pykspa | 652e9328a0cf9053848fb72390ca8381e6c543a109932763caf4e60422779836

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	cdfsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	cdfsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vcmnxryrfmw.exe

Pykspa
Pykspa is a worm spreads via Skype uses DGA and it's written in C++.
worm pykspa
Pykspa family
pykspa

UAC bypass 3 TTPs 27 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cdfsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cdfsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	cdfsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cdfsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cdfsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cdfsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cdfsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	cdfsv.exe

Detect Pykspa worm 2 IoCs

worm

resource	yara_rule
behavioral2/files/0x00090000000227cb-4.dat	family_pykspa
behavioral2/files/0x0008000000024291-103.dat	family_pykspa

Adds policy Run key to start application 2 TTPs 58 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\npsgko = "nduwogxtomcvfybrtpfw.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nduwogxtomcvfybrtpfw.exe"	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zlywkylduoapvkjv.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\npsgko = "pdssiynhawkbjabppj.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\npsgko = "pdssiynhawkbjabppj.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gthgvkyrjerhoeerq.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\npsgko = "zlywkylduoapvkjv.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\npsgko = "zlywkylduoapvkjv.exe"	cdfsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\npsgko = "nduwogxtomcvfybrtpfw.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctlohasplkbvgaevyvmeh.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\npsgko = "ctlohasplkbvgaevyvmeh.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\npsgko = "ctlohasplkbvgaevyvmeh.exe"	cdfsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\npsgko = "gthgvkyrjerhoeerq.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gthgvkyrjerhoeerq.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zlywkylduoapvkjv.exe"	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pdssiynhawkbjabppj.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\npsgko = "nduwogxtomcvfybrtpfw.exe"	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\npsgko = "pdssiynhawkbjabppj.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nduwogxtomcvfybrtpfw.exe"	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\npsgko = "zlywkylduoapvkjv.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gthgvkyrjerhoeerq.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\npsgko = "pdssiynhawkbjabppj.exe"	cdfsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nduwogxtomcvfybrtpfw.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\npsgko = "ctlohasplkbvgaevyvmeh.exe"	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nduwogxtomcvfybrtpfw.exe"	cdfsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gthgvkyrjerhoeerq.exe"	cdfsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apfgxoeztqfxgyapqla.exe"	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\npsgko = "apfgxoeztqfxgyapqla.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apfgxoeztqfxgyapqla.exe"	cdfsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\npsgko = "apfgxoeztqfxgyapqla.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\npsgko = "pdssiynhawkbjabppj.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\npsgko = "pdssiynhawkbjabppj.exe"	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	cdfsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gthgvkyrjerhoeerq.exe"	cdfsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apfgxoeztqfxgyapqla.exe"	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctlohasplkbvgaevyvmeh.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gthgvkyrjerhoeerq.exe"	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	cdfsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nduwogxtomcvfybrtpfw.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\npsgko = "nduwogxtomcvfybrtpfw.exe"	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\npsgko = "pdssiynhawkbjabppj.exe"	cdfsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pdssiynhawkbjabppj.exe"	cdfsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vcmnxryrfmw.exe

Disables RegEdit via registry modification 20 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cdfsv.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cdfsv.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cdfsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cdfsv.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vcmnxryrfmw.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	gthgvkyrjerhoeerq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	zlywkylduoapvkjv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	zlywkylduoapvkjv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	apfgxoeztqfxgyapqla.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	nduwogxtomcvfybrtpfw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	apfgxoeztqfxgyapqla.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	ctlohasplkbvgaevyvmeh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	nduwogxtomcvfybrtpfw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	ctlohasplkbvgaevyvmeh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	vcmnxryrfmw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	apfgxoeztqfxgyapqla.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	ctlohasplkbvgaevyvmeh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	ctlohasplkbvgaevyvmeh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	gthgvkyrjerhoeerq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	pdssiynhawkbjabppj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	gthgvkyrjerhoeerq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	ctlohasplkbvgaevyvmeh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	gthgvkyrjerhoeerq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	nduwogxtomcvfybrtpfw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	nduwogxtomcvfybrtpfw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	nduwogxtomcvfybrtpfw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	nduwogxtomcvfybrtpfw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	nduwogxtomcvfybrtpfw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	ctlohasplkbvgaevyvmeh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	apfgxoeztqfxgyapqla.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	pdssiynhawkbjabppj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	apfgxoeztqfxgyapqla.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	zlywkylduoapvkjv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	gthgvkyrjerhoeerq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	gthgvkyrjerhoeerq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	ctlohasplkbvgaevyvmeh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	apfgxoeztqfxgyapqla.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	zlywkylduoapvkjv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	ctlohasplkbvgaevyvmeh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	ctlohasplkbvgaevyvmeh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	pdssiynhawkbjabppj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	ctlohasplkbvgaevyvmeh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	JaffaCakes118_9759f528df016abbf34917f4c3f0bce8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	ctlohasplkbvgaevyvmeh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	gthgvkyrjerhoeerq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	zlywkylduoapvkjv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	pdssiynhawkbjabppj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	apfgxoeztqfxgyapqla.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	zlywkylduoapvkjv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	pdssiynhawkbjabppj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	zlywkylduoapvkjv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	nduwogxtomcvfybrtpfw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	zlywkylduoapvkjv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	gthgvkyrjerhoeerq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	apfgxoeztqfxgyapqla.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	nduwogxtomcvfybrtpfw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	pdssiynhawkbjabppj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	gthgvkyrjerhoeerq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	pdssiynhawkbjabppj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	pdssiynhawkbjabppj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	pdssiynhawkbjabppj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	nduwogxtomcvfybrtpfw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	gthgvkyrjerhoeerq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	gthgvkyrjerhoeerq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	apfgxoeztqfxgyapqla.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	ctlohasplkbvgaevyvmeh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	pdssiynhawkbjabppj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	ctlohasplkbvgaevyvmeh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	gthgvkyrjerhoeerq.exe

