
  PID:6064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mixtnfyznfgwpzsvlnie.exe .
1⤵
PID:1036
- C:\Windows\mixtnfyznfgwpzsvlnie.exe
  mixtnfyznfgwpzsvlnie.exe .
  2⤵
  PID:2416
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\mixtnfyznfgwpzsvlnie.exe*."
    3⤵
    PID:5956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
1⤵
PID:5124
- C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
  C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
  2⤵
  PID:2924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe .
1⤵
PID:4864
- C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe
  C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe .
  2⤵
  PID:1064
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\mixtnfyznfgwpzsvlnie.exe*."
    3⤵
    PID:5712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
1⤵
PID:2452
- C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
  C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
  2⤵
  PID:2384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe .
1⤵
PID:1948
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:6140
- C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
  C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe .
  2⤵
  PID:448
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\zuidwnffsjjyqzrtijd.exe*."
    3⤵
    PID:5852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqbtjxmjtheqflaz.exe
1⤵
PID:1740
- C:\Windows\yqbtjxmjtheqflaz.exe
  yqbtjxmjtheqflaz.exe
  2⤵
  PID:4960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oivphxonzpoctbsthh.exe .
1⤵
PID:1504
- C:\Windows\oivphxonzpoctbsthh.exe
  oivphxonzpoctbsthh.exe .
  2⤵
  PID:4572
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\oivphxonzpoctbsthh.exe*."
    3⤵
    PID:5552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mixtnfyznfgwpzsvlnie.exe
1⤵
PID:5276
- C:\Windows\mixtnfyznfgwpzsvlnie.exe
  mixtnfyznfgwpzsvlnie.exe
  2⤵
  PID:3860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oivphxonzpoctbsthh.exe .
1⤵
PID:1408
- C:\Windows\oivphxonzpoctbsthh.exe
  oivphxonzpoctbsthh.exe .
  2⤵
  PID:740
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\oivphxonzpoctbsthh.exe*."
    3⤵
    PID:3700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
1⤵
PID:1140
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2816
- C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
  C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
  2⤵
  PID:4984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe .
1⤵
PID:2012
- C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe .
  2⤵
  PID:2956
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\oivphxonzpoctbsthh.exe*."
    3⤵
    PID:2032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
1⤵
PID:604
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:6048
- C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
  2⤵
  PID:5308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe .
1⤵
PID:2256
- C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe
  C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe .
  2⤵
  PID:1332
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\byolgztvkdfwqbvzqtpmc.exe*."
    3⤵
    PID:1500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oivphxonzpoctbsthh.exe
1⤵
PID:3504
- C:\Windows\oivphxonzpoctbsthh.exe
  oivphxonzpoctbsthh.exe
  2⤵
  PID:4472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fykdujzxixviyfvvi.exe .
1⤵
PID:3544
- C:\Windows\fykdujzxixviyfvvi.exe
  fykdujzxixviyfvvi.exe .
  2⤵
  PID:2836
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\fykdujzxixviyfvvi.exe*."
    3⤵
    PID:616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oivphxonzpoctbsthh.exe
1⤵
PID:5340
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4520
- C:\Windows\oivphxonzpoctbsthh.exe
  oivphxonzpoctbsthh.exe
  2⤵
  PID:1104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqbtjxmjtheqflaz.exe .
1⤵
PID:4588
- C:\Windows\yqbtjxmjtheqflaz.exe
  yqbtjxmjtheqflaz.exe .
  2⤵
  PID:2980
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\yqbtjxmjtheqflaz.exe*."
    3⤵
    PID:4716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
1⤵
PID:3584
- C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
  2⤵
  PID:5664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe .
1⤵
PID:1312
- C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe .
  2⤵
  PID:3964
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\oivphxonzpoctbsthh.exe*."
    3⤵
    PID:2752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
1⤵
PID:5328
- C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
  C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
  2⤵
  PID:4900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe .
1⤵
PID:1904
- C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe
  C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe .
  2⤵
  PID:5804
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\byolgztvkdfwqbvzqtpmc.exe*."
    3⤵
    PID:1972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c byolgztvkdfwqbvzqtpmc.exe
1⤵
PID:4832
- C:\Windows\byolgztvkdfwqbvzqtpmc.exe
  byolgztvkdfwqbvzqtpmc.exe
  2⤵
  PID:5124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mixtnfyznfgwpzsvlnie.exe .
1⤵
PID:5860
- C:\Windows\mixtnfyznfgwpzsvlnie.exe
  mixtnfyznfgwpzsvlnie.exe .
  2⤵
  PID:2416
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\mixtnfyznfgwpzsvlnie.exe*."
