pykspa | a2c7d8f49e2a4d74df79df52b5a7aa0eb0ea546383ae020cc6e104d97aa8c216

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	bfkpegq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	bfkpegq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	wearswdegok.exe

Pykspa
Pykspa is a worm spreads via Skype uses DGA and it's written in C++.
worm pykspa
Pykspa family
pykspa

UAC bypass 3 TTPs 25 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bfkpegq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bfkpegq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bfkpegq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bfkpegq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bfkpegq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bfkpegq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	bfkpegq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	bfkpegq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe

Detect Pykspa worm 2 IoCs

worm

resource	yara_rule
behavioral2/files/0x00080000000242a5-5.dat	family_pykspa
behavioral2/files/0x00080000000242c3-116.dat	family_pykspa

Adds policy Run key to start application 2 TTPs 60 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wearswdegok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dfily = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hvkzykeplzwkmjqan.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qvbhxaln = "dvohkaynnfgyefqevgrjc.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dfily = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qfvllytfcrpehfnymu.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dfily = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dvohkaynnfgyefqevgrjc.exe"	bfkpegq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bfkpegq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qvbhxaln = "hvkzykeplzwkmjqan.exe"	bfkpegq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wearswdegok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wearswdegok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wearswdegok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dfily = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ofxprgdrqhhyddnaqakb.exe"	wearswdegok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dfily = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dvohkaynnfgyefqevgrjc.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dfily = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dvohkaynnfgyefqevgrjc.exe"	wearswdegok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bfkpegq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qvbhxaln = "ofxprgdrqhhyddnaqakb.exe"	bfkpegq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qvbhxaln = "ofxprgdrqhhyddnaqakb.exe"	bfkpegq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dfily = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hvkzykeplzwkmjqan.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qvbhxaln = "dvohkaynnfgyefqevgrjc.exe"	bfkpegq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dfily = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brizaokxvlkaedmynwf.exe"	bfkpegq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dfily = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ofxprgdrqhhyddnaqakb.exe"	bfkpegq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qvbhxaln = "anbpnyrbwjfstpve.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qvbhxaln = "dvohkaynnfgyefqevgrjc.exe"	bfkpegq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qvbhxaln = "ofxprgdrqhhyddnaqakb.exe"	wearswdegok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qvbhxaln = "anbpnyrbwjfstpve.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qvbhxaln = "qfvllytfcrpehfnymu.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qvbhxaln = "dvohkaynnfgyefqevgrjc.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qvbhxaln = "hvkzykeplzwkmjqan.exe"	bfkpegq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dfily = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qfvllytfcrpehfnymu.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dfily = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ofxprgdrqhhyddnaqakb.exe"	wearswdegok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qvbhxaln = "hvkzykeplzwkmjqan.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dfily = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qfvllytfcrpehfnymu.exe"	bfkpegq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dfily = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dvohkaynnfgyefqevgrjc.exe"	wearswdegok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dfily = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ofxprgdrqhhyddnaqakb.exe"	bfkpegq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qvbhxaln = "qfvllytfcrpehfnymu.exe"	bfkpegq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dfily = "C:\\Users\\Admin\\AppData\\Local\\Temp\\anbpnyrbwjfstpve.exe"	bfkpegq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dfily = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qfvllytfcrpehfnymu.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qvbhxaln = "qfvllytfcrpehfnymu.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qvbhxaln = "brizaokxvlkaedmynwf.exe"	bfkpegq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dfily = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qfvllytfcrpehfnymu.exe"	wearswdegok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wearswdegok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dfily = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hvkzykeplzwkmjqan.exe"	bfkpegq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dfily = "C:\\Users\\Admin\\AppData\\Local\\Temp\\anbpnyrbwjfstpve.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dfily = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qfvllytfcrpehfnymu.exe"	bfkpegq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dfily = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ofxprgdrqhhyddnaqakb.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qvbhxaln = "anbpnyrbwjfstpve.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qvbhxaln = "qfvllytfcrpehfnymu.exe"	wearswdegok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qvbhxaln = "ofxprgdrqhhyddnaqakb.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qvbhxaln = "hvkzykeplzwkmjqan.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qvbhxaln = "qfvllytfcrpehfnymu.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dfily = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hvkzykeplzwkmjqan.exe"	bfkpegq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qvbhxaln = "anbpnyrbwjfstpve.exe"	wearswdegok.exe

Disables RegEdit via registry modification 18 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wearswdegok.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wearswdegok.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wearswdegok.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	bfkpegq.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	bfkpegq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	bfkpegq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	bfkpegq.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wearswdegok.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wearswdegok.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wearswdegok.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wearswdegok.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wearswdegok.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wearswdegok.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wearswdegok.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wearswdegok.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wearswdegok.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wearswdegok.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	hvkzykeplzwkmjqan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	anbpnyrbwjfstpve.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	anbpnyrbwjfstpve.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	ofxprgdrqhhyddnaqakb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	dvohkaynnfgyefqevgrjc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	dvohkaynnfgyefqevgrjc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	ofxprgdrqhhyddnaqakb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	qfvllytfcrpehfnymu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	hvkzykeplzwkmjqan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	dvohkaynnfgyefqevgrjc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	dvohkaynnfgyefqevgrjc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	brizaokxvlkaedmynwf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	anbpnyrbwjfstpve.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	ofxprgdrqhhyddnaqakb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	dvohkaynnfgyefqevgrjc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	brizaokxvlkaedmynwf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	ofxprgdrqhhyddnaqakb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	qfvllytfcrpehfnymu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	hvkzykeplzwkmjqan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	anbpnyrbwjfstpve.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	qfvllytfcrpehfnymu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	anbpnyrbwjfstpve.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	brizaokxvlkaedmynwf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	ofxprgdrqhhyddnaqakb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	dvohkaynnfgyefqevgrjc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	anbpnyrbwjfstpve.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	qfvllytfcrpehfnymu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	wearswdegok.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	qfvllytfcrpehfnymu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	qfvllytfcrpehfnymu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	qfvllytfcrpehfnymu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	hvkzykeplzwkmjqan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	anbpnyrbwjfstpve.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	dvohkaynnfgyefqevgrjc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	brizaokxvlkaedmynwf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	hvkzykeplzwkmjqan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	brizaokxvlkaedmynwf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	hvkzykeplzwkmjqan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	qfvllytfcrpehfnymu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	dvohkaynnfgyefqevgrjc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	anbpnyrbwjfstpve.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	JaffaCakes118_9573b06e5dbcb0a2dac71b4ba63da8dc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	dvohkaynnfgyefqevgrjc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	dvohkaynnfgyefqevgrjc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	qfvllytfcrpehfnymu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	dvohkaynnfgyefqevgrjc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	qfvllytfcrpehfnymu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	qfvllytfcrpehfnymu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	brizaokxvlkaedmynwf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	brizaokxvlkaedmynwf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	ofxprgdrqhhyddnaqakb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	brizaokxvlkaedmynwf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	brizaokxvlkaedmynwf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	hvkzykeplzwkmjqan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	ofxprgdrqhhyddnaqakb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	ofxprgdrqhhyddnaqakb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	ofxprgdrqhhyddnaqakb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	ofxprgdrqhhyddnaqakb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	dvohkaynnfgyefqevgrjc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	hvkzykeplzwkmjqan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	dvohkaynnfgyefqevgrjc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	anbpnyrbwjfstpve.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	hvkzykeplzwkmjqan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	ofxprgdrqhhyddnaqakb.exe

Executes dropped EXE 64 IoCs

pid	Process
5068	wearswdegok.exe
3620	hvkzykeplzwkmjqan.exe
3360	hvkzykeplzwkmjqan.exe
6140	wearswdegok.exe
2980	qfvllytfcrpehfnymu.exe
2692	anbpnyrbwjfstpve.exe
1344	wearswdegok.exe
4448	hvkzykeplzwkmjqan.exe
1888	qfvllytfcrpehfnymu.exe
1052	wearswdegok.exe
3588	brizaokxvlkaedmynwf.exe
4344	dvohkaynnfgyefqevgrjc.exe
2908	wearswdegok.exe
3716	bfkpegq.exe
6104	bfkpegq.exe
3080	dvohkaynnfgyefqevgrjc.exe
3860	dvohkaynnfgyefqevgrjc.exe
3092	brizaokxvlkaedmynwf.exe
4460	brizaokxvlkaedmynwf.exe
5064	wearswdegok.exe
4896	dvohkaynnfgyefqevgrjc.exe
5044	wearswdegok.exe
3708	dvohkaynnfgyefqevgrjc.exe
5588	ofxprgdrqhhyddnaqakb.exe
3360	qfvllytfcrpehfnymu.exe
4196	ofxprgdrqhhyddnaqakb.exe
1352	brizaokxvlkaedmynwf.exe
1284	brizaokxvlkaedmynwf.exe
1428	qfvllytfcrpehfnymu.exe
2944	wearswdegok.exe
3932	wearswdegok.exe
3056	wearswdegok.exe
5376	wearswdegok.exe
5840	qfvllytfcrpehfnymu.exe
3164	qfvllytfcrpehfnymu.exe
4136	wearswdegok.exe
668	wearswdegok.exe
3160	ofxprgdrqhhyddnaqakb.exe
3524	ofxprgdrqhhyddnaqakb.exe
2040	qfvllytfcrpehfnymu.exe
1824	brizaokxvlkaedmynwf.exe
4024	wearswdegok.exe
5964	anbpnyrbwjfstpve.exe
2080	ofxprgdrqhhyddnaqakb.exe
5976	wearswdegok.exe
4856	anbpnyrbwjfstpve.exe
4480	anbpnyrbwjfstpve.exe
5096	wearswdegok.exe
5064	qfvllytfcrpehfnymu.exe
1476	brizaokxvlkaedmynwf.exe
3892	wearswdegok.exe
5220	ofxprgdrqhhyddnaqakb.exe
5792	ofxprgdrqhhyddnaqakb.exe
3352	hvkzykeplzwkmjqan.exe
1548	hvkzykeplzwkmjqan.exe
5892	wearswdegok.exe
4320	wearswdegok.exe
1876	hvkzykeplzwkmjqan.exe
1960	hvkzykeplzwkmjqan.exe
4332	brizaokxvlkaedmynwf.exe
3164	dvohkaynnfgyefqevgrjc.exe
5164	dvohkaynnfgyefqevgrjc.exe
4192	hvkzykeplzwkmjqan.exe
5616	brizaokxvlkaedmynwf.exe

Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	bfkpegq.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	bfkpegq.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	bfkpegq.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	bfkpegq.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	bfkpegq.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	bfkpegq.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

defense_evasion persistence privilege_escalation

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bfkpegq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qfvllytfcrpehfnymu.exe ."	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sblvpwlrirjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brizaokxvlkaedmynwf.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sblvpwlrirjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ofxprgdrqhhyddnaqakb.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sblvpwlrirjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\anbpnyrbwjfstpve.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ahpxpuhlah = "dvohkaynnfgyefqevgrjc.exe ."	bfkpegq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sblvpwlrirjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dvohkaynnfgyefqevgrjc.exe"	bfkpegq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vdmvouindlc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dvohkaynnfgyefqevgrjc.exe ."	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vdmvouindlc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ofxprgdrqhhyddnaqakb.exe ."	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\orvzno = "ofxprgdrqhhyddnaqakb.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hnubswilz = "qfvllytfcrpehfnymu.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\orvzno = "C:\\Users\\Admin\\AppData\\Local\\Temp\\anbpnyrbwjfstpve.exe"	bfkpegq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bfkpegq = "hvkzykeplzwkmjqan.exe ."	wearswdegok.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hnubswilz = "dvohkaynnfgyefqevgrjc.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\orvzno = "ofxprgdrqhhyddnaqakb.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\orvzno = "ofxprgdrqhhyddnaqakb.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bfkpegq = "brizaokxvlkaedmynwf.exe ."	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\orvzno = "ofxprgdrqhhyddnaqakb.exe"	bfkpegq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\orvzno = "brizaokxvlkaedmynwf.exe"	bfkpegq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hnubswilz = "qfvllytfcrpehfnymu.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vdmvouindlc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qfvllytfcrpehfnymu.exe ."	bfkpegq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hnubswilz = "dvohkaynnfgyefqevgrjc.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bfkpegq = "anbpnyrbwjfstpve.exe ."	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vdmvouindlc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ofxprgdrqhhyddnaqakb.exe ."	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bfkpegq = "hvkzykeplzwkmjqan.exe ."	bfkpegq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\orvzno = "anbpnyrbwjfstpve.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hnubswilz = "ofxprgdrqhhyddnaqakb.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bfkpegq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qfvllytfcrpehfnymu.exe ."	bfkpegq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bfkpegq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brizaokxvlkaedmynwf.exe ."	wearswdegok.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hnubswilz = "brizaokxvlkaedmynwf.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sblvpwlrirjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brizaokxvlkaedmynwf.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bfkpegq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dvohkaynnfgyefqevgrjc.exe ."	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sblvpwlrirjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hvkzykeplzwkmjqan.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ahpxpuhlah = "ofxprgdrqhhyddnaqakb.exe ."	bfkpegq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vdmvouindlc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\anbpnyrbwjfstpve.exe ."	bfkpegq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\orvzno = "hvkzykeplzwkmjqan.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ahpxpuhlah = "anbpnyrbwjfstpve.exe ."	wearswdegok.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bfkpegq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\anbpnyrbwjfstpve.exe ."	bfkpegq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hnubswilz = "dvohkaynnfgyefqevgrjc.exe"	bfkpegq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hnubswilz = "anbpnyrbwjfstpve.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\orvzno = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qfvllytfcrpehfnymu.exe"	bfkpegq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bfkpegq = "anbpnyrbwjfstpve.exe ."	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\orvzno = "brizaokxvlkaedmynwf.exe"	bfkpegq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vdmvouindlc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qfvllytfcrpehfnymu.exe ."	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bfkpegq = "qfvllytfcrpehfnymu.exe ."	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vdmvouindlc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brizaokxvlkaedmynwf.exe ."	bfkpegq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ahpxpuhlah = "anbpnyrbwjfstpve.exe ."	bfkpegq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ahpxpuhlah = "anbpnyrbwjfstpve.exe ."	wearswdegok.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bfkpegq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\anbpnyrbwjfstpve.exe ."	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sblvpwlrirjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brizaokxvlkaedmynwf.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vdmvouindlc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ofxprgdrqhhyddnaqakb.exe ."	wearswdegok.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bfkpegq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ofxprgdrqhhyddnaqakb.exe ."	bfkpegq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\orvzno = "qfvllytfcrpehfnymu.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vdmvouindlc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\anbpnyrbwjfstpve.exe ."	wearswdegok.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\orvzno = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qfvllytfcrpehfnymu.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sblvpwlrirjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hvkzykeplzwkmjqan.exe"	bfkpegq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sblvpwlrirjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brizaokxvlkaedmynwf.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bfkpegq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dvohkaynnfgyefqevgrjc.exe ."	bfkpegq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sblvpwlrirjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hvkzykeplzwkmjqan.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ahpxpuhlah = "ofxprgdrqhhyddnaqakb.exe ."	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sblvpwlrirjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qfvllytfcrpehfnymu.exe"	bfkpegq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sblvpwlrirjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qfvllytfcrpehfnymu.exe"	bfkpegq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hnubswilz = "dvohkaynnfgyefqevgrjc.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\orvzno = "qfvllytfcrpehfnymu.exe"	bfkpegq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\orvzno = "qfvllytfcrpehfnymu.exe"	bfkpegq.exe

Checks whether UAC is enabled 1 TTPs 32 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wearswdegok.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bfkpegq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wearswdegok.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wearswdegok.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wearswdegok.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bfkpegq.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wearswdegok.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wearswdegok.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wearswdegok.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bfkpegq.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bfkpegq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wearswdegok.exe

Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs

Possible Turn off User Account Control's privilege elevation for standard users.