Executes dropped EXE 64 IoCs

pid	Process
5044	vcmnxryrfmw.exe
3288	gthgvkyrjerhoeerq.exe
4988	gthgvkyrjerhoeerq.exe
5020	vcmnxryrfmw.exe
3580	apfgxoeztqfxgyapqla.exe
1608	apfgxoeztqfxgyapqla.exe
2464	zlywkylduoapvkjv.exe
3684	vcmnxryrfmw.exe
5756	ctlohasplkbvgaevyvmeh.exe
5232	vcmnxryrfmw.exe
4404	nduwogxtomcvfybrtpfw.exe
2612	nduwogxtomcvfybrtpfw.exe
3940	vcmnxryrfmw.exe
860	cdfsv.exe
5412	cdfsv.exe
5532	nduwogxtomcvfybrtpfw.exe
1248	apfgxoeztqfxgyapqla.exe
3272	pdssiynhawkbjabppj.exe
2280	nduwogxtomcvfybrtpfw.exe
4552	vcmnxryrfmw.exe
4816	zlywkylduoapvkjv.exe
4868	vcmnxryrfmw.exe
2208	gthgvkyrjerhoeerq.exe
3944	pdssiynhawkbjabppj.exe
4852	ctlohasplkbvgaevyvmeh.exe
4948	zlywkylduoapvkjv.exe
4780	vcmnxryrfmw.exe
1120	apfgxoeztqfxgyapqla.exe
920	vcmnxryrfmw.exe
776	vcmnxryrfmw.exe
4312	ctlohasplkbvgaevyvmeh.exe
2124	gthgvkyrjerhoeerq.exe
4716	ctlohasplkbvgaevyvmeh.exe
1728	nduwogxtomcvfybrtpfw.exe
3228	nduwogxtomcvfybrtpfw.exe
5384	gthgvkyrjerhoeerq.exe
1116	vcmnxryrfmw.exe
2260	vcmnxryrfmw.exe
6052	vcmnxryrfmw.exe
5168	pdssiynhawkbjabppj.exe
3248	zlywkylduoapvkjv.exe
4624	vcmnxryrfmw.exe
5540	apfgxoeztqfxgyapqla.exe
4340	zlywkylduoapvkjv.exe
1432	apfgxoeztqfxgyapqla.exe
4656	vcmnxryrfmw.exe
3936	nduwogxtomcvfybrtpfw.exe
5916	vcmnxryrfmw.exe
4820	apfgxoeztqfxgyapqla.exe
5060	nduwogxtomcvfybrtpfw.exe
2208	vcmnxryrfmw.exe
1064	nduwogxtomcvfybrtpfw.exe
1068	nduwogxtomcvfybrtpfw.exe
684	apfgxoeztqfxgyapqla.exe
5284	nduwogxtomcvfybrtpfw.exe
976	vcmnxryrfmw.exe
776	apfgxoeztqfxgyapqla.exe
212	pdssiynhawkbjabppj.exe
2804	nduwogxtomcvfybrtpfw.exe
2612	vcmnxryrfmw.exe
5560	vcmnxryrfmw.exe
4652	pdssiynhawkbjabppj.exe
2756	zlywkylduoapvkjv.exe
5892	nduwogxtomcvfybrtpfw.exe

Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	cdfsv.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	cdfsv.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	cdfsv.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	cdfsv.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	cdfsv.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	cdfsv.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

defense_evasion persistence privilege_escalation

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zfmemubnym = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zlywkylduoapvkjv.exe"	cdfsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adhwbgk = "nduwogxtomcvfybrtpfw.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ttug = "pdssiynhawkbjabppj.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\cdfsv = "ctlohasplkbvgaevyvmeh.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ttug = "ctlohasplkbvgaevyvmeh.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adhwbgk = "ctlohasplkbvgaevyvmeh.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cdfsv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gthgvkyrjerhoeerq.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ttug = "gthgvkyrjerhoeerq.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ptyouafp = "ctlohasplkbvgaevyvmeh.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ttug = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zlywkylduoapvkjv.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ptyouafp = "apfgxoeztqfxgyapqla.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\cdfsv = "ctlohasplkbvgaevyvmeh.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\glripwcnx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctlohasplkbvgaevyvmeh.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ptyouafp = "zlywkylduoapvkjv.exe ."	cdfsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ttug = "apfgxoeztqfxgyapqla.exe"	cdfsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\cdfsv = "apfgxoeztqfxgyapqla.exe ."	cdfsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adhwbgk = "zlywkylduoapvkjv.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\glripwcnx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zlywkylduoapvkjv.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\glripwcnx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctlohasplkbvgaevyvmeh.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ttug = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctlohasplkbvgaevyvmeh.exe"	cdfsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zfmemubnym = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctlohasplkbvgaevyvmeh.exe"	cdfsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ptyouafp = "ctlohasplkbvgaevyvmeh.exe ."	cdfsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ptyouafp = "ctlohasplkbvgaevyvmeh.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ptyouafp = "nduwogxtomcvfybrtpfw.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ttug = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apfgxoeztqfxgyapqla.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cdfsv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctlohasplkbvgaevyvmeh.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zfmemubnym = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nduwogxtomcvfybrtpfw.exe"	cdfsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\glripwcnx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctlohasplkbvgaevyvmeh.exe ."	cdfsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cdfsv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apfgxoeztqfxgyapqla.exe ."	cdfsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ptyouafp = "apfgxoeztqfxgyapqla.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ttug = "zlywkylduoapvkjv.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zfmemubnym = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apfgxoeztqfxgyapqla.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cdfsv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nduwogxtomcvfybrtpfw.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zfmemubnym = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zlywkylduoapvkjv.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\cdfsv = "nduwogxtomcvfybrtpfw.exe ."	cdfsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ptyouafp = "zlywkylduoapvkjv.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adhwbgk = "gthgvkyrjerhoeerq.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ttug = "ctlohasplkbvgaevyvmeh.exe"	cdfsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ptyouafp = "apfgxoeztqfxgyapqla.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cdfsv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apfgxoeztqfxgyapqla.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cdfsv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gthgvkyrjerhoeerq.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ttug = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nduwogxtomcvfybrtpfw.exe"	cdfsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\glripwcnx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zlywkylduoapvkjv.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ttug = "apfgxoeztqfxgyapqla.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\cdfsv = "ctlohasplkbvgaevyvmeh.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adhwbgk = "nduwogxtomcvfybrtpfw.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ttug = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nduwogxtomcvfybrtpfw.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ttug = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apfgxoeztqfxgyapqla.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\cdfsv = "apfgxoeztqfxgyapqla.exe ."	cdfsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\glripwcnx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gthgvkyrjerhoeerq.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ttug = "zlywkylduoapvkjv.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ttug = "pdssiynhawkbjabppj.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ptyouafp = "pdssiynhawkbjabppj.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\glripwcnx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gthgvkyrjerhoeerq.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ttug = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apfgxoeztqfxgyapqla.exe"	cdfsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ttug = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zlywkylduoapvkjv.exe"	cdfsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adhwbgk = "apfgxoeztqfxgyapqla.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\glripwcnx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctlohasplkbvgaevyvmeh.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adhwbgk = "zlywkylduoapvkjv.exe"	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\glripwcnx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pdssiynhawkbjabppj.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ttug = "gthgvkyrjerhoeerq.exe"	cdfsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ptyouafp = "nduwogxtomcvfybrtpfw.exe ."	cdfsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\cdfsv = "apfgxoeztqfxgyapqla.exe ."	vcmnxryrfmw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adhwbgk = "nduwogxtomcvfybrtpfw.exe"	vcmnxryrfmw.exe

Checks whether UAC is enabled 1 TTPs 36 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cdfsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cdfsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vcmnxryrfmw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vcmnxryrfmw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vcmnxryrfmw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vcmnxryrfmw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vcmnxryrfmw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cdfsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cdfsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vcmnxryrfmw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vcmnxryrfmw.exe

Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs

Possible Turn off User Account Control's privilege elevation for standard users.

