pykspa | 84372360b237f339d6a7e424e8b559baa05ef9a2b118c9f5527569ee8fb45dd1

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	kpwygq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	kpwygq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	sdqaokddcna.exe

Pykspa
Pykspa is a worm spreads via Skype uses DGA and it's written in C++.
worm pykspa
Pykspa family
pykspa

UAC bypass 3 TTPs 27 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	kpwygq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	kpwygq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	kpwygq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	kpwygq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	kpwygq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	kpwygq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	kpwygq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	kpwygq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe

Detect Pykspa worm 2 IoCs

worm

resource	yara_rule
behavioral2/files/0x00050000000229c8-4.dat	family_pykspa
behavioral2/files/0x0007000000024299-80.dat	family_pykspa

Adds policy Run key to start application 2 TTPs 60 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dlvalyfpz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wlcogaofwibrjyrs.exe"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dlvalyfpz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kdyokiavqgdxtmjoqzgz.exe"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dlvalyfpz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kdyokiavqgdxtmjoqzgz.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dlvalyfpz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kdyokiavqgdxtmjoqzgz.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ozmuiyiviqfr = "kdyokiavqgdxtmjoqzgz.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ozmuiyiviqfr = "ztpgdcvrnecxuomsvfnhd.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ozmuiyiviqfr = "mdwkeaqjcqldxojmmt.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dlvalyfpz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dtlyrmbtlysjcsmon.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ozmuiyiviqfr = "wlcogaofwibrjyrs.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dlvalyfpz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mdwkeaqjcqldxojmmt.exe"	kpwygq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dlvalyfpz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wlcogaofwibrjyrs.exe"	kpwygq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dlvalyfpz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wlcogaofwibrjyrs.exe"	kpwygq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ozmuiyiviqfr = "mdwkeaqjcqldxojmmt.exe"	kpwygq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ozmuiyiviqfr = "mdwkeaqjcqldxojmmt.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ozmuiyiviqfr = "wlcogaofwibrjyrs.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ozmuiyiviqfr = "wlcogaofwibrjyrs.exe"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ozmuiyiviqfr = "dtlyrmbtlysjcsmon.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dlvalyfpz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mdwkeaqjcqldxojmmt.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ozmuiyiviqfr = "dtlyrmbtlysjcsmon.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dlvalyfpz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kdyokiavqgdxtmjoqzgz.exe"	kpwygq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dlvalyfpz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kdyokiavqgdxtmjoqzgz.exe"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ozmuiyiviqfr = "dtlyrmbtlysjcsmon.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ozmuiyiviqfr = "dtlyrmbtlysjcsmon.exe"	kpwygq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dlvalyfpz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ztpgdcvrnecxuomsvfnhd.exe"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dlvalyfpz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xpjytqhbvkgzumimnvb.exe"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dlvalyfpz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dtlyrmbtlysjcsmon.exe"	kpwygq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dlvalyfpz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dtlyrmbtlysjcsmon.exe"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	kpwygq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ozmuiyiviqfr = "dtlyrmbtlysjcsmon.exe"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dlvalyfpz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dtlyrmbtlysjcsmon.exe"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dlvalyfpz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kdyokiavqgdxtmjoqzgz.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ozmuiyiviqfr = "xpjytqhbvkgzumimnvb.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ozmuiyiviqfr = "dtlyrmbtlysjcsmon.exe"	kpwygq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ozmuiyiviqfr = "mdwkeaqjcqldxojmmt.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ozmuiyiviqfr = "dtlyrmbtlysjcsmon.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ozmuiyiviqfr = "ztpgdcvrnecxuomsvfnhd.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dlvalyfpz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wlcogaofwibrjyrs.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ozmuiyiviqfr = "mdwkeaqjcqldxojmmt.exe"	kpwygq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dlvalyfpz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xpjytqhbvkgzumimnvb.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ozmuiyiviqfr = "ztpgdcvrnecxuomsvfnhd.exe"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dlvalyfpz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xpjytqhbvkgzumimnvb.exe"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	kpwygq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ozmuiyiviqfr = "kdyokiavqgdxtmjoqzgz.exe"	kpwygq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dlvalyfpz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mdwkeaqjcqldxojmmt.exe"	sdqaokddcna.exe

Disables RegEdit via registry modification 6 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	sdqaokddcna.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	kpwygq.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	kpwygq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	kpwygq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	kpwygq.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	sdqaokddcna.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	dtlyrmbtlysjcsmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	xpjytqhbvkgzumimnvb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	mdwkeaqjcqldxojmmt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	ztpgdcvrnecxuomsvfnhd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	kdyokiavqgdxtmjoqzgz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	ztpgdcvrnecxuomsvfnhd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	kdyokiavqgdxtmjoqzgz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	kdyokiavqgdxtmjoqzgz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	ztpgdcvrnecxuomsvfnhd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	kdyokiavqgdxtmjoqzgz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	xpjytqhbvkgzumimnvb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	xpjytqhbvkgzumimnvb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	wlcogaofwibrjyrs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	xpjytqhbvkgzumimnvb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	wlcogaofwibrjyrs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	kdyokiavqgdxtmjoqzgz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	sdqaokddcna.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	mdwkeaqjcqldxojmmt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	wlcogaofwibrjyrs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	ztpgdcvrnecxuomsvfnhd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	wlcogaofwibrjyrs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	wlcogaofwibrjyrs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	dtlyrmbtlysjcsmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	wlcogaofwibrjyrs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	dtlyrmbtlysjcsmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	mdwkeaqjcqldxojmmt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	ztpgdcvrnecxuomsvfnhd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	xpjytqhbvkgzumimnvb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	xpjytqhbvkgzumimnvb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	mdwkeaqjcqldxojmmt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	wlcogaofwibrjyrs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	dtlyrmbtlysjcsmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	mdwkeaqjcqldxojmmt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	mdwkeaqjcqldxojmmt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	dtlyrmbtlysjcsmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	dtlyrmbtlysjcsmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	dtlyrmbtlysjcsmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	mdwkeaqjcqldxojmmt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	xpjytqhbvkgzumimnvb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	mdwkeaqjcqldxojmmt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	JaffaCakes118_962dc67fe9d8c2f06aa18586ce6be0de.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	xpjytqhbvkgzumimnvb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	kdyokiavqgdxtmjoqzgz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	dtlyrmbtlysjcsmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	dtlyrmbtlysjcsmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	mdwkeaqjcqldxojmmt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	xpjytqhbvkgzumimnvb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	dtlyrmbtlysjcsmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	kdyokiavqgdxtmjoqzgz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	dtlyrmbtlysjcsmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	xpjytqhbvkgzumimnvb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	wlcogaofwibrjyrs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	xpjytqhbvkgzumimnvb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	kdyokiavqgdxtmjoqzgz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	dtlyrmbtlysjcsmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	mdwkeaqjcqldxojmmt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	wlcogaofwibrjyrs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	ztpgdcvrnecxuomsvfnhd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	kdyokiavqgdxtmjoqzgz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	dtlyrmbtlysjcsmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	dtlyrmbtlysjcsmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	xpjytqhbvkgzumimnvb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	ztpgdcvrnecxuomsvfnhd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	dtlyrmbtlysjcsmon.exe

Executes dropped EXE 64 IoCs

pid	Process
5332	sdqaokddcna.exe
4660	kdyokiavqgdxtmjoqzgz.exe
5440	xpjytqhbvkgzumimnvb.exe
4184	sdqaokddcna.exe
4512	xpjytqhbvkgzumimnvb.exe
5576	dtlyrmbtlysjcsmon.exe
6128	xpjytqhbvkgzumimnvb.exe
4900	sdqaokddcna.exe
4568	xpjytqhbvkgzumimnvb.exe
2748	sdqaokddcna.exe
5304	xpjytqhbvkgzumimnvb.exe
1428	xpjytqhbvkgzumimnvb.exe
1520	sdqaokddcna.exe
3572	kpwygq.exe
3948	kpwygq.exe
1488	mdwkeaqjcqldxojmmt.exe
1468	ztpgdcvrnecxuomsvfnhd.exe
3888	dtlyrmbtlysjcsmon.exe
728	mdwkeaqjcqldxojmmt.exe
5464	sdqaokddcna.exe
2392	sdqaokddcna.exe
4636	ztpgdcvrnecxuomsvfnhd.exe
4720	dtlyrmbtlysjcsmon.exe
4860	ztpgdcvrnecxuomsvfnhd.exe
4188	dtlyrmbtlysjcsmon.exe
2652	mdwkeaqjcqldxojmmt.exe
1308	kdyokiavqgdxtmjoqzgz.exe
4936	mdwkeaqjcqldxojmmt.exe
3936	kdyokiavqgdxtmjoqzgz.exe
2920	sdqaokddcna.exe
1604	wlcogaofwibrjyrs.exe
2664	sdqaokddcna.exe
1764	sdqaokddcna.exe
3436	sdqaokddcna.exe
4272	dtlyrmbtlysjcsmon.exe
3992	dtlyrmbtlysjcsmon.exe
4608	dtlyrmbtlysjcsmon.exe
5144	dtlyrmbtlysjcsmon.exe
6124	xpjytqhbvkgzumimnvb.exe
4220	sdqaokddcna.exe
4064	kdyokiavqgdxtmjoqzgz.exe
3744	sdqaokddcna.exe
4144	mdwkeaqjcqldxojmmt.exe
2052	xpjytqhbvkgzumimnvb.exe
5248	sdqaokddcna.exe
5068	xpjytqhbvkgzumimnvb.exe
5696	sdqaokddcna.exe
4916	sdqaokddcna.exe
6072	wlcogaofwibrjyrs.exe
396	ztpgdcvrnecxuomsvfnhd.exe
4876	sdqaokddcna.exe
4852	xpjytqhbvkgzumimnvb.exe
3508	kdyokiavqgdxtmjoqzgz.exe
4948	sdqaokddcna.exe
1948	xpjytqhbvkgzumimnvb.exe
1660	mdwkeaqjcqldxojmmt.exe
5044	dtlyrmbtlysjcsmon.exe
6076	sdqaokddcna.exe
4248	xpjytqhbvkgzumimnvb.exe
6092	wlcogaofwibrjyrs.exe
1068	kdyokiavqgdxtmjoqzgz.exe
5216	sdqaokddcna.exe
2360	mdwkeaqjcqldxojmmt.exe
736	ztpgdcvrnecxuomsvfnhd.exe

Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	kpwygq.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	kpwygq.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	kpwygq.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	kpwygq.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	kpwygq.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	kpwygq.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

defense_evasion persistence privilege_escalation

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wfqwiwepag = "xpjytqhbvkgzumimnvb.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rbnuhwfrdky = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ztpgdcvrnecxuomsvfnhd.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wlcogaofwibrjyrs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mdwkeaqjcqldxojmmt.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wfqwiwepag = "kdyokiavqgdxtmjoqzgz.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\obqaqiujyizndq = "xpjytqhbvkgzumimnvb.exe ."	kpwygq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wfqwiwepag = "ztpgdcvrnecxuomsvfnhd.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\obqaqiujyizndq = "dtlyrmbtlysjcsmon.exe ."	kpwygq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\obqaqiujyizndq = "ztpgdcvrnecxuomsvfnhd.exe ."	kpwygq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wlcogaofwibrjyrs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kdyokiavqgdxtmjoqzgz.exe"	kpwygq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rfvgxqdtjumbsgy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xpjytqhbvkgzumimnvb.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rbnuhwfrdky = "kdyokiavqgdxtmjoqzgz.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wfqwiwepag = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ztpgdcvrnecxuomsvfnhd.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nznwlcnbpyobq = "ztpgdcvrnecxuomsvfnhd.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\obqaqiujyizndq = "xpjytqhbvkgzumimnvb.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nznwlcnbpyobq = "wlcogaofwibrjyrs.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rbnuhwfrdky = "wlcogaofwibrjyrs.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rbnuhwfrdky = "ztpgdcvrnecxuomsvfnhd.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wlcogaofwibrjyrs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kdyokiavqgdxtmjoqzgz.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wfqwiwepag = "mdwkeaqjcqldxojmmt.exe"	kpwygq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\obqaqiujyizndq = "kdyokiavqgdxtmjoqzgz.exe ."	kpwygq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wfqwiwepag = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xpjytqhbvkgzumimnvb.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wfqwiwepag = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dtlyrmbtlysjcsmon.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\obqaqiujyizndq = "mdwkeaqjcqldxojmmt.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rbnuhwfrdky = "mdwkeaqjcqldxojmmt.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nznwlcnbpyobq = "kdyokiavqgdxtmjoqzgz.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wlcogaofwibrjyrs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wlcogaofwibrjyrs.exe"	kpwygq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nznwlcnbpyobq = "ztpgdcvrnecxuomsvfnhd.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rbnuhwfrdky = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mdwkeaqjcqldxojmmt.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wlcogaofwibrjyrs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kdyokiavqgdxtmjoqzgz.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rbnuhwfrdky = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xpjytqhbvkgzumimnvb.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wlcogaofwibrjyrs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kdyokiavqgdxtmjoqzgz.exe"	kpwygq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nznwlcnbpyobq = "wlcogaofwibrjyrs.exe"	kpwygq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rbnuhwfrdky = "dtlyrmbtlysjcsmon.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nznwlcnbpyobq = "dtlyrmbtlysjcsmon.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rbnuhwfrdky = "dtlyrmbtlysjcsmon.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\obqaqiujyizndq = "dtlyrmbtlysjcsmon.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nznwlcnbpyobq = "wlcogaofwibrjyrs.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wfqwiwepag = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xpjytqhbvkgzumimnvb.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\obqaqiujyizndq = "dtlyrmbtlysjcsmon.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rfvgxqdtjumbsgy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wlcogaofwibrjyrs.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wfqwiwepag = "kdyokiavqgdxtmjoqzgz.exe"	kpwygq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wfqwiwepag = "mdwkeaqjcqldxojmmt.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wfqwiwepag = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wlcogaofwibrjyrs.exe"	kpwygq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rfvgxqdtjumbsgy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wlcogaofwibrjyrs.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rbnuhwfrdky = "ztpgdcvrnecxuomsvfnhd.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\obqaqiujyizndq = "ztpgdcvrnecxuomsvfnhd.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nznwlcnbpyobq = "kdyokiavqgdxtmjoqzgz.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rfvgxqdtjumbsgy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mdwkeaqjcqldxojmmt.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rfvgxqdtjumbsgy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dtlyrmbtlysjcsmon.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rbnuhwfrdky = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dtlyrmbtlysjcsmon.exe ."	kpwygq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\obqaqiujyizndq = "ztpgdcvrnecxuomsvfnhd.exe ."	kpwygq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wfqwiwepag = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mdwkeaqjcqldxojmmt.exe"	kpwygq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wlcogaofwibrjyrs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kdyokiavqgdxtmjoqzgz.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wfqwiwepag = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wlcogaofwibrjyrs.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wlcogaofwibrjyrs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kdyokiavqgdxtmjoqzgz.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wfqwiwepag = "ztpgdcvrnecxuomsvfnhd.exe"	kpwygq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rbnuhwfrdky = "dtlyrmbtlysjcsmon.exe ."	kpwygq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rfvgxqdtjumbsgy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kdyokiavqgdxtmjoqzgz.exe ."	kpwygq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rfvgxqdtjumbsgy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wlcogaofwibrjyrs.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rfvgxqdtjumbsgy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ztpgdcvrnecxuomsvfnhd.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rbnuhwfrdky = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kdyokiavqgdxtmjoqzgz.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\obqaqiujyizndq = "xpjytqhbvkgzumimnvb.exe ."	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wfqwiwepag = "kdyokiavqgdxtmjoqzgz.exe"	sdqaokddcna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rbnuhwfrdky = "mdwkeaqjcqldxojmmt.exe ."	kpwygq.exe

Checks whether UAC is enabled 1 TTPs 36 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdqaokddcna.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdqaokddcna.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdqaokddcna.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdqaokddcna.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdqaokddcna.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdqaokddcna.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdqaokddcna.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	kpwygq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	kpwygq.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdqaokddcna.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	kpwygq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	kpwygq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdqaokddcna.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe

Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs

Possible Turn off User Account Control's privilege elevation for standard users.