Executable Installer File Permissions Weakness

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	bfkpegq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	bfkpegq.exe

Looks up external IP address via web service 7 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
30	www.showmyipaddress.com
39	whatismyipaddress.com
41	whatismyip.everdot.org
43	www.whatismyip.ca
45	whatismyip.everdot.org
50	whatismyip.everdot.org
29	www.whatismyip.ca

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\autorun.inf	bfkpegq.exe
File created	C:\autorun.inf	bfkpegq.exe
File opened for modification	F:\autorun.inf	bfkpegq.exe
File created	F:\autorun.inf	bfkpegq.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\brizaokxvlkaedmynwf.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\ofxprgdrqhhyddnaqakb.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\ofxprgdrqhhyddnaqakb.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\qfvllytfcrpehfnymu.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\brizaokxvlkaedmynwf.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\qfvllytfcrpehfnymu.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\anbpnyrbwjfstpve.exe	bfkpegq.exe
File opened for modification	C:\Windows\SysWOW64\brizaokxvlkaedmynwf.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\brizaokxvlkaedmynwf.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\anbpnyrbwjfstpve.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\sdpbxgxfyjdonhlscgkvhtpypxqbvgfzdkuy.nzl	bfkpegq.exe
File created	C:\Windows\SysWOW64\sdpbxgxfyjdonhlscgkvhtpypxqbvgfzdkuy.nzl	bfkpegq.exe
File opened for modification	C:\Windows\SysWOW64\hvkzykeplzwkmjqan.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\anbpnyrbwjfstpve.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\ofxprgdrqhhyddnaqakb.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\dvohkaynnfgyefqevgrjc.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\ofxprgdrqhhyddnaqakb.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\dvohkaynnfgyefqevgrjc.exe	bfkpegq.exe
File opened for modification	C:\Windows\SysWOW64\anbpnyrbwjfstpve.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\unhbfwvlmfhahjvkcoatnh.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\anbpnyrbwjfstpve.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\dvohkaynnfgyefqevgrjc.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\hvkzykeplzwkmjqan.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\ofxprgdrqhhyddnaqakb.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\dvohkaynnfgyefqevgrjc.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\qfvllytfcrpehfnymu.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\anbpnyrbwjfstpve.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\dvohkaynnfgyefqevgrjc.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\anbpnyrbwjfstpve.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\brizaokxvlkaedmynwf.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\hvkzykeplzwkmjqan.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\brizaokxvlkaedmynwf.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\hvkzykeplzwkmjqan.exe	wearswdegok.exe
File created	C:\Windows\SysWOW64\nnopayebjjssgpiedwppqrcag.llu	bfkpegq.exe
File opened for modification	C:\Windows\SysWOW64\anbpnyrbwjfstpve.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\ofxprgdrqhhyddnaqakb.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\dvohkaynnfgyefqevgrjc.exe	bfkpegq.exe
File opened for modification	C:\Windows\SysWOW64\unhbfwvlmfhahjvkcoatnh.exe	bfkpegq.exe
File opened for modification	C:\Windows\SysWOW64\anbpnyrbwjfstpve.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\hvkzykeplzwkmjqan.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\unhbfwvlmfhahjvkcoatnh.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\qfvllytfcrpehfnymu.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\ofxprgdrqhhyddnaqakb.exe	bfkpegq.exe
File opened for modification	C:\Windows\SysWOW64\unhbfwvlmfhahjvkcoatnh.exe	bfkpegq.exe
File opened for modification	C:\Windows\SysWOW64\unhbfwvlmfhahjvkcoatnh.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\ofxprgdrqhhyddnaqakb.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\unhbfwvlmfhahjvkcoatnh.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\anbpnyrbwjfstpve.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\anbpnyrbwjfstpve.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\dvohkaynnfgyefqevgrjc.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\unhbfwvlmfhahjvkcoatnh.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\qfvllytfcrpehfnymu.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\hvkzykeplzwkmjqan.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\dvohkaynnfgyefqevgrjc.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\unhbfwvlmfhahjvkcoatnh.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\unhbfwvlmfhahjvkcoatnh.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\hvkzykeplzwkmjqan.exe	bfkpegq.exe
File opened for modification	C:\Windows\SysWOW64\dvohkaynnfgyefqevgrjc.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\qfvllytfcrpehfnymu.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\brizaokxvlkaedmynwf.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\qfvllytfcrpehfnymu.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\dvohkaynnfgyefqevgrjc.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\brizaokxvlkaedmynwf.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\dvohkaynnfgyefqevgrjc.exe	wearswdegok.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\nnopayebjjssgpiedwppqrcag.llu	bfkpegq.exe
File opened for modification	C:\Program Files (x86)\sdpbxgxfyjdonhlscgkvhtpypxqbvgfzdkuy.nzl	bfkpegq.exe
File created	C:\Program Files (x86)\sdpbxgxfyjdonhlscgkvhtpypxqbvgfzdkuy.nzl	bfkpegq.exe
File opened for modification	C:\Program Files (x86)\nnopayebjjssgpiedwppqrcag.llu	bfkpegq.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\unhbfwvlmfhahjvkcoatnh.exe	wearswdegok.exe
File opened for modification	C:\Windows\hvkzykeplzwkmjqan.exe	wearswdegok.exe
File opened for modification	C:\Windows\ofxprgdrqhhyddnaqakb.exe	wearswdegok.exe
File opened for modification	C:\Windows\unhbfwvlmfhahjvkcoatnh.exe	wearswdegok.exe
File opened for modification	C:\Windows\qfvllytfcrpehfnymu.exe	wearswdegok.exe
File opened for modification	C:\Windows\anbpnyrbwjfstpve.exe	wearswdegok.exe
File opened for modification	C:\Windows\ofxprgdrqhhyddnaqakb.exe	wearswdegok.exe
File opened for modification	C:\Windows\dvohkaynnfgyefqevgrjc.exe	wearswdegok.exe
File opened for modification	C:\Windows\ofxprgdrqhhyddnaqakb.exe	wearswdegok.exe
File opened for modification	C:\Windows\hvkzykeplzwkmjqan.exe	wearswdegok.exe
File opened for modification	C:\Windows\dvohkaynnfgyefqevgrjc.exe	bfkpegq.exe
File created	C:\Windows\nnopayebjjssgpiedwppqrcag.llu	bfkpegq.exe
File opened for modification	C:\Windows\unhbfwvlmfhahjvkcoatnh.exe	wearswdegok.exe
File opened for modification	C:\Windows\dvohkaynnfgyefqevgrjc.exe	wearswdegok.exe
File opened for modification	C:\Windows\hvkzykeplzwkmjqan.exe	wearswdegok.exe
File opened for modification	C:\Windows\dvohkaynnfgyefqevgrjc.exe	wearswdegok.exe
File opened for modification	C:\Windows\hvkzykeplzwkmjqan.exe	wearswdegok.exe
File opened for modification	C:\Windows\hvkzykeplzwkmjqan.exe	wearswdegok.exe
File opened for modification	C:\Windows\hvkzykeplzwkmjqan.exe	wearswdegok.exe
File opened for modification	C:\Windows\unhbfwvlmfhahjvkcoatnh.exe	wearswdegok.exe
File opened for modification	C:\Windows\anbpnyrbwjfstpve.exe	bfkpegq.exe
File opened for modification	C:\Windows\dvohkaynnfgyefqevgrjc.exe	wearswdegok.exe
File opened for modification	C:\Windows\hvkzykeplzwkmjqan.exe	wearswdegok.exe
File opened for modification	C:\Windows\unhbfwvlmfhahjvkcoatnh.exe	wearswdegok.exe
File opened for modification	C:\Windows\qfvllytfcrpehfnymu.exe	bfkpegq.exe
File opened for modification	C:\Windows\dvohkaynnfgyefqevgrjc.exe	bfkpegq.exe
File opened for modification	C:\Windows\qfvllytfcrpehfnymu.exe	wearswdegok.exe
File opened for modification	C:\Windows\anbpnyrbwjfstpve.exe	wearswdegok.exe
File opened for modification	C:\Windows\hvkzykeplzwkmjqan.exe	wearswdegok.exe
File opened for modification	C:\Windows\qfvllytfcrpehfnymu.exe	wearswdegok.exe
File opened for modification	C:\Windows\ofxprgdrqhhyddnaqakb.exe	wearswdegok.exe
File opened for modification	C:\Windows\qfvllytfcrpehfnymu.exe	wearswdegok.exe
File opened for modification	C:\Windows\brizaokxvlkaedmynwf.exe	wearswdegok.exe
File opened for modification	C:\Windows\unhbfwvlmfhahjvkcoatnh.exe	wearswdegok.exe
File opened for modification	C:\Windows\dvohkaynnfgyefqevgrjc.exe	wearswdegok.exe
File opened for modification	C:\Windows\brizaokxvlkaedmynwf.exe	bfkpegq.exe
File opened for modification	C:\Windows\brizaokxvlkaedmynwf.exe	wearswdegok.exe
File opened for modification	C:\Windows\unhbfwvlmfhahjvkcoatnh.exe	wearswdegok.exe
File opened for modification	C:\Windows\anbpnyrbwjfstpve.exe	wearswdegok.exe
File opened for modification	C:\Windows\qfvllytfcrpehfnymu.exe	wearswdegok.exe
File opened for modification	C:\Windows\qfvllytfcrpehfnymu.exe	wearswdegok.exe
File opened for modification	C:\Windows\unhbfwvlmfhahjvkcoatnh.exe	wearswdegok.exe
File opened for modification	C:\Windows\brizaokxvlkaedmynwf.exe	wearswdegok.exe
File opened for modification	C:\Windows\anbpnyrbwjfstpve.exe	wearswdegok.exe
File opened for modification	C:\Windows\unhbfwvlmfhahjvkcoatnh.exe	wearswdegok.exe
File opened for modification	C:\Windows\dvohkaynnfgyefqevgrjc.exe	wearswdegok.exe
File opened for modification	C:\Windows\qfvllytfcrpehfnymu.exe	wearswdegok.exe
File opened for modification	C:\Windows\ofxprgdrqhhyddnaqakb.exe	wearswdegok.exe
File opened for modification	C:\Windows\brizaokxvlkaedmynwf.exe	wearswdegok.exe
File opened for modification	C:\Windows\qfvllytfcrpehfnymu.exe	wearswdegok.exe
File opened for modification	C:\Windows\dvohkaynnfgyefqevgrjc.exe	wearswdegok.exe
File opened for modification	C:\Windows\ofxprgdrqhhyddnaqakb.exe	bfkpegq.exe
File opened for modification	C:\Windows\hvkzykeplzwkmjqan.exe	wearswdegok.exe
File opened for modification	C:\Windows\ofxprgdrqhhyddnaqakb.exe	wearswdegok.exe
File opened for modification	C:\Windows\ofxprgdrqhhyddnaqakb.exe	wearswdegok.exe
File opened for modification	C:\Windows\unhbfwvlmfhahjvkcoatnh.exe	wearswdegok.exe
File opened for modification	C:\Windows\qfvllytfcrpehfnymu.exe	wearswdegok.exe
File opened for modification	C:\Windows\anbpnyrbwjfstpve.exe	bfkpegq.exe
File opened for modification	C:\Windows\dvohkaynnfgyefqevgrjc.exe	wearswdegok.exe
File opened for modification	C:\Windows\anbpnyrbwjfstpve.exe	wearswdegok.exe
File opened for modification	C:\Windows\ofxprgdrqhhyddnaqakb.exe	wearswdegok.exe
File opened for modification	C:\Windows\qfvllytfcrpehfnymu.exe	wearswdegok.exe
File opened for modification	C:\Windows\anbpnyrbwjfstpve.exe	wearswdegok.exe