    3⤵
    PID:2748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqbtjxmjtheqflaz.exe
1⤵
PID:3416
- C:\Windows\yqbtjxmjtheqflaz.exe
  yqbtjxmjtheqflaz.exe
  2⤵
  PID:5924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c byolgztvkdfwqbvzqtpmc.exe .
1⤵
PID:4460
- C:\Windows\byolgztvkdfwqbvzqtpmc.exe
  byolgztvkdfwqbvzqtpmc.exe .
  2⤵
  PID:4388
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\byolgztvkdfwqbvzqtpmc.exe*."
    3⤵
    PID:6132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe
1⤵
PID:4408
- C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe
  2⤵
  PID:3884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqbtjxmjtheqflaz.exe
1⤵
PID:3512
- C:\Windows\yqbtjxmjtheqflaz.exe
  yqbtjxmjtheqflaz.exe
  2⤵
  PID:2348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe .
1⤵
PID:3528
- C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe .
  2⤵
  PID:2212
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\yqbtjxmjtheqflaz.exe*."
    3⤵
    PID:1140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c byolgztvkdfwqbvzqtpmc.exe
1⤵
PID:6080
- C:\Windows\byolgztvkdfwqbvzqtpmc.exe
  byolgztvkdfwqbvzqtpmc.exe
  2⤵
  PID:4544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zuidwnffsjjyqzrtijd.exe .
1⤵
PID:1772
- C:\Windows\zuidwnffsjjyqzrtijd.exe
  zuidwnffsjjyqzrtijd.exe .
  2⤵
  PID:1260
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\zuidwnffsjjyqzrtijd.exe*."
    3⤵
    PID:4720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oivphxonzpoctbsthh.exe .
1⤵
PID:904
- C:\Windows\oivphxonzpoctbsthh.exe
  oivphxonzpoctbsthh.exe .
  2⤵
  PID:1332
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\oivphxonzpoctbsthh.exe*."
    3⤵
    PID:5788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe
1⤵
PID:5940
- C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe
  C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe
  2⤵
  PID:3440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqbtjxmjtheqflaz.exe
1⤵
PID:4984
- C:\Windows\yqbtjxmjtheqflaz.exe
  yqbtjxmjtheqflaz.exe
  2⤵
  PID:1824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe .
1⤵
PID:1712
- C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe
  C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe .
  2⤵
  PID:1224
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\mixtnfyznfgwpzsvlnie.exe*."
    3⤵
    PID:3696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zuidwnffsjjyqzrtijd.exe .
1⤵
PID:4776
- C:\Windows\zuidwnffsjjyqzrtijd.exe
  zuidwnffsjjyqzrtijd.exe .
  2⤵
  PID:1388
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\zuidwnffsjjyqzrtijd.exe*."
    3⤵
    PID:4488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c byolgztvkdfwqbvzqtpmc.exe
1⤵
PID:3876
- C:\Windows\byolgztvkdfwqbvzqtpmc.exe
  byolgztvkdfwqbvzqtpmc.exe
  2⤵
  PID:5252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zuidwnffsjjyqzrtijd.exe .
1⤵
PID:1392
- C:\Windows\zuidwnffsjjyqzrtijd.exe
  zuidwnffsjjyqzrtijd.exe .
  2⤵
  PID:4876
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\zuidwnffsjjyqzrtijd.exe*."
    3⤵
    PID:2908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe
1⤵
PID:3620
- C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe
  2⤵
  PID:4916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe
1⤵
PID:5680
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2392
- C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe
  C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe
  2⤵
  PID:5208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe .
1⤵
PID:5308
- C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe
  C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe .
  2⤵
  PID:5328
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\mixtnfyznfgwpzsvlnie.exe*."
    3⤵
    PID:3416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe .
1⤵
PID:604
- C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
  C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe .
  2⤵
  PID:2752
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\zuidwnffsjjyqzrtijd.exe*."
    3⤵
    PID:4856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
1⤵
PID:5072
- C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
  2⤵
  PID:544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
1⤵
PID:4324
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2736
- C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
  2⤵
  PID:4832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe .
1⤵
PID:388
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:400
- C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe
  C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe .
  2⤵
  PID:3284
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\byolgztvkdfwqbvzqtpmc.exe*."
    3⤵
    PID:3128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqbtjxmjtheqflaz.exe
1⤵
PID:3688
- C:\Windows\yqbtjxmjtheqflaz.exe
  yqbtjxmjtheqflaz.exe
  2⤵
  PID:4756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe .
1⤵
PID:4316
- C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe .
  2⤵
  PID:1920
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\fykdujzxixviyfvvi.exe*."
    3⤵
    PID:1540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqbtjxmjtheqflaz.exe .
1⤵
PID:3716
- C:\Windows\yqbtjxmjtheqflaz.exe
  yqbtjxmjtheqflaz.exe .
  2⤵
  PID:4384
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\yqbtjxmjtheqflaz.exe*."
    3⤵
    PID:2164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fykdujzxixviyfvvi.exe
1⤵
PID:208
- C:\Windows\fykdujzxixviyfvvi.exe
  fykdujzxixviyfvvi.exe
  2⤵
  PID:6000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oivphxonzpoctbsthh.exe .
1⤵
PID:2756
- C:\Windows\oivphxonzpoctbsthh.exe
  oivphxonzpoctbsthh.exe .
  2⤵
  PID:6076
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\oivphxonzpoctbsthh.exe*."
    3⤵
    PID:1180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
1⤵
PID:3368
- C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
  2⤵
  PID:4400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe .
1⤵
PID:3952
- C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe .
  2⤵
  PID:3732
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\yqbtjxmjtheqflaz.exe*."
    3⤵
    PID:3156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
1⤵
PID:3144
- C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
  2⤵
  PID:4988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe .
1⤵
PID:5452
- C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe
  C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe .
  2⤵
  PID:3756
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\byolgztvkdfwqbvzqtpmc.exe*."
    3⤵
    PID:3668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c byolgztvkdfwqbvzqtpmc.exe
1⤵
PID:5912
- C:\Windows\byolgztvkdfwqbvzqtpmc.exe
  byolgztvkdfwqbvzqtpmc.exe
  2⤵
  PID:5928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oivphxonzpoctbsthh.exe .
1⤵
PID:5480
- C:\Windows\oivphxonzpoctbsthh.exe
  oivphxonzpoctbsthh.exe .
  2⤵
  PID:3728
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\oivphxonzpoctbsthh.exe*."
    3⤵
    PID:5140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fykdujzxixviyfvvi.exe
1⤵
PID:2952
- C:\Windows\fykdujzxixviyfvvi.exe
  fykdujzxixviyfvvi.exe
  2⤵
  PID:3588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fykdujzxixviyfvvi.exe .
1⤵
PID:3320
- C:\Windows\fykdujzxixviyfvvi.exe
  fykdujzxixviyfvvi.exe .
  2⤵
  PID:4448
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\fykdujzxixviyfvvi.exe*."
    3⤵
    PID:4580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe
1⤵
PID:2024
- C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe
  2⤵
  PID:3876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe .
1⤵
PID:5664
- C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe
  C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe .
  2⤵
  PID:4692
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\byolgztvkdfwqbvzqtpmc.exe*."
    3⤵
    PID:4108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
1⤵
PID:5208
- C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
  2⤵
  PID:1168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe .
1⤵
PID:904
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4356
- C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe .
  2⤵
  PID:4876
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\fykdujzxixviyfvvi.exe*."
    3⤵
    PID:4412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mixtnfyznfgwpzsvlnie.exe
1⤵
PID:5804
- C:\Windows\mixtnfyznfgwpzsvlnie.exe
  mixtnfyznfgwpzsvlnie.exe
  2⤵
  PID:4776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zuidwnffsjjyqzrtijd.exe .
1⤵
PID:3488
- C:\Windows\zuidwnffsjjyqzrtijd.exe
  zuidwnffsjjyqzrtijd.exe .
  2⤵
  PID:1304
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\zuidwnffsjjyqzrtijd.exe*."
    3⤵
    PID:2072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c byolgztvkdfwqbvzqtpmc.exe
1⤵
PID:4832
- C:\Windows\byolgztvkdfwqbvzqtpmc.exe
  byolgztvkdfwqbvzqtpmc.exe
  2⤵
  PID:1036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqbtjxmjtheqflaz.exe .
1⤵
PID:5920
- C:\Windows\yqbtjxmjtheqflaz.exe
  yqbtjxmjtheqflaz.exe .
  2⤵
  PID:2748
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\yqbtjxmjtheqflaz.exe*."
    3⤵
    PID:3688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe
1⤵
PID:4344
- C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe
  2⤵
  PID:5084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe .
1⤵
PID:5860
- C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe .
  2⤵
  PID:604
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\fykdujzxixviyfvvi.exe*."
    3⤵
    PID:1800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe
1⤵
PID:2064
- C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe
  C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe
  2⤵
  PID:5216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe .
1⤵
PID:3972
- C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
  C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe .
  2⤵
  PID:2812
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\zuidwnffsjjyqzrtijd.exe*."
    3⤵
    PID:5296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqbtjxmjtheqflaz.exe
1⤵
PID:1740
- C:\Windows\yqbtjxmjtheqflaz.exe
  yqbtjxmjtheqflaz.exe
  2⤵
  PID:5808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqbtjxmjtheqflaz.exe .
1⤵
PID:4748
- C:\Windows\yqbtjxmjtheqflaz.exe
  yqbtjxmjtheqflaz.exe .
  2⤵
  PID:6076
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\yqbtjxmjtheqflaz.exe*."
    3⤵
    PID:2212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oivphxonzpoctbsthh.exe
1⤵
PID:984
- C:\Windows\oivphxonzpoctbsthh.exe
  oivphxonzpoctbsthh.exe
  2⤵
  PID:3088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqbtjxmjtheqflaz.exe .
1⤵
PID:4360
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4588
- C:\Windows\yqbtjxmjtheqflaz.exe
  yqbtjxmjtheqflaz.exe .
  2⤵
  PID:3228
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\yqbtjxmjtheqflaz.exe*."
    3⤵
    PID:5244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe
1⤵
PID:6044
- C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe
  C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe
  2⤵
  PID:1972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe .
1⤵
PID:3952
- C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe
  C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe .
  2⤵
  PID:1864
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\byolgztvkdfwqbvzqtpmc.exe*."
    3⤵
    PID:3864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
1⤵
PID:5884
- C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
  C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
  2⤵
  PID:2892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe .
1⤵
PID:5132
- C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe
  C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe .
  2⤵
  PID:3528
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\byolgztvkdfwqbvzqtpmc.exe*."
    3⤵
    PID:4472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mixtnfyznfgwpzsvlnie.exe
1⤵
PID:2888
- C:\Windows\mixtnfyznfgwpzsvlnie.exe
  mixtnfyznfgwpzsvlnie.exe
  2⤵
  PID:3724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c byolgztvkdfwqbvzqtpmc.exe .
1⤵
PID:2468
- C:\Windows\byolgztvkdfwqbvzqtpmc.exe
  byolgztvkdfwqbvzqtpmc.exe .
  2⤵
  PID:1272
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\byolgztvkdfwqbvzqtpmc.exe*."
    3⤵
    PID:936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oivphxonzpoctbsthh.exe
1⤵
PID:2024
- C:\Windows\oivphxonzpoctbsthh.exe
  oivphxonzpoctbsthh.exe
  2⤵
  PID:5888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fykdujzxixviyfvvi.exe .
1⤵
PID:3280
- C:\Windows\fykdujzxixviyfvvi.exe
  fykdujzxixviyfvvi.exe .
  2⤵
  PID:4780
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\fykdujzxixviyfvvi.exe*."
    3⤵
    PID:5304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe
1⤵
PID:1712
- C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe
  C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe
  2⤵
  PID:3480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe .
1⤵
PID:3860
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3436
- C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe
  C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe .
  2⤵
  PID:3852
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\byolgztvkdfwqbvzqtpmc.exe*."
    3⤵
    PID:756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe
1⤵
PID:4528
- C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe
  C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe
  2⤵
  PID:3040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe .
1⤵
PID:1856
- C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe .
  2⤵
  PID:2224
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\oivphxonzpoctbsthh.exe*."
    3⤵
    PID:2752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mixtnfyznfgwpzsvlnie.exe
1⤵
PID:2392
- C:\Windows\mixtnfyznfgwpzsvlnie.exe
  mixtnfyznfgwpzsvlnie.exe
  2⤵
  PID:4548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zuidwnffsjjyqzrtijd.exe .
1⤵
PID:3488
- C:\Windows\zuidwnffsjjyqzrtijd.exe
  zuidwnffsjjyqzrtijd.exe .
  2⤵
  PID:1324
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\zuidwnffsjjyqzrtijd.exe*."
    3⤵
    PID:4344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fykdujzxixviyfvvi.exe
1⤵
PID:4452
- C:\Windows\fykdujzxixviyfvvi.exe
  fykdujzxixviyfvvi.exe
  2⤵
  PID:6000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mixtnfyznfgwpzsvlnie.exe .
1⤵
PID:3172
- C:\Windows\mixtnfyznfgwpzsvlnie.exe
  mixtnfyznfgwpzsvlnie.exe .
  2⤵
  PID:4324
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\mixtnfyznfgwpzsvlnie.exe*."
    3⤵
    PID:1476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
1⤵
PID:3128
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4976
- C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
  2⤵
  PID:452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe .
1⤵
PID:2260
- C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe .
  2⤵
  PID:1016
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\yqbtjxmjtheqflaz.exe*."
    3⤵
    PID:5396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe
1⤵
PID:3692
- C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe
  C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe
  2⤵
  PID:6140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe .
1⤵
PID:2120
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1124
- C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
  C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe .
  2⤵
  PID:5808
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\zuidwnffsjjyqzrtijd.exe*."