Executable Installer File Permissions Weakness

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	kpwygq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	kpwygq.exe

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
39	whatismyip.everdot.org
45	whatismyip.everdot.org
25	whatismyipaddress.com
27	www.whatismyip.ca
35	www.showmyipaddress.com
38	www.whatismyip.ca

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\qliayyspmedzxsrycnwrog.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\kdyokiavqgdxtmjoqzgz.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\ztpgdcvrnecxuomsvfnhd.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\wlcogaofwibrjyrs.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\kdyokiavqgdxtmjoqzgz.exe	kpwygq.exe
File opened for modification	C:\Windows\SysWOW64\mdwkeaqjcqldxojmmt.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\ztpgdcvrnecxuomsvfnhd.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\xpjytqhbvkgzumimnvb.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\qliayyspmedzxsrycnwrog.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\dtlyrmbtlysjcsmon.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\kdyokiavqgdxtmjoqzgz.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\mdwkeaqjcqldxojmmt.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\kdyokiavqgdxtmjoqzgz.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\dtlyrmbtlysjcsmon.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\qliayyspmedzxsrycnwrog.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\wlcogaofwibrjyrs.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\mdwkeaqjcqldxojmmt.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\mdwkeaqjcqldxojmmt.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\ztpgdcvrnecxuomsvfnhd.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\dtlyrmbtlysjcsmon.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\xpjytqhbvkgzumimnvb.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\qliayyspmedzxsrycnwrog.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\dtlyrmbtlysjcsmon.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\kdyokiavqgdxtmjoqzgz.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\mdwkeaqjcqldxojmmt.exe	kpwygq.exe
File created	C:\Windows\SysWOW64\rfvgxqdtjumbsgyyvzbpfqhandtewlcqiifjl.par	kpwygq.exe
File opened for modification	C:\Windows\SysWOW64\xpjytqhbvkgzumimnvb.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\qliayyspmedzxsrycnwrog.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\dtlyrmbtlysjcsmon.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\mdwkeaqjcqldxojmmt.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\qliayyspmedzxsrycnwrog.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\kdyokiavqgdxtmjoqzgz.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\wlcogaofwibrjyrs.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\ztpgdcvrnecxuomsvfnhd.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\rfvgxqdtjumbsgyyvzbpfqhandtewlcqiifjl.par	kpwygq.exe
File opened for modification	C:\Windows\SysWOW64\xpjytqhbvkgzumimnvb.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\qliayyspmedzxsrycnwrog.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\xpjytqhbvkgzumimnvb.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\xpjytqhbvkgzumimnvb.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\mdwkeaqjcqldxojmmt.exe	kpwygq.exe
File opened for modification	C:\Windows\SysWOW64\mdwkeaqjcqldxojmmt.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\xpjytqhbvkgzumimnvb.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\ztpgdcvrnecxuomsvfnhd.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\qliayyspmedzxsrycnwrog.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\wlcogaofwibrjyrs.exe	kpwygq.exe
File opened for modification	C:\Windows\SysWOW64\xpjytqhbvkgzumimnvb.exe	kpwygq.exe
File opened for modification	C:\Windows\SysWOW64\qliayyspmedzxsrycnwrog.exe	kpwygq.exe
File opened for modification	C:\Windows\SysWOW64\qtyyemotyyfjpszoatknssygin.szd	kpwygq.exe
File created	C:\Windows\SysWOW64\qtyyemotyyfjpszoatknssygin.szd	kpwygq.exe
File opened for modification	C:\Windows\SysWOW64\ztpgdcvrnecxuomsvfnhd.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\mdwkeaqjcqldxojmmt.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\qliayyspmedzxsrycnwrog.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\mdwkeaqjcqldxojmmt.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\qliayyspmedzxsrycnwrog.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\kdyokiavqgdxtmjoqzgz.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\dtlyrmbtlysjcsmon.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\ztpgdcvrnecxuomsvfnhd.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\xpjytqhbvkgzumimnvb.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\dtlyrmbtlysjcsmon.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\qliayyspmedzxsrycnwrog.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\wlcogaofwibrjyrs.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\dtlyrmbtlysjcsmon.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\qliayyspmedzxsrycnwrog.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\SysWOW64\kdyokiavqgdxtmjoqzgz.exe	sdqaokddcna.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\qtyyemotyyfjpszoatknssygin.szd	kpwygq.exe
File created	C:\Program Files (x86)\qtyyemotyyfjpszoatknssygin.szd	kpwygq.exe
File opened for modification	C:\Program Files (x86)\rfvgxqdtjumbsgyyvzbpfqhandtewlcqiifjl.par	kpwygq.exe
File created	C:\Program Files (x86)\rfvgxqdtjumbsgyyvzbpfqhandtewlcqiifjl.par	kpwygq.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ztpgdcvrnecxuomsvfnhd.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\ztpgdcvrnecxuomsvfnhd.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\qliayyspmedzxsrycnwrog.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\dtlyrmbtlysjcsmon.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\kdyokiavqgdxtmjoqzgz.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\wlcogaofwibrjyrs.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\kdyokiavqgdxtmjoqzgz.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\qliayyspmedzxsrycnwrog.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\dtlyrmbtlysjcsmon.exe	kpwygq.exe
File opened for modification	C:\Windows\xpjytqhbvkgzumimnvb.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\mdwkeaqjcqldxojmmt.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\dtlyrmbtlysjcsmon.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\dtlyrmbtlysjcsmon.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\ztpgdcvrnecxuomsvfnhd.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\wlcogaofwibrjyrs.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\qliayyspmedzxsrycnwrog.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\wlcogaofwibrjyrs.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\wlcogaofwibrjyrs.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\wlcogaofwibrjyrs.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\kdyokiavqgdxtmjoqzgz.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\xpjytqhbvkgzumimnvb.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\mdwkeaqjcqldxojmmt.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\kdyokiavqgdxtmjoqzgz.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\dtlyrmbtlysjcsmon.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\dtlyrmbtlysjcsmon.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\dtlyrmbtlysjcsmon.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\qliayyspmedzxsrycnwrog.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\wlcogaofwibrjyrs.exe	kpwygq.exe
File opened for modification	C:\Windows\mdwkeaqjcqldxojmmt.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\mdwkeaqjcqldxojmmt.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\xpjytqhbvkgzumimnvb.exe	kpwygq.exe
File opened for modification	C:\Windows\qliayyspmedzxsrycnwrog.exe	kpwygq.exe
File opened for modification	C:\Windows\qliayyspmedzxsrycnwrog.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\kdyokiavqgdxtmjoqzgz.exe	kpwygq.exe
File opened for modification	C:\Windows\xpjytqhbvkgzumimnvb.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\ztpgdcvrnecxuomsvfnhd.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\qliayyspmedzxsrycnwrog.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\wlcogaofwibrjyrs.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\ztpgdcvrnecxuomsvfnhd.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\kdyokiavqgdxtmjoqzgz.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\mdwkeaqjcqldxojmmt.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\qliayyspmedzxsrycnwrog.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\kdyokiavqgdxtmjoqzgz.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\xpjytqhbvkgzumimnvb.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\xpjytqhbvkgzumimnvb.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\qliayyspmedzxsrycnwrog.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\wlcogaofwibrjyrs.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\ztpgdcvrnecxuomsvfnhd.exe	sdqaokddcna.exe
File created	C:\Windows\rfvgxqdtjumbsgyyvzbpfqhandtewlcqiifjl.par	kpwygq.exe
File opened for modification	C:\Windows\dtlyrmbtlysjcsmon.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\kdyokiavqgdxtmjoqzgz.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\wlcogaofwibrjyrs.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\xpjytqhbvkgzumimnvb.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\dtlyrmbtlysjcsmon.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\wlcogaofwibrjyrs.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\wlcogaofwibrjyrs.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\mdwkeaqjcqldxojmmt.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\wlcogaofwibrjyrs.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\xpjytqhbvkgzumimnvb.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\dtlyrmbtlysjcsmon.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\qliayyspmedzxsrycnwrog.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\qliayyspmedzxsrycnwrog.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\xpjytqhbvkgzumimnvb.exe	sdqaokddcna.exe