Executable Installer File Permissions Weakness

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	cdfsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	cdfsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	vcmnxryrfmw.exe

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
46	www.whatismyip.ca
49	www.whatismyip.ca
29	www.showmyipaddress.com
35	whatismyipaddress.com
40	www.whatismyip.ca

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\tleicwpnkkcxjejbfdvosm.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\apfgxoeztqfxgyapqla.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\apfgxoeztqfxgyapqla.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\tleicwpnkkcxjejbfdvosm.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\pdssiynhawkbjabppj.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\ctlohasplkbvgaevyvmeh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\nduwogxtomcvfybrtpfw.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\pdssiynhawkbjabppj.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\ctlohasplkbvgaevyvmeh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\pdssiynhawkbjabppj.exe	cdfsv.exe
File opened for modification	C:\Windows\SysWOW64\nduwogxtomcvfybrtpfw.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\pdssiynhawkbjabppj.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\tleicwpnkkcxjejbfdvosm.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\gthgvkyrjerhoeerq.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\pdssiynhawkbjabppj.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\ctlohasplkbvgaevyvmeh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\gthgvkyrjerhoeerq.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\tleicwpnkkcxjejbfdvosm.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\zlywkylduoapvkjv.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\pdssiynhawkbjabppj.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\pdssiynhawkbjabppj.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\apfgxoeztqfxgyapqla.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\zlywkylduoapvkjv.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\pdssiynhawkbjabppj.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\zlywkylduoapvkjv.exe	vcmnxryrfmw.exe
File created	C:\Windows\SysWOW64\qzjepakznenzcoktodmwrcnxmarampbxgbq.jep	cdfsv.exe
File opened for modification	C:\Windows\SysWOW64\nduwogxtomcvfybrtpfw.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\gthgvkyrjerhoeerq.exe	cdfsv.exe
File opened for modification	C:\Windows\SysWOW64\zlywkylduoapvkjv.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\zlywkylduoapvkjv.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\apfgxoeztqfxgyapqla.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\zlywkylduoapvkjv.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\zlywkylduoapvkjv.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\zlywkylduoapvkjv.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\gthgvkyrjerhoeerq.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\zlywkylduoapvkjv.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\zlywkylduoapvkjv.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\ctlohasplkbvgaevyvmeh.exe	cdfsv.exe
File opened for modification	C:\Windows\SysWOW64\tleicwpnkkcxjejbfdvosm.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\nduwogxtomcvfybrtpfw.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\ctlohasplkbvgaevyvmeh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\apfgxoeztqfxgyapqla.exe	cdfsv.exe
File opened for modification	C:\Windows\SysWOW64\ctlohasplkbvgaevyvmeh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\gthgvkyrjerhoeerq.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\ctlohasplkbvgaevyvmeh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\gthgvkyrjerhoeerq.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\tleicwpnkkcxjejbfdvosm.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\pdssiynhawkbjabppj.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\apfgxoeztqfxgyapqla.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\apfgxoeztqfxgyapqla.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\ctlohasplkbvgaevyvmeh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\tleicwpnkkcxjejbfdvosm.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\zlywkylduoapvkjv.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\nduwogxtomcvfybrtpfw.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\gthgvkyrjerhoeerq.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\gthgvkyrjerhoeerq.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\nduwogxtomcvfybrtpfw.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\ctlohasplkbvgaevyvmeh.exe	cdfsv.exe
File opened for modification	C:\Windows\SysWOW64\tleicwpnkkcxjejbfdvosm.exe	cdfsv.exe
File created	C:\Windows\SysWOW64\hfeooonruayzrsdblpnmwwwv.cig	cdfsv.exe
File opened for modification	C:\Windows\SysWOW64\zlywkylduoapvkjv.exe	cdfsv.exe
File opened for modification	C:\Windows\SysWOW64\apfgxoeztqfxgyapqla.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\pdssiynhawkbjabppj.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\SysWOW64\nduwogxtomcvfybrtpfw.exe	cdfsv.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\hfeooonruayzrsdblpnmwwwv.cig	cdfsv.exe
File created	C:\Program Files (x86)\hfeooonruayzrsdblpnmwwwv.cig	cdfsv.exe
File opened for modification	C:\Program Files (x86)\qzjepakznenzcoktodmwrcnxmarampbxgbq.jep	cdfsv.exe