    3⤵
    PID:4908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oivphxonzpoctbsthh.exe
1⤵
PID:1920
- C:\Windows\oivphxonzpoctbsthh.exe
  oivphxonzpoctbsthh.exe
  2⤵
  PID:5640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oivphxonzpoctbsthh.exe
1⤵
PID:6076
- C:\Windows\oivphxonzpoctbsthh.exe
  oivphxonzpoctbsthh.exe
  2⤵
  PID:1540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oivphxonzpoctbsthh.exe .
1⤵
PID:3408
- C:\Windows\oivphxonzpoctbsthh.exe
  oivphxonzpoctbsthh.exe .
  2⤵
  PID:5708
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\oivphxonzpoctbsthh.exe*."
    3⤵
    PID:3528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oivphxonzpoctbsthh.exe .
1⤵
PID:3180
- C:\Windows\oivphxonzpoctbsthh.exe
  oivphxonzpoctbsthh.exe .
  2⤵
  PID:5852
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\oivphxonzpoctbsthh.exe*."
    3⤵
    PID:5564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mixtnfyznfgwpzsvlnie.exe
1⤵
PID:3908
- C:\Windows\mixtnfyznfgwpzsvlnie.exe
  mixtnfyznfgwpzsvlnie.exe
  2⤵
  PID:5884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oivphxonzpoctbsthh.exe .
1⤵
PID:3036
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1216
- C:\Windows\oivphxonzpoctbsthh.exe
  oivphxonzpoctbsthh.exe .
  2⤵
  PID:1368
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\oivphxonzpoctbsthh.exe*."
    3⤵
    PID:4972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zuidwnffsjjyqzrtijd.exe
1⤵
PID:704
- C:\Windows\zuidwnffsjjyqzrtijd.exe
  zuidwnffsjjyqzrtijd.exe
  2⤵
  PID:4580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqbtjxmjtheqflaz.exe
1⤵
PID:1864
- C:\Windows\yqbtjxmjtheqflaz.exe
  yqbtjxmjtheqflaz.exe
  2⤵
  PID:1312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe
1⤵
PID:3952
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2308
- C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe
  C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe
  2⤵
  PID:4980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mixtnfyznfgwpzsvlnie.exe .
1⤵
PID:2916
- C:\Windows\mixtnfyznfgwpzsvlnie.exe
  mixtnfyznfgwpzsvlnie.exe .
  2⤵
  PID:5768
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\mixtnfyznfgwpzsvlnie.exe*."
    3⤵
    PID:3204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe .
1⤵
PID:5880
- C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe .
  2⤵
  PID:2872
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\fykdujzxixviyfvvi.exe*."
    3⤵
    PID:4728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mixtnfyznfgwpzsvlnie.exe .
1⤵
PID:3568
- C:\Windows\mixtnfyznfgwpzsvlnie.exe
  mixtnfyznfgwpzsvlnie.exe .
  2⤵
  PID:2100
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\mixtnfyznfgwpzsvlnie.exe*."
    3⤵
    PID:436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe
1⤵
PID:3544
- C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe
  C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe
  2⤵
  PID:1036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe .
1⤵
PID:3188
- C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe
  C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe .
  2⤵
  PID:4756
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\mixtnfyznfgwpzsvlnie.exe*."
    3⤵
    PID:6088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqbtjxmjtheqflaz.exe
1⤵
PID:5252
- C:\Windows\yqbtjxmjtheqflaz.exe
  yqbtjxmjtheqflaz.exe
  2⤵
  PID:5864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
1⤵
PID:2484
- C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
  C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
  2⤵
  PID:3768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c byolgztvkdfwqbvzqtpmc.exe .
1⤵
PID:2808
- C:\Windows\byolgztvkdfwqbvzqtpmc.exe
  byolgztvkdfwqbvzqtpmc.exe .
  2⤵
  PID:4344
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\byolgztvkdfwqbvzqtpmc.exe*."
    3⤵
    PID:3128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe .
1⤵
PID:2980
- C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
  C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe .
  2⤵
  PID:5020
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\zuidwnffsjjyqzrtijd.exe*."
    3⤵
    PID:5808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
1⤵
PID:4348
- C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
  C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
  2⤵
  PID:3872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
1⤵
PID:1388
- C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
  2⤵
  PID:2364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe .
1⤵
PID:3852
- C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe .
  2⤵
  PID:5148
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\oivphxonzpoctbsthh.exe*."
    3⤵
    PID:6024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe .
1⤵
PID:4512
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4172
- C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe .
  2⤵
  PID:4492
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\fykdujzxixviyfvvi.exe*."
    3⤵
    PID:872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
1⤵
PID:4312
- C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
  C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
  2⤵
  PID:3992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe .
1⤵
PID:4548
- C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe
  C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe .
  2⤵
  PID:5900
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\byolgztvkdfwqbvzqtpmc.exe*."
    3⤵
    PID:5396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fykdujzxixviyfvvi.exe
1⤵
PID:4104
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2260
- C:\Windows\fykdujzxixviyfvvi.exe
  fykdujzxixviyfvvi.exe
  2⤵
  PID:3692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqbtjxmjtheqflaz.exe .
1⤵
PID:1648
- C:\Windows\yqbtjxmjtheqflaz.exe
  yqbtjxmjtheqflaz.exe .
  2⤵
  PID:2680
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\yqbtjxmjtheqflaz.exe*."
    3⤵
    PID:6076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mixtnfyznfgwpzsvlnie.exe
1⤵
PID:1676
- C:\Windows\mixtnfyznfgwpzsvlnie.exe
  mixtnfyznfgwpzsvlnie.exe
  2⤵
  PID:5244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zuidwnffsjjyqzrtijd.exe .
1⤵
PID:1180
- C:\Windows\zuidwnffsjjyqzrtijd.exe
  zuidwnffsjjyqzrtijd.exe .
  2⤵
  PID:3708
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\zuidwnffsjjyqzrtijd.exe*."
    3⤵
    PID:2844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe
1⤵
PID:1260
- C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe
  C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe
  2⤵
  PID:3820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe .
1⤵
PID:1592
- C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe .
  2⤵
  PID:4408
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\oivphxonzpoctbsthh.exe*."
    3⤵
    PID:984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe
1⤵
PID:4108
- C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe
  2⤵
  PID:4780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe .
1⤵
PID:4920
- C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
  C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe .
  2⤵
  PID:776
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\zuidwnffsjjyqzrtijd.exe*."
    3⤵
    PID:928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fykdujzxixviyfvvi.exe
1⤵
PID:3416
- C:\Windows\fykdujzxixviyfvvi.exe
  fykdujzxixviyfvvi.exe
  2⤵
  PID:3036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fykdujzxixviyfvvi.exe .
1⤵
PID:5608
- C:\Windows\fykdujzxixviyfvvi.exe
  fykdujzxixviyfvvi.exe .
  2⤵
  PID:1544
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\fykdujzxixviyfvvi.exe*."
    3⤵
    PID:4908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fykdujzxixviyfvvi.exe
1⤵
PID:3896
- C:\Windows\fykdujzxixviyfvvi.exe
  fykdujzxixviyfvvi.exe
  2⤵
  PID:5924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fykdujzxixviyfvvi.exe .
1⤵
PID:2872
- C:\Windows\fykdujzxixviyfvvi.exe
  fykdujzxixviyfvvi.exe .
  2⤵
  PID:436
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\fykdujzxixviyfvvi.exe*."
    3⤵
    PID:1672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
1⤵
PID:5516
- C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
  2⤵
  PID:4520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe .
1⤵
PID:3480
- C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe .
  2⤵
  PID:3876
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\fykdujzxixviyfvvi.exe*."
    3⤵
    PID:5744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe
1⤵
PID:5300
- C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe
  C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe
  2⤵
  PID:5480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe .
1⤵
PID:5940
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5860
- C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe
  C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe .
  2⤵
  PID:4412
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\mixtnfyznfgwpzsvlnie.exe*."
    3⤵
    PID:532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqbtjxmjtheqflaz.exe
1⤵
PID:1512
- C:\Windows\yqbtjxmjtheqflaz.exe
  yqbtjxmjtheqflaz.exe
  2⤵
  PID:5376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oivphxonzpoctbsthh.exe .
1⤵
PID:4272
- C:\Windows\oivphxonzpoctbsthh.exe
  oivphxonzpoctbsthh.exe .
  2⤵
  PID:5156
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\oivphxonzpoctbsthh.exe*."
    3⤵
    PID:2912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqbtjxmjtheqflaz.exe
1⤵
PID:3620
- C:\Windows\yqbtjxmjtheqflaz.exe
  yqbtjxmjtheqflaz.exe
  2⤵
  PID:5692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c byolgztvkdfwqbvzqtpmc.exe .
1⤵
PID:2812
- C:\Windows\byolgztvkdfwqbvzqtpmc.exe
  byolgztvkdfwqbvzqtpmc.exe .
  2⤵
  PID:2808
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\byolgztvkdfwqbvzqtpmc.exe*."
    3⤵
    PID:3664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe
1⤵
PID:3488
- C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe
  2⤵
  PID:3996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe .
1⤵
PID:1360
- C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe .
  2⤵
  PID:6124
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\yqbtjxmjtheqflaz.exe*."