File opened for modification	C:\Windows\dtlyrmbtlysjcsmon.exe	sdqaokddcna.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mdwkeaqjcqldxojmmt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xpjytqhbvkgzumimnvb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ztpgdcvrnecxuomsvfnhd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kdyokiavqgdxtmjoqzgz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xpjytqhbvkgzumimnvb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xpjytqhbvkgzumimnvb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kdyokiavqgdxtmjoqzgz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wlcogaofwibrjyrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ztpgdcvrnecxuomsvfnhd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kdyokiavqgdxtmjoqzgz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xpjytqhbvkgzumimnvb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mdwkeaqjcqldxojmmt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kdyokiavqgdxtmjoqzgz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ztpgdcvrnecxuomsvfnhd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ztpgdcvrnecxuomsvfnhd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mdwkeaqjcqldxojmmt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xpjytqhbvkgzumimnvb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kdyokiavqgdxtmjoqzgz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ztpgdcvrnecxuomsvfnhd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ztpgdcvrnecxuomsvfnhd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ztpgdcvrnecxuomsvfnhd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wlcogaofwibrjyrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wlcogaofwibrjyrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dtlyrmbtlysjcsmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ztpgdcvrnecxuomsvfnhd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kdyokiavqgdxtmjoqzgz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kdyokiavqgdxtmjoqzgz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dtlyrmbtlysjcsmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mdwkeaqjcqldxojmmt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dtlyrmbtlysjcsmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xpjytqhbvkgzumimnvb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sdqaokddcna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dtlyrmbtlysjcsmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xpjytqhbvkgzumimnvb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mdwkeaqjcqldxojmmt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wlcogaofwibrjyrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mdwkeaqjcqldxojmmt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wlcogaofwibrjyrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xpjytqhbvkgzumimnvb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mdwkeaqjcqldxojmmt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ztpgdcvrnecxuomsvfnhd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wlcogaofwibrjyrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xpjytqhbvkgzumimnvb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dtlyrmbtlysjcsmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wlcogaofwibrjyrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mdwkeaqjcqldxojmmt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kdyokiavqgdxtmjoqzgz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wlcogaofwibrjyrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xpjytqhbvkgzumimnvb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dtlyrmbtlysjcsmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kdyokiavqgdxtmjoqzgz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dtlyrmbtlysjcsmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dtlyrmbtlysjcsmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wlcogaofwibrjyrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dtlyrmbtlysjcsmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xpjytqhbvkgzumimnvb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kpwygq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wlcogaofwibrjyrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ztpgdcvrnecxuomsvfnhd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kdyokiavqgdxtmjoqzgz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_962dc67fe9d8c2f06aa18586ce6be0de.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dtlyrmbtlysjcsmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dtlyrmbtlysjcsmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kdyokiavqgdxtmjoqzgz.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2132	JaffaCakes118_962dc67fe9d8c2f06aa18586ce6be0de.exe
2132	JaffaCakes118_962dc67fe9d8c2f06aa18586ce6be0de.exe
2132	JaffaCakes118_962dc67fe9d8c2f06aa18586ce6be0de.exe
2132	JaffaCakes118_962dc67fe9d8c2f06aa18586ce6be0de.exe
2132	JaffaCakes118_962dc67fe9d8c2f06aa18586ce6be0de.exe
2132	JaffaCakes118_962dc67fe9d8c2f06aa18586ce6be0de.exe
2132	JaffaCakes118_962dc67fe9d8c2f06aa18586ce6be0de.exe
2132	JaffaCakes118_962dc67fe9d8c2f06aa18586ce6be0de.exe
2132	JaffaCakes118_962dc67fe9d8c2f06aa18586ce6be0de.exe
2132	JaffaCakes118_962dc67fe9d8c2f06aa18586ce6be0de.exe
2132	JaffaCakes118_962dc67fe9d8c2f06aa18586ce6be0de.exe
2132	JaffaCakes118_962dc67fe9d8c2f06aa18586ce6be0de.exe
2132	JaffaCakes118_962dc67fe9d8c2f06aa18586ce6be0de.exe
2132	JaffaCakes118_962dc67fe9d8c2f06aa18586ce6be0de.exe
2132	JaffaCakes118_962dc67fe9d8c2f06aa18586ce6be0de.exe
2132	JaffaCakes118_962dc67fe9d8c2f06aa18586ce6be0de.exe
2132	JaffaCakes118_962dc67fe9d8c2f06aa18586ce6be0de.exe
2132	JaffaCakes118_962dc67fe9d8c2f06aa18586ce6be0de.exe
3572	kpwygq.exe
3572	kpwygq.exe
2132	JaffaCakes118_962dc67fe9d8c2f06aa18586ce6be0de.exe
2132	JaffaCakes118_962dc67fe9d8c2f06aa18586ce6be0de.exe
2132	JaffaCakes118_962dc67fe9d8c2f06aa18586ce6be0de.exe
2132	JaffaCakes118_962dc67fe9d8c2f06aa18586ce6be0de.exe
2132	JaffaCakes118_962dc67fe9d8c2f06aa18586ce6be0de.exe
2132	JaffaCakes118_962dc67fe9d8c2f06aa18586ce6be0de.exe
2132	JaffaCakes118_962dc67fe9d8c2f06aa18586ce6be0de.exe
2132	JaffaCakes118_962dc67fe9d8c2f06aa18586ce6be0de.exe
2132	JaffaCakes118_962dc67fe9d8c2f06aa18586ce6be0de.exe
2132	JaffaCakes118_962dc67fe9d8c2f06aa18586ce6be0de.exe
2132	JaffaCakes118_962dc67fe9d8c2f06aa18586ce6be0de.exe
2132	JaffaCakes118_962dc67fe9d8c2f06aa18586ce6be0de.exe
2132	JaffaCakes118_962dc67fe9d8c2f06aa18586ce6be0de.exe
2132	JaffaCakes118_962dc67fe9d8c2f06aa18586ce6be0de.exe
2132	JaffaCakes118_962dc67fe9d8c2f06aa18586ce6be0de.exe
2132	JaffaCakes118_962dc67fe9d8c2f06aa18586ce6be0de.exe
2132	JaffaCakes118_962dc67fe9d8c2f06aa18586ce6be0de.exe
2132	JaffaCakes118_962dc67fe9d8c2f06aa18586ce6be0de.exe
2132	JaffaCakes118_962dc67fe9d8c2f06aa18586ce6be0de.exe
2132	JaffaCakes118_962dc67fe9d8c2f06aa18586ce6be0de.exe
2132	JaffaCakes118_962dc67fe9d8c2f06aa18586ce6be0de.exe
2132	JaffaCakes118_962dc67fe9d8c2f06aa18586ce6be0de.exe
2132	JaffaCakes118_962dc67fe9d8c2f06aa18586ce6be0de.exe
2132	JaffaCakes118_962dc67fe9d8c2f06aa18586ce6be0de.exe
2132	JaffaCakes118_962dc67fe9d8c2f06aa18586ce6be0de.exe
2132	JaffaCakes118_962dc67fe9d8c2f06aa18586ce6be0de.exe
2132	JaffaCakes118_962dc67fe9d8c2f06aa18586ce6be0de.exe
2132	JaffaCakes118_962dc67fe9d8c2f06aa18586ce6be0de.exe
3572	kpwygq.exe
3572	kpwygq.exe
2132	JaffaCakes118_962dc67fe9d8c2f06aa18586ce6be0de.exe
2132	JaffaCakes118_962dc67fe9d8c2f06aa18586ce6be0de.exe
2132	JaffaCakes118_962dc67fe9d8c2f06aa18586ce6be0de.exe
2132	JaffaCakes118_962dc67fe9d8c2f06aa18586ce6be0de.exe
2132	JaffaCakes118_962dc67fe9d8c2f06aa18586ce6be0de.exe
2132	JaffaCakes118_962dc67fe9d8c2f06aa18586ce6be0de.exe
2132	JaffaCakes118_962dc67fe9d8c2f06aa18586ce6be0de.exe
2132	JaffaCakes118_962dc67fe9d8c2f06aa18586ce6be0de.exe
2132	JaffaCakes118_962dc67fe9d8c2f06aa18586ce6be0de.exe
2132	JaffaCakes118_962dc67fe9d8c2f06aa18586ce6be0de.exe
2132	JaffaCakes118_962dc67fe9d8c2f06aa18586ce6be0de.exe
2132	JaffaCakes118_962dc67fe9d8c2f06aa18586ce6be0de.exe
2132	JaffaCakes118_962dc67fe9d8c2f06aa18586ce6be0de.exe
2132	JaffaCakes118_962dc67fe9d8c2f06aa18586ce6be0de.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3572	kpwygq.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 5332	2132	JaffaCakes118_962dc67fe9d8c2f06aa18586ce6be0de.exe	89
PID 2132 wrote to memory of 5332	2132	JaffaCakes118_962dc67fe9d8c2f06aa18586ce6be0de.exe	89
PID 2132 wrote to memory of 5332	2132	JaffaCakes118_962dc67fe9d8c2f06aa18586ce6be0de.exe	89
PID 4972 wrote to memory of 4660	4972	cmd.exe	92
PID 4972 wrote to memory of 4660	4972	cmd.exe	92
PID 4972 wrote to memory of 4660	4972	cmd.exe	92
PID 972 wrote to memory of 5440	972	cmd.exe	95
PID 972 wrote to memory of 5440	972	cmd.exe	95
PID 972 wrote to memory of 5440	972	cmd.exe	95
PID 5440 wrote to memory of 4184	5440	xpjytqhbvkgzumimnvb.exe	98
PID 5440 wrote to memory of 4184	5440	xpjytqhbvkgzumimnvb.exe	98
PID 5440 wrote to memory of 4184	5440	xpjytqhbvkgzumimnvb.exe	98
PID 940 wrote to memory of 4512	940	cmd.exe	99
PID 940 wrote to memory of 4512	940	cmd.exe	99
PID 940 wrote to memory of 4512	940	cmd.exe	99
PID 3148 wrote to memory of 5576	3148	cmd.exe	104
PID 3148 wrote to memory of 5576	3148	cmd.exe	104
PID 3148 wrote to memory of 5576	3148	cmd.exe	104
PID 5032 wrote to memory of 6128	5032	cmd.exe	107
PID 5032 wrote to memory of 6128	5032	cmd.exe	107
PID 5032 wrote to memory of 6128	5032	cmd.exe	107
PID 5576 wrote to memory of 4900	5576	dtlyrmbtlysjcsmon.exe	108
PID 5576 wrote to memory of 4900	5576	dtlyrmbtlysjcsmon.exe	108
PID 5576 wrote to memory of 4900	5576	dtlyrmbtlysjcsmon.exe	108
PID 6092 wrote to memory of 4568	6092	cmd.exe	109
PID 6092 wrote to memory of 4568	6092	cmd.exe	109
PID 6092 wrote to memory of 4568	6092	cmd.exe	109
PID 4568 wrote to memory of 2748	4568	xpjytqhbvkgzumimnvb.exe	112
PID 4568 wrote to memory of 2748	4568	xpjytqhbvkgzumimnvb.exe	112
PID 4568 wrote to memory of 2748	4568	xpjytqhbvkgzumimnvb.exe	112
PID 6028 wrote to memory of 5304	6028	cmd.exe	115
PID 6028 wrote to memory of 5304	6028	cmd.exe	115
PID 6028 wrote to memory of 5304	6028	cmd.exe	115
PID 4036 wrote to memory of 1428	4036	cmd.exe	116
PID 4036 wrote to memory of 1428	4036	cmd.exe	116
PID 4036 wrote to memory of 1428	4036	cmd.exe	116
PID 1428 wrote to memory of 1520	1428	xpjytqhbvkgzumimnvb.exe	306
PID 1428 wrote to memory of 1520	1428	xpjytqhbvkgzumimnvb.exe	306
PID 1428 wrote to memory of 1520	1428	xpjytqhbvkgzumimnvb.exe	306
PID 5332 wrote to memory of 3572	5332	sdqaokddcna.exe	120
PID 5332 wrote to memory of 3572	5332	sdqaokddcna.exe	120
PID 5332 wrote to memory of 3572	5332	sdqaokddcna.exe	120
PID 5332 wrote to memory of 3948	5332	sdqaokddcna.exe	121
PID 5332 wrote to memory of 3948	5332	sdqaokddcna.exe	121
PID 5332 wrote to memory of 3948	5332	sdqaokddcna.exe	121
PID 3644 wrote to memory of 1488	3644	cmd.exe	127
PID 3644 wrote to memory of 1488	3644	cmd.exe	127
PID 3644 wrote to memory of 1488	3644	cmd.exe	127
PID 4592 wrote to memory of 1468	4592	cmd.exe	283
PID 4592 wrote to memory of 1468	4592	cmd.exe	283
PID 4592 wrote to memory of 1468	4592	cmd.exe	283
PID 3452 wrote to memory of 3888	3452	cmd.exe	134
PID 3452 wrote to memory of 3888	3452	cmd.exe	134
PID 3452 wrote to memory of 3888	3452	cmd.exe	134
PID 1832 wrote to memory of 728	1832	cmd.exe	135
PID 1832 wrote to memory of 728	1832	cmd.exe	135
PID 1832 wrote to memory of 728	1832	cmd.exe	135
PID 3888 wrote to memory of 5464	3888	dtlyrmbtlysjcsmon.exe	144
PID 3888 wrote to memory of 5464	3888	dtlyrmbtlysjcsmon.exe	144
PID 3888 wrote to memory of 5464	3888	dtlyrmbtlysjcsmon.exe	144
PID 728 wrote to memory of 2392	728	mdwkeaqjcqldxojmmt.exe	145
PID 728 wrote to memory of 2392	728	mdwkeaqjcqldxojmmt.exe	145
PID 728 wrote to memory of 2392	728	mdwkeaqjcqldxojmmt.exe	145
PID 2396 wrote to memory of 4636	2396	cmd.exe	154