File created	C:\Program Files (x86)\qzjepakznenzcoktodmwrcnxmarampbxgbq.jep	cdfsv.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\gthgvkyrjerhoeerq.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\pdssiynhawkbjabppj.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\gthgvkyrjerhoeerq.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\tleicwpnkkcxjejbfdvosm.exe	cdfsv.exe
File opened for modification	C:\Windows\gthgvkyrjerhoeerq.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\apfgxoeztqfxgyapqla.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\tleicwpnkkcxjejbfdvosm.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\gthgvkyrjerhoeerq.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\zlywkylduoapvkjv.exe	cdfsv.exe
File opened for modification	C:\Windows\pdssiynhawkbjabppj.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\tleicwpnkkcxjejbfdvosm.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\tleicwpnkkcxjejbfdvosm.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\ctlohasplkbvgaevyvmeh.exe	cdfsv.exe
File opened for modification	C:\Windows\apfgxoeztqfxgyapqla.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\zlywkylduoapvkjv.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\gthgvkyrjerhoeerq.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\pdssiynhawkbjabppj.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\gthgvkyrjerhoeerq.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\gthgvkyrjerhoeerq.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\apfgxoeztqfxgyapqla.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\nduwogxtomcvfybrtpfw.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\ctlohasplkbvgaevyvmeh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\apfgxoeztqfxgyapqla.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\apfgxoeztqfxgyapqla.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\pdssiynhawkbjabppj.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\nduwogxtomcvfybrtpfw.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\ctlohasplkbvgaevyvmeh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\ctlohasplkbvgaevyvmeh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\zlywkylduoapvkjv.exe	cdfsv.exe
File opened for modification	C:\Windows\gthgvkyrjerhoeerq.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\apfgxoeztqfxgyapqla.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\nduwogxtomcvfybrtpfw.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\gthgvkyrjerhoeerq.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\gthgvkyrjerhoeerq.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\ctlohasplkbvgaevyvmeh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\zlywkylduoapvkjv.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\zlywkylduoapvkjv.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\pdssiynhawkbjabppj.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\pdssiynhawkbjabppj.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\apfgxoeztqfxgyapqla.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\pdssiynhawkbjabppj.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\tleicwpnkkcxjejbfdvosm.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\gthgvkyrjerhoeerq.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\apfgxoeztqfxgyapqla.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\zlywkylduoapvkjv.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\apfgxoeztqfxgyapqla.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\pdssiynhawkbjabppj.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\tleicwpnkkcxjejbfdvosm.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\ctlohasplkbvgaevyvmeh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\apfgxoeztqfxgyapqla.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\pdssiynhawkbjabppj.exe	cdfsv.exe
File opened for modification	C:\Windows\pdssiynhawkbjabppj.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\zlywkylduoapvkjv.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\pdssiynhawkbjabppj.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\ctlohasplkbvgaevyvmeh.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\nduwogxtomcvfybrtpfw.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\nduwogxtomcvfybrtpfw.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\tleicwpnkkcxjejbfdvosm.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\qzjepakznenzcoktodmwrcnxmarampbxgbq.jep	cdfsv.exe
File opened for modification	C:\Windows\apfgxoeztqfxgyapqla.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\tleicwpnkkcxjejbfdvosm.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\apfgxoeztqfxgyapqla.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\nduwogxtomcvfybrtpfw.exe	vcmnxryrfmw.exe