File opened for modification	C:\Windows\anbpnyrbwjfstpve.exe	wearswdegok.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ofxprgdrqhhyddnaqakb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	brizaokxvlkaedmynwf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	anbpnyrbwjfstpve.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	brizaokxvlkaedmynwf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qfvllytfcrpehfnymu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hvkzykeplzwkmjqan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dvohkaynnfgyefqevgrjc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	anbpnyrbwjfstpve.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qfvllytfcrpehfnymu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	brizaokxvlkaedmynwf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	anbpnyrbwjfstpve.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dvohkaynnfgyefqevgrjc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dvohkaynnfgyefqevgrjc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dvohkaynnfgyefqevgrjc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dvohkaynnfgyefqevgrjc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qfvllytfcrpehfnymu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hvkzykeplzwkmjqan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dvohkaynnfgyefqevgrjc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ofxprgdrqhhyddnaqakb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	brizaokxvlkaedmynwf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qfvllytfcrpehfnymu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qfvllytfcrpehfnymu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qfvllytfcrpehfnymu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	brizaokxvlkaedmynwf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bfkpegq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dvohkaynnfgyefqevgrjc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qfvllytfcrpehfnymu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dvohkaynnfgyefqevgrjc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	brizaokxvlkaedmynwf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dvohkaynnfgyefqevgrjc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qfvllytfcrpehfnymu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	brizaokxvlkaedmynwf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	anbpnyrbwjfstpve.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ofxprgdrqhhyddnaqakb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dvohkaynnfgyefqevgrjc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ofxprgdrqhhyddnaqakb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ofxprgdrqhhyddnaqakb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	brizaokxvlkaedmynwf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qfvllytfcrpehfnymu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dvohkaynnfgyefqevgrjc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	anbpnyrbwjfstpve.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hvkzykeplzwkmjqan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	brizaokxvlkaedmynwf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	brizaokxvlkaedmynwf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	anbpnyrbwjfstpve.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	anbpnyrbwjfstpve.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	anbpnyrbwjfstpve.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qfvllytfcrpehfnymu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	brizaokxvlkaedmynwf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hvkzykeplzwkmjqan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hvkzykeplzwkmjqan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hvkzykeplzwkmjqan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	brizaokxvlkaedmynwf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dvohkaynnfgyefqevgrjc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	brizaokxvlkaedmynwf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hvkzykeplzwkmjqan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	anbpnyrbwjfstpve.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hvkzykeplzwkmjqan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	anbpnyrbwjfstpve.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	anbpnyrbwjfstpve.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	anbpnyrbwjfstpve.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	brizaokxvlkaedmynwf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	brizaokxvlkaedmynwf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ofxprgdrqhhyddnaqakb.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
800	JaffaCakes118_9573b06e5dbcb0a2dac71b4ba63da8dc.exe
800	JaffaCakes118_9573b06e5dbcb0a2dac71b4ba63da8dc.exe
800	JaffaCakes118_9573b06e5dbcb0a2dac71b4ba63da8dc.exe
800	JaffaCakes118_9573b06e5dbcb0a2dac71b4ba63da8dc.exe
800	JaffaCakes118_9573b06e5dbcb0a2dac71b4ba63da8dc.exe
800	JaffaCakes118_9573b06e5dbcb0a2dac71b4ba63da8dc.exe
800	JaffaCakes118_9573b06e5dbcb0a2dac71b4ba63da8dc.exe
800	JaffaCakes118_9573b06e5dbcb0a2dac71b4ba63da8dc.exe
800	JaffaCakes118_9573b06e5dbcb0a2dac71b4ba63da8dc.exe
800	JaffaCakes118_9573b06e5dbcb0a2dac71b4ba63da8dc.exe
800	JaffaCakes118_9573b06e5dbcb0a2dac71b4ba63da8dc.exe
800	JaffaCakes118_9573b06e5dbcb0a2dac71b4ba63da8dc.exe
800	JaffaCakes118_9573b06e5dbcb0a2dac71b4ba63da8dc.exe
800	JaffaCakes118_9573b06e5dbcb0a2dac71b4ba63da8dc.exe
3716	bfkpegq.exe
3716	bfkpegq.exe
800	JaffaCakes118_9573b06e5dbcb0a2dac71b4ba63da8dc.exe
800	JaffaCakes118_9573b06e5dbcb0a2dac71b4ba63da8dc.exe
800	JaffaCakes118_9573b06e5dbcb0a2dac71b4ba63da8dc.exe
800	JaffaCakes118_9573b06e5dbcb0a2dac71b4ba63da8dc.exe
800	JaffaCakes118_9573b06e5dbcb0a2dac71b4ba63da8dc.exe
800	JaffaCakes118_9573b06e5dbcb0a2dac71b4ba63da8dc.exe
800	JaffaCakes118_9573b06e5dbcb0a2dac71b4ba63da8dc.exe
800	JaffaCakes118_9573b06e5dbcb0a2dac71b4ba63da8dc.exe
800	JaffaCakes118_9573b06e5dbcb0a2dac71b4ba63da8dc.exe
800	JaffaCakes118_9573b06e5dbcb0a2dac71b4ba63da8dc.exe
800	JaffaCakes118_9573b06e5dbcb0a2dac71b4ba63da8dc.exe
800	JaffaCakes118_9573b06e5dbcb0a2dac71b4ba63da8dc.exe
800	JaffaCakes118_9573b06e5dbcb0a2dac71b4ba63da8dc.exe
800	JaffaCakes118_9573b06e5dbcb0a2dac71b4ba63da8dc.exe
800	JaffaCakes118_9573b06e5dbcb0a2dac71b4ba63da8dc.exe
800	JaffaCakes118_9573b06e5dbcb0a2dac71b4ba63da8dc.exe
800	JaffaCakes118_9573b06e5dbcb0a2dac71b4ba63da8dc.exe
800	JaffaCakes118_9573b06e5dbcb0a2dac71b4ba63da8dc.exe
800	JaffaCakes118_9573b06e5dbcb0a2dac71b4ba63da8dc.exe
800	JaffaCakes118_9573b06e5dbcb0a2dac71b4ba63da8dc.exe
800	JaffaCakes118_9573b06e5dbcb0a2dac71b4ba63da8dc.exe
800	JaffaCakes118_9573b06e5dbcb0a2dac71b4ba63da8dc.exe
800	JaffaCakes118_9573b06e5dbcb0a2dac71b4ba63da8dc.exe
800	JaffaCakes118_9573b06e5dbcb0a2dac71b4ba63da8dc.exe
800	JaffaCakes118_9573b06e5dbcb0a2dac71b4ba63da8dc.exe
800	JaffaCakes118_9573b06e5dbcb0a2dac71b4ba63da8dc.exe
800	JaffaCakes118_9573b06e5dbcb0a2dac71b4ba63da8dc.exe
800	JaffaCakes118_9573b06e5dbcb0a2dac71b4ba63da8dc.exe
800	JaffaCakes118_9573b06e5dbcb0a2dac71b4ba63da8dc.exe
800	JaffaCakes118_9573b06e5dbcb0a2dac71b4ba63da8dc.exe
3716	bfkpegq.exe
3716	bfkpegq.exe
800	JaffaCakes118_9573b06e5dbcb0a2dac71b4ba63da8dc.exe
800	JaffaCakes118_9573b06e5dbcb0a2dac71b4ba63da8dc.exe
800	JaffaCakes118_9573b06e5dbcb0a2dac71b4ba63da8dc.exe
800	JaffaCakes118_9573b06e5dbcb0a2dac71b4ba63da8dc.exe
800	JaffaCakes118_9573b06e5dbcb0a2dac71b4ba63da8dc.exe
800	JaffaCakes118_9573b06e5dbcb0a2dac71b4ba63da8dc.exe
800	JaffaCakes118_9573b06e5dbcb0a2dac71b4ba63da8dc.exe
800	JaffaCakes118_9573b06e5dbcb0a2dac71b4ba63da8dc.exe
800	JaffaCakes118_9573b06e5dbcb0a2dac71b4ba63da8dc.exe
800	JaffaCakes118_9573b06e5dbcb0a2dac71b4ba63da8dc.exe
800	JaffaCakes118_9573b06e5dbcb0a2dac71b4ba63da8dc.exe
800	JaffaCakes118_9573b06e5dbcb0a2dac71b4ba63da8dc.exe
800	JaffaCakes118_9573b06e5dbcb0a2dac71b4ba63da8dc.exe
800	JaffaCakes118_9573b06e5dbcb0a2dac71b4ba63da8dc.exe
800	JaffaCakes118_9573b06e5dbcb0a2dac71b4ba63da8dc.exe
800	JaffaCakes118_9573b06e5dbcb0a2dac71b4ba63da8dc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3716	bfkpegq.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 800 wrote to memory of 5068	800	JaffaCakes118_9573b06e5dbcb0a2dac71b4ba63da8dc.exe	89
PID 800 wrote to memory of 5068	800	JaffaCakes118_9573b06e5dbcb0a2dac71b4ba63da8dc.exe	89
PID 800 wrote to memory of 5068	800	JaffaCakes118_9573b06e5dbcb0a2dac71b4ba63da8dc.exe	89
PID 3968 wrote to memory of 3620	3968	cmd.exe	92
PID 3968 wrote to memory of 3620	3968	cmd.exe	92
PID 3968 wrote to memory of 3620	3968	cmd.exe	92
PID 4944 wrote to memory of 3360	4944	cmd.exe	157
PID 4944 wrote to memory of 3360	4944	cmd.exe	157
PID 4944 wrote to memory of 3360	4944	cmd.exe	157
PID 3360 wrote to memory of 6140	3360	hvkzykeplzwkmjqan.exe	98
PID 3360 wrote to memory of 6140	3360	hvkzykeplzwkmjqan.exe	98
PID 3360 wrote to memory of 6140	3360	hvkzykeplzwkmjqan.exe	98
PID 2640 wrote to memory of 2980	2640	cmd.exe	101
PID 2640 wrote to memory of 2980	2640	cmd.exe	101
PID 2640 wrote to memory of 2980	2640	cmd.exe	101
PID 2380 wrote to memory of 2692	2380	cmd.exe	295
PID 2380 wrote to memory of 2692	2380	cmd.exe	295
PID 2380 wrote to memory of 2692	2380	cmd.exe	295
PID 2692 wrote to memory of 1344	2692	anbpnyrbwjfstpve.exe	107
PID 2692 wrote to memory of 1344	2692	anbpnyrbwjfstpve.exe	107
PID 2692 wrote to memory of 1344	2692	anbpnyrbwjfstpve.exe	107
PID 1396 wrote to memory of 4448	1396	cmd.exe	110
PID 1396 wrote to memory of 4448	1396	cmd.exe	110
PID 1396 wrote to memory of 4448	1396	cmd.exe	110
PID 3956 wrote to memory of 1888	3956	cmd.exe	111
PID 3956 wrote to memory of 1888	3956	cmd.exe	111
PID 3956 wrote to memory of 1888	3956	cmd.exe	111
PID 1888 wrote to memory of 1052	1888	qfvllytfcrpehfnymu.exe	112
PID 1888 wrote to memory of 1052	1888	qfvllytfcrpehfnymu.exe	112
PID 1888 wrote to memory of 1052	1888	qfvllytfcrpehfnymu.exe	112
PID 5676 wrote to memory of 3588	5676	cmd.exe	115
PID 5676 wrote to memory of 3588	5676	cmd.exe	115
PID 5676 wrote to memory of 3588	5676	cmd.exe	115
PID 5300 wrote to memory of 4344	5300	cmd.exe	243
PID 5300 wrote to memory of 4344	5300	cmd.exe	243
PID 5300 wrote to memory of 4344	5300	cmd.exe	243
PID 4344 wrote to memory of 2908	4344	dvohkaynnfgyefqevgrjc.exe	120
PID 4344 wrote to memory of 2908	4344	dvohkaynnfgyefqevgrjc.exe	120
PID 4344 wrote to memory of 2908	4344	dvohkaynnfgyefqevgrjc.exe	120
PID 5068 wrote to memory of 3716	5068	wearswdegok.exe	122
PID 5068 wrote to memory of 3716	5068	wearswdegok.exe	122
PID 5068 wrote to memory of 3716	5068	wearswdegok.exe	122
PID 5068 wrote to memory of 6104	5068	wearswdegok.exe	123
PID 5068 wrote to memory of 6104	5068	wearswdegok.exe	123
PID 5068 wrote to memory of 6104	5068	wearswdegok.exe	123
PID 2424 wrote to memory of 3080	2424	cmd.exe	260
PID 2424 wrote to memory of 3080	2424	cmd.exe	260
PID 2424 wrote to memory of 3080	2424	cmd.exe	260
PID 3684 wrote to memory of 3860	3684	cmd.exe	129
PID 3684 wrote to memory of 3860	3684	cmd.exe	129
PID 3684 wrote to memory of 3860	3684	cmd.exe	129
PID 4644 wrote to memory of 3092	4644	cmd.exe	134
PID 4644 wrote to memory of 3092	4644	cmd.exe	134
PID 4644 wrote to memory of 3092	4644	cmd.exe	134
PID 4364 wrote to memory of 4460	4364	cmd.exe	135
PID 4364 wrote to memory of 4460	4364	cmd.exe	135
PID 4364 wrote to memory of 4460	4364	cmd.exe	135
PID 3092 wrote to memory of 5044	3092	brizaokxvlkaedmynwf.exe	141
PID 3092 wrote to memory of 5044	3092	brizaokxvlkaedmynwf.exe	141
PID 3092 wrote to memory of 5044	3092	brizaokxvlkaedmynwf.exe	141
PID 4460 wrote to memory of 5064	4460	brizaokxvlkaedmynwf.exe	143
PID 4460 wrote to memory of 5064	4460	brizaokxvlkaedmynwf.exe	143
PID 4460 wrote to memory of 5064	4460	brizaokxvlkaedmynwf.exe	143
PID 2008 wrote to memory of 4896	2008	cmd.exe	142