System policy modification 1 TTPs 64 IoCs

defense_evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	kpwygq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	kpwygq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	kpwygq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	kpwygq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	kpwygq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	kpwygq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	kpwygq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	kpwygq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	kpwygq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	kpwygq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	kpwygq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	kpwygq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	kpwygq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	kpwygq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	kpwygq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	kpwygq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	kpwygq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	kpwygq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	kpwygq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	kpwygq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	kpwygq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	kpwygq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	kpwygq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sdqaokddcna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	sdqaokddcna.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	kpwygq.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_962dc67fe9d8c2f06aa18586ce6be0de.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_962dc67fe9d8c2f06aa18586ce6be0de.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
  "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_962dc67fe9d8c2f06aa18586ce6be0de.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Hijack Execution Flow: Executable Installer File Permissions Weakness
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:5332
- - C:\Users\Admin\AppData\Local\Temp\kpwygq.exe
    "C:\Users\Admin\AppData\Local\Temp\kpwygq.exe" "-C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:3572
- - C:\Users\Admin\AppData\Local\Temp\kpwygq.exe
    "C:\Users\Admin\AppData\Local\Temp\kpwygq.exe" "-C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kdyokiavqgdxtmjoqzgz.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4972
- C:\Windows\kdyokiavqgdxtmjoqzgz.exe
  kdyokiavqgdxtmjoqzgz.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xpjytqhbvkgzumimnvb.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:972
- C:\Windows\xpjytqhbvkgzumimnvb.exe
  xpjytqhbvkgzumimnvb.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5440
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xpjytqhbvkgzumimnvb.exe*."
    3⤵
    - Executes dropped EXE
    PID:4184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xpjytqhbvkgzumimnvb.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:940
- C:\Windows\xpjytqhbvkgzumimnvb.exe
  xpjytqhbvkgzumimnvb.exe
  2⤵
  - Executes dropped EXE
  PID:4512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtlyrmbtlysjcsmon.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:3148
- C:\Windows\dtlyrmbtlysjcsmon.exe
  dtlyrmbtlysjcsmon.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5576
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\dtlyrmbtlysjcsmon.exe*."
    3⤵
    - Executes dropped EXE
    PID:4900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5032
- C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe
  C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:6092
- C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe
  C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4568
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\xpjytqhbvkgzumimnvb.exe*."
    3⤵
    - Executes dropped EXE
    PID:2748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:6028
- C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe
  C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe
  2⤵
  - Executes dropped EXE
  PID:5304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:4036
- C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe
  C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe .
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1428
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\xpjytqhbvkgzumimnvb.exe*."
    3⤵
    - Executes dropped EXE
    PID:1520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztpgdcvrnecxuomsvfnhd.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4592
- C:\Windows\ztpgdcvrnecxuomsvfnhd.exe
  ztpgdcvrnecxuomsvfnhd.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mdwkeaqjcqldxojmmt.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3644
- C:\Windows\mdwkeaqjcqldxojmmt.exe
  mdwkeaqjcqldxojmmt.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mdwkeaqjcqldxojmmt.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Windows\mdwkeaqjcqldxojmmt.exe
  mdwkeaqjcqldxojmmt.exe .
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:728
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\mdwkeaqjcqldxojmmt.exe*."
    3⤵
    - Executes dropped EXE
    PID:2392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtlyrmbtlysjcsmon.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:3452
- C:\Windows\dtlyrmbtlysjcsmon.exe
  dtlyrmbtlysjcsmon.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3888
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\dtlyrmbtlysjcsmon.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtlyrmbtlysjcsmon.exe
1⤵
PID:1636
- C:\Windows\dtlyrmbtlysjcsmon.exe
  dtlyrmbtlysjcsmon.exe
  2⤵
  - Executes dropped EXE
  PID:4720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztpgdcvrnecxuomsvfnhd.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Windows\ztpgdcvrnecxuomsvfnhd.exe
  ztpgdcvrnecxuomsvfnhd.exe
  2⤵
  - Executes dropped EXE
  PID:4636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztpgdcvrnecxuomsvfnhd.exe .
1⤵
PID:3584
- C:\Windows\ztpgdcvrnecxuomsvfnhd.exe
  ztpgdcvrnecxuomsvfnhd.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4860
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ztpgdcvrnecxuomsvfnhd.exe*."
    3⤵
    - Executes dropped EXE
    PID:2920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mdwkeaqjcqldxojmmt.exe .
1⤵
PID:2136
- C:\Windows\mdwkeaqjcqldxojmmt.exe
  mdwkeaqjcqldxojmmt.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2652
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\mdwkeaqjcqldxojmmt.exe*."
    3⤵
    - Executes dropped EXE
    PID:1764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe
1⤵
PID:2788
- C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe
  C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe
1⤵
PID:1804
- C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe .
1⤵
PID:4136
- C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe
  C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3936
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\kdyokiavqgdxtmjoqzgz.exe*."
    3⤵
    - Executes dropped EXE
    PID:3436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe .
1⤵
PID:2684
- C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4188
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\dtlyrmbtlysjcsmon.exe*."
    3⤵
    - Executes dropped EXE
    PID:2664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe
1⤵
PID:4864
- C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe
  2⤵
  - Executes dropped EXE
  PID:1604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe
1⤵
PID:5628
- C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe
  2⤵
  - Executes dropped EXE
  PID:3992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe .
1⤵
PID:3388
- C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4608
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\dtlyrmbtlysjcsmon.exe*."
    3⤵
    - Executes dropped EXE
    PID:3744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xpjytqhbvkgzumimnvb.exe
1⤵
PID:5000
- C:\Windows\xpjytqhbvkgzumimnvb.exe
  xpjytqhbvkgzumimnvb.exe
  2⤵
  - Executes dropped EXE
  PID:6124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe .
1⤵
PID:4920
- C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5144
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\dtlyrmbtlysjcsmon.exe*."
    3⤵
    - Executes dropped EXE
    PID:5248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtlyrmbtlysjcsmon.exe .
1⤵
PID:3740
- C:\Windows\dtlyrmbtlysjcsmon.exe
  dtlyrmbtlysjcsmon.exe .
  2⤵
  - Executes dropped EXE
  PID:4272
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\dtlyrmbtlysjcsmon.exe*."
    3⤵
    - Executes dropped EXE
    PID:4220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kdyokiavqgdxtmjoqzgz.exe
1⤵
PID:2272
- C:\Windows\kdyokiavqgdxtmjoqzgz.exe
  kdyokiavqgdxtmjoqzgz.exe
  2⤵
  - Executes dropped EXE
  PID:4064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xpjytqhbvkgzumimnvb.exe .
1⤵
PID:1440
- C:\Windows\xpjytqhbvkgzumimnvb.exe
  xpjytqhbvkgzumimnvb.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2052
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xpjytqhbvkgzumimnvb.exe*."
    3⤵
    - Executes dropped EXE
    PID:5696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe
1⤵
PID:3952
- C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe
  2⤵
  - Executes dropped EXE
  PID:4144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe .
1⤵
PID:6096
- C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe
  C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:5068
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\xpjytqhbvkgzumimnvb.exe*."
    3⤵
    - Executes dropped EXE
    PID:4916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe
1⤵
PID:2444
- C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe
  2⤵
  - Executes dropped EXE
  PID:6072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe .
1⤵
PID:5128
- C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe
  C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:396
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\ztpgdcvrnecxuomsvfnhd.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xpjytqhbvkgzumimnvb.exe
1⤵
PID:4660
- C:\Windows\xpjytqhbvkgzumimnvb.exe
  xpjytqhbvkgzumimnvb.exe
  2⤵
  - Executes dropped EXE
  PID:4852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kdyokiavqgdxtmjoqzgz.exe .
1⤵
PID:5104
- C:\Windows\kdyokiavqgdxtmjoqzgz.exe
  kdyokiavqgdxtmjoqzgz.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3508
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\kdyokiavqgdxtmjoqzgz.exe*."
    3⤵
    - Executes dropped EXE
    PID:4948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xpjytqhbvkgzumimnvb.exe
1⤵
PID:5804
- C:\Windows\xpjytqhbvkgzumimnvb.exe
  xpjytqhbvkgzumimnvb.exe
  2⤵
  - Executes dropped EXE
  PID:1948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mdwkeaqjcqldxojmmt.exe .
1⤵
PID:4480
- C:\Windows\mdwkeaqjcqldxojmmt.exe
  mdwkeaqjcqldxojmmt.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1660
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\mdwkeaqjcqldxojmmt.exe*."
    3⤵
    - Executes dropped EXE
    PID:6076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe
1⤵
PID:5452
- C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe
  2⤵
  - Executes dropped EXE
  PID:5044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe .
1⤵
PID:1212
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2920
- C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6092
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\wlcogaofwibrjyrs.exe*."
    3⤵
    - Executes dropped EXE
    PID:5216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xpjytqhbvkgzumimnvb.exe
1⤵
PID:4004
- C:\Windows\xpjytqhbvkgzumimnvb.exe
  xpjytqhbvkgzumimnvb.exe
  2⤵
  - Executes dropped EXE
  PID:4248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kdyokiavqgdxtmjoqzgz.exe
1⤵
PID:4188
- C:\Windows\kdyokiavqgdxtmjoqzgz.exe
  kdyokiavqgdxtmjoqzgz.exe
  2⤵
  - Executes dropped EXE
  PID:1068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mdwkeaqjcqldxojmmt.exe .
1⤵
PID:2064
- C:\Windows\mdwkeaqjcqldxojmmt.exe
  mdwkeaqjcqldxojmmt.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2360
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\mdwkeaqjcqldxojmmt.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztpgdcvrnecxuomsvfnhd.exe .
1⤵
PID:4524
- C:\Windows\ztpgdcvrnecxuomsvfnhd.exe
  ztpgdcvrnecxuomsvfnhd.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:736
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ztpgdcvrnecxuomsvfnhd.exe*."
    3⤵
    PID:5372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe
1⤵
PID:684
- C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe
  2⤵
  PID:5840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe .
1⤵
PID:4280
- C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1152
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\mdwkeaqjcqldxojmmt.exe*."
    3⤵
    PID:4020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mdwkeaqjcqldxojmmt.exe
1⤵
PID:3240
- C:\Windows\mdwkeaqjcqldxojmmt.exe
  mdwkeaqjcqldxojmmt.exe
  2⤵
  PID:4064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wlcogaofwibrjyrs.exe
1⤵
PID:5424
- C:\Windows\wlcogaofwibrjyrs.exe
  wlcogaofwibrjyrs.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kdyokiavqgdxtmjoqzgz.exe .
1⤵
PID:2656
- C:\Windows\kdyokiavqgdxtmjoqzgz.exe
  kdyokiavqgdxtmjoqzgz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2860
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\kdyokiavqgdxtmjoqzgz.exe*."
    3⤵
    PID:2404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xpjytqhbvkgzumimnvb.exe .
1⤵
PID:2864
- C:\Windows\xpjytqhbvkgzumimnvb.exe
  xpjytqhbvkgzumimnvb.exe .
  2⤵
  - Checks computer location settings
  PID:3388
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xpjytqhbvkgzumimnvb.exe*."
    3⤵
    PID:424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe
1⤵
PID:5700
- C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe
  2⤵
  PID:3244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe
1⤵
PID:2032
- C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe
  2⤵
  PID:3644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe .
1⤵
PID:4608
- C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe
  C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1468
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\kdyokiavqgdxtmjoqzgz.exe*."
    3⤵
    PID:4308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe .
1⤵
PID:940
- C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe
  C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:232
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\kdyokiavqgdxtmjoqzgz.exe*."
    3⤵
    PID:1032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe
1⤵
PID:364
- C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe
  2⤵
  PID:5132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe
1⤵
PID:5052
- C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe
  2⤵
  PID:5824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe .
1⤵
PID:4460
- C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe
  C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5508
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\xpjytqhbvkgzumimnvb.exe*."
    3⤵
    PID:4804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztpgdcvrnecxuomsvfnhd.exe
1⤵
PID:2052
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:6072
- C:\Windows\ztpgdcvrnecxuomsvfnhd.exe
  ztpgdcvrnecxuomsvfnhd.exe
  2⤵
  PID:5644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe .
1⤵
PID:4516
- C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe .
  2⤵
  - Checks computer location settings
  PID:3300
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\wlcogaofwibrjyrs.exe*."
    3⤵
    PID:1520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtlyrmbtlysjcsmon.exe .
1⤵
PID:6096
- C:\Windows\dtlyrmbtlysjcsmon.exe
  dtlyrmbtlysjcsmon.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1420
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\dtlyrmbtlysjcsmon.exe*."
    3⤵
    PID:4956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtlyrmbtlysjcsmon.exe
1⤵
PID:4776
- C:\Windows\dtlyrmbtlysjcsmon.exe
  dtlyrmbtlysjcsmon.exe
  2⤵
  PID:3412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kdyokiavqgdxtmjoqzgz.exe .
1⤵
PID:4980
- C:\Windows\kdyokiavqgdxtmjoqzgz.exe
  kdyokiavqgdxtmjoqzgz.exe .
  2⤵
  - Checks computer location settings
  PID:4248
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\kdyokiavqgdxtmjoqzgz.exe*."
    3⤵
    PID:4820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe
1⤵
PID:5032
- C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe
  C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe
  2⤵
  PID:4892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe .
1⤵
PID:4944
- C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4860
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\wlcogaofwibrjyrs.exe*."
    3⤵
    PID:2060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe
1⤵
PID:3636
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3436
- C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe
  2⤵
  PID:3828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe .
1⤵
PID:5412
- C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe
  C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1732
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\xpjytqhbvkgzumimnvb.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtlyrmbtlysjcsmon.exe
1⤵
PID:1096
- C:\Windows\dtlyrmbtlysjcsmon.exe
  dtlyrmbtlysjcsmon.exe
  2⤵
  PID:5372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kdyokiavqgdxtmjoqzgz.exe .
1⤵
PID:4472
- C:\Windows\kdyokiavqgdxtmjoqzgz.exe
  kdyokiavqgdxtmjoqzgz.exe .
  2⤵
  PID:2064
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\kdyokiavqgdxtmjoqzgz.exe*."
    3⤵
    PID:6084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wlcogaofwibrjyrs.exe
1⤵
PID:5236
- C:\Windows\wlcogaofwibrjyrs.exe
  wlcogaofwibrjyrs.exe
  2⤵
  PID:3144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtlyrmbtlysjcsmon.exe .
1⤵
PID:5864
- C:\Windows\dtlyrmbtlysjcsmon.exe
  dtlyrmbtlysjcsmon.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4732
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\dtlyrmbtlysjcsmon.exe*."
    3⤵
    PID:652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe
1⤵
PID:1132
- C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe
  2⤵
  PID:2328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe .
1⤵
PID:2420
- C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe
  C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4916
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\ztpgdcvrnecxuomsvfnhd.exe*."
    3⤵
    PID:4360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe
1⤵
PID:5696
- C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe
  C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe
  2⤵
  PID:5220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe .
1⤵
PID:396
- C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5132
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\dtlyrmbtlysjcsmon.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtlyrmbtlysjcsmon.exe
1⤵
PID:2660
- C:\Windows\dtlyrmbtlysjcsmon.exe
  dtlyrmbtlysjcsmon.exe
  2⤵
  PID:2396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtlyrmbtlysjcsmon.exe .
1⤵
PID:2668
- C:\Windows\dtlyrmbtlysjcsmon.exe
  dtlyrmbtlysjcsmon.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2108
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\dtlyrmbtlysjcsmon.exe*."
    3⤵
    PID:4308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztpgdcvrnecxuomsvfnhd.exe
1⤵
PID:4936
- C:\Windows\ztpgdcvrnecxuomsvfnhd.exe
  ztpgdcvrnecxuomsvfnhd.exe
  2⤵
  PID:3988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xpjytqhbvkgzumimnvb.exe .
1⤵
PID:5924
- C:\Windows\xpjytqhbvkgzumimnvb.exe
  xpjytqhbvkgzumimnvb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5312
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xpjytqhbvkgzumimnvb.exe*."
    3⤵
    PID:1512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe
1⤵
PID:5440
- C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe
  2⤵
  PID:1044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe .
1⤵
PID:1588
- C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe .
  2⤵
  - Checks computer location settings
  PID:376
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\mdwkeaqjcqldxojmmt.exe*."
    3⤵
    PID:4568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe
1⤵
PID:4624
- C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe
  2⤵
  PID:4996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe .
1⤵
PID:3508
- C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5304
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\mdwkeaqjcqldxojmmt.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztpgdcvrnecxuomsvfnhd.exe
1⤵
PID:3020
- C:\Windows\ztpgdcvrnecxuomsvfnhd.exe
  ztpgdcvrnecxuomsvfnhd.exe
  2⤵
  PID:1948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtlyrmbtlysjcsmon.exe .
1⤵
PID:3376
- C:\Windows\dtlyrmbtlysjcsmon.exe
  dtlyrmbtlysjcsmon.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:836
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\dtlyrmbtlysjcsmon.exe*."
    3⤵
    PID:5828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtlyrmbtlysjcsmon.exe
1⤵
PID:2300
- C:\Windows\dtlyrmbtlysjcsmon.exe
  dtlyrmbtlysjcsmon.exe
  2⤵
  PID:1076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mdwkeaqjcqldxojmmt.exe .
1⤵
PID:1212
- C:\Windows\mdwkeaqjcqldxojmmt.exe
  mdwkeaqjcqldxojmmt.exe .
  2⤵
  - Checks computer location settings
  PID:4784
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\mdwkeaqjcqldxojmmt.exe*."
    3⤵
    PID:4196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe
1⤵
PID:4660
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:6076
- C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe
  C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe
  2⤵
  PID:624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe .
1⤵
PID:1640
- C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe .
  2⤵
  PID:4040
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\wlcogaofwibrjyrs.exe*."
    3⤵
    PID:1124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe
1⤵
PID:2916
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4064
- C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe
  C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe
  2⤵
  PID:5516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe .
1⤵
PID:3964
- C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe
  C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5856
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\xpjytqhbvkgzumimnvb.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kdyokiavqgdxtmjoqzgz.exe
1⤵
PID:4968
- C:\Windows\kdyokiavqgdxtmjoqzgz.exe
  kdyokiavqgdxtmjoqzgz.exe
  2⤵
  PID:688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztpgdcvrnecxuomsvfnhd.exe .
1⤵
PID:2004
- C:\Windows\ztpgdcvrnecxuomsvfnhd.exe
  ztpgdcvrnecxuomsvfnhd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1380
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ztpgdcvrnecxuomsvfnhd.exe*."
    3⤵
    PID:2328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xpjytqhbvkgzumimnvb.exe
1⤵
PID:3728
- C:\Windows\xpjytqhbvkgzumimnvb.exe
  xpjytqhbvkgzumimnvb.exe
  2⤵
  PID:4588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtlyrmbtlysjcsmon.exe .
1⤵
PID:1956
- C:\Windows\dtlyrmbtlysjcsmon.exe
  dtlyrmbtlysjcsmon.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5968
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\dtlyrmbtlysjcsmon.exe*."
    3⤵
    PID:4668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe
1⤵
PID:5316
- C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe
  C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe
  2⤵
  PID:1536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe .
1⤵
PID:3888
- C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe
  C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe .
  2⤵
  - Checks computer location settings
  PID:4360
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\xpjytqhbvkgzumimnvb.exe*."
    3⤵
    PID:728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe
1⤵
PID:5696
- C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe
  2⤵
  PID:1280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe .
1⤵
PID:4036
- C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5764
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\wlcogaofwibrjyrs.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mdwkeaqjcqldxojmmt.exe
1⤵
PID:5628
- C:\Windows\mdwkeaqjcqldxojmmt.exe
  mdwkeaqjcqldxojmmt.exe
  2⤵
  PID:4952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wlcogaofwibrjyrs.exe .
1⤵
PID:1612
- C:\Windows\wlcogaofwibrjyrs.exe
  wlcogaofwibrjyrs.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2876
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\wlcogaofwibrjyrs.exe*."
    3⤵
    PID:3708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xpjytqhbvkgzumimnvb.exe
1⤵
PID:4652
- C:\Windows\xpjytqhbvkgzumimnvb.exe
  xpjytqhbvkgzumimnvb.exe
  2⤵
  PID:372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mdwkeaqjcqldxojmmt.exe .
1⤵
PID:5440
- C:\Windows\mdwkeaqjcqldxojmmt.exe
  mdwkeaqjcqldxojmmt.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:864
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\mdwkeaqjcqldxojmmt.exe*."
    3⤵
    PID:3492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe
1⤵
PID:5664
- C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe
  C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe
  2⤵
  PID:4884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe .
1⤵
PID:1012
- C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4520
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\mdwkeaqjcqldxojmmt.exe*."
    3⤵
    PID:5096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe
1⤵
PID:4624
- C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe
  C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe
  2⤵
  PID:4516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe .
1⤵
PID:3084
- C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe
  C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:6040
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\ztpgdcvrnecxuomsvfnhd.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xpjytqhbvkgzumimnvb.exe
1⤵
PID:3016
- C:\Windows\xpjytqhbvkgzumimnvb.exe
  xpjytqhbvkgzumimnvb.exe
  2⤵
  PID:5064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztpgdcvrnecxuomsvfnhd.exe
1⤵
PID:2624
- C:\Windows\ztpgdcvrnecxuomsvfnhd.exe
  ztpgdcvrnecxuomsvfnhd.exe
  2⤵
  PID:1076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xpjytqhbvkgzumimnvb.exe .
1⤵
PID:1564
- C:\Windows\xpjytqhbvkgzumimnvb.exe
  xpjytqhbvkgzumimnvb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:624
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xpjytqhbvkgzumimnvb.exe*."
    3⤵
    PID:3660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wlcogaofwibrjyrs.exe .
1⤵
PID:2140
- C:\Windows\wlcogaofwibrjyrs.exe
  wlcogaofwibrjyrs.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5048
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\wlcogaofwibrjyrs.exe*."
    3⤵
    PID:1140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtlyrmbtlysjcsmon.exe
1⤵
PID:5544
- C:\Windows\dtlyrmbtlysjcsmon.exe
  dtlyrmbtlysjcsmon.exe
  2⤵
  PID:2980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mdwkeaqjcqldxojmmt.exe
1⤵
PID:6092
- C:\Windows\mdwkeaqjcqldxojmmt.exe
  mdwkeaqjcqldxojmmt.exe
  2⤵
  PID:1464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wlcogaofwibrjyrs.exe
1⤵
PID:4196
- C:\Windows\wlcogaofwibrjyrs.exe
  wlcogaofwibrjyrs.exe
  2⤵
  PID:5576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kdyokiavqgdxtmjoqzgz.exe .
1⤵
PID:4492
- C:\Windows\kdyokiavqgdxtmjoqzgz.exe
  kdyokiavqgdxtmjoqzgz.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2444
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\kdyokiavqgdxtmjoqzgz.exe*."
    3⤵
    PID:3388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtlyrmbtlysjcsmon.exe .
1⤵
PID:5076
- C:\Windows\dtlyrmbtlysjcsmon.exe
  dtlyrmbtlysjcsmon.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5220
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\dtlyrmbtlysjcsmon.exe*."
    3⤵
    PID:5964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mdwkeaqjcqldxojmmt.exe .
1⤵
PID:2604
- C:\Windows\mdwkeaqjcqldxojmmt.exe
  mdwkeaqjcqldxojmmt.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:784
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\mdwkeaqjcqldxojmmt.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe
1⤵
PID:3912
- C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe
  C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe
  2⤵
  PID:5764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe
1⤵
PID:3884
- C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe
  2⤵
  PID:3460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe .
1⤵
PID:4120
- C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe
  C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe .
  2⤵
  - Checks computer location settings
  PID:2000
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\xpjytqhbvkgzumimnvb.exe*."
    3⤵
    PID:4204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wlcogaofwibrjyrs.exe
1⤵
PID:6084
- C:\Windows\wlcogaofwibrjyrs.exe
  wlcogaofwibrjyrs.exe
  2⤵
  PID:2876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe .
1⤵
PID:5244
- C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe .
  2⤵
  PID:3600
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\dtlyrmbtlysjcsmon.exe*."
    3⤵
    PID:3228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtlyrmbtlysjcsmon.exe .
1⤵
PID:1760
- C:\Windows\dtlyrmbtlysjcsmon.exe
  dtlyrmbtlysjcsmon.exe .
  2⤵
  PID:2396
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\dtlyrmbtlysjcsmon.exe*."
    3⤵
    PID:960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe
1⤵
PID:4400
- C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe
  C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe
  2⤵
  PID:1304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe
1⤵
PID:1536
- C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe
  2⤵
  PID:2332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe .
1⤵
PID:4796
- C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe .
  2⤵
  - Checks computer location settings
  PID:2236
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\dtlyrmbtlysjcsmon.exe*."
    3⤵
    PID:5484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe
1⤵
PID:4668
- C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe
  2⤵
  PID:4840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe .
1⤵
PID:5012
- C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe .
  2⤵
  - Checks computer location settings
  PID:5548
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\dtlyrmbtlysjcsmon.exe*."
    3⤵
    PID:5448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe .
1⤵
PID:4744
- C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe
  C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4164
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\kdyokiavqgdxtmjoqzgz.exe*."
    3⤵
    PID:1544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe
1⤵
PID:1064
- C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe
  2⤵
  PID:5044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe .
1⤵
PID:4276
- C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe
  C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2928
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\xpjytqhbvkgzumimnvb.exe*."
    3⤵
    PID:4448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kdyokiavqgdxtmjoqzgz.exe
1⤵
PID:1660
- C:\Windows\kdyokiavqgdxtmjoqzgz.exe
  kdyokiavqgdxtmjoqzgz.exe
  2⤵
  PID:6012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mdwkeaqjcqldxojmmt.exe .
1⤵
PID:1636
- C:\Windows\mdwkeaqjcqldxojmmt.exe
  mdwkeaqjcqldxojmmt.exe .
  2⤵
  PID:5064
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\mdwkeaqjcqldxojmmt.exe*."
    3⤵
    PID:3016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztpgdcvrnecxuomsvfnhd.exe
1⤵
PID:4480
- C:\Windows\ztpgdcvrnecxuomsvfnhd.exe
  ztpgdcvrnecxuomsvfnhd.exe
  2⤵
  PID:2280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztpgdcvrnecxuomsvfnhd.exe .
1⤵
PID:4028
- C:\Windows\ztpgdcvrnecxuomsvfnhd.exe
  ztpgdcvrnecxuomsvfnhd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5472
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ztpgdcvrnecxuomsvfnhd.exe*."
    3⤵
    PID:3828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe
1⤵
PID:4976
- C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe
  2⤵
  PID:4248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe .
1⤵
PID:5812
- C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3728
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\wlcogaofwibrjyrs.exe*."
    3⤵
    PID:1664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe
1⤵
PID:5940
- C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe
  2⤵
  PID:5372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe .
1⤵
PID:1084
- C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe
  C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4784
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\kdyokiavqgdxtmjoqzgz.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xpjytqhbvkgzumimnvb.exe
1⤵
PID:5760
- C:\Windows\xpjytqhbvkgzumimnvb.exe
  xpjytqhbvkgzumimnvb.exe
  2⤵
  PID:2908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xpjytqhbvkgzumimnvb.exe .
1⤵
PID:5288
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4308
- C:\Windows\xpjytqhbvkgzumimnvb.exe
  xpjytqhbvkgzumimnvb.exe .
  2⤵
  - Checks computer location settings
  PID:2284
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xpjytqhbvkgzumimnvb.exe*."
    3⤵
    PID:5656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kdyokiavqgdxtmjoqzgz.exe
1⤵
PID:5644
- C:\Windows\kdyokiavqgdxtmjoqzgz.exe
  kdyokiavqgdxtmjoqzgz.exe
  2⤵
  PID:5852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wlcogaofwibrjyrs.exe .
1⤵
PID:3692
- C:\Windows\wlcogaofwibrjyrs.exe
  wlcogaofwibrjyrs.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4836
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\wlcogaofwibrjyrs.exe*."
    3⤵
    PID:688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe
1⤵
PID:4040
- C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe
  C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe
  2⤵
  PID:4964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe .
1⤵
PID:5708
- C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe .
  2⤵
  - Checks computer location settings
  PID:2052
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\wlcogaofwibrjyrs.exe*."
    3⤵
    PID:5236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe
1⤵
PID:1188
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:232