File opened for modification	C:\Windows\ctlohasplkbvgaevyvmeh.exe	vcmnxryrfmw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cdfsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pdssiynhawkbjabppj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctlohasplkbvgaevyvmeh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nduwogxtomcvfybrtpfw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zlywkylduoapvkjv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gthgvkyrjerhoeerq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gthgvkyrjerhoeerq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctlohasplkbvgaevyvmeh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zlywkylduoapvkjv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nduwogxtomcvfybrtpfw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apfgxoeztqfxgyapqla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gthgvkyrjerhoeerq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gthgvkyrjerhoeerq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nduwogxtomcvfybrtpfw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zlywkylduoapvkjv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pdssiynhawkbjabppj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apfgxoeztqfxgyapqla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pdssiynhawkbjabppj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nduwogxtomcvfybrtpfw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zlywkylduoapvkjv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gthgvkyrjerhoeerq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apfgxoeztqfxgyapqla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apfgxoeztqfxgyapqla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zlywkylduoapvkjv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pdssiynhawkbjabppj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctlohasplkbvgaevyvmeh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apfgxoeztqfxgyapqla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zlywkylduoapvkjv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zlywkylduoapvkjv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zlywkylduoapvkjv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nduwogxtomcvfybrtpfw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctlohasplkbvgaevyvmeh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gthgvkyrjerhoeerq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nduwogxtomcvfybrtpfw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctlohasplkbvgaevyvmeh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctlohasplkbvgaevyvmeh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nduwogxtomcvfybrtpfw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pdssiynhawkbjabppj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pdssiynhawkbjabppj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gthgvkyrjerhoeerq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_9759f528df016abbf34917f4c3f0bce8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pdssiynhawkbjabppj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gthgvkyrjerhoeerq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zlywkylduoapvkjv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pdssiynhawkbjabppj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nduwogxtomcvfybrtpfw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apfgxoeztqfxgyapqla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nduwogxtomcvfybrtpfw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctlohasplkbvgaevyvmeh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nduwogxtomcvfybrtpfw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zlywkylduoapvkjv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gthgvkyrjerhoeerq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctlohasplkbvgaevyvmeh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nduwogxtomcvfybrtpfw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctlohasplkbvgaevyvmeh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apfgxoeztqfxgyapqla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nduwogxtomcvfybrtpfw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctlohasplkbvgaevyvmeh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctlohasplkbvgaevyvmeh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctlohasplkbvgaevyvmeh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nduwogxtomcvfybrtpfw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nduwogxtomcvfybrtpfw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctlohasplkbvgaevyvmeh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pdssiynhawkbjabppj.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2452	JaffaCakes118_9759f528df016abbf34917f4c3f0bce8.exe
2452	JaffaCakes118_9759f528df016abbf34917f4c3f0bce8.exe
2452	JaffaCakes118_9759f528df016abbf34917f4c3f0bce8.exe
2452	JaffaCakes118_9759f528df016abbf34917f4c3f0bce8.exe
2452	JaffaCakes118_9759f528df016abbf34917f4c3f0bce8.exe
2452	JaffaCakes118_9759f528df016abbf34917f4c3f0bce8.exe
2452	JaffaCakes118_9759f528df016abbf34917f4c3f0bce8.exe
2452	JaffaCakes118_9759f528df016abbf34917f4c3f0bce8.exe
2452	JaffaCakes118_9759f528df016abbf34917f4c3f0bce8.exe
2452	JaffaCakes118_9759f528df016abbf34917f4c3f0bce8.exe
2452	JaffaCakes118_9759f528df016abbf34917f4c3f0bce8.exe
2452	JaffaCakes118_9759f528df016abbf34917f4c3f0bce8.exe
2452	JaffaCakes118_9759f528df016abbf34917f4c3f0bce8.exe
2452	JaffaCakes118_9759f528df016abbf34917f4c3f0bce8.exe
2452	JaffaCakes118_9759f528df016abbf34917f4c3f0bce8.exe
2452	JaffaCakes118_9759f528df016abbf34917f4c3f0bce8.exe
860	cdfsv.exe
860	cdfsv.exe
2452	JaffaCakes118_9759f528df016abbf34917f4c3f0bce8.exe
2452	JaffaCakes118_9759f528df016abbf34917f4c3f0bce8.exe
2452	JaffaCakes118_9759f528df016abbf34917f4c3f0bce8.exe
2452	JaffaCakes118_9759f528df016abbf34917f4c3f0bce8.exe
2452	JaffaCakes118_9759f528df016abbf34917f4c3f0bce8.exe
2452	JaffaCakes118_9759f528df016abbf34917f4c3f0bce8.exe
2452	JaffaCakes118_9759f528df016abbf34917f4c3f0bce8.exe
2452	JaffaCakes118_9759f528df016abbf34917f4c3f0bce8.exe
2452	JaffaCakes118_9759f528df016abbf34917f4c3f0bce8.exe
2452	JaffaCakes118_9759f528df016abbf34917f4c3f0bce8.exe
2452	JaffaCakes118_9759f528df016abbf34917f4c3f0bce8.exe
2452	JaffaCakes118_9759f528df016abbf34917f4c3f0bce8.exe