    3⤵
    PID:8

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
1⤵
PID:2752
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5236
- C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
  C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
  2⤵
  PID:2620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe .
1⤵
PID:5808
- C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe .
  2⤵
  PID:5640
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\yqbtjxmjtheqflaz.exe*."
    3⤵
    PID:1464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c byolgztvkdfwqbvzqtpmc.exe
1⤵
PID:4724
- C:\Windows\byolgztvkdfwqbvzqtpmc.exe
  byolgztvkdfwqbvzqtpmc.exe
  2⤵
  PID:5688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqbtjxmjtheqflaz.exe .
1⤵
PID:4644
- C:\Windows\yqbtjxmjtheqflaz.exe
  yqbtjxmjtheqflaz.exe .
  2⤵
  PID:3820
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\yqbtjxmjtheqflaz.exe*."
    3⤵
    PID:3104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqbtjxmjtheqflaz.exe
1⤵
PID:1852
- C:\Windows\yqbtjxmjtheqflaz.exe
  yqbtjxmjtheqflaz.exe
  2⤵
  PID:460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c byolgztvkdfwqbvzqtpmc.exe .
1⤵
PID:2844
- C:\Windows\byolgztvkdfwqbvzqtpmc.exe
  byolgztvkdfwqbvzqtpmc.exe .
  2⤵
  PID:4408
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\byolgztvkdfwqbvzqtpmc.exe*."
    3⤵
    PID:4156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe
1⤵
PID:4620
- C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe
  C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe
  2⤵
  PID:1204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe .
1⤵
PID:5144
- C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe
  C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe .
  2⤵
  PID:3520
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\byolgztvkdfwqbvzqtpmc.exe*."
    3⤵
    PID:4956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe
1⤵
PID:5956
- C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe
  C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe
  2⤵
  PID:3144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe .
1⤵
PID:4204
- C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe .
  2⤵
  PID:3728
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\oivphxonzpoctbsthh.exe*."
    3⤵
    PID:5644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mixtnfyznfgwpzsvlnie.exe
1⤵
PID:4316
- C:\Windows\mixtnfyznfgwpzsvlnie.exe
  mixtnfyznfgwpzsvlnie.exe
  2⤵
  PID:720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqbtjxmjtheqflaz.exe .
1⤵
PID:2852
- C:\Windows\yqbtjxmjtheqflaz.exe
  yqbtjxmjtheqflaz.exe .
  2⤵
  PID:5920
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\yqbtjxmjtheqflaz.exe*."
    3⤵
    PID:4068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fykdujzxixviyfvvi.exe
1⤵
PID:4764
- C:\Windows\fykdujzxixviyfvvi.exe
  fykdujzxixviyfvvi.exe
  2⤵
  PID:3896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zuidwnffsjjyqzrtijd.exe .
1⤵
PID:1752
- C:\Windows\zuidwnffsjjyqzrtijd.exe
  zuidwnffsjjyqzrtijd.exe .
  2⤵
  PID:5516
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\zuidwnffsjjyqzrtijd.exe*."
    3⤵
    PID:1728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
1⤵
PID:5508
- C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
  2⤵
  PID:2468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe .
1⤵
PID:1672
- C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe .
  2⤵
  PID:3876
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\yqbtjxmjtheqflaz.exe*."
    3⤵
    PID:5744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe
1⤵
PID:3480
- C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe
  C:\Users\Admin\AppData\Local\Temp\oivphxonzpoctbsthh.exe
  2⤵
  PID:4368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe .
1⤵
PID:5300
- C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe .
  2⤵
  PID:4500
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\fykdujzxixviyfvvi.exe*."
    3⤵
    PID:5740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zuidwnffsjjyqzrtijd.exe
1⤵
PID:2164
- C:\Windows\zuidwnffsjjyqzrtijd.exe
  zuidwnffsjjyqzrtijd.exe
  2⤵
  PID:6032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mixtnfyznfgwpzsvlnie.exe .
1⤵
PID:220
- C:\Windows\mixtnfyznfgwpzsvlnie.exe
  mixtnfyznfgwpzsvlnie.exe .
  2⤵
  PID:5156
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\mixtnfyznfgwpzsvlnie.exe*."
    3⤵
    PID:4468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fykdujzxixviyfvvi.exe
1⤵
PID:1476
- C:\Windows\fykdujzxixviyfvvi.exe
  fykdujzxixviyfvvi.exe
  2⤵
  PID:5820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c byolgztvkdfwqbvzqtpmc.exe
1⤵
PID:1016
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4492
- C:\Windows\byolgztvkdfwqbvzqtpmc.exe
  byolgztvkdfwqbvzqtpmc.exe
  2⤵
  PID:4452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fykdujzxixviyfvvi.exe .