- C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe
  C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe
  2⤵
  PID:1064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe .
1⤵
PID:1216
- C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4832
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\wlcogaofwibrjyrs.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtlyrmbtlysjcsmon.exe
1⤵
PID:5448
- C:\Windows\dtlyrmbtlysjcsmon.exe
  dtlyrmbtlysjcsmon.exe
  2⤵
  PID:3440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztpgdcvrnecxuomsvfnhd.exe .
1⤵
PID:1068
- C:\Windows\ztpgdcvrnecxuomsvfnhd.exe
  ztpgdcvrnecxuomsvfnhd.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5304
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ztpgdcvrnecxuomsvfnhd.exe*."
    3⤵
    PID:5968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kdyokiavqgdxtmjoqzgz.exe
1⤵
PID:3672
- C:\Windows\kdyokiavqgdxtmjoqzgz.exe
  kdyokiavqgdxtmjoqzgz.exe
  2⤵
  PID:5248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xpjytqhbvkgzumimnvb.exe .
1⤵
PID:4016
- C:\Windows\xpjytqhbvkgzumimnvb.exe
  xpjytqhbvkgzumimnvb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1404
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xpjytqhbvkgzumimnvb.exe*."
    3⤵
    PID:5864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe
1⤵
PID:756
- C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe
  C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe
  2⤵
  PID:5196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe .
1⤵
PID:5356
- C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1076
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\dtlyrmbtlysjcsmon.exe*."
    3⤵
    PID:1948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe
1⤵
PID:4580
- C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe
  2⤵
  PID:5228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe .
1⤵
PID:2984
- C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe
  C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1804
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\kdyokiavqgdxtmjoqzgz.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kdyokiavqgdxtmjoqzgz.exe
1⤵
PID:5788
- C:\Windows\kdyokiavqgdxtmjoqzgz.exe
  kdyokiavqgdxtmjoqzgz.exe
  2⤵
  PID:4188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztpgdcvrnecxuomsvfnhd.exe .
1⤵
PID:5812
- C:\Windows\ztpgdcvrnecxuomsvfnhd.exe
  ztpgdcvrnecxuomsvfnhd.exe .
  2⤵
  PID:2136
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ztpgdcvrnecxuomsvfnhd.exe*."
    3⤵
    PID:5532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztpgdcvrnecxuomsvfnhd.exe
1⤵
PID:6068
- C:\Windows\ztpgdcvrnecxuomsvfnhd.exe
  ztpgdcvrnecxuomsvfnhd.exe
  2⤵
  PID:5276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztpgdcvrnecxuomsvfnhd.exe .
1⤵
PID:4612
- C:\Windows\ztpgdcvrnecxuomsvfnhd.exe
  ztpgdcvrnecxuomsvfnhd.exe .
  2⤵
  PID:4460
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ztpgdcvrnecxuomsvfnhd.exe*."
    3⤵
    PID:2668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe
1⤵
PID:3240
- C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe
  C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe
  2⤵
  PID:2660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe .
1⤵
PID:1832
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3388
- C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe .
  2⤵
  PID:3600
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\dtlyrmbtlysjcsmon.exe*."
    3⤵
    PID:5964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe
1⤵
PID:4872
- C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe
  2⤵
  PID:3300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe .
1⤵
PID:2036
- C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe
  C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4108
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\kdyokiavqgdxtmjoqzgz.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kdyokiavqgdxtmjoqzgz.exe
1⤵
PID:4764
- C:\Windows\kdyokiavqgdxtmjoqzgz.exe
  kdyokiavqgdxtmjoqzgz.exe
  2⤵
  PID:3520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mdwkeaqjcqldxojmmt.exe .
1⤵
PID:5632
- C:\Windows\mdwkeaqjcqldxojmmt.exe
  mdwkeaqjcqldxojmmt.exe .
  2⤵
  PID:2512
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\mdwkeaqjcqldxojmmt.exe*."
    3⤵
    PID:5440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtlyrmbtlysjcsmon.exe
1⤵
PID:528
- C:\Windows\dtlyrmbtlysjcsmon.exe
  dtlyrmbtlysjcsmon.exe
  2⤵
  PID:5660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xpjytqhbvkgzumimnvb.exe .
1⤵
PID:616
- C:\Windows\xpjytqhbvkgzumimnvb.exe
  xpjytqhbvkgzumimnvb.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3968
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xpjytqhbvkgzumimnvb.exe*."
    3⤵
    PID:4756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe
1⤵
PID:4820
- C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe
  C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe
  2⤵
  PID:1780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe .
1⤵
PID:1012
- C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe
  C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:396
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\ztpgdcvrnecxuomsvfnhd.exe*."
    3⤵
    PID:5304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe
1⤵
PID:2948
- C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe
  C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe
  2⤵
  PID:4340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe .
1⤵
PID:5148
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:728
- C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe .
  2⤵
  - Checks computer location settings
  PID:5196
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\dtlyrmbtlysjcsmon.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kdyokiavqgdxtmjoqzgz.exe
1⤵
PID:6116
- C:\Windows\kdyokiavqgdxtmjoqzgz.exe
  kdyokiavqgdxtmjoqzgz.exe
  2⤵
  PID:4976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wlcogaofwibrjyrs.exe .
1⤵
PID:5084
- C:\Windows\wlcogaofwibrjyrs.exe
  wlcogaofwibrjyrs.exe .
  2⤵
  - Checks computer location settings
  PID:5892
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\wlcogaofwibrjyrs.exe*."
    3⤵
    PID:3728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kdyokiavqgdxtmjoqzgz.exe
1⤵
PID:5316
- C:\Windows\kdyokiavqgdxtmjoqzgz.exe
  kdyokiavqgdxtmjoqzgz.exe
  2⤵
  PID:1264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztpgdcvrnecxuomsvfnhd.exe .
1⤵
PID:1960
- C:\Windows\ztpgdcvrnecxuomsvfnhd.exe
  ztpgdcvrnecxuomsvfnhd.exe .
  2⤵
  - Checks computer location settings
  PID:2656
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ztpgdcvrnecxuomsvfnhd.exe*."
    3⤵
    PID:4020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe
1⤵
PID:2404
- C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe
  C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe
  2⤵
  PID:5852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztpgdcvrnecxuomsvfnhd.exe
1⤵
PID:4184
- C:\Windows\ztpgdcvrnecxuomsvfnhd.exe
  ztpgdcvrnecxuomsvfnhd.exe
  2⤵
  PID:1128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe .
1⤵
PID:2400
- C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2860
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\wlcogaofwibrjyrs.exe*."
    3⤵
    PID:4880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wlcogaofwibrjyrs.exe
1⤵
PID:1476
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1152
- C:\Windows\wlcogaofwibrjyrs.exe
  wlcogaofwibrjyrs.exe
  2⤵
  PID:784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztpgdcvrnecxuomsvfnhd.exe .
1⤵
PID:2668
- C:\Windows\ztpgdcvrnecxuomsvfnhd.exe
  ztpgdcvrnecxuomsvfnhd.exe .
  2⤵
  PID:4804
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ztpgdcvrnecxuomsvfnhd.exe*."
    3⤵
    PID:2772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtlyrmbtlysjcsmon.exe .
1⤵
PID:1084
- C:\Windows\dtlyrmbtlysjcsmon.exe
  dtlyrmbtlysjcsmon.exe .
  2⤵
  PID:5484
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\dtlyrmbtlysjcsmon.exe*."
    3⤵
    PID:1536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe
1⤵
PID:1008
- C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe
  C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe
  2⤵
  PID:616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtlyrmbtlysjcsmon.exe
1⤵
PID:1512
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3300
- C:\Windows\dtlyrmbtlysjcsmon.exe
  dtlyrmbtlysjcsmon.exe
  2⤵
  PID:2512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe .
1⤵
PID:4672
- C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe .
  2⤵
  PID:4796
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\mdwkeaqjcqldxojmmt.exe*."
    3⤵
    PID:5004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wlcogaofwibrjyrs.exe
1⤵
PID:5648
- C:\Windows\wlcogaofwibrjyrs.exe
  wlcogaofwibrjyrs.exe
  2⤵
  PID:5248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztpgdcvrnecxuomsvfnhd.exe .
1⤵
PID:2412
- C:\Windows\ztpgdcvrnecxuomsvfnhd.exe
  ztpgdcvrnecxuomsvfnhd.exe .
  2⤵
  PID:364
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ztpgdcvrnecxuomsvfnhd.exe*."
    3⤵
    PID:3900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xpjytqhbvkgzumimnvb.exe .
1⤵
PID:5836
- C:\Windows\xpjytqhbvkgzumimnvb.exe
  xpjytqhbvkgzumimnvb.exe .
  2⤵
  PID:5976
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xpjytqhbvkgzumimnvb.exe*."
    3⤵
    PID:4420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe
1⤵
PID:3644
- C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe
  C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe
  2⤵
  PID:5960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe
1⤵
PID:5452
- C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe
  C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe
  2⤵
  PID:4632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe .
1⤵
PID:5072
- C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe
  C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe .
  2⤵
  PID:432
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\ztpgdcvrnecxuomsvfnhd.exe*."
    3⤵
    PID:3020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe .
1⤵
PID:5664
- C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe .
  2⤵
  PID:5304
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\wlcogaofwibrjyrs.exe*."
    3⤵
    PID:744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe
1⤵
PID:3860
- C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe
  C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe
  2⤵
  PID:1564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe
1⤵
PID:1520
- C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe
  2⤵
  PID:3436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe .
1⤵
PID:5448
- C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe
  C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe .
  2⤵
  PID:4824
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\ztpgdcvrnecxuomsvfnhd.exe*."
    3⤵
    PID:4188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe .
1⤵
PID:6048
- C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe .
  2⤵
  PID:4000
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\mdwkeaqjcqldxojmmt.exe*."
    3⤵
    PID:5344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wlcogaofwibrjyrs.exe
1⤵
PID:3908
- C:\Windows\wlcogaofwibrjyrs.exe
  wlcogaofwibrjyrs.exe
  2⤵
  PID:1032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mdwkeaqjcqldxojmmt.exe .
1⤵
PID:3952
- C:\Windows\mdwkeaqjcqldxojmmt.exe
  mdwkeaqjcqldxojmmt.exe .
  2⤵
  PID:5204
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\mdwkeaqjcqldxojmmt.exe*."
    3⤵
    PID:2816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtlyrmbtlysjcsmon.exe
1⤵
PID:5096
- C:\Windows\dtlyrmbtlysjcsmon.exe
  dtlyrmbtlysjcsmon.exe
  2⤵
  PID:6004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtlyrmbtlysjcsmon.exe .
1⤵
PID:4368
- C:\Windows\dtlyrmbtlysjcsmon.exe
  dtlyrmbtlysjcsmon.exe .
  2⤵
  PID:4752
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\dtlyrmbtlysjcsmon.exe*."
    3⤵
    PID:2604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe
1⤵
PID:2764
- C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe
  2⤵
  PID:5812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe .
1⤵
PID:784
- C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe .
  2⤵
  PID:4784
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\mdwkeaqjcqldxojmmt.exe*."
    3⤵
    PID:3924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe
1⤵
PID:4780
- C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe
  2⤵
  PID:1832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe .
1⤵
PID:3968
- C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe .
  2⤵
  PID:5824
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\mdwkeaqjcqldxojmmt.exe*."
    3⤵
    PID:4252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wlcogaofwibrjyrs.exe
1⤵
PID:4340
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4860
- C:\Windows\wlcogaofwibrjyrs.exe
  wlcogaofwibrjyrs.exe
  2⤵
  PID:3532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kdyokiavqgdxtmjoqzgz.exe .
1⤵
PID:3888
- C:\Windows\kdyokiavqgdxtmjoqzgz.exe
  kdyokiavqgdxtmjoqzgz.exe .
  2⤵
  PID:3744
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\kdyokiavqgdxtmjoqzgz.exe*."
    3⤵
    PID:5192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtlyrmbtlysjcsmon.exe
1⤵
PID:364
- C:\Windows\dtlyrmbtlysjcsmon.exe
  dtlyrmbtlysjcsmon.exe
  2⤵
  PID:1532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kdyokiavqgdxtmjoqzgz.exe .
1⤵
PID:5032
- C:\Windows\kdyokiavqgdxtmjoqzgz.exe
  kdyokiavqgdxtmjoqzgz.exe .
  2⤵
  PID:4944
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\kdyokiavqgdxtmjoqzgz.exe*."
    3⤵
    PID:924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe
1⤵
PID:4852
- C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe
  2⤵
  PID:3196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe .
1⤵
PID:1216
- C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe
  C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe .
  2⤵
  PID:4720
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\kdyokiavqgdxtmjoqzgz.exe*."
    3⤵
    PID:5220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe
1⤵
PID:1940
- C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe
  2⤵
  PID:2484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe .
1⤵
PID:3584
- C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe .
  2⤵
  PID:5836
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\mdwkeaqjcqldxojmmt.exe*."
    3⤵
    PID:3556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wlcogaofwibrjyrs.exe
1⤵
PID:5540
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5372
- C:\Windows\wlcogaofwibrjyrs.exe
  wlcogaofwibrjyrs.exe
  2⤵
  PID:4680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtlyrmbtlysjcsmon.exe .
1⤵
PID:4636
- C:\Windows\dtlyrmbtlysjcsmon.exe
  dtlyrmbtlysjcsmon.exe .
  2⤵
  PID:4792
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\dtlyrmbtlysjcsmon.exe*."
    3⤵
    PID:3700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xpjytqhbvkgzumimnvb.exe
1⤵
PID:2760
- C:\Windows\xpjytqhbvkgzumimnvb.exe
  xpjytqhbvkgzumimnvb.exe
  2⤵
  PID:552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kdyokiavqgdxtmjoqzgz.exe .
1⤵
PID:5700
- C:\Windows\kdyokiavqgdxtmjoqzgz.exe
  kdyokiavqgdxtmjoqzgz.exe .
  2⤵
  PID:5412
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\kdyokiavqgdxtmjoqzgz.exe*."
    3⤵
    PID:2284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe
1⤵
PID:5600
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5856
- C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe
  C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe
  2⤵
  PID:2328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe .
1⤵
PID:4592
- C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe
  C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe .
  2⤵
  PID:444
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\xpjytqhbvkgzumimnvb.exe*."
    3⤵
    PID:5200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe
1⤵
PID:4804
- C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe
  2⤵
  PID:5820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe .
1⤵
PID:4708
- C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe
  C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe .
  2⤵
  PID:5484
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\kdyokiavqgdxtmjoqzgz.exe*."
    3⤵
    PID:2668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztpgdcvrnecxuomsvfnhd.exe
1⤵
PID:2216
- C:\Windows\ztpgdcvrnecxuomsvfnhd.exe
  ztpgdcvrnecxuomsvfnhd.exe
  2⤵
  PID:6116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mdwkeaqjcqldxojmmt.exe .
1⤵
PID:1288
- C:\Windows\mdwkeaqjcqldxojmmt.exe
  mdwkeaqjcqldxojmmt.exe .
  2⤵
  PID:5264
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\mdwkeaqjcqldxojmmt.exe*."
    3⤵
    PID:4108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mdwkeaqjcqldxojmmt.exe
1⤵
PID:2864
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4360
- C:\Windows\mdwkeaqjcqldxojmmt.exe
  mdwkeaqjcqldxojmmt.exe
  2⤵
  PID:3884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mdwkeaqjcqldxojmmt.exe .
1⤵
PID:3744
- C:\Windows\mdwkeaqjcqldxojmmt.exe
  mdwkeaqjcqldxojmmt.exe .
  2⤵
  PID:5976
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\mdwkeaqjcqldxojmmt.exe*."
    3⤵
    PID:4188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe
1⤵
PID:3644
- C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe
  2⤵
  PID:432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe .
1⤵
PID:4616
- C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe .
  2⤵
  PID:4704
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\mdwkeaqjcqldxojmmt.exe*."
    3⤵
    PID:2440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe
1⤵
PID:1780
- C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe
  2⤵
  PID:5032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe .
1⤵
PID:1012
- C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe
  C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe .
  2⤵
  PID:2276
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\xpjytqhbvkgzumimnvb.exe*."
    3⤵
    PID:624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xpjytqhbvkgzumimnvb.exe
1⤵
PID:5296
- C:\Windows\xpjytqhbvkgzumimnvb.exe
  xpjytqhbvkgzumimnvb.exe
  2⤵
  PID:2412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztpgdcvrnecxuomsvfnhd.exe .
1⤵
PID:3604
- C:\Windows\ztpgdcvrnecxuomsvfnhd.exe
  ztpgdcvrnecxuomsvfnhd.exe .
  2⤵
  PID:5448
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ztpgdcvrnecxuomsvfnhd.exe*."
    3⤵
    PID:948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mdwkeaqjcqldxojmmt.exe
1⤵
PID:6020
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4520
- C:\Windows\mdwkeaqjcqldxojmmt.exe
  mdwkeaqjcqldxojmmt.exe
  2⤵
  PID:1732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtlyrmbtlysjcsmon.exe .
1⤵
PID:3312
- C:\Windows\dtlyrmbtlysjcsmon.exe
  dtlyrmbtlysjcsmon.exe .
  2⤵
  PID:2712
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\dtlyrmbtlysjcsmon.exe*."
    3⤵
    PID:1488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe
1⤵
PID:5832
- C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe
  C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe
  2⤵
  PID:628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe .
1⤵
PID:2136
- C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe
  C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe .
  2⤵
  PID:4896
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\ztpgdcvrnecxuomsvfnhd.exe*."
    3⤵
    PID:4728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe
1⤵
PID:4940
- C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe
  C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe
  2⤵
  PID:5456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe .
1⤵
PID:2512
- C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe
  C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe .
  2⤵
  PID:6092
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\kdyokiavqgdxtmjoqzgz.exe*."
    3⤵
    PID:4020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtlyrmbtlysjcsmon.exe
1⤵
PID:4592
- C:\Windows\dtlyrmbtlysjcsmon.exe
  dtlyrmbtlysjcsmon.exe
  2⤵
  PID:3024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kdyokiavqgdxtmjoqzgz.exe .
1⤵
PID:1188
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4804
- C:\Windows\kdyokiavqgdxtmjoqzgz.exe
  kdyokiavqgdxtmjoqzgz.exe .
  2⤵
  PID:3388
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\kdyokiavqgdxtmjoqzgz.exe*."
    3⤵
    PID:4708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtlyrmbtlysjcsmon.exe
1⤵
PID:1360
- C:\Windows\dtlyrmbtlysjcsmon.exe
  dtlyrmbtlysjcsmon.exe
  2⤵
  PID:4136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wlcogaofwibrjyrs.exe .
1⤵
PID:5280
- C:\Windows\wlcogaofwibrjyrs.exe
  wlcogaofwibrjyrs.exe .
  2⤵
  PID:3280
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\wlcogaofwibrjyrs.exe*."
    3⤵
    PID:4480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe
1⤵
PID:1896
- C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe
  C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe
  2⤵
  PID:4540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe .
1⤵
PID:2460
- C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe .
  2⤵
  PID:3532
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\mdwkeaqjcqldxojmmt.exe*."
    3⤵
    PID:2236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe
1⤵
PID:2156
- C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe
  2⤵
  PID:5976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe .
1⤵
PID:4008
- C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe .
  2⤵
  PID:4820
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\dtlyrmbtlysjcsmon.exe*."
    3⤵
    PID:3196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztpgdcvrnecxuomsvfnhd.exe
1⤵
PID:2884
- C:\Windows\ztpgdcvrnecxuomsvfnhd.exe
  ztpgdcvrnecxuomsvfnhd.exe
  2⤵
  PID:4272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xpjytqhbvkgzumimnvb.exe
1⤵
PID:5840
- C:\Windows\xpjytqhbvkgzumimnvb.exe
  xpjytqhbvkgzumimnvb.exe
  2⤵
  PID:1660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kdyokiavqgdxtmjoqzgz.exe
1⤵
PID:364
- C:\Windows\kdyokiavqgdxtmjoqzgz.exe
  kdyokiavqgdxtmjoqzgz.exe
  2⤵
  PID:1948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wlcogaofwibrjyrs.exe .
1⤵
PID:1404
- C:\Windows\wlcogaofwibrjyrs.exe
  wlcogaofwibrjyrs.exe .
  2⤵
  PID:3536
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\wlcogaofwibrjyrs.exe*."
    3⤵
    PID:2444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kdyokiavqgdxtmjoqzgz.exe .
1⤵
PID:1172
- C:\Windows\kdyokiavqgdxtmjoqzgz.exe
  kdyokiavqgdxtmjoqzgz.exe .
  2⤵
  PID:4720
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\kdyokiavqgdxtmjoqzgz.exe*."
    3⤵
    PID:628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xpjytqhbvkgzumimnvb.exe .
1⤵
PID:1140
- C:\Windows\xpjytqhbvkgzumimnvb.exe
  xpjytqhbvkgzumimnvb.exe .
  2⤵
  PID:5012
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xpjytqhbvkgzumimnvb.exe*."
    3⤵
    PID:3600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mdwkeaqjcqldxojmmt.exe
1⤵
PID:4476
- C:\Windows\mdwkeaqjcqldxojmmt.exe
  mdwkeaqjcqldxojmmt.exe
  2⤵
  PID:5000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xpjytqhbvkgzumimnvb.exe
1⤵
PID:1124
- C:\Windows\xpjytqhbvkgzumimnvb.exe
  xpjytqhbvkgzumimnvb.exe
  2⤵
  PID:2648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kdyokiavqgdxtmjoqzgz.exe
1⤵
PID:1824
- C:\Windows\kdyokiavqgdxtmjoqzgz.exe
  kdyokiavqgdxtmjoqzgz.exe
  2⤵
  PID:4624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kdyokiavqgdxtmjoqzgz.exe .
1⤵
PID:5632
- C:\Windows\kdyokiavqgdxtmjoqzgz.exe
  kdyokiavqgdxtmjoqzgz.exe .
  2⤵
  PID:5768
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\kdyokiavqgdxtmjoqzgz.exe*."
    3⤵
    PID:2416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztpgdcvrnecxuomsvfnhd.exe .
1⤵
PID:4808
- C:\Windows\ztpgdcvrnecxuomsvfnhd.exe
  ztpgdcvrnecxuomsvfnhd.exe .
  2⤵
  PID:1152
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ztpgdcvrnecxuomsvfnhd.exe*."
    3⤵
    PID:4340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztpgdcvrnecxuomsvfnhd.exe .
1⤵
PID:4348
- C:\Windows\ztpgdcvrnecxuomsvfnhd.exe
  ztpgdcvrnecxuomsvfnhd.exe .
  2⤵
  PID:4136
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ztpgdcvrnecxuomsvfnhd.exe*."
    3⤵
    PID:3840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe
1⤵
PID:4112
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5716
- C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe
  C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe
  2⤵
  PID:1932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe
1⤵
PID:2928
- C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe
  2⤵
  PID:2328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe
1⤵
PID:5332
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5048
- C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe
  C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe
  2⤵
  PID:1896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe .
1⤵
PID:1396
- C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe
  C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe .
  2⤵
  PID:2664
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\ztpgdcvrnecxuomsvfnhd.exe*."
    3⤵
    PID:2440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe .
1⤵
PID:2560
- C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe
  C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe .
  2⤵
  PID:2948
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\kdyokiavqgdxtmjoqzgz.exe*."
    3⤵
    PID:4124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe .
1⤵
PID:552
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:6084
- C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe .
  2⤵
  PID:6076
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\mdwkeaqjcqldxojmmt.exe*."
    3⤵
    PID:3644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe
1⤵
PID:5660
- C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe
  2⤵
  PID:432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe
1⤵
PID:2208
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5516
- C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe
  2⤵
  PID:1264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe
1⤵
PID:5008
- C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe
  2⤵
  PID:3496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe .
1⤵
PID:2772
- C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe
  C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe .
  2⤵
  PID:1288
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\xpjytqhbvkgzumimnvb.exe*."
    3⤵
    PID:3860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe .
1⤵
PID:4880
- C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe
  C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe .
  2⤵
  PID:2748
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\kdyokiavqgdxtmjoqzgz.exe*."
    3⤵
    PID:3992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe .
1⤵
PID:4612
- C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe .
  2⤵
  PID:4684
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\wlcogaofwibrjyrs.exe*."
    3⤵
    PID:5864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtlyrmbtlysjcsmon.exe
1⤵
PID:4196
- C:\Windows\dtlyrmbtlysjcsmon.exe
  dtlyrmbtlysjcsmon.exe
  2⤵
  PID:1660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mdwkeaqjcqldxojmmt.exe .
1⤵
PID:4224
- C:\Windows\mdwkeaqjcqldxojmmt.exe
  mdwkeaqjcqldxojmmt.exe .
  2⤵
  PID:4412
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\mdwkeaqjcqldxojmmt.exe*."
    3⤵
    PID:4632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mdwkeaqjcqldxojmmt.exe
1⤵
PID:2272
- C:\Windows\mdwkeaqjcqldxojmmt.exe
  mdwkeaqjcqldxojmmt.exe
  2⤵
  PID:3440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mdwkeaqjcqldxojmmt.exe .
1⤵
PID:2908
- C:\Windows\mdwkeaqjcqldxojmmt.exe
  mdwkeaqjcqldxojmmt.exe .
  2⤵
  PID:3444
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\mdwkeaqjcqldxojmmt.exe*."
    3⤵
    PID:5000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe
1⤵
PID:1428
- C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe
  2⤵
  PID:3724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe .
1⤵
PID:396
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4892
- C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe .
  2⤵
  PID:4592
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\dtlyrmbtlysjcsmon.exe*."
    3⤵
    PID:4512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe
1⤵
PID:4708
- C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe
  C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe
  2⤵
  PID:3328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe .
1⤵
PID:392
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3828
- C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe .
  2⤵
  PID:1276
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\wlcogaofwibrjyrs.exe*."
    3⤵
    PID:4036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kdyokiavqgdxtmjoqzgz.exe
1⤵
PID:1824
- C:\Windows\kdyokiavqgdxtmjoqzgz.exe
  kdyokiavqgdxtmjoqzgz.exe
  2⤵
  PID:4248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mdwkeaqjcqldxojmmt.exe .
1⤵
PID:2036
- C:\Windows\mdwkeaqjcqldxojmmt.exe
  mdwkeaqjcqldxojmmt.exe .
  2⤵
  PID:2416
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\mdwkeaqjcqldxojmmt.exe*."
    3⤵
    PID:4680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtlyrmbtlysjcsmon.exe
1⤵
PID:1944
- C:\Windows\dtlyrmbtlysjcsmon.exe
  dtlyrmbtlysjcsmon.exe
  2⤵
  PID:5100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztpgdcvrnecxuomsvfnhd.exe .
1⤵
PID:2156
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2516
- C:\Windows\ztpgdcvrnecxuomsvfnhd.exe
  ztpgdcvrnecxuomsvfnhd.exe .
  2⤵
  PID:6048
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ztpgdcvrnecxuomsvfnhd.exe*."
    3⤵
    PID:2980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe
1⤵
PID:1716
- C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe
  2⤵
  PID:1064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe .
1⤵
PID:2248
- C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe
  C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe .
  2⤵
  PID:4756
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\kdyokiavqgdxtmjoqzgz.exe*."
    3⤵
    PID:6020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe
1⤵
PID:2176
- C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe
  C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe
  2⤵
  PID:3888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe .
1⤵
PID:5804
- C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe .
  2⤵
  PID:4820
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\dtlyrmbtlysjcsmon.exe*."
    3⤵
    PID:4972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wlcogaofwibrjyrs.exe
1⤵
PID:2964
- C:\Windows\wlcogaofwibrjyrs.exe
  wlcogaofwibrjyrs.exe
  2⤵
  PID:5468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kdyokiavqgdxtmjoqzgz.exe .
1⤵
PID:688
- C:\Windows\kdyokiavqgdxtmjoqzgz.exe
  kdyokiavqgdxtmjoqzgz.exe .
  2⤵
  PID:3504
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\kdyokiavqgdxtmjoqzgz.exe*."
    3⤵
    PID:3020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xpjytqhbvkgzumimnvb.exe
1⤵
PID:3992
- C:\Windows\xpjytqhbvkgzumimnvb.exe
  xpjytqhbvkgzumimnvb.exe
  2⤵
  PID:1380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtlyrmbtlysjcsmon.exe .
1⤵
PID:6040
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1512
- C:\Windows\dtlyrmbtlysjcsmon.exe
  dtlyrmbtlysjcsmon.exe .
  2⤵
  PID:4824
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\dtlyrmbtlysjcsmon.exe*."
    3⤵
    PID:1588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe
1⤵
PID:5440
- C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe
  C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe
  2⤵
  PID:1640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe .
1⤵
PID:2172
- C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe .
  2⤵
  PID:5624
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\wlcogaofwibrjyrs.exe*."
    3⤵
    PID:5428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe
1⤵
PID:5096
- C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe
  2⤵
  PID:5476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe .
1⤵
PID:5852
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5992
- C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe
  C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe .
  2⤵
  PID:3052
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\kdyokiavqgdxtmjoqzgz.exe*."
    3⤵
    PID:4936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xpjytqhbvkgzumimnvb.exe
1⤵
PID:916
- C:\Windows\xpjytqhbvkgzumimnvb.exe
  xpjytqhbvkgzumimnvb.exe
  2⤵
  PID:4184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xpjytqhbvkgzumimnvb.exe .
1⤵
PID:4892
- C:\Windows\xpjytqhbvkgzumimnvb.exe
  xpjytqhbvkgzumimnvb.exe .
  2⤵
  PID:2928
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xpjytqhbvkgzumimnvb.exe*."
    3⤵
    PID:3952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtlyrmbtlysjcsmon.exe
1⤵
PID:1488
- C:\Windows\dtlyrmbtlysjcsmon.exe
  dtlyrmbtlysjcsmon.exe
  2⤵
  PID:4108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kdyokiavqgdxtmjoqzgz.exe .
1⤵
PID:2216
- C:\Windows\kdyokiavqgdxtmjoqzgz.exe
  kdyokiavqgdxtmjoqzgz.exe .
  2⤵
  PID:5208
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\kdyokiavqgdxtmjoqzgz.exe*."
    3⤵
    PID:3964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe
1⤵
PID:1276
- C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe
  C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe
  2⤵
  PID:4160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe .
1⤵
PID:1080
- C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe .
  2⤵
  PID:1232
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\wlcogaofwibrjyrs.exe*."
    3⤵
    PID:3872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe
1⤵
PID:2052
- C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe
  2⤵
  PID:2412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe .
1⤵
PID:4680
- C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe .
  2⤵
  PID:5100
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\wlcogaofwibrjyrs.exe*."
    3⤵
    PID:432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wlcogaofwibrjyrs.exe
1⤵
PID:4588
- C:\Windows\wlcogaofwibrjyrs.exe
  wlcogaofwibrjyrs.exe
  2⤵
  PID:2512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xpjytqhbvkgzumimnvb.exe .
1⤵
PID:2980
- C:\Windows\xpjytqhbvkgzumimnvb.exe
  xpjytqhbvkgzumimnvb.exe .
  2⤵
  PID:5812
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xpjytqhbvkgzumimnvb.exe*."
    3⤵
    PID:6020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xpjytqhbvkgzumimnvb.exe
1⤵
PID:3624
- C:\Windows\xpjytqhbvkgzumimnvb.exe
  xpjytqhbvkgzumimnvb.exe
  2⤵
  PID:64