System policy modification 1 TTPs 62 IoCs

defense_evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bfkpegq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bfkpegq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bfkpegq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bfkpegq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bfkpegq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wearswdegok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	wearswdegok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	bfkpegq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wearswdegok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	bfkpegq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	bfkpegq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	bfkpegq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	bfkpegq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	bfkpegq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bfkpegq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	bfkpegq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	bfkpegq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	bfkpegq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bfkpegq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	bfkpegq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	bfkpegq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	bfkpegq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	bfkpegq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	bfkpegq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bfkpegq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	bfkpegq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	bfkpegq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wearswdegok.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9573b06e5dbcb0a2dac71b4ba63da8dc.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9573b06e5dbcb0a2dac71b4ba63da8dc.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:800
- C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
  "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_9573b06e5dbcb0a2dac71b4ba63da8dc.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Hijack Execution Flow: Executable Installer File Permissions Weakness
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:5068
- - C:\Users\Admin\AppData\Local\Temp\bfkpegq.exe
    "C:\Users\Admin\AppData\Local\Temp\bfkpegq.exe" "-c:\users\admin\appdata\local\temp\jaffacakes118_9573b06e5dbcb0a2dac71b4ba63da8dc.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:3716
- - C:\Users\Admin\AppData\Local\Temp\bfkpegq.exe
    "C:\Users\Admin\AppData\Local\Temp\bfkpegq.exe" "-c:\users\admin\appdata\local\temp\jaffacakes118_9573b06e5dbcb0a2dac71b4ba63da8dc.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:6104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hvkzykeplzwkmjqan.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3968
- C:\Windows\hvkzykeplzwkmjqan.exe
  hvkzykeplzwkmjqan.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hvkzykeplzwkmjqan.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:4944
- C:\Windows\hvkzykeplzwkmjqan.exe
  hvkzykeplzwkmjqan.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3360
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\hvkzykeplzwkmjqan.exe*."
    3⤵
    - Executes dropped EXE
    PID:6140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qfvllytfcrpehfnymu.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Windows\qfvllytfcrpehfnymu.exe
  qfvllytfcrpehfnymu.exe
  2⤵
  - Executes dropped EXE
  PID:2980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c anbpnyrbwjfstpve.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\anbpnyrbwjfstpve.exe
  anbpnyrbwjfstpve.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\anbpnyrbwjfstpve.exe*."
    3⤵
    - Executes dropped EXE
    PID:1344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvkzykeplzwkmjqan.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1396
- C:\Users\Admin\AppData\Local\Temp\hvkzykeplzwkmjqan.exe
  C:\Users\Admin\AppData\Local\Temp\hvkzykeplzwkmjqan.exe
  2⤵
  - Executes dropped EXE
  PID:4448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:3956
- C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
  C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1888
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\qfvllytfcrpehfnymu.exe*."
    3⤵
    - Executes dropped EXE
    PID:1052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5676
- C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe
  C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:5300
- C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe
  C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4344
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\dvohkaynnfgyefqevgrjc.exe*."
    3⤵
    - Executes dropped EXE
    PID:2908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dvohkaynnfgyefqevgrjc.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Windows\dvohkaynnfgyefqevgrjc.exe
  dvohkaynnfgyefqevgrjc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dvohkaynnfgyefqevgrjc.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3684
- C:\Windows\dvohkaynnfgyefqevgrjc.exe
  dvohkaynnfgyefqevgrjc.exe
  2⤵
  - Executes dropped EXE
  PID:3860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brizaokxvlkaedmynwf.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:4644
- C:\Windows\brizaokxvlkaedmynwf.exe
  brizaokxvlkaedmynwf.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3092
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\brizaokxvlkaedmynwf.exe*."
    3⤵
    - Executes dropped EXE
    PID:5044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brizaokxvlkaedmynwf.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:4364
- C:\Windows\brizaokxvlkaedmynwf.exe
  brizaokxvlkaedmynwf.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4460
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\brizaokxvlkaedmynwf.exe*."
    3⤵
    - Executes dropped EXE
    PID:5064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dvohkaynnfgyefqevgrjc.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Windows\dvohkaynnfgyefqevgrjc.exe
  dvohkaynnfgyefqevgrjc.exe
  2⤵
  - Executes dropped EXE
  PID:4896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dvohkaynnfgyefqevgrjc.exe
1⤵
PID:2460
- C:\Windows\dvohkaynnfgyefqevgrjc.exe
  dvohkaynnfgyefqevgrjc.exe
  2⤵
  - Executes dropped EXE
  PID:3708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ofxprgdrqhhyddnaqakb.exe .
1⤵
PID:3060
- C:\Windows\ofxprgdrqhhyddnaqakb.exe
  ofxprgdrqhhyddnaqakb.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4196
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\ofxprgdrqhhyddnaqakb.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ofxprgdrqhhyddnaqakb.exe .
1⤵
PID:5104
- C:\Windows\ofxprgdrqhhyddnaqakb.exe
  ofxprgdrqhhyddnaqakb.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:5588
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\ofxprgdrqhhyddnaqakb.exe*."
    3⤵
    - Executes dropped EXE
    PID:2944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
1⤵
PID:5260
- C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
  C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
  2⤵
  - Executes dropped EXE
  PID:3360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
1⤵
PID:5196
- C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
  C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
  2⤵
  - Executes dropped EXE
  PID:1428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe .
1⤵
PID:468
- C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe
  C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1352
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\brizaokxvlkaedmynwf.exe*."
    3⤵
    - Executes dropped EXE
    PID:5376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe .
1⤵
PID:2224
- C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe
  C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1284
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\brizaokxvlkaedmynwf.exe*."
    3⤵
    - Executes dropped EXE
    PID:3056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe
1⤵
PID:4388
- C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe
  C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe
  2⤵
  - Executes dropped EXE
  PID:3160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe
1⤵
PID:312
- C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe
  C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe
  2⤵
  - Executes dropped EXE
  PID:3524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe .
1⤵
PID:2564
- C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
  C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe .
  2⤵
  - Executes dropped EXE
  PID:3164
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\qfvllytfcrpehfnymu.exe*."
    3⤵
    - Executes dropped EXE
    PID:668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe .
1⤵
PID:224
- C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
  C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5840
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\qfvllytfcrpehfnymu.exe*."
    3⤵
    - Executes dropped EXE
    PID:4136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qfvllytfcrpehfnymu.exe
1⤵
PID:6076
- C:\Windows\qfvllytfcrpehfnymu.exe
  qfvllytfcrpehfnymu.exe
  2⤵
  - Executes dropped EXE
  PID:2040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brizaokxvlkaedmynwf.exe .
1⤵
PID:5348
- C:\Windows\brizaokxvlkaedmynwf.exe
  brizaokxvlkaedmynwf.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:1824
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\brizaokxvlkaedmynwf.exe*."
    3⤵
    - Executes dropped EXE
    PID:4024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c anbpnyrbwjfstpve.exe
1⤵
PID:5824
- C:\Windows\anbpnyrbwjfstpve.exe
  anbpnyrbwjfstpve.exe
  2⤵
  - Executes dropped EXE
  PID:5964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ofxprgdrqhhyddnaqakb.exe .
1⤵
PID:3684
- C:\Windows\ofxprgdrqhhyddnaqakb.exe
  ofxprgdrqhhyddnaqakb.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2080
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\ofxprgdrqhhyddnaqakb.exe*."
    3⤵
    - Executes dropped EXE
    PID:5976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe
1⤵
PID:4720
- C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe
  C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe
  2⤵
  - Executes dropped EXE
  PID:4856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe .
1⤵
PID:3144
- C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe
  C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4480
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\anbpnyrbwjfstpve.exe*."
    3⤵
    - Executes dropped EXE
    PID:5096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
1⤵
PID:4692
- C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
  C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
  2⤵
  - Executes dropped EXE
  PID:5064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe .
1⤵
PID:1612
- C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe
  C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1476
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\brizaokxvlkaedmynwf.exe*."
    3⤵
    - Executes dropped EXE
    PID:3892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ofxprgdrqhhyddnaqakb.exe
1⤵
PID:3096
- C:\Windows\ofxprgdrqhhyddnaqakb.exe
  ofxprgdrqhhyddnaqakb.exe
  2⤵
  - Executes dropped EXE
  PID:5220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ofxprgdrqhhyddnaqakb.exe
1⤵
PID:4364
- C:\Windows\ofxprgdrqhhyddnaqakb.exe
  ofxprgdrqhhyddnaqakb.exe
  2⤵
  - Executes dropped EXE
  PID:5792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hvkzykeplzwkmjqan.exe .
1⤵
PID:3972
- C:\Windows\hvkzykeplzwkmjqan.exe
  hvkzykeplzwkmjqan.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3352
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\hvkzykeplzwkmjqan.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hvkzykeplzwkmjqan.exe .
1⤵
PID:1428
- C:\Windows\hvkzykeplzwkmjqan.exe
  hvkzykeplzwkmjqan.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:1548
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\hvkzykeplzwkmjqan.exe*."
    3⤵
    - Executes dropped EXE
    PID:4320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hvkzykeplzwkmjqan.exe
1⤵
PID:5608
- C:\Windows\hvkzykeplzwkmjqan.exe
  hvkzykeplzwkmjqan.exe
  2⤵
  - Executes dropped EXE
  PID:1960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hvkzykeplzwkmjqan.exe
1⤵
PID:2540
- C:\Windows\hvkzykeplzwkmjqan.exe
  hvkzykeplzwkmjqan.exe
  2⤵
  - Executes dropped EXE
  PID:1876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dvohkaynnfgyefqevgrjc.exe .
1⤵
PID:5916
- C:\Windows\dvohkaynnfgyefqevgrjc.exe
  dvohkaynnfgyefqevgrjc.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3164
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\dvohkaynnfgyefqevgrjc.exe*."
    3⤵
    PID:2940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dvohkaynnfgyefqevgrjc.exe .
1⤵
PID:3956
- C:\Windows\dvohkaynnfgyefqevgrjc.exe
  dvohkaynnfgyefqevgrjc.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5164
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\dvohkaynnfgyefqevgrjc.exe*."
    3⤵
    PID:3080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe
1⤵
PID:2244
- C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe
  C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe
  2⤵
  - Executes dropped EXE
  PID:4332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe
1⤵
PID:3056
- C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe
  C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe
  2⤵
  PID:112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe .
1⤵
PID:3260
- C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe
  C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5616
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\brizaokxvlkaedmynwf.exe*."
    3⤵
    PID:5964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvkzykeplzwkmjqan.exe .
1⤵
PID:2300
- C:\Users\Admin\AppData\Local\Temp\hvkzykeplzwkmjqan.exe
  C:\Users\Admin\AppData\Local\Temp\hvkzykeplzwkmjqan.exe .
  2⤵
  - Executes dropped EXE
  PID:4192
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\hvkzykeplzwkmjqan.exe*."
    3⤵
    PID:4004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dvohkaynnfgyefqevgrjc.exe
1⤵
PID:4344
- C:\Windows\dvohkaynnfgyefqevgrjc.exe
  dvohkaynnfgyefqevgrjc.exe
  2⤵
  PID:5660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe
1⤵
PID:2220
- C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe
  C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe
  2⤵
  PID:5900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe
1⤵
PID:3160
- C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe
  C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe
  2⤵
  PID:6112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ofxprgdrqhhyddnaqakb.exe .
1⤵
PID:4044
- C:\Windows\ofxprgdrqhhyddnaqakb.exe
  ofxprgdrqhhyddnaqakb.exe .
  2⤵
  - Checks computer location settings
  PID:2832
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\ofxprgdrqhhyddnaqakb.exe*."
    3⤵
    PID:2688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe .
1⤵
PID:3760
- C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe
  C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe .
  2⤵
  - Checks computer location settings
  PID:4076
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\anbpnyrbwjfstpve.exe*."
    3⤵
    PID:5732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe .
1⤵
PID:3984
- C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe
  C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe .
  2⤵
  - Checks computer location settings
  PID:5236
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\ofxprgdrqhhyddnaqakb.exe*."
    3⤵
    PID:4896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hvkzykeplzwkmjqan.exe
1⤵
PID:5172
- C:\Windows\hvkzykeplzwkmjqan.exe
  hvkzykeplzwkmjqan.exe
  2⤵
  PID:5596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qfvllytfcrpehfnymu.exe .
1⤵
PID:2704
- C:\Windows\qfvllytfcrpehfnymu.exe
  qfvllytfcrpehfnymu.exe .
  2⤵
  - Checks computer location settings
  PID:4760
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\qfvllytfcrpehfnymu.exe*."
    3⤵
    PID:3580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe
1⤵
PID:1792
- C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe
  C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe
  2⤵
  PID:2408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe .
1⤵
PID:4456
- C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe
  C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe .
  2⤵
  PID:3868
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\ofxprgdrqhhyddnaqakb.exe*."
    3⤵
    PID:5356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe
1⤵
PID:2264
- C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe
  C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe
  2⤵
  PID:4108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe .
1⤵
PID:3276
- C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe
  C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1496
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\brizaokxvlkaedmynwf.exe*."
    3⤵
    PID:3968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:2692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hvkzykeplzwkmjqan.exe
1⤵
PID:5260
- C:\Windows\hvkzykeplzwkmjqan.exe
  hvkzykeplzwkmjqan.exe
  2⤵
  PID:4352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c anbpnyrbwjfstpve.exe
1⤵
PID:3536
- C:\Windows\anbpnyrbwjfstpve.exe
  anbpnyrbwjfstpve.exe
  2⤵
  PID:1668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dvohkaynnfgyefqevgrjc.exe .
1⤵
PID:2636
- C:\Windows\dvohkaynnfgyefqevgrjc.exe
  dvohkaynnfgyefqevgrjc.exe .
  2⤵
  - Checks computer location settings
  PID:1284
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\dvohkaynnfgyefqevgrjc.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c anbpnyrbwjfstpve.exe .
1⤵
PID:2744
- C:\Windows\anbpnyrbwjfstpve.exe
  anbpnyrbwjfstpve.exe .
  2⤵
  PID:3380
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\anbpnyrbwjfstpve.exe*."
    3⤵
    PID:3192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qfvllytfcrpehfnymu.exe
1⤵
PID:5816
- C:\Windows\qfvllytfcrpehfnymu.exe
  qfvllytfcrpehfnymu.exe
  2⤵
  PID:3140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dvohkaynnfgyefqevgrjc.exe
1⤵
PID:5020
- C:\Windows\dvohkaynnfgyefqevgrjc.exe
  dvohkaynnfgyefqevgrjc.exe
  2⤵
  PID:5988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hvkzykeplzwkmjqan.exe .
1⤵
PID:5284
- C:\Windows\hvkzykeplzwkmjqan.exe
  hvkzykeplzwkmjqan.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5928
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\hvkzykeplzwkmjqan.exe*."
    3⤵
    PID:3260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c anbpnyrbwjfstpve.exe .
1⤵
PID:4192
- C:\Windows\anbpnyrbwjfstpve.exe
  anbpnyrbwjfstpve.exe .
  2⤵
  PID:3620
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\anbpnyrbwjfstpve.exe*."
    3⤵
    PID:4896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe
1⤵
PID:1316
- C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe
  C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe
  2⤵
  PID:412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvkzykeplzwkmjqan.exe
1⤵
PID:3068
- C:\Users\Admin\AppData\Local\Temp\hvkzykeplzwkmjqan.exe
  C:\Users\Admin\AppData\Local\Temp\hvkzykeplzwkmjqan.exe
  2⤵
  PID:5152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe .
1⤵
PID:4276
- C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
  C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2096
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\qfvllytfcrpehfnymu.exe*."
    3⤵
    PID:2032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe .
1⤵
PID:3176
- C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe
  C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1184