1⤵
PID:5676
- C:\Windows\fykdujzxixviyfvvi.exe
  fykdujzxixviyfvvi.exe .
  2⤵
  PID:5348
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\fykdujzxixviyfvvi.exe*."
    3⤵
    PID:3176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mixtnfyznfgwpzsvlnie.exe
1⤵
PID:4772
- C:\Windows\mixtnfyznfgwpzsvlnie.exe
  mixtnfyznfgwpzsvlnie.exe
  2⤵
  PID:5020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mixtnfyznfgwpzsvlnie.exe .
1⤵
PID:2808
- C:\Windows\mixtnfyznfgwpzsvlnie.exe
  mixtnfyznfgwpzsvlnie.exe .
  2⤵
  PID:2152
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\mixtnfyznfgwpzsvlnie.exe*."
    3⤵
    PID:3820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
1⤵
PID:5460
- C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
  2⤵
  PID:2200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe .
1⤵
PID:4016
- C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe
  C:\Users\Admin\AppData\Local\Temp\zuidwnffsjjyqzrtijd.exe .
  2⤵
  PID:2416
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\zuidwnffsjjyqzrtijd.exe*."
    3⤵
    PID:4644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c byolgztvkdfwqbvzqtpmc.exe .
1⤵
PID:1520
- C:\Windows\byolgztvkdfwqbvzqtpmc.exe
  byolgztvkdfwqbvzqtpmc.exe .
  2⤵
  PID:2328
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\byolgztvkdfwqbvzqtpmc.exe*."
    3⤵
    PID:704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mixtnfyznfgwpzsvlnie.exe
1⤵
PID:1408
- C:\Windows\mixtnfyznfgwpzsvlnie.exe
  mixtnfyznfgwpzsvlnie.exe
  2⤵
  PID:4744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oivphxonzpoctbsthh.exe .
1⤵
PID:6076
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe
1⤵
PID:740
- C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe
  C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe
  2⤵
  PID:5636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
1⤵
PID:4852
- C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
  2⤵
  PID:3584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c byolgztvkdfwqbvzqtpmc.exe
1⤵
PID:5852
- C:\Windows\byolgztvkdfwqbvzqtpmc.exe
  byolgztvkdfwqbvzqtpmc.exe
  2⤵
  PID:4812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe .
1⤵
PID:4360
- C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe .
  2⤵
  PID:4396
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\fykdujzxixviyfvvi.exe*."
    3⤵
    PID:3896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe .
1⤵
PID:3512
- C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe
  C:\Users\Admin\AppData\Local\Temp\byolgztvkdfwqbvzqtpmc.exe .
  2⤵
  PID:5148
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\byolgztvkdfwqbvzqtpmc.exe*."
    3⤵
    PID:4964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zuidwnffsjjyqzrtijd.exe .
1⤵
PID:6004
- C:\Windows\zuidwnffsjjyqzrtijd.exe
  zuidwnffsjjyqzrtijd.exe .
  2⤵
  PID:672
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\zuidwnffsjjyqzrtijd.exe*."
    3⤵
    PID:1544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe
1⤵
PID:4880
- C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe
  C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe
  2⤵
  PID:6064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe .
1⤵
PID:4920
- C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe
  C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe .
  2⤵
  PID:5392
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\mixtnfyznfgwpzsvlnie.exe*."
    3⤵
    PID:2056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe
1⤵
PID:5956
- C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe
  C:\Users\Admin\AppData\Local\Temp\mixtnfyznfgwpzsvlnie.exe
  2⤵
  PID:4908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe .
1⤵
PID:4204
- C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe
  C:\Users\Admin\AppData\Local\Temp\yqbtjxmjtheqflaz.exe .
  2⤵
  PID:4352
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\yqbtjxmjtheqflaz.exe*."
    3⤵
    PID:2780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
1⤵
PID:5276
- C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
  2⤵
  PID:5516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe .
1⤵
PID:4316
- C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe
  C:\Users\Admin\AppData\Local\Temp\fykdujzxixviyfvvi.exe .
  2⤵
  PID:5508
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\fykdujzxixviyfvvi.exe*."
    3⤵
    PID:5176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oivphxonzpoctbsthh.exe
1⤵
PID:4944
- C:\Windows\oivphxonzpoctbsthh.exe
  oivphxonzpoctbsthh.exe
  2⤵
  PID:936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mixtnfyznfgwpzsvlnie.exe .
1⤵
PID:4252
- C:\Windows\mixtnfyznfgwpzsvlnie.exe
  mixtnfyznfgwpzsvlnie.exe .
  2⤵
  PID:1672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Safe Mode Boot

T1562.009

Modify Registry