2452	JaffaCakes118_9759f528df016abbf34917f4c3f0bce8.exe
2452	JaffaCakes118_9759f528df016abbf34917f4c3f0bce8.exe
2452	JaffaCakes118_9759f528df016abbf34917f4c3f0bce8.exe
2452	JaffaCakes118_9759f528df016abbf34917f4c3f0bce8.exe
2452	JaffaCakes118_9759f528df016abbf34917f4c3f0bce8.exe
2452	JaffaCakes118_9759f528df016abbf34917f4c3f0bce8.exe
2452	JaffaCakes118_9759f528df016abbf34917f4c3f0bce8.exe
2452	JaffaCakes118_9759f528df016abbf34917f4c3f0bce8.exe
2452	JaffaCakes118_9759f528df016abbf34917f4c3f0bce8.exe
2452	JaffaCakes118_9759f528df016abbf34917f4c3f0bce8.exe
2452	JaffaCakes118_9759f528df016abbf34917f4c3f0bce8.exe
2452	JaffaCakes118_9759f528df016abbf34917f4c3f0bce8.exe
2452	JaffaCakes118_9759f528df016abbf34917f4c3f0bce8.exe
2452	JaffaCakes118_9759f528df016abbf34917f4c3f0bce8.exe
2452	JaffaCakes118_9759f528df016abbf34917f4c3f0bce8.exe
2452	JaffaCakes118_9759f528df016abbf34917f4c3f0bce8.exe
2452	JaffaCakes118_9759f528df016abbf34917f4c3f0bce8.exe
2452	JaffaCakes118_9759f528df016abbf34917f4c3f0bce8.exe
2452	JaffaCakes118_9759f528df016abbf34917f4c3f0bce8.exe
2452	JaffaCakes118_9759f528df016abbf34917f4c3f0bce8.exe
2452	JaffaCakes118_9759f528df016abbf34917f4c3f0bce8.exe
2452	JaffaCakes118_9759f528df016abbf34917f4c3f0bce8.exe
860	cdfsv.exe
860	cdfsv.exe
2452	JaffaCakes118_9759f528df016abbf34917f4c3f0bce8.exe
2452	JaffaCakes118_9759f528df016abbf34917f4c3f0bce8.exe
2452	JaffaCakes118_9759f528df016abbf34917f4c3f0bce8.exe
2452	JaffaCakes118_9759f528df016abbf34917f4c3f0bce8.exe
2452	JaffaCakes118_9759f528df016abbf34917f4c3f0bce8.exe
2452	JaffaCakes118_9759f528df016abbf34917f4c3f0bce8.exe
2452	JaffaCakes118_9759f528df016abbf34917f4c3f0bce8.exe
2452	JaffaCakes118_9759f528df016abbf34917f4c3f0bce8.exe
2452	JaffaCakes118_9759f528df016abbf34917f4c3f0bce8.exe
2452	JaffaCakes118_9759f528df016abbf34917f4c3f0bce8.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	860	cdfsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 5044	2452	JaffaCakes118_9759f528df016abbf34917f4c3f0bce8.exe	91
PID 2452 wrote to memory of 5044	2452	JaffaCakes118_9759f528df016abbf34917f4c3f0bce8.exe	91
PID 2452 wrote to memory of 5044	2452	JaffaCakes118_9759f528df016abbf34917f4c3f0bce8.exe	91
PID 4856 wrote to memory of 3288	4856	cmd.exe	94
PID 4856 wrote to memory of 3288	4856	cmd.exe	94
PID 4856 wrote to memory of 3288	4856	cmd.exe	94
PID 1968 wrote to memory of 4988	1968	cmd.exe	98
PID 1968 wrote to memory of 4988	1968	cmd.exe	98
PID 1968 wrote to memory of 4988	1968	cmd.exe	98
PID 4988 wrote to memory of 5020	4988	gthgvkyrjerhoeerq.exe	100
PID 4988 wrote to memory of 5020	4988	gthgvkyrjerhoeerq.exe	100
PID 4988 wrote to memory of 5020	4988	gthgvkyrjerhoeerq.exe	100
PID 4608 wrote to memory of 3580	4608	cmd.exe	105
PID 4608 wrote to memory of 3580	4608	cmd.exe	105
PID 4608 wrote to memory of 3580	4608	cmd.exe	105
PID 3016 wrote to memory of 1608	3016	cmd.exe	108
PID 3016 wrote to memory of 1608	3016	cmd.exe	108
PID 3016 wrote to memory of 1608	3016	cmd.exe	108
PID 4792 wrote to memory of 2464	4792	cmd.exe	111
PID 4792 wrote to memory of 2464	4792	cmd.exe	111
PID 4792 wrote to memory of 2464	4792	cmd.exe	111
PID 1608 wrote to memory of 3684	1608	apfgxoeztqfxgyapqla.exe	112
PID 1608 wrote to memory of 3684	1608	apfgxoeztqfxgyapqla.exe	112
PID 1608 wrote to memory of 3684	1608	apfgxoeztqfxgyapqla.exe	112
PID 776 wrote to memory of 5756	776	cmd.exe	113
PID 776 wrote to memory of 5756	776	cmd.exe	113
PID 776 wrote to memory of 5756	776	cmd.exe	113
PID 5756 wrote to memory of 5232	5756	ctlohasplkbvgaevyvmeh.exe	116
PID 5756 wrote to memory of 5232	5756	ctlohasplkbvgaevyvmeh.exe	116
PID 5756 wrote to memory of 5232	5756	ctlohasplkbvgaevyvmeh.exe	116
PID 5384 wrote to memory of 4404	5384	cmd.exe	117
PID 5384 wrote to memory of 4404	5384	cmd.exe	117
PID 5384 wrote to memory of 4404	5384	cmd.exe	117
PID 4028 wrote to memory of 2612	4028	cmd.exe	120
PID 4028 wrote to memory of 2612	4028	cmd.exe	120
PID 4028 wrote to memory of 2612	4028	cmd.exe	120
PID 2612 wrote to memory of 3940	2612	nduwogxtomcvfybrtpfw.exe	121
PID 2612 wrote to memory of 3940	2612	nduwogxtomcvfybrtpfw.exe	121
PID 2612 wrote to memory of 3940	2612	nduwogxtomcvfybrtpfw.exe	121
PID 5044 wrote to memory of 860	5044	vcmnxryrfmw.exe	122
PID 5044 wrote to memory of 860	5044	vcmnxryrfmw.exe	122
PID 5044 wrote to memory of 860	5044	vcmnxryrfmw.exe	122
PID 5044 wrote to memory of 5412	5044	vcmnxryrfmw.exe	123
PID 5044 wrote to memory of 5412	5044	vcmnxryrfmw.exe	123
PID 5044 wrote to memory of 5412	5044	vcmnxryrfmw.exe	123
PID 4336 wrote to memory of 5532	4336	cmd.exe	129
PID 4336 wrote to memory of 5532	4336	cmd.exe	129
PID 4336 wrote to memory of 5532	4336	cmd.exe	129
PID 3988 wrote to memory of 1248	3988	cmd.exe	196
PID 3988 wrote to memory of 1248	3988	cmd.exe	196
PID 3988 wrote to memory of 1248	3988	cmd.exe	196
PID 1696 wrote to memory of 3272	1696	cmd.exe	283
PID 1696 wrote to memory of 3272	1696	cmd.exe	283
PID 1696 wrote to memory of 3272	1696	cmd.exe	283
PID 400 wrote to memory of 2280	400	cmd.exe	140
PID 400 wrote to memory of 2280	400	cmd.exe	140
PID 400 wrote to memory of 2280	400	cmd.exe	140
PID 3272 wrote to memory of 4552	3272	pdssiynhawkbjabppj.exe	333
PID 3272 wrote to memory of 4552	3272	pdssiynhawkbjabppj.exe	333
PID 3272 wrote to memory of 4552	3272	pdssiynhawkbjabppj.exe	333
PID 4280 wrote to memory of 4816	4280	cmd.exe	154
PID 4280 wrote to memory of 4816	4280	cmd.exe	154
PID 4280 wrote to memory of 4816	4280	cmd.exe	154
PID 2280 wrote to memory of 4868	2280	nduwogxtomcvfybrtpfw.exe	155