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wlcogaofwibrjyrs.exe .
1⤵
PID:1804
- C:\Windows\wlcogaofwibrjyrs.exe
  wlcogaofwibrjyrs.exe .
  2⤵
  PID:3320
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\wlcogaofwibrjyrs.exe*."
    3⤵
    PID:6068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe
1⤵
PID:552
- C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe
  C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe
  2⤵
  PID:2284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe .
1⤵
PID:736
- C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe .
  2⤵
  PID:2784
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\dtlyrmbtlysjcsmon.exe*."
    3⤵
    PID:444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe
1⤵
PID:1128
- C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe
  2⤵
  PID:1956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe .
1⤵
PID:5196
- C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe .
  2⤵
  PID:2748
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\wlcogaofwibrjyrs.exe*."
    3⤵
    PID:3020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xpjytqhbvkgzumimnvb.exe
1⤵
PID:2772
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1536
- C:\Windows\xpjytqhbvkgzumimnvb.exe
  xpjytqhbvkgzumimnvb.exe
  2⤵
  PID:5664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wlcogaofwibrjyrs.exe .
1⤵
PID:5924
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1948
- C:\Windows\wlcogaofwibrjyrs.exe
  wlcogaofwibrjyrs.exe .
  2⤵
  PID:4684
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\wlcogaofwibrjyrs.exe*."
    3⤵
    PID:3452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztpgdcvrnecxuomsvfnhd.exe
1⤵
PID:4772
- C:\Windows\ztpgdcvrnecxuomsvfnhd.exe
  ztpgdcvrnecxuomsvfnhd.exe
  2⤵
  PID:5428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtlyrmbtlysjcsmon.exe .
1⤵
PID:2660
- C:\Windows\dtlyrmbtlysjcsmon.exe
  dtlyrmbtlysjcsmon.exe .
  2⤵
  PID:5844
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\dtlyrmbtlysjcsmon.exe*."
    3⤵
    PID:3052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe
1⤵
PID:2172
- C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe
  C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe
  2⤵
  PID:3600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe .
1⤵
PID:5012
- C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe .
  2⤵
  PID:740
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\mdwkeaqjcqldxojmmt.exe*."
    3⤵
    PID:3696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wlcogaofwibrjyrs.exe
1⤵
PID:616
- C:\Windows\wlcogaofwibrjyrs.exe
  wlcogaofwibrjyrs.exe
  2⤵
  PID:4512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtlyrmbtlysjcsmon.exe
1⤵
PID:5052
- C:\Windows\dtlyrmbtlysjcsmon.exe
  dtlyrmbtlysjcsmon.exe
  2⤵
  PID:5220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe
1⤵
PID:2768
- C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe
  2⤵
  PID:1488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wlcogaofwibrjyrs.exe .
1⤵
PID:3196
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5372
- C:\Windows\wlcogaofwibrjyrs.exe
  wlcogaofwibrjyrs.exe .
  2⤵
  PID:3672
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\wlcogaofwibrjyrs.exe*."
    3⤵
    PID:1016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe .
1⤵
PID:5764
- C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe .
  2⤵
  PID:3828
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\dtlyrmbtlysjcsmon.exe*."
    3⤵
    PID:5000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztpgdcvrnecxuomsvfnhd.exe .
1⤵
PID:2004
- C:\Windows\ztpgdcvrnecxuomsvfnhd.exe
  ztpgdcvrnecxuomsvfnhd.exe .
  2⤵
  PID:5244
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ztpgdcvrnecxuomsvfnhd.exe*."
    3⤵
    PID:3520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kdyokiavqgdxtmjoqzgz.exe
1⤵
PID:4220
- C:\Windows\kdyokiavqgdxtmjoqzgz.exe
  kdyokiavqgdxtmjoqzgz.exe
  2⤵
  PID:2460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztpgdcvrnecxuomsvfnhd.exe
1⤵
PID:1152
- C:\Windows\ztpgdcvrnecxuomsvfnhd.exe
  ztpgdcvrnecxuomsvfnhd.exe
  2⤵
  PID:1308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xpjytqhbvkgzumimnvb.exe .
1⤵
PID:4652
- C:\Windows\xpjytqhbvkgzumimnvb.exe
  xpjytqhbvkgzumimnvb.exe .
  2⤵
  PID:5632
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xpjytqhbvkgzumimnvb.exe*."
    3⤵
    PID:2900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wlcogaofwibrjyrs.exe .
1⤵
PID:5456
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1076
- C:\Windows\wlcogaofwibrjyrs.exe
  wlcogaofwibrjyrs.exe .
  2⤵
  PID:5472
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\wlcogaofwibrjyrs.exe*."
    3⤵
    PID:384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe
1⤵
PID:1932
- C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe
  C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe
  2⤵
  PID:2156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe
1⤵
PID:2652
- C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe
  C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe
  2⤵
  PID:3324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe .
1⤵
PID:4280
- C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe .
  2⤵
  PID:4192
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\dtlyrmbtlysjcsmon.exe*."
    3⤵
    PID:3556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe .
1⤵
PID:4360
- C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe
  C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe .
  2⤵
  PID:1532
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\ztpgdcvrnecxuomsvfnhd.exe*."
    3⤵
    PID:3984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe
1⤵
PID:5760
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4756
- C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe
  2⤵
  PID:1128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe
1⤵
PID:2764
- C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe
  2⤵
  PID:6012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe .
1⤵
PID:4940
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4040
- C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe .
  2⤵
  PID:4884
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\dtlyrmbtlysjcsmon.exe*."
    3⤵
    PID:364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe .
1⤵
PID:3300
- C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe
  C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe .
  2⤵
  PID:2308
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\kdyokiavqgdxtmjoqzgz.exe*."
    3⤵
    PID:3452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztpgdcvrnecxuomsvfnhd.exe
1⤵
PID:1804
- C:\Windows\ztpgdcvrnecxuomsvfnhd.exe
  ztpgdcvrnecxuomsvfnhd.exe
  2⤵
  PID:688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtlyrmbtlysjcsmon.exe .
1⤵
PID:4188
- C:\Windows\dtlyrmbtlysjcsmon.exe
  dtlyrmbtlysjcsmon.exe .
  2⤵
  PID:4880
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\dtlyrmbtlysjcsmon.exe*."
    3⤵
    PID:3900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mdwkeaqjcqldxojmmt.exe
1⤵
PID:1640
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1544
- C:\Windows\mdwkeaqjcqldxojmmt.exe
  mdwkeaqjcqldxojmmt.exe
  2⤵
  PID:1760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wlcogaofwibrjyrs.exe .
1⤵
PID:756
- C:\Windows\wlcogaofwibrjyrs.exe
  wlcogaofwibrjyrs.exe .
  2⤵
  PID:4852
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\wlcogaofwibrjyrs.exe*."
    3⤵
    PID:1732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe
1⤵
PID:3760
- C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe
  C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe
  2⤵
  PID:5044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe .
1⤵
PID:4372
- C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe .
  2⤵
  PID:5844
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\mdwkeaqjcqldxojmmt.exe*."
    3⤵
    PID:2000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe
1⤵
PID:1464
- C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe
  C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe
  2⤵
  PID:5724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe .
1⤵
PID:2328
- C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe
  C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe .
  2⤵
  PID:4916
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\ztpgdcvrnecxuomsvfnhd.exe*."
    3⤵
    PID:5132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztpgdcvrnecxuomsvfnhd.exe
1⤵
PID:424
- C:\Windows\ztpgdcvrnecxuomsvfnhd.exe
  ztpgdcvrnecxuomsvfnhd.exe
  2⤵
  PID:4340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztpgdcvrnecxuomsvfnhd.exe .
1⤵
PID:2648
- C:\Windows\ztpgdcvrnecxuomsvfnhd.exe
  ztpgdcvrnecxuomsvfnhd.exe .
  2⤵
  PID:4540
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ztpgdcvrnecxuomsvfnhd.exe*."
    3⤵
    PID:2036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wlcogaofwibrjyrs.exe
1⤵
PID:4976
- C:\Windows\wlcogaofwibrjyrs.exe
  wlcogaofwibrjyrs.exe
  2⤵
  PID:4144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kdyokiavqgdxtmjoqzgz.exe .
1⤵
PID:3428
- C:\Windows\kdyokiavqgdxtmjoqzgz.exe
  kdyokiavqgdxtmjoqzgz.exe .
  2⤵
  PID:2924
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\kdyokiavqgdxtmjoqzgz.exe*."
    3⤵
    PID:2288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe
1⤵
PID:232
- C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe
  2⤵
  PID:6060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe .
1⤵
PID:6096
- C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe
  C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe .
  2⤵
  PID:5208
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\xpjytqhbvkgzumimnvb.exe*."
    3⤵
    PID:4896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe
1⤵
PID:2860
- C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe
  C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe
  2⤵
  PID:3708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe .
1⤵
PID:1388
- C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe .
  2⤵
  PID:5332
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\mdwkeaqjcqldxojmmt.exe*."
    3⤵
    PID:4472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wlcogaofwibrjyrs.exe
1⤵
PID:2784
- C:\Windows\wlcogaofwibrjyrs.exe
  wlcogaofwibrjyrs.exe
  2⤵
  PID:2652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kdyokiavqgdxtmjoqzgz.exe .
1⤵
PID:1852
- C:\Windows\kdyokiavqgdxtmjoqzgz.exe
  kdyokiavqgdxtmjoqzgz.exe .
  2⤵
  PID:748
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\kdyokiavqgdxtmjoqzgz.exe*."
    3⤵
    PID:3884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mdwkeaqjcqldxojmmt.exe
1⤵
PID:2732
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1124
- C:\Windows\mdwkeaqjcqldxojmmt.exe
  mdwkeaqjcqldxojmmt.exe
  2⤵
  PID:2760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xpjytqhbvkgzumimnvb.exe .
1⤵
PID:5860
- C:\Windows\xpjytqhbvkgzumimnvb.exe
  xpjytqhbvkgzumimnvb.exe .
  2⤵
  PID:3456
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xpjytqhbvkgzumimnvb.exe*."
    3⤵
    PID:5032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe
1⤵
PID:2948
- C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe
  2⤵
  PID:2484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe .
1⤵
PID:4444
- C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe .
  2⤵
  PID:3212
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\dtlyrmbtlysjcsmon.exe*."
    3⤵
    PID:3460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe
1⤵
PID:736
- C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe
  C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe
  2⤵
  PID:4828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe .
1⤵
PID:692
- C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe
  C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe .
  2⤵
  PID:5428
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\xpjytqhbvkgzumimnvb.exe*."
    3⤵
    PID:6068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mdwkeaqjcqldxojmmt.exe
1⤵
PID:5056
- C:\Windows\mdwkeaqjcqldxojmmt.exe
  mdwkeaqjcqldxojmmt.exe
  2⤵
  PID:2440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtlyrmbtlysjcsmon.exe .
1⤵
PID:1964
- C:\Windows\dtlyrmbtlysjcsmon.exe
  dtlyrmbtlysjcsmon.exe .
  2⤵
  PID:2508
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\dtlyrmbtlysjcsmon.exe*."
    3⤵
    PID:3724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wlcogaofwibrjyrs.exe
1⤵
PID:3760
- C:\Windows\wlcogaofwibrjyrs.exe
  wlcogaofwibrjyrs.exe
  2⤵
  PID:1688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtlyrmbtlysjcsmon.exe .
1⤵
PID:1404
- C:\Windows\dtlyrmbtlysjcsmon.exe
  dtlyrmbtlysjcsmon.exe .
  2⤵
  PID:4528
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\dtlyrmbtlysjcsmon.exe*."
    3⤵
    PID:5012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe
1⤵
PID:1436
- C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe
  2⤵
  PID:5248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe .
1⤵
PID:4720
- C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe
  C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe .
  2⤵
  PID:3444
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\ztpgdcvrnecxuomsvfnhd.exe*."
    3⤵
    PID:4128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe
1⤵
PID:616
- C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe
  2⤵
  PID:3696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe .
1⤵
PID:3952
- C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe .
  2⤵
  PID:5052
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\wlcogaofwibrjyrs.exe*."
    3⤵
    PID:3280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtlyrmbtlysjcsmon.exe
1⤵
PID:2648
- C:\Windows\dtlyrmbtlysjcsmon.exe
  dtlyrmbtlysjcsmon.exe
  2⤵
  PID:5340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kdyokiavqgdxtmjoqzgz.exe .
1⤵
PID:4976
- C:\Windows\kdyokiavqgdxtmjoqzgz.exe
  kdyokiavqgdxtmjoqzgz.exe .
  2⤵
  PID:3508
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\kdyokiavqgdxtmjoqzgz.exe*."
    3⤵
    PID:5548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kdyokiavqgdxtmjoqzgz.exe
1⤵
PID:4248
- C:\Windows\kdyokiavqgdxtmjoqzgz.exe
  kdyokiavqgdxtmjoqzgz.exe
  2⤵
  PID:3688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztpgdcvrnecxuomsvfnhd.exe .
1⤵
PID:3428
- C:\Windows\ztpgdcvrnecxuomsvfnhd.exe
  ztpgdcvrnecxuomsvfnhd.exe .
  2⤵
  PID:2032
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ztpgdcvrnecxuomsvfnhd.exe*."
    3⤵
    PID:2928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe
1⤵
PID:5208
- C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe
  C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe
  2⤵
  PID:5832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe .
1⤵
PID:3708
- C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe .
  2⤵
  PID:2640
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\dtlyrmbtlysjcsmon.exe*."
    3⤵
    PID:4732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe
1⤵
PID:3632
- C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe
  C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe
  2⤵
  PID:4948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe .
1⤵
PID:4036
- C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe
  C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe .
  2⤵
  PID:5236
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\kdyokiavqgdxtmjoqzgz.exe*."
    3⤵
    PID:5688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtlyrmbtlysjcsmon.exe
1⤵
PID:1852
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4204
- C:\Windows\dtlyrmbtlysjcsmon.exe
  dtlyrmbtlysjcsmon.exe
  2⤵
  PID:3872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wlcogaofwibrjyrs.exe .
1⤵
PID:528
- C:\Windows\wlcogaofwibrjyrs.exe
  wlcogaofwibrjyrs.exe .
  2⤵
  PID:3144
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\wlcogaofwibrjyrs.exe*."
    3⤵
    PID:5640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtlyrmbtlysjcsmon.exe
1⤵
PID:2516
- C:\Windows\dtlyrmbtlysjcsmon.exe
  dtlyrmbtlysjcsmon.exe
  2⤵
  PID:4724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztpgdcvrnecxuomsvfnhd.exe .
1⤵
PID:5696
- C:\Windows\ztpgdcvrnecxuomsvfnhd.exe
  ztpgdcvrnecxuomsvfnhd.exe .
  2⤵
  PID:5820
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ztpgdcvrnecxuomsvfnhd.exe*."
    3⤵
    PID:3900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe
1⤵
PID:364
- C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe
  2⤵
  PID:3388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe .
1⤵
PID:1536
- C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe
  C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe .
  2⤵
  PID:2712
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\kdyokiavqgdxtmjoqzgz.exe*."
    3⤵
    PID:3992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe
1⤵
PID:5624
- C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe
  C:\Users\Admin\AppData\Local\Temp\wlcogaofwibrjyrs.exe
  2⤵
  PID:5200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe .
1⤵
PID:5596
- C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe
  C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe .
  2⤵
  PID:5056
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\dtlyrmbtlysjcsmon.exe*."
    3⤵
    PID:2208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mdwkeaqjcqldxojmmt.exe
1⤵
PID:4420
- C:\Windows\mdwkeaqjcqldxojmmt.exe
  mdwkeaqjcqldxojmmt.exe
  2⤵
  PID:4224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtlyrmbtlysjcsmon.exe
1⤵
PID:4972
- C:\Windows\dtlyrmbtlysjcsmon.exe
  dtlyrmbtlysjcsmon.exe
  2⤵
  PID:3440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtlyrmbtlysjcsmon.exe
1⤵
PID:6140
- C:\Windows\dtlyrmbtlysjcsmon.exe
  dtlyrmbtlysjcsmon.exe
  2⤵
  PID:3052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xpjytqhbvkgzumimnvb.exe .
1⤵
PID:5072
- C:\Windows\xpjytqhbvkgzumimnvb.exe
  xpjytqhbvkgzumimnvb.exe .
  2⤵
  PID:4792
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\xpjytqhbvkgzumimnvb.exe*."
    3⤵
    PID:4180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dtlyrmbtlysjcsmon.exe .
1⤵
PID:3380
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2000
- C:\Windows\dtlyrmbtlysjcsmon.exe
  dtlyrmbtlysjcsmon.exe .
  2⤵
  PID:4128
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\dtlyrmbtlysjcsmon.exe*."
    3⤵
    PID:5100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kdyokiavqgdxtmjoqzgz.exe .
1⤵
PID:4668
- C:\Windows\kdyokiavqgdxtmjoqzgz.exe
  kdyokiavqgdxtmjoqzgz.exe .
  2⤵
  PID:1920
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\kdyokiavqgdxtmjoqzgz.exe*."
    3⤵
    PID:3328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xpjytqhbvkgzumimnvb.exe
1⤵
PID:4784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wlcogaofwibrjyrs.exe
1⤵
PID:4720
- C:\Windows\wlcogaofwibrjyrs.exe
  wlcogaofwibrjyrs.exe
  2⤵
  PID:3532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kdyokiavqgdxtmjoqzgz.exe
1⤵
PID:2404
- C:\Windows\kdyokiavqgdxtmjoqzgz.exe
  kdyokiavqgdxtmjoqzgz.exe
  2⤵
  PID:3232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztpgdcvrnecxuomsvfnhd.exe .
1⤵
PID:2740
- C:\Windows\ztpgdcvrnecxuomsvfnhd.exe
  ztpgdcvrnecxuomsvfnhd.exe .
  2⤵
  PID:2144
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\ztpgdcvrnecxuomsvfnhd.exe*."
    3⤵
    PID:6132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wlcogaofwibrjyrs.exe .
1⤵
PID:4492
- C:\Windows\wlcogaofwibrjyrs.exe
  wlcogaofwibrjyrs.exe .
  2⤵
  PID:6076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kdyokiavqgdxtmjoqzgz.exe .
1⤵
PID:3032
- C:\Windows\kdyokiavqgdxtmjoqzgz.exe
  kdyokiavqgdxtmjoqzgz.exe .
  2⤵
  PID:5632
- - C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\kdyokiavqgdxtmjoqzgz.exe*."
    3⤵
    PID:1396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe
1⤵
PID:1080
- C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe
  C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe
  2⤵
  PID:1360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe
1⤵
PID:2280
- C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe
  C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe
  2⤵
  PID:5880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe
1⤵
PID:6028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe .
1⤵
PID:5204
- C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe
  C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe .
  2⤵
  PID:3872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe .
1⤵
PID:2924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe .
1⤵
PID:2284
- C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe
  C:\Users\Admin\AppData\Local\Temp\ztpgdcvrnecxuomsvfnhd.exe .
  2⤵
  PID:3228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe
1⤵
PID:4864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe
1⤵
PID:2156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtlyrmbtlysjcsmon.exe
1⤵
PID:4896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdwkeaqjcqldxojmmt.exe .
1⤵
PID:996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xpjytqhbvkgzumimnvb.exe .
1⤵
PID:4028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kdyokiavqgdxtmjoqzgz.exe .
1⤵
PID:1064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Safe Mode Boot

T1562.009

Modify Registry