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\dvohkaynnfgyefqevgrjc.exe*."
    3⤵
    PID:3892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ofxprgdrqhhyddnaqakb.exe
1⤵
PID:4596
- C:\Windows\ofxprgdrqhhyddnaqakb.exe
  ofxprgdrqhhyddnaqakb.exe
  2⤵
  PID:5524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
1⤵
PID:2832
- C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
  C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
  2⤵
  PID:1956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe
1⤵
PID:4692
- C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe
  C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe
  2⤵
  PID:2008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c anbpnyrbwjfstpve.exe .
1⤵
PID:2080
- C:\Windows\anbpnyrbwjfstpve.exe
  anbpnyrbwjfstpve.exe .
  2⤵
  - Checks computer location settings
  PID:3932
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\anbpnyrbwjfstpve.exe*."
    3⤵
    PID:4104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe .
1⤵
PID:4116
- C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
  C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe .
  2⤵
  - Checks computer location settings
  PID:3868
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\qfvllytfcrpehfnymu.exe*."
    3⤵
    PID:3276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe .
1⤵
PID:5732
- C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
  C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2476
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\qfvllytfcrpehfnymu.exe*."
    3⤵
    PID:4856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brizaokxvlkaedmynwf.exe
1⤵
PID:4100
- C:\Windows\brizaokxvlkaedmynwf.exe
  brizaokxvlkaedmynwf.exe
  2⤵
  PID:4544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qfvllytfcrpehfnymu.exe .
1⤵
PID:5980
- C:\Windows\qfvllytfcrpehfnymu.exe
  qfvllytfcrpehfnymu.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5220
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\qfvllytfcrpehfnymu.exe*."
    3⤵
    PID:3784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvkzykeplzwkmjqan.exe
1⤵
PID:4828
- C:\Users\Admin\AppData\Local\Temp\hvkzykeplzwkmjqan.exe
  C:\Users\Admin\AppData\Local\Temp\hvkzykeplzwkmjqan.exe
  2⤵
  PID:4924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe .
1⤵
PID:3324
- C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe
  C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3680
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\dvohkaynnfgyefqevgrjc.exe*."
    3⤵
    PID:4440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvkzykeplzwkmjqan.exe
1⤵
PID:4088
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4352
- C:\Users\Admin\AppData\Local\Temp\hvkzykeplzwkmjqan.exe
  C:\Users\Admin\AppData\Local\Temp\hvkzykeplzwkmjqan.exe
  2⤵
  PID:3472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe .
1⤵
PID:2344
- C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe
  C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe .
  2⤵
  PID:5324
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\anbpnyrbwjfstpve.exe*."
    3⤵
    PID:1176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brizaokxvlkaedmynwf.exe
1⤵
PID:6048
- C:\Windows\brizaokxvlkaedmynwf.exe
  brizaokxvlkaedmynwf.exe
  2⤵
  PID:5236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brizaokxvlkaedmynwf.exe
1⤵
PID:4024
- C:\Windows\brizaokxvlkaedmynwf.exe
  brizaokxvlkaedmynwf.exe
  2⤵
  PID:2832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dvohkaynnfgyefqevgrjc.exe .
1⤵
PID:4584
- C:\Windows\dvohkaynnfgyefqevgrjc.exe
  dvohkaynnfgyefqevgrjc.exe .
  2⤵
  PID:748
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\dvohkaynnfgyefqevgrjc.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dvohkaynnfgyefqevgrjc.exe .
1⤵
PID:1892
- C:\Windows\dvohkaynnfgyefqevgrjc.exe
  dvohkaynnfgyefqevgrjc.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1496
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\dvohkaynnfgyefqevgrjc.exe*."
    3⤵
    PID:4492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brizaokxvlkaedmynwf.exe
1⤵
PID:2484
- C:\Windows\brizaokxvlkaedmynwf.exe
  brizaokxvlkaedmynwf.exe
  2⤵
  PID:4116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brizaokxvlkaedmynwf.exe
1⤵
PID:2704
- C:\Windows\brizaokxvlkaedmynwf.exe
  brizaokxvlkaedmynwf.exe
  2⤵
  PID:4592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hvkzykeplzwkmjqan.exe .
1⤵
PID:6060
- C:\Windows\hvkzykeplzwkmjqan.exe
  hvkzykeplzwkmjqan.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4984
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\hvkzykeplzwkmjqan.exe*."
    3⤵
    PID:2020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hvkzykeplzwkmjqan.exe .
1⤵
PID:5320
- C:\Windows\hvkzykeplzwkmjqan.exe
  hvkzykeplzwkmjqan.exe .
  2⤵
  PID:2944
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\hvkzykeplzwkmjqan.exe*."
    3⤵
    PID:3152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
1⤵
PID:1392
- C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
  C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
  2⤵
  PID:3520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
1⤵
PID:3596
- C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
  C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
  2⤵
  PID:2676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe .
1⤵
PID:3784
- C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe
  C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:872
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\anbpnyrbwjfstpve.exe*."
    3⤵
    PID:4488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe .
1⤵
PID:3456
- C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe
  C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe .
  2⤵
  - Checks computer location settings
  PID:2376
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\anbpnyrbwjfstpve.exe*."
    3⤵
    PID:1484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c anbpnyrbwjfstpve.exe
1⤵
PID:3352
- C:\Windows\anbpnyrbwjfstpve.exe
  anbpnyrbwjfstpve.exe
  2⤵
  PID:5840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe
1⤵
PID:3060
- C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe
  C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe
  2⤵
  PID:6072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe
1⤵
PID:2692
- C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe
  C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe
  2⤵
  PID:5212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe .
1⤵
PID:2244
- C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe
  C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2336
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\brizaokxvlkaedmynwf.exe*."
    3⤵
    PID:4192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ofxprgdrqhhyddnaqakb.exe .
1⤵
PID:1360
- C:\Windows\ofxprgdrqhhyddnaqakb.exe
  ofxprgdrqhhyddnaqakb.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5284
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\ofxprgdrqhhyddnaqakb.exe*."
    3⤵
    PID:4012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe .
1⤵
PID:1388
- C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe
  C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:668
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\brizaokxvlkaedmynwf.exe*."
    3⤵
    PID:3620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ofxprgdrqhhyddnaqakb.exe
1⤵
PID:4612
- C:\Windows\ofxprgdrqhhyddnaqakb.exe
  ofxprgdrqhhyddnaqakb.exe
  2⤵
  PID:5868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c anbpnyrbwjfstpve.exe .
1⤵
PID:5660
- C:\Windows\anbpnyrbwjfstpve.exe
  anbpnyrbwjfstpve.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3980
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\anbpnyrbwjfstpve.exe*."
    3⤵
    PID:2232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe
1⤵
PID:1692
- C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe
  C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe
  2⤵
  PID:5076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe .
1⤵
PID:4896
- C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
  C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe .
  2⤵
  - Checks computer location settings
  PID:6092
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\qfvllytfcrpehfnymu.exe*."
    3⤵
    PID:3164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe
1⤵
PID:1720
- C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe
  C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe
  2⤵
  PID:1800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe .
1⤵
PID:5380
- C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe
  C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:748
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\anbpnyrbwjfstpve.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ofxprgdrqhhyddnaqakb.exe
1⤵
PID:5024
- C:\Windows\ofxprgdrqhhyddnaqakb.exe
  ofxprgdrqhhyddnaqakb.exe
  2⤵
  PID:1476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hvkzykeplzwkmjqan.exe .
1⤵
PID:5368
- C:\Windows\hvkzykeplzwkmjqan.exe
  hvkzykeplzwkmjqan.exe .
  2⤵
  - Checks computer location settings
  PID:3512
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\hvkzykeplzwkmjqan.exe*."
    3⤵
    PID:336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qfvllytfcrpehfnymu.exe
1⤵
PID:1424
- C:\Windows\qfvllytfcrpehfnymu.exe
  qfvllytfcrpehfnymu.exe
  2⤵
  PID:1320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dvohkaynnfgyefqevgrjc.exe .
1⤵
PID:4760
- C:\Windows\dvohkaynnfgyefqevgrjc.exe
  dvohkaynnfgyefqevgrjc.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4460
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\dvohkaynnfgyefqevgrjc.exe*."
    3⤵
    PID:5816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe
1⤵
PID:3508
- C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe
  C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe
  2⤵
  PID:5216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe .
1⤵
PID:3532
- C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
  C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe .
  2⤵
  PID:716
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\qfvllytfcrpehfnymu.exe*."
    3⤵
    PID:3080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
1⤵
PID:3616
- C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
  C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
  2⤵
  PID:5000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe .
1⤵
PID:2080
- C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe
  C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe .
  2⤵
  - Checks computer location settings
  PID:1484
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\dvohkaynnfgyefqevgrjc.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hvkzykeplzwkmjqan.exe
1⤵
PID:5692
- C:\Windows\hvkzykeplzwkmjqan.exe
  hvkzykeplzwkmjqan.exe
  2⤵
  PID:5292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ofxprgdrqhhyddnaqakb.exe .
1⤵
PID:4100
- C:\Windows\ofxprgdrqhhyddnaqakb.exe
  ofxprgdrqhhyddnaqakb.exe .
  2⤵
  - Checks computer location settings
  PID:5476
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\ofxprgdrqhhyddnaqakb.exe*."
    3⤵
    PID:3788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dvohkaynnfgyefqevgrjc.exe
1⤵
PID:5868
- C:\Windows\dvohkaynnfgyefqevgrjc.exe
  dvohkaynnfgyefqevgrjc.exe
  2⤵
  PID:1760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hvkzykeplzwkmjqan.exe .
1⤵
PID:2408
- C:\Windows\hvkzykeplzwkmjqan.exe
  hvkzykeplzwkmjqan.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4012
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\hvkzykeplzwkmjqan.exe*."
    3⤵
    PID:876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe
1⤵
PID:4840
- C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe
  C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe
  2⤵
  PID:4612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe .
1⤵
PID:112
- C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe
  C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5044
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\ofxprgdrqhhyddnaqakb.exe*."
    3⤵
    PID:3424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe
1⤵
PID:3260
- C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe
  C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe
  2⤵
  PID:316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe .
1⤵
PID:5524
- C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe
  C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5576
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\dvohkaynnfgyefqevgrjc.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brizaokxvlkaedmynwf.exe
1⤵
PID:3164
- C:\Windows\brizaokxvlkaedmynwf.exe
  brizaokxvlkaedmynwf.exe
  2⤵
  PID:5496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dvohkaynnfgyefqevgrjc.exe .
1⤵
PID:5728
- C:\Windows\dvohkaynnfgyefqevgrjc.exe
  dvohkaynnfgyefqevgrjc.exe .
  2⤵
  - Checks computer location settings
  PID:2208
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\dvohkaynnfgyefqevgrjc.exe*."
    3⤵
    PID:1368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dvohkaynnfgyefqevgrjc.exe
1⤵
PID:4108
- C:\Windows\dvohkaynnfgyefqevgrjc.exe
  dvohkaynnfgyefqevgrjc.exe
  2⤵
  PID:1768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qfvllytfcrpehfnymu.exe .
1⤵
PID:5860
- C:\Windows\qfvllytfcrpehfnymu.exe
  qfvllytfcrpehfnymu.exe .
  2⤵
  - Checks computer location settings
  PID:4592
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\qfvllytfcrpehfnymu.exe*."
    3⤵
    PID:6132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe
1⤵
PID:1784
- C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe
  C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe
  2⤵
  PID:4076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe .
1⤵
PID:4972
- C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe
  C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2836
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\ofxprgdrqhhyddnaqakb.exe*."
    3⤵
    PID:3584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvkzykeplzwkmjqan.exe
1⤵
PID:3876
- C:\Users\Admin\AppData\Local\Temp\hvkzykeplzwkmjqan.exe
  C:\Users\Admin\AppData\Local\Temp\hvkzykeplzwkmjqan.exe
  2⤵
  PID:1888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe .
1⤵
PID:3508
- C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe
  C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe .
  2⤵
  - Checks computer location settings
  PID:1680
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\dvohkaynnfgyefqevgrjc.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qfvllytfcrpehfnymu.exe
1⤵
PID:2636
- C:\Windows\qfvllytfcrpehfnymu.exe
  qfvllytfcrpehfnymu.exe
  2⤵
  PID:3692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brizaokxvlkaedmynwf.exe .
1⤵
PID:3524
- C:\Windows\brizaokxvlkaedmynwf.exe
  brizaokxvlkaedmynwf.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5232
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\brizaokxvlkaedmynwf.exe*."
    3⤵
    PID:5600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hvkzykeplzwkmjqan.exe
1⤵
PID:5200
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1484
- C:\Windows\hvkzykeplzwkmjqan.exe
  hvkzykeplzwkmjqan.exe
  2⤵
  PID:4520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brizaokxvlkaedmynwf.exe .
1⤵
PID:2548
- C:\Windows\brizaokxvlkaedmynwf.exe
  brizaokxvlkaedmynwf.exe .
  2⤵
  - Checks computer location settings
  PID:1252
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\brizaokxvlkaedmynwf.exe*."
    3⤵
    PID:2036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe
1⤵
PID:5792
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5292
- C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe
  C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe
  2⤵
  PID:5204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe .
1⤵
PID:1672
- C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe
  C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2128
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\ofxprgdrqhhyddnaqakb.exe*."
    3⤵
    PID:5732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe
1⤵
PID:2780
- C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe
  C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe
  2⤵
  PID:4988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe .
1⤵
PID:3620
- C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
  C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5228
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\qfvllytfcrpehfnymu.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dvohkaynnfgyefqevgrjc.exe
1⤵
PID:2744
- C:\Windows\dvohkaynnfgyefqevgrjc.exe
  dvohkaynnfgyefqevgrjc.exe
  2⤵
  PID:4444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c anbpnyrbwjfstpve.exe .
1⤵
PID:5076
- C:\Windows\anbpnyrbwjfstpve.exe
  anbpnyrbwjfstpve.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5780
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\anbpnyrbwjfstpve.exe*."
    3⤵
    PID:2640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dvohkaynnfgyefqevgrjc.exe
1⤵
PID:3684
- C:\Windows\dvohkaynnfgyefqevgrjc.exe
  dvohkaynnfgyefqevgrjc.exe
  2⤵
  PID:3468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c anbpnyrbwjfstpve.exe .
1⤵
PID:2740
- C:\Windows\anbpnyrbwjfstpve.exe
  anbpnyrbwjfstpve.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2604
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\anbpnyrbwjfstpve.exe*."
    3⤵
    PID:976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe
1⤵
PID:5716
- C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe
  C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe
  2⤵
  PID:4480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe .
1⤵
PID:404
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5496
- C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe
  C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2652
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\anbpnyrbwjfstpve.exe*."
    3⤵
    PID:3448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
1⤵
PID:2864
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1368
- C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
  C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
  2⤵
  PID:1792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe .
1⤵
PID:4104
- C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
  C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:556
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\qfvllytfcrpehfnymu.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ofxprgdrqhhyddnaqakb.exe
1⤵
PID:4672
- C:\Windows\ofxprgdrqhhyddnaqakb.exe
  ofxprgdrqhhyddnaqakb.exe
  2⤵
  PID:2804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qfvllytfcrpehfnymu.exe .
1⤵
PID:3640
- C:\Windows\qfvllytfcrpehfnymu.exe
  qfvllytfcrpehfnymu.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4440
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\qfvllytfcrpehfnymu.exe*."
    3⤵
    PID:4448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qfvllytfcrpehfnymu.exe
1⤵
PID:3584
- C:\Windows\qfvllytfcrpehfnymu.exe
  qfvllytfcrpehfnymu.exe
  2⤵
  PID:436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dvohkaynnfgyefqevgrjc.exe
1⤵
PID:2012
- C:\Windows\dvohkaynnfgyefqevgrjc.exe
  dvohkaynnfgyefqevgrjc.exe
  2⤵
  PID:5400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brizaokxvlkaedmynwf.exe
1⤵
PID:5116
- C:\Windows\brizaokxvlkaedmynwf.exe
  brizaokxvlkaedmynwf.exe
  2⤵
  PID:3692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hvkzykeplzwkmjqan.exe .
1⤵
PID:6048
- C:\Windows\hvkzykeplzwkmjqan.exe
  hvkzykeplzwkmjqan.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4676
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\hvkzykeplzwkmjqan.exe*."
    3⤵
    PID:6112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
1⤵
PID:2616
- C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
  C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
  2⤵
  PID:1796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ofxprgdrqhhyddnaqakb.exe .
1⤵
PID:3336