System policy modification 1 TTPs 64 IoCs

defense_evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	cdfsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cdfsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cdfsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	cdfsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cdfsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	cdfsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	cdfsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	cdfsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cdfsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	cdfsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	cdfsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cdfsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	cdfsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	cdfsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cdfsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	cdfsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cdfsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cdfsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	cdfsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cdfsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	cdfsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	cdfsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vcmnxryrfmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	vcmnxryrfmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cdfsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	cdfsv.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9759f528df016abbf34917f4c3f0bce8.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9759f528df016abbf34917f4c3f0bce8.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
  "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_9759f528df016abbf34917f4c3f0bce8.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Hijack Execution Flow: Executable Installer File Permissions Weakness
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:5044
- - C:\Users\Admin\AppData\Local\Temp\cdfsv.exe
    "C:\Users\Admin\AppData\Local\Temp\cdfsv.exe" "-c:\users\admin\appdata\local\temp\jaffacakes118_9759f528df016abbf34917f4c3f0bce8.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:860
- - C:\Users\Admin\AppData\Local\Temp\cdfsv.exe
    "C:\Users\Admin\AppData\Local\Temp\cdfsv.exe" "-c:\users\admin\appdata\local\temp\jaffacakes118_9759f528df016abbf34917f4c3f0bce8.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gthgvkyrjerhoeerq.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4856
- C:\Windows\gthgvkyrjerhoeerq.exe
  gthgvkyrjerhoeerq.exe
  2⤵
  - Executes dropped EXE
  PID:3288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gthgvkyrjerhoeerq.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Windows\gthgvkyrjerhoeerq.exe
  gthgvkyrjerhoeerq.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4988
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\gthgvkyrjerhoeerq.exe*."
    3⤵
    - Executes dropped EXE
    PID:5020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apfgxoeztqfxgyapqla.