- C:\Windows\ofxprgdrqhhyddnaqakb.exe
  ofxprgdrqhhyddnaqakb.exe .
  2⤵
  - Checks computer location settings
  PID:1992
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\ofxprgdrqhhyddnaqakb.exe*."
    3⤵
    PID:1388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brizaokxvlkaedmynwf.exe .
1⤵
PID:388
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5600
- C:\Windows\brizaokxvlkaedmynwf.exe
  brizaokxvlkaedmynwf.exe .
  2⤵
  - Checks computer location settings
  PID:5692
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\brizaokxvlkaedmynwf.exe*."
    3⤵
    PID:4612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe .
1⤵
PID:5232
- C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe
  C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5292
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\ofxprgdrqhhyddnaqakb.exe*."
    3⤵
    PID:4964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c anbpnyrbwjfstpve.exe
1⤵
PID:1352
- C:\Windows\anbpnyrbwjfstpve.exe
  anbpnyrbwjfstpve.exe
  2⤵
  PID:456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brizaokxvlkaedmynwf.exe
1⤵
PID:5092
- C:\Windows\brizaokxvlkaedmynwf.exe
  brizaokxvlkaedmynwf.exe
  2⤵
  PID:2360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c anbpnyrbwjfstpve.exe .
1⤵
PID:3788
- C:\Windows\anbpnyrbwjfstpve.exe
  anbpnyrbwjfstpve.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:112
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\anbpnyrbwjfstpve.exe*."
    3⤵
    PID:3932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c anbpnyrbwjfstpve.exe .
1⤵
PID:3456
- C:\Windows\anbpnyrbwjfstpve.exe
  anbpnyrbwjfstpve.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2784
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\anbpnyrbwjfstpve.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
1⤵
PID:2880
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2128
- C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
  C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
  2⤵
  PID:2444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
1⤵
PID:2524
- C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
  C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
  2⤵
  PID:5976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
1⤵
PID:2544
- C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
  C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
  2⤵
  PID:2936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe .
1⤵
PID:4012
- C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe
  C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2224
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\dvohkaynnfgyefqevgrjc.exe*."
    3⤵
    PID:3864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe .
1⤵
PID:5164
- C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe
  C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5508
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\brizaokxvlkaedmynwf.exe*."
    3⤵
    PID:2448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe .
1⤵
PID:3664
- C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
  C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe .
  2⤵
  PID:3324
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\qfvllytfcrpehfnymu.exe*."
    3⤵
    PID:4644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
1⤵
PID:4900
- C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
  C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
  2⤵
  PID:4692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe
1⤵
PID:1756
- C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe
  C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe
  2⤵
  PID:1800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe .
1⤵
PID:5968
- C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe
  C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1768
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\anbpnyrbwjfstpve.exe*."
    3⤵
    PID:2844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe .
1⤵
PID:5824
- C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe
  C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4168
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\dvohkaynnfgyefqevgrjc.exe*."
    3⤵
    PID:2676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brizaokxvlkaedmynwf.exe
1⤵
PID:1880
- C:\Windows\brizaokxvlkaedmynwf.exe
  brizaokxvlkaedmynwf.exe
  2⤵
  PID:1424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qfvllytfcrpehfnymu.exe .
1⤵
PID:5220
- C:\Windows\qfvllytfcrpehfnymu.exe
  qfvllytfcrpehfnymu.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:6116
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\qfvllytfcrpehfnymu.exe*."
    3⤵
    PID:3596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brizaokxvlkaedmynwf.exe
1⤵
PID:5116
- C:\Windows\brizaokxvlkaedmynwf.exe
  brizaokxvlkaedmynwf.exe
  2⤵
  PID:5880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ofxprgdrqhhyddnaqakb.exe .
1⤵
PID:4856
- C:\Windows\ofxprgdrqhhyddnaqakb.exe
  ofxprgdrqhhyddnaqakb.exe .
  2⤵
  PID:3600
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\ofxprgdrqhhyddnaqakb.exe*."
    3⤵
    PID:3092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe
1⤵
PID:5664
- C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe
  C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe
  2⤵
  PID:5776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvkzykeplzwkmjqan.exe .
1⤵
PID:4084
- C:\Users\Admin\AppData\Local\Temp\hvkzykeplzwkmjqan.exe
  C:\Users\Admin\AppData\Local\Temp\hvkzykeplzwkmjqan.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5452
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\hvkzykeplzwkmjqan.exe*."
    3⤵
    PID:876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe
1⤵
PID:4468
- C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe
  C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe
  2⤵
  PID:5528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe .
1⤵
PID:388
- C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
  C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe .
  2⤵
  - Checks computer location settings
  PID:4684
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\qfvllytfcrpehfnymu.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ofxprgdrqhhyddnaqakb.exe
1⤵
PID:4928
- C:\Windows\ofxprgdrqhhyddnaqakb.exe
  ofxprgdrqhhyddnaqakb.exe
  2⤵
  PID:5092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dvohkaynnfgyefqevgrjc.exe .
1⤵
PID:2256
- C:\Windows\dvohkaynnfgyefqevgrjc.exe
  dvohkaynnfgyefqevgrjc.exe .
  2⤵
  PID:5640
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\dvohkaynnfgyefqevgrjc.exe*."
    3⤵
    PID:3184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qfvllytfcrpehfnymu.exe
1⤵
PID:5624
- C:\Windows\qfvllytfcrpehfnymu.exe
  qfvllytfcrpehfnymu.exe
  2⤵
  PID:3684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dvohkaynnfgyefqevgrjc.exe .
1⤵
PID:1604
- C:\Windows\dvohkaynnfgyefqevgrjc.exe
  dvohkaynnfgyefqevgrjc.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1420
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\dvohkaynnfgyefqevgrjc.exe*."
    3⤵
    PID:1940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvkzykeplzwkmjqan.exe
1⤵
PID:540
- C:\Users\Admin\AppData\Local\Temp\hvkzykeplzwkmjqan.exe
  C:\Users\Admin\AppData\Local\Temp\hvkzykeplzwkmjqan.exe
  2⤵
  PID:3068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe .
1⤵
PID:4492
- C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe
  C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe .
  2⤵
  - Checks computer location settings
  PID:2968
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\dvohkaynnfgyefqevgrjc.exe*."
    3⤵
    PID:4012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe
1⤵
PID:5780
- C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe
  C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe
  2⤵
  PID:4388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe .
1⤵
PID:468
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2408
- C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe
  C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4544
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\brizaokxvlkaedmynwf.exe*."
    3⤵
    PID:5172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qfvllytfcrpehfnymu.exe
1⤵
PID:2544
- C:\Windows\qfvllytfcrpehfnymu.exe
  qfvllytfcrpehfnymu.exe
  2⤵
  PID:3128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qfvllytfcrpehfnymu.exe
1⤵
PID:2032
- C:\Windows\qfvllytfcrpehfnymu.exe
  qfvllytfcrpehfnymu.exe
  2⤵
  PID:5532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dvohkaynnfgyefqevgrjc.exe .
1⤵
PID:5016
- C:\Windows\dvohkaynnfgyefqevgrjc.exe
  dvohkaynnfgyefqevgrjc.exe .
  2⤵
  - Checks computer location settings
  PID:2116
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\dvohkaynnfgyefqevgrjc.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c anbpnyrbwjfstpve.exe .
1⤵
PID:3472
- C:\Windows\anbpnyrbwjfstpve.exe
  anbpnyrbwjfstpve.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1356
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\anbpnyrbwjfstpve.exe*."
    3⤵
    PID:3276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hvkzykeplzwkmjqan.exe
1⤵
PID:3664
- C:\Windows\hvkzykeplzwkmjqan.exe
  hvkzykeplzwkmjqan.exe
  2⤵
  PID:4088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qfvllytfcrpehfnymu.exe
1⤵
PID:2344
- C:\Windows\qfvllytfcrpehfnymu.exe
  qfvllytfcrpehfnymu.exe
  2⤵
  PID:5036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dvohkaynnfgyefqevgrjc.exe .
1⤵
PID:4676
- C:\Windows\dvohkaynnfgyefqevgrjc.exe
  dvohkaynnfgyefqevgrjc.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5980
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\dvohkaynnfgyefqevgrjc.exe*."
    3⤵
    PID:1352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qfvllytfcrpehfnymu.exe .
1⤵
PID:5880
- C:\Windows\qfvllytfcrpehfnymu.exe
  qfvllytfcrpehfnymu.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1960
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\qfvllytfcrpehfnymu.exe*."
    3⤵
    PID:4480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe
1⤵
PID:2248
- C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe
  C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe
  2⤵
  PID:4468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe
1⤵
PID:5616
- C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe
  C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe
  2⤵
  PID:5684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe .
1⤵
PID:2692
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:6112
- C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe
  C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3140
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\brizaokxvlkaedmynwf.exe*."
    3⤵
    PID:4128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe .
1⤵
PID:3600
- C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe
  C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1252
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\brizaokxvlkaedmynwf.exe*."
    3⤵
    PID:3820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ofxprgdrqhhyddnaqakb.exe
1⤵
PID:5536
- C:\Windows\ofxprgdrqhhyddnaqakb.exe
  ofxprgdrqhhyddnaqakb.exe
  2⤵
  PID:2256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe
1⤵
PID:4684
- C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe
  C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe
  2⤵
  PID:5728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe
1⤵
PID:3520
- C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe
  C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe
  2⤵
  PID:4104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe .
1⤵
PID:976
- C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe
  C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe .
  2⤵
  PID:4004
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\ofxprgdrqhhyddnaqakb.exe*."
    3⤵
    PID:5768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brizaokxvlkaedmynwf.exe .
1⤵
PID:3448
- C:\Windows\brizaokxvlkaedmynwf.exe
  brizaokxvlkaedmynwf.exe .
  2⤵
  PID:748
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\brizaokxvlkaedmynwf.exe*."
    3⤵
    PID:1812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe .
1⤵
PID:4948
- C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe
  C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe .
  2⤵
  PID:404
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\ofxprgdrqhhyddnaqakb.exe*."
    3⤵
    PID:6136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qfvllytfcrpehfnymu.exe
1⤵
PID:3176
- C:\Windows\qfvllytfcrpehfnymu.exe
  qfvllytfcrpehfnymu.exe
  2⤵
  PID:3880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dvohkaynnfgyefqevgrjc.exe .
1⤵
PID:5288
- C:\Windows\dvohkaynnfgyefqevgrjc.exe
  dvohkaynnfgyefqevgrjc.exe .
  2⤵
  PID:1152
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\dvohkaynnfgyefqevgrjc.exe*."
    3⤵
    PID:4852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe
1⤵
PID:916
- C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe
  C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe
  2⤵
  PID:468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvkzykeplzwkmjqan.exe .
1⤵
PID:1244
- C:\Users\Admin\AppData\Local\Temp\hvkzykeplzwkmjqan.exe
  C:\Users\Admin\AppData\Local\Temp\hvkzykeplzwkmjqan.exe .
  2⤵
  PID:5336
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\hvkzykeplzwkmjqan.exe*."
    3⤵
    PID:5976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
1⤵
PID:4888
- C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
  C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
  2⤵
  PID:5812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe .
1⤵
PID:3332
- C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe
  C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe .
  2⤵
  PID:2188
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\anbpnyrbwjfstpve.exe*."
    3⤵
    PID:3128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ofxprgdrqhhyddnaqakb.exe
1⤵
PID:3100
- C:\Windows\ofxprgdrqhhyddnaqakb.exe
  ofxprgdrqhhyddnaqakb.exe
  2⤵
  PID:4352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qfvllytfcrpehfnymu.exe .
1⤵
PID:3584
- C:\Windows\qfvllytfcrpehfnymu.exe
  qfvllytfcrpehfnymu.exe .
  2⤵
  PID:5032
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\qfvllytfcrpehfnymu.exe*."
    3⤵
    PID:5776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qfvllytfcrpehfnymu.exe
1⤵
PID:5016
- C:\Windows\qfvllytfcrpehfnymu.exe
  qfvllytfcrpehfnymu.exe
  2⤵
  PID:5416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ofxprgdrqhhyddnaqakb.exe .
1⤵
PID:1880
- C:\Windows\ofxprgdrqhhyddnaqakb.exe
  ofxprgdrqhhyddnaqakb.exe .
  2⤵
  PID:452
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\ofxprgdrqhhyddnaqakb.exe*."
    3⤵
    PID:1964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe
1⤵
PID:4084
- C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe
  C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe
  2⤵
  PID:3056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe .
1⤵
PID:2344
- C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
  C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe .
  2⤵
  PID:1884
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\qfvllytfcrpehfnymu.exe*."
    3⤵
    PID:2860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
1⤵
PID:6048
- C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
  C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
  2⤵
  PID:1992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvkzykeplzwkmjqan.exe .
1⤵
PID:1664
- C:\Users\Admin\AppData\Local\Temp\hvkzykeplzwkmjqan.exe
  C:\Users\Admin\AppData\Local\Temp\hvkzykeplzwkmjqan.exe .
  2⤵
  PID:456
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\hvkzykeplzwkmjqan.exe*."
    3⤵
    PID:4480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hvkzykeplzwkmjqan.exe
1⤵
PID:4984
- C:\Windows\hvkzykeplzwkmjqan.exe
  hvkzykeplzwkmjqan.exe
  2⤵
  PID:3436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hvkzykeplzwkmjqan.exe
1⤵
PID:4124
- C:\Windows\hvkzykeplzwkmjqan.exe
  hvkzykeplzwkmjqan.exe
  2⤵
  PID:5536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qfvllytfcrpehfnymu.exe .
1⤵
PID:2224
- C:\Windows\qfvllytfcrpehfnymu.exe
  qfvllytfcrpehfnymu.exe .
  2⤵
  PID:3852
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\qfvllytfcrpehfnymu.exe*."
    3⤵
    PID:5304
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\qfvllytfcrpehfnymu.exe"
      4⤵
      PID:4748
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\qfvllytfcrpehfnymu.exe"
      4⤵
      PID:4168
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\qfvllytfcrpehfnymu.exe"
      4⤵
      PID:3068
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\qfvllytfcrpehfnymu.exe"
      4⤵
      PID:3640
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\qfvllytfcrpehfnymu.exe"
      4⤵
      PID:2844
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\qfvllytfcrpehfnymu.exe"
      4⤵
      PID:4840
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\qfvllytfcrpehfnymu.exe"
      4⤵
      PID:4704
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\qfvllytfcrpehfnymu.exe"
      4⤵
      PID:5924
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\qfvllytfcrpehfnymu.exe"
      4⤵
      PID:2280
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\qfvllytfcrpehfnymu.exe"
      4⤵
      PID:3168
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\qfvllytfcrpehfnymu.exe"
      4⤵
      PID:5236
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\qfvllytfcrpehfnymu.exe"
      4⤵
      PID:5136
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\qfvllytfcrpehfnymu.exe"
      4⤵
      PID:2448
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\qfvllytfcrpehfnymu.exe"
      4⤵
      PID:2224
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\qfvllytfcrpehfnymu.exe"
      4⤵
      PID:440
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\qfvllytfcrpehfnymu.exe"
      4⤵
      PID:4492
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\qfvllytfcrpehfnymu.exe"
      4⤵
      PID:5220
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\qfvllytfcrpehfnymu.exe"
      4⤵
      PID:2224
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\qfvllytfcrpehfnymu.exe"
      4⤵
      PID:5572
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\qfvllytfcrpehfnymu.exe"
      4⤵
      PID:2944
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\qfvllytfcrpehfnymu.exe"
      4⤵
      PID:1752
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\qfvllytfcrpehfnymu.exe"
      4⤵
      PID:4924
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\qfvllytfcrpehfnymu.exe"
      4⤵
      PID:4472
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\qfvllytfcrpehfnymu.exe"
      4⤵
      PID:2120
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\qfvllytfcrpehfnymu.exe"
      4⤵
      PID:3636
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\qfvllytfcrpehfnymu.exe"
      4⤵
      PID:2780
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\qfvllytfcrpehfnymu.exe"
      4⤵
      PID:4856
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\qfvllytfcrpehfnymu.exe"
      4⤵
      PID:2244
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\qfvllytfcrpehfnymu.exe"
      4⤵
      PID:5300
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\qfvllytfcrpehfnymu.exe"
      4⤵
      PID:2652
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\qfvllytfcrpehfnymu.exe"
      4⤵
      PID:4808
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\qfvllytfcrpehfnymu.exe"
      4⤵
      PID:208
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\qfvllytfcrpehfnymu.exe"
      4⤵
      PID:3492
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\qfvllytfcrpehfnymu.exe"
      4⤵
      PID:4760
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\qfvllytfcrpehfnymu.exe"
      4⤵
      PID:5232
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\qfvllytfcrpehfnymu.exe"
      4⤵
      PID:1540
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\qfvllytfcrpehfnymu.exe"
      4⤵
      PID:3068
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\qfvllytfcrpehfnymu.exe"
      4⤵
      PID:5928
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\qfvllytfcrpehfnymu.exe"
      4⤵
      PID:4468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qfvllytfcrpehfnymu.exe .
1⤵
PID:1412
- C:\Windows\qfvllytfcrpehfnymu.exe
  qfvllytfcrpehfnymu.exe .
  2⤵
  PID:2168
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\qfvllytfcrpehfnymu.exe*."
    3⤵
    PID:3520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c anbpnyrbwjfstpve.exe
1⤵
PID:5160
- C:\Windows\anbpnyrbwjfstpve.exe
  anbpnyrbwjfstpve.exe
  2⤵
  PID:2332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qfvllytfcrpehfnymu.exe
1⤵
PID:4120
- C:\Windows\qfvllytfcrpehfnymu.exe
  qfvllytfcrpehfnymu.exe
  2⤵
  PID:4404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brizaokxvlkaedmynwf.exe .
1⤵
PID:3880
- C:\Windows\brizaokxvlkaedmynwf.exe
  brizaokxvlkaedmynwf.exe .
  2⤵
  PID:1152
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\brizaokxvlkaedmynwf.exe*."
    3⤵
    PID:2544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dvohkaynnfgyefqevgrjc.exe .
1⤵
PID:4892
- C:\Windows\dvohkaynnfgyefqevgrjc.exe
  dvohkaynnfgyefqevgrjc.exe .
  2⤵
  PID:3932
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\dvohkaynnfgyefqevgrjc.exe*."
    3⤵
    PID:4888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe
1⤵
PID:876
- C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe
  C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe
  2⤵
  PID:1156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe
1⤵
PID:3516
- C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe
  C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe
  2⤵
  PID:5584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvkzykeplzwkmjqan.exe .
1⤵
PID:4024
- C:\Users\Admin\AppData\Local\Temp\hvkzykeplzwkmjqan.exe
  C:\Users\Admin\AppData\Local\Temp\hvkzykeplzwkmjqan.exe .
  2⤵
  PID:3152
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\hvkzykeplzwkmjqan.exe*."
    3⤵
    PID:452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe .
1⤵
PID:3972
- C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe
  C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe .
  2⤵
  PID:5812
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\anbpnyrbwjfstpve.exe*."
    3⤵
    PID:1440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iasnfytidxmpnvgucc.exe
1⤵
PID:2908
- C:\Windows\iasnfytidxmpnvgucc.exe
  iasnfytidxmpnvgucc.exe
  2⤵
  PID:464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qfvllytfcrpehfnymu.exe
1⤵
PID:3336
- C:\Windows\qfvllytfcrpehfnymu.exe
  qfvllytfcrpehfnymu.exe
  2⤵
  PID:4992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tmfbuokawrhlktfudex.exe .
1⤵
PID:5660
- C:\Windows\tmfbuokawrhlktfudex.exe
  tmfbuokawrhlktfudex.exe .
  2⤵
  PID:3868
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\tmfbuokawrhlktfudex.exe*."
    3⤵
    PID:5284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe
1⤵
PID:2936
- C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe
  C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe
  2⤵
  PID:1484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe
1⤵
PID:5976
- C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe
  C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe
  2⤵
  PID:4920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvkzykeplzwkmjqan.exe .
1⤵
PID:4448
- C:\Users\Admin\AppData\Local\Temp\hvkzykeplzwkmjqan.exe
  C:\Users\Admin\AppData\Local\Temp\hvkzykeplzwkmjqan.exe .
  2⤵
  PID:5692
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\hvkzykeplzwkmjqan.exe*."
    3⤵
    PID:5964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe .
1⤵
PID:6096
- C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe
  C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe .
  2⤵
  PID:2020
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\ofxprgdrqhhyddnaqakb.exe*."
    3⤵
    PID:4828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brizaokxvlkaedmynwf.exe .
1⤵
PID:4988
- C:\Windows\brizaokxvlkaedmynwf.exe
  brizaokxvlkaedmynwf.exe .
  2⤵
  PID:4744
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\brizaokxvlkaedmynwf.exe*."
    3⤵
    PID:3968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iasnfytidxmpnvgucc.exe
1⤵
PID:5228
- C:\Windows\iasnfytidxmpnvgucc.exe
  iasnfytidxmpnvgucc.exe
  2⤵
  PID:1880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c siyrhyrexpcdzfoa.exe .
1⤵
PID:4644
- C:\Windows\siyrhyrexpcdzfoa.exe
  siyrhyrexpcdzfoa.exe .
  2⤵
  PID:2248
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\siyrhyrexpcdzfoa.exe*."
    3⤵
    PID:3384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vqljeayqoldjkvjalojec.exe
1⤵
PID:2376
- C:\Users\Admin\AppData\Local\Temp\vqljeayqoldjkvjalojec.exe
  C:\Users\Admin\AppData\Local\Temp\vqljeayqoldjkvjalojec.exe
  2⤵
  PID:2256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qfvllytfcrpehfnymu.exe
1⤵
PID:1360
- C:\Windows\qfvllytfcrpehfnymu.exe
  qfvllytfcrpehfnymu.exe
  2⤵
  PID:1672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gaurlgdurnejjtgwgicw.exe .
1⤵
PID:3784
- C:\Users\Admin\AppData\Local\Temp\gaurlgdurnejjtgwgicw.exe
  C:\Users\Admin\AppData\Local\Temp\gaurlgdurnejjtgwgicw.exe .
  2⤵
  PID:3436
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\gaurlgdurnejjtgwgicw.exe*."
    3⤵
    PID:4684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brizaokxvlkaedmynwf.exe .
1⤵
PID:3528
- C:\Windows\brizaokxvlkaedmynwf.exe
  brizaokxvlkaedmynwf.exe .
  2⤵
  PID:5728
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\brizaokxvlkaedmynwf.exe*."
    3⤵
    PID:3480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe
1⤵
PID:4964
- C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe
  C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe
  2⤵
  PID:3612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe .
1⤵
PID:4576
- C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe
  C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe .
  2⤵
  PID:3852
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\brizaokxvlkaedmynwf.exe*."
    3⤵
    PID:3964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iasnfytidxmpnvgucc.exe
1⤵
PID:3580
- C:\Users\Admin\AppData\Local\Temp\iasnfytidxmpnvgucc.exe
  C:\Users\Admin\AppData\Local\Temp\iasnfytidxmpnvgucc.exe
  2⤵
  PID:4272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhbskesmftvszjwd.exe .
1⤵
PID:3984
- C:\Users\Admin\AppData\Local\Temp\zqhbskesmftvszjwd.exe
  C:\Users\Admin\AppData\Local\Temp\zqhbskesmftvszjwd.exe .
  2⤵
  PID:4760
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\zqhbskesmftvszjwd.exe*."
    3⤵
    PID:4624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvkzykeplzwkmjqan.exe
1⤵
PID:4832
- C:\Users\Admin\AppData\Local\Temp\hvkzykeplzwkmjqan.exe
  C:\Users\Admin\AppData\Local\Temp\hvkzykeplzwkmjqan.exe
  2⤵
  PID:1420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe .
1⤵
PID:3492
- C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
  C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe .
  2⤵
  PID:5736
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\qfvllytfcrpehfnymu.exe*."
    3⤵
    PID:5092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qfvllytfcrpehfnymu.exe
1⤵
PID:892
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5232
- C:\Windows\qfvllytfcrpehfnymu.exe
  qfvllytfcrpehfnymu.exe
  2⤵
  PID:5380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hvkzykeplzwkmjqan.exe .
1⤵
PID:2280
- C:\Windows\hvkzykeplzwkmjqan.exe
  hvkzykeplzwkmjqan.exe .
  2⤵
  PID:876
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\hvkzykeplzwkmjqan.exe*."
    3⤵
    PID:2748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ofxprgdrqhhyddnaqakb.exe
1⤵
PID:5336
- C:\Windows\ofxprgdrqhhyddnaqakb.exe
  ofxprgdrqhhyddnaqakb.exe
  2⤵
  PID:440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brizaokxvlkaedmynwf.exe .
1⤵
PID:2820
- C:\Windows\brizaokxvlkaedmynwf.exe
  brizaokxvlkaedmynwf.exe .
  2⤵
  PID:5608
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\brizaokxvlkaedmynwf.exe*."
    3⤵
    PID:3008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvkzykeplzwkmjqan.exe
1⤵
PID:3144
- C:\Users\Admin\AppData\Local\Temp\hvkzykeplzwkmjqan.exe
  C:\Users\Admin\AppData\Local\Temp\hvkzykeplzwkmjqan.exe
  2⤵
  PID:3184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe .
1⤵
PID:1388
- C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe
  C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe .
  2⤵
  PID:5320
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\dvohkaynnfgyefqevgrjc.exe*."
    3⤵
    PID:2012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
1⤵
PID:3584
- C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
  C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
  2⤵
  PID:3392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvkzykeplzwkmjqan.exe .
1⤵
PID:5928
- C:\Users\Admin\AppData\Local\Temp\hvkzykeplzwkmjqan.exe
  C:\Users\Admin\AppData\Local\Temp\hvkzykeplzwkmjqan.exe .
  2⤵
  PID:5216
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\hvkzykeplzwkmjqan.exe*."
    3⤵
    PID:1892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iasnfytidxmpnvgucc.exe
1⤵
PID:4948
- C:\Windows\iasnfytidxmpnvgucc.exe
  iasnfytidxmpnvgucc.exe
  2⤵
  PID:5604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqhbskesmftvszjwd.exe .
1⤵
PID:5892
- C:\Windows\zqhbskesmftvszjwd.exe
  zqhbskesmftvszjwd.exe .
  2⤵
  PID:5208
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\zqhbskesmftvszjwd.exe*."
    3⤵
    PID:4472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tmfbuokawrhlktfudex.exe
1⤵
PID:112
- C:\Windows\tmfbuokawrhlktfudex.exe
  tmfbuokawrhlktfudex.exe
  2⤵
  PID:4828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vqljeayqoldjkvjalojec.exe .
1⤵
PID:5936
- C:\Windows\vqljeayqoldjkvjalojec.exe
  vqljeayqoldjkvjalojec.exe .
  2⤵
  PID:4984
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\vqljeayqoldjkvjalojec.exe*."
    3⤵
    PID:2376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vqljeayqoldjkvjalojec.exe
1⤵
PID:5464
- C:\Users\Admin\AppData\Local\Temp\vqljeayqoldjkvjalojec.exe
  C:\Users\Admin\AppData\Local\Temp\vqljeayqoldjkvjalojec.exe
  2⤵
  PID:3604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iasnfytidxmpnvgucc.exe .
1⤵
PID:2504
- C:\Users\Admin\AppData\Local\Temp\iasnfytidxmpnvgucc.exe
  C:\Users\Admin\AppData\Local\Temp\iasnfytidxmpnvgucc.exe .
  2⤵
  PID:6140
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\iasnfytidxmpnvgucc.exe*."
    3⤵
    PID:5532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qfvllytfcrpehfnymu.exe
1⤵
PID:4988
- C:\Windows\qfvllytfcrpehfnymu.exe
  qfvllytfcrpehfnymu.exe
  2⤵
  PID:4468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gaurlgdurnejjtgwgicw.exe
1⤵
PID:3092
- C:\Users\Admin\AppData\Local\Temp\gaurlgdurnejjtgwgicw.exe
  C:\Users\Admin\AppData\Local\Temp\gaurlgdurnejjtgwgicw.exe
  2⤵
  PID:1356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ofxprgdrqhhyddnaqakb.exe .
1⤵
PID:3664
- C:\Windows\ofxprgdrqhhyddnaqakb.exe
  ofxprgdrqhhyddnaqakb.exe .
  2⤵
  PID:6116
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\ofxprgdrqhhyddnaqakb.exe*."
    3⤵
    PID:6136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iasnfytidxmpnvgucc.exe .
1⤵
PID:4644
- C:\Users\Admin\AppData\Local\Temp\iasnfytidxmpnvgucc.exe
  C:\Users\Admin\AppData\Local\Temp\iasnfytidxmpnvgucc.exe .
  2⤵
  PID:2168
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\iasnfytidxmpnvgucc.exe*."
    3⤵
    PID:4760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ofxprgdrqhhyddnaqakb.exe
1⤵
PID:2852
- C:\Windows\ofxprgdrqhhyddnaqakb.exe
  ofxprgdrqhhyddnaqakb.exe
  2⤵
  PID:3040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hvkzykeplzwkmjqan.exe .
1⤵
PID:2944
- C:\Windows\hvkzykeplzwkmjqan.exe
  hvkzykeplzwkmjqan.exe .
  2⤵
  PID:5668
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\hvkzykeplzwkmjqan.exe*."
    3⤵
    PID:2884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe
1⤵
PID:4612
- C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe
  C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe
  2⤵
  PID:5576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe .
1⤵
PID:2080
- C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe
  C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe .
  2⤵
  PID:5884
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\ofxprgdrqhhyddnaqakb.exe*."
    3⤵
    PID:5580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
1⤵
PID:456
- C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
  C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
  2⤵
  PID:5372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe .
1⤵
PID:3260
- C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe
  C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe .
  2⤵
  PID:3088
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\ofxprgdrqhhyddnaqakb.exe*."
    3⤵
    PID:4900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brizaokxvlkaedmynwf.exe
1⤵
PID:5804
- C:\Windows\brizaokxvlkaedmynwf.exe
  brizaokxvlkaedmynwf.exe
  2⤵
  PID:2704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qfvllytfcrpehfnymu.exe
1⤵
PID:3080
- C:\Windows\qfvllytfcrpehfnymu.exe
  qfvllytfcrpehfnymu.exe
  2⤵
  PID:5608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brizaokxvlkaedmynwf.exe .
1⤵
PID:3008
- C:\Windows\brizaokxvlkaedmynwf.exe
  brizaokxvlkaedmynwf.exe .
  2⤵
  PID:3764
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\brizaokxvlkaedmynwf.exe*."
    3⤵
    PID:3584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qfvllytfcrpehfnymu.exe .
1⤵
PID:1676
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3448
- C:\Windows\qfvllytfcrpehfnymu.exe
  qfvllytfcrpehfnymu.exe .
  2⤵
  PID:3880
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\qfvllytfcrpehfnymu.exe*."
    3⤵
    PID:4388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dvohkaynnfgyefqevgrjc.exe
1⤵
PID:1796
- C:\Windows\dvohkaynnfgyefqevgrjc.exe
  dvohkaynnfgyefqevgrjc.exe
  2⤵
  PID:3164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brizaokxvlkaedmynwf.exe
1⤵
PID:3868
- C:\Windows\brizaokxvlkaedmynwf.exe
  brizaokxvlkaedmynwf.exe
  2⤵
  PID:5892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ofxprgdrqhhyddnaqakb.exe .
1⤵
PID:3960
- C:\Windows\ofxprgdrqhhyddnaqakb.exe
  ofxprgdrqhhyddnaqakb.exe .
  2⤵
  PID:3708
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\ofxprgdrqhhyddnaqakb.exe*."
    3⤵
    PID:1188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qfvllytfcrpehfnymu.exe .
1⤵
PID:2008
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2676
- C:\Windows\qfvllytfcrpehfnymu.exe
  qfvllytfcrpehfnymu.exe .
  2⤵
  PID:4824
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\qfvllytfcrpehfnymu.exe*."
    3⤵
    PID:4556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvkzykeplzwkmjqan.exe
1⤵
PID:1892
- C:\Users\Admin\AppData\Local\Temp\hvkzykeplzwkmjqan.exe
  C:\Users\Admin\AppData\Local\Temp\hvkzykeplzwkmjqan.exe
  2⤵
  PID:5204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe
1⤵
PID:5928
- C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe
  C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe
  2⤵
  PID:6048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvkzykeplzwkmjqan.exe .
1⤵
PID:4500
- C:\Users\Admin\AppData\Local\Temp\hvkzykeplzwkmjqan.exe
  C:\Users\Admin\AppData\Local\Temp\hvkzykeplzwkmjqan.exe .
  2⤵
  PID:3128
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\hvkzykeplzwkmjqan.exe*."
    3⤵
    PID:4536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe .
1⤵
PID:5792
- C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe
  C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe .
  2⤵
  PID:1644
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\ofxprgdrqhhyddnaqakb.exe*."
    3⤵
    PID:3420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe
1⤵
PID:2020
- C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe
  C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe
  2⤵
  PID:3536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe
1⤵
PID:4720
- C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe
  C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe
  2⤵
  PID:4136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qfvllytfcrpehfnymu.exe
1⤵
PID:2376
- C:\Windows\qfvllytfcrpehfnymu.exe
  qfvllytfcrpehfnymu.exe
  2⤵
  PID:3580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe .
1⤵
PID:4688
- C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe
  C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe .
  2⤵
  PID:2236
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\anbpnyrbwjfstpve.exe*."
    3⤵
    PID:5752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe .
1⤵
PID:5148
- C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe
  C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe .
  2⤵
  PID:5528
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\anbpnyrbwjfstpve.exe*."
    3⤵
    PID:3056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hvkzykeplzwkmjqan.exe .
1⤵
PID:1444
- C:\Windows\hvkzykeplzwkmjqan.exe
  hvkzykeplzwkmjqan.exe .
  2⤵
  PID:1420
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\hvkzykeplzwkmjqan.exe*."
    3⤵
    PID:2740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c anbpnyrbwjfstpve.exe
1⤵
PID:3700
- C:\Windows\anbpnyrbwjfstpve.exe
  anbpnyrbwjfstpve.exe
  2⤵
  PID:1944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brizaokxvlkaedmynwf.exe .
1⤵
PID:1412
- C:\Windows\brizaokxvlkaedmynwf.exe
  brizaokxvlkaedmynwf.exe .
  2⤵
  PID:5576
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\brizaokxvlkaedmynwf.exe*."
    3⤵
    PID:5064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe
1⤵
PID:5768
- C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe
  C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe
  2⤵
  PID:3472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe .
1⤵
PID:3032
- C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
  C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe .
  2⤵
  PID:4648
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\qfvllytfcrpehfnymu.exe*."
    3⤵
    PID:4576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe
1⤵
PID:5580
- C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe
  C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe
  2⤵
  PID:892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe .
1⤵
PID:5380
- C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe
  C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe .
  2⤵
  PID:4692
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\dvohkaynnfgyefqevgrjc.exe*."
    3⤵
    PID:5028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ofxprgdrqhhyddnaqakb.exe
1⤵
PID:4968
- C:\Windows\ofxprgdrqhhyddnaqakb.exe
  ofxprgdrqhhyddnaqakb.exe
  2⤵
  PID:3116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qfvllytfcrpehfnymu.exe .
1⤵
PID:4208
- C:\Windows\qfvllytfcrpehfnymu.exe
  qfvllytfcrpehfnymu.exe .
  2⤵
  PID:1436
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\qfvllytfcrpehfnymu.exe*."
    3⤵
    PID:3228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dvohkaynnfgyefqevgrjc.exe
1⤵
PID:1768
- C:\Windows\dvohkaynnfgyefqevgrjc.exe
  dvohkaynnfgyefqevgrjc.exe
  2⤵
  PID:5560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dvohkaynnfgyefqevgrjc.exe .
1⤵
PID:5088
- C:\Windows\dvohkaynnfgyefqevgrjc.exe
  dvohkaynnfgyefqevgrjc.exe .
  2⤵
  PID:4836
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\dvohkaynnfgyefqevgrjc.exe*."
    3⤵
    PID:6048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe
1⤵
PID:5020
- C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe
  C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe
  2⤵
  PID:5840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe .
1⤵
PID:5428
- C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe
  C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe .
  2⤵
  PID:832
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\brizaokxvlkaedmynwf.exe*."
    3⤵
    PID:2744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe
1⤵
PID:2984
- C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe
  C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe
  2⤵
  PID:112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe .
1⤵
PID:1392
- C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe
  C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe .
  2⤵
  PID:4964
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\brizaokxvlkaedmynwf.exe*."
    3⤵
    PID:2024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vqljeayqoldjkvjalojec.exe
1⤵
PID:3128
- C:\Windows\vqljeayqoldjkvjalojec.exe
  vqljeayqoldjkvjalojec.exe
  2⤵
  PID:5776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vqljeayqoldjkvjalojec.exe .
1⤵
PID:5796
- C:\Windows\vqljeayqoldjkvjalojec.exe
  vqljeayqoldjkvjalojec.exe .
  2⤵
  PID:4504
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\vqljeayqoldjkvjalojec.exe*."
    3⤵
    PID:5152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c siyrhyrexpcdzfoa.exe
1⤵
PID:6028
- C:\Windows\siyrhyrexpcdzfoa.exe
  siyrhyrexpcdzfoa.exe
  2⤵
  PID:5792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqhbskesmftvszjwd.exe .
1⤵
PID:4700
- C:\Windows\zqhbskesmftvszjwd.exe
  zqhbskesmftvszjwd.exe .
  2⤵
  PID:4720
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\zqhbskesmftvszjwd.exe*."
    3⤵
    PID:5528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfbuokawrhlktfudex.exe
1⤵
PID:3480
- C:\Users\Admin\AppData\Local\Temp\tmfbuokawrhlktfudex.exe
  C:\Users\Admin\AppData\Local\Temp\tmfbuokawrhlktfudex.exe
  2⤵
  PID:5056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vqljeayqoldjkvjalojec.exe .
1⤵
PID:4368
- C:\Users\Admin\AppData\Local\Temp\vqljeayqoldjkvjalojec.exe
  C:\Users\Admin\AppData\Local\Temp\vqljeayqoldjkvjalojec.exe .
  2⤵
  PID:3852
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\vqljeayqoldjkvjalojec.exe*."
    3⤵
    PID:6096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hvkzykeplzwkmjqan.exe
1⤵
PID:1192
- C:\Windows\hvkzykeplzwkmjqan.exe
  hvkzykeplzwkmjqan.exe
  2⤵
  PID:804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c anbpnyrbwjfstpve.exe .
1⤵
PID:5668
- C:\Windows\anbpnyrbwjfstpve.exe
  anbpnyrbwjfstpve.exe .
  2⤵
  PID:3472
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\anbpnyrbwjfstpve.exe*."
    3⤵
    PID:1320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siyrhyrexpcdzfoa.exe
1⤵
PID:3820
- C:\Users\Admin\AppData\Local\Temp\siyrhyrexpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\siyrhyrexpcdzfoa.exe
  2⤵
  PID:5732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gaurlgdurnejjtgwgicw.exe .
1⤵
PID:4332
- C:\Users\Admin\AppData\Local\Temp\gaurlgdurnejjtgwgicw.exe
  C:\Users\Admin\AppData\Local\Temp\gaurlgdurnejjtgwgicw.exe .
  2⤵
  PID:1956
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\gaurlgdurnejjtgwgicw.exe*."
    3⤵
    PID:1720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brizaokxvlkaedmynwf.exe
1⤵
PID:5620
- C:\Windows\brizaokxvlkaedmynwf.exe
  brizaokxvlkaedmynwf.exe
  2⤵
  PID:5140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ofxprgdrqhhyddnaqakb.exe .
1⤵
PID:3680
- C:\Windows\ofxprgdrqhhyddnaqakb.exe
  ofxprgdrqhhyddnaqakb.exe .
  2⤵
  PID:5100
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\ofxprgdrqhhyddnaqakb.exe*."
    3⤵
    PID:2300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe
1⤵
PID:2376
- C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe
  C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe
  2⤵
  PID:452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe .
1⤵
PID:1984
- C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe
  C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe .
  2⤵
  PID:2804
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\anbpnyrbwjfstpve.exe*."
    3⤵
    PID:3648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe
1⤵
PID:4168
- C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe
  C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe
  2⤵
  PID:3624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe .
1⤵
PID:2296
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4676
- C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe
  C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe .
  2⤵
  PID:3584
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\anbpnyrbwjfstpve.exe*."
    3⤵
    PID:5232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ofxprgdrqhhyddnaqakb.exe
1⤵
PID:2580
- C:\Windows\ofxprgdrqhhyddnaqakb.exe
  ofxprgdrqhhyddnaqakb.exe
  2⤵
  PID:440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qfvllytfcrpehfnymu.exe
1⤵
PID:2752
- C:\Windows\qfvllytfcrpehfnymu.exe
  qfvllytfcrpehfnymu.exe
  2⤵
  PID:3228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brizaokxvlkaedmynwf.exe .
1⤵
PID:3248
- C:\Windows\brizaokxvlkaedmynwf.exe
  brizaokxvlkaedmynwf.exe .
  2⤵
  PID:4532
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\brizaokxvlkaedmynwf.exe*."
    3⤵
    PID:4148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qfvllytfcrpehfnymu.exe .
1⤵
PID:2704
- C:\Windows\qfvllytfcrpehfnymu.exe
  qfvllytfcrpehfnymu.exe .
  2⤵
  PID:4364
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\qfvllytfcrpehfnymu.exe*."
    3⤵
    PID:5204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brizaokxvlkaedmynwf.exe
1⤵
PID:6048
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:748
- C:\Windows\brizaokxvlkaedmynwf.exe
  brizaokxvlkaedmynwf.exe
  2⤵
  PID:5864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ofxprgdrqhhyddnaqakb.exe
1⤵
PID:2908
- C:\Windows\ofxprgdrqhhyddnaqakb.exe
  ofxprgdrqhhyddnaqakb.exe
  2⤵
  PID:1316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dvohkaynnfgyefqevgrjc.exe .
1⤵
PID:1672
- C:\Windows\dvohkaynnfgyefqevgrjc.exe
  dvohkaynnfgyefqevgrjc.exe .
  2⤵
  PID:4040
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\dvohkaynnfgyefqevgrjc.exe*."
    3⤵
    PID:4720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qfvllytfcrpehfnymu.exe .
1⤵
PID:3764
- C:\Windows\qfvllytfcrpehfnymu.exe
  qfvllytfcrpehfnymu.exe .
  2⤵
  PID:2172
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\qfvllytfcrpehfnymu.exe*."
    3⤵
    PID:1480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe
1⤵
PID:4684
- C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe
  C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe
  2⤵
  PID:2236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe
1⤵
PID:3536
- C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe
  C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe
  2⤵
  PID:3284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe .
1⤵
PID:5028
- C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe
  C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe .
  2⤵
  PID:6136
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\brizaokxvlkaedmynwf.exe*."
    3⤵
    PID:5732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvkzykeplzwkmjqan.exe .
1⤵
PID:5196
- C:\Users\Admin\AppData\Local\Temp\hvkzykeplzwkmjqan.exe
  C:\Users\Admin\AppData\Local\Temp\hvkzykeplzwkmjqan.exe .
  2⤵
  PID:6040
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\hvkzykeplzwkmjqan.exe*."
    3⤵
    PID:5124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c anbpnyrbwjfstpve.exe
1⤵
PID:872
- C:\Windows\anbpnyrbwjfstpve.exe
  anbpnyrbwjfstpve.exe
  2⤵
  PID:432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe
1⤵
PID:1944
- C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe
  C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe
  2⤵
  PID:4624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hvkzykeplzwkmjqan.exe .
1⤵
PID:2740
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3468
- C:\Windows\hvkzykeplzwkmjqan.exe
  hvkzykeplzwkmjqan.exe .
  2⤵
  PID:4456
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\hvkzykeplzwkmjqan.exe*."
    3⤵
    PID:3000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
1⤵
PID:2168
- C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
  C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
  2⤵
  PID:5980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe .
1⤵
PID:5368
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1420
- C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe
  C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe .
  2⤵
  PID:1664
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\ofxprgdrqhhyddnaqakb.exe*."
    3⤵
    PID:3352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvkzykeplzwkmjqan.exe .
1⤵
PID:1940
- C:\Users\Admin\AppData\Local\Temp\hvkzykeplzwkmjqan.exe
  C:\Users\Admin\AppData\Local\Temp\hvkzykeplzwkmjqan.exe .
  2⤵
  PID:388
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\hvkzykeplzwkmjqan.exe*."
    3⤵
    PID:1796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hvkzykeplzwkmjqan.exe
1⤵
PID:4444
- C:\Windows\hvkzykeplzwkmjqan.exe
  hvkzykeplzwkmjqan.exe
  2⤵
  PID:2680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brizaokxvlkaedmynwf.exe .
1⤵
PID:5584
- C:\Windows\brizaokxvlkaedmynwf.exe
  brizaokxvlkaedmynwf.exe .
  2⤵
  PID:3324
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\brizaokxvlkaedmynwf.exe*."
    3⤵
    PID:5372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe
1⤵
PID:3920
- C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe
  C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe
  2⤵
  PID:5616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe .
1⤵
PID:2332
- C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe
  C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe .
  2⤵
  PID:2804
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\ofxprgdrqhhyddnaqakb.exe*."
    3⤵
    PID:3400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
1⤵
PID:3368
- C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
  C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
  2⤵
  PID:312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe .
1⤵
PID:3584
- C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
  C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe .
  2⤵
  PID:5580
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\qfvllytfcrpehfnymu.exe*."
    3⤵
    PID:5824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iasnfytidxmpnvgucc.exe
1⤵
PID:1752
- C:\Windows\iasnfytidxmpnvgucc.exe
  iasnfytidxmpnvgucc.exe
  2⤵
  PID:2120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tmfbuokawrhlktfudex.exe .
1⤵
PID:3864
- C:\Windows\tmfbuokawrhlktfudex.exe
  tmfbuokawrhlktfudex.exe .
  2⤵
  PID:1152
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\tmfbuokawrhlktfudex.exe*."
    3⤵
    PID:5496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c siyrhyrexpcdzfoa.exe
1⤵
PID:3228
- C:\Windows\siyrhyrexpcdzfoa.exe
  siyrhyrexpcdzfoa.exe
  2⤵
  PID:4820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gaurlgdurnejjtgwgicw.exe .
1⤵
PID:5136
- C:\Windows\gaurlgdurnejjtgwgicw.exe
  gaurlgdurnejjtgwgicw.exe .
  2⤵
  PID:2196
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\gaurlgdurnejjtgwgicw.exe*."
    3⤵
    PID:1120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iasnfytidxmpnvgucc.exe
1⤵
PID:3248
- C:\Users\Admin\AppData\Local\Temp\iasnfytidxmpnvgucc.exe
  C:\Users\Admin\AppData\Local\Temp\iasnfytidxmpnvgucc.exe
  2⤵
  PID:2704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vqljeayqoldjkvjalojec.exe .
1⤵
PID:4592
- C:\Users\Admin\AppData\Local\Temp\vqljeayqoldjkvjalojec.exe
  C:\Users\Admin\AppData\Local\Temp\vqljeayqoldjkvjalojec.exe .
  2⤵
  PID:2024
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\vqljeayqoldjkvjalojec.exe*."
    3⤵
    PID:5792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ofxprgdrqhhyddnaqakb.exe
1⤵
PID:5532
- C:\Windows\ofxprgdrqhhyddnaqakb.exe
  ofxprgdrqhhyddnaqakb.exe
  2⤵
  PID:5796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c anbpnyrbwjfstpve.exe .
1⤵
PID:2564
- C:\Windows\anbpnyrbwjfstpve.exe
  anbpnyrbwjfstpve.exe .
  2⤵
  PID:5208
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\anbpnyrbwjfstpve.exe*."
    3⤵
    PID:876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfbuokawrhlktfudex.exe
1⤵
PID:5928
- C:\Users\Admin\AppData\Local\Temp\tmfbuokawrhlktfudex.exe
  C:\Users\Admin\AppData\Local\Temp\tmfbuokawrhlktfudex.exe
  2⤵
  PID:5776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gaurlgdurnejjtgwgicw.exe .
1⤵
PID:3596
- C:\Users\Admin\AppData\Local\Temp\gaurlgdurnejjtgwgicw.exe
  C:\Users\Admin\AppData\Local\Temp\gaurlgdurnejjtgwgicw.exe .
  2⤵
  PID:184
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\gaurlgdurnejjtgwgicw.exe*."
    3⤵
    PID:872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brizaokxvlkaedmynwf.exe
1⤵
PID:436
- C:\Windows\brizaokxvlkaedmynwf.exe
  brizaokxvlkaedmynwf.exe
  2⤵
  PID:1188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dvohkaynnfgyefqevgrjc.exe .
1⤵
PID:5108
- C:\Windows\dvohkaynnfgyefqevgrjc.exe
  dvohkaynnfgyefqevgrjc.exe .
  2⤵
  PID:1888
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\dvohkaynnfgyefqevgrjc.exe*."
    3⤵
    PID:4816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe
1⤵
PID:2936
- C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe
  C:\Users\Admin\AppData\Local\Temp\ofxprgdrqhhyddnaqakb.exe
  2⤵
  PID:3788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe .
1⤵
PID:1964
- C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe
  C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe .
  2⤵
  PID:4696
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\dvohkaynnfgyefqevgrjc.exe*."
    3⤵
    PID:3540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvkzykeplzwkmjqan.exe
1⤵
PID:5028
- C:\Users\Admin\AppData\Local\Temp\hvkzykeplzwkmjqan.exe
  C:\Users\Admin\AppData\Local\Temp\hvkzykeplzwkmjqan.exe
  2⤵
  PID:5196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvkzykeplzwkmjqan.exe .
1⤵
PID:5464
- C:\Users\Admin\AppData\Local\Temp\hvkzykeplzwkmjqan.exe
  C:\Users\Admin\AppData\Local\Temp\hvkzykeplzwkmjqan.exe .
  2⤵
  PID:4128
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\hvkzykeplzwkmjqan.exe*."
    3⤵
    PID:3700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qfvllytfcrpehfnymu.exe
1⤵
PID:4456
- C:\Windows\qfvllytfcrpehfnymu.exe
  qfvllytfcrpehfnymu.exe
  2⤵
  PID:5140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c anbpnyrbwjfstpve.exe .
1⤵
PID:4856
- C:\Windows\anbpnyrbwjfstpve.exe
  anbpnyrbwjfstpve.exe .
  2⤵
  PID:5056
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\anbpnyrbwjfstpve.exe*."
    3⤵
    PID:3784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hvkzykeplzwkmjqan.exe
1⤵
PID:4044
- C:\Windows\hvkzykeplzwkmjqan.exe
  hvkzykeplzwkmjqan.exe
  2⤵
  PID:6012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hvkzykeplzwkmjqan.exe .
1⤵
PID:4984
- C:\Windows\hvkzykeplzwkmjqan.exe
  hvkzykeplzwkmjqan.exe .
  2⤵
  PID:4776
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\hvkzykeplzwkmjqan.exe*."
    3⤵
    PID:3604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe
1⤵
PID:5016
- C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe
  C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe
  2⤵
  PID:5372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe .
1⤵
PID:5316
- C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
  C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe .
  2⤵
  PID:5540
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\qfvllytfcrpehfnymu.exe*."
    3⤵
    PID:2804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvkzykeplzwkmjqan.exe
1⤵
PID:3516
- C:\Users\Admin\AppData\Local\Temp\hvkzykeplzwkmjqan.exe
  C:\Users\Admin\AppData\Local\Temp\hvkzykeplzwkmjqan.exe
  2⤵
  PID:5484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe .
1⤵
PID:3648
- C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe
  C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe .
  2⤵
  PID:464
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\brizaokxvlkaedmynwf.exe*."
    3⤵
    PID:2732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c anbpnyrbwjfstpve.exe
1⤵
PID:5344
- C:\Windows\anbpnyrbwjfstpve.exe
  anbpnyrbwjfstpve.exe
  2⤵
  PID:1752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dvohkaynnfgyefqevgrjc.exe .
1⤵
PID:2580
- C:\Windows\dvohkaynnfgyefqevgrjc.exe
  dvohkaynnfgyefqevgrjc.exe .
  2⤵
  PID:2780
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\dvohkaynnfgyefqevgrjc.exe*."
    3⤵
    PID:3760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c anbpnyrbwjfstpve.exe
1⤵
PID:740
- C:\Windows\anbpnyrbwjfstpve.exe
  anbpnyrbwjfstpve.exe
  2⤵
  PID:4836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c anbpnyrbwjfstpve.exe .
1⤵
PID:4992
- C:\Windows\anbpnyrbwjfstpve.exe
  anbpnyrbwjfstpve.exe .
  2⤵
  PID:4532
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\anbpnyrbwjfstpve.exe*."
    3⤵
    PID:3308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe
1⤵
PID:2444
- C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe
  C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe
  2⤵
  PID:4580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe .
1⤵
PID:2744
- C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe
  C:\Users\Admin\AppData\Local\Temp\qfvllytfcrpehfnymu.exe .
  2⤵
  PID:2640
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\qfvllytfcrpehfnymu.exe*."
    3⤵
    PID:6076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe
1⤵
PID:1316
- C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe
  C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe
  2⤵
  PID:1824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe .
1⤵
PID:4460
- C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe
  C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe .
  2⤵
  PID:5088
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\dvohkaynnfgyefqevgrjc.exe*."
    3⤵
    PID:5780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ofxprgdrqhhyddnaqakb.exe
1⤵
PID:6088
- C:\Windows\ofxprgdrqhhyddnaqakb.exe
  ofxprgdrqhhyddnaqakb.exe
  2⤵
  PID:1188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dvohkaynnfgyefqevgrjc.exe .
1⤵
PID:4452
- C:\Windows\dvohkaynnfgyefqevgrjc.exe
  dvohkaynnfgyefqevgrjc.exe .
  2⤵
  PID:3788
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\dvohkaynnfgyefqevgrjc.exe*."
    3⤵
    PID:4612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c anbpnyrbwjfstpve.exe
1⤵
PID:4948
- C:\Windows\anbpnyrbwjfstpve.exe
  anbpnyrbwjfstpve.exe
  2⤵
  PID:5768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c anbpnyrbwjfstpve.exe .
1⤵
PID:3944
- C:\Windows\anbpnyrbwjfstpve.exe
  anbpnyrbwjfstpve.exe .
  2⤵
  PID:5156
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\anbpnyrbwjfstpve.exe*."
    3⤵
    PID:4624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe
1⤵
PID:1140
- C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe
  C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe
  2⤵
  PID:6040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe .
1⤵
PID:5280
- C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe
  C:\Users\Admin\AppData\Local\Temp\dvohkaynnfgyefqevgrjc.exe .
  2⤵
  PID:5684
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\dvohkaynnfgyefqevgrjc.exe*."
    3⤵
    PID:3128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe
1⤵
PID:5892
- C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe
  C:\Users\Admin\AppData\Local\Temp\brizaokxvlkaedmynwf.exe
  2⤵
  PID:5940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe .
1⤵
PID:692
- C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe
  C:\Users\Admin\AppData\Local\Temp\anbpnyrbwjfstpve.exe .
  2⤵
  PID:5464
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\anbpnyrbwjfstpve.exe*."
    3⤵
    PID:4648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brizaokxvlkaedmynwf.exe
1⤵
PID:1144
- C:\Windows\brizaokxvlkaedmynwf.exe
  brizaokxvlkaedmynwf.exe
  2⤵
  PID:5092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qfvllytfcrpehfnymu.exe
1⤵
PID:1796
- C:\Windows\qfvllytfcrpehfnymu.exe
  qfvllytfcrpehfnymu.exe
  2⤵
  PID:3820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Safe Mode Boot

T1562.009

Modify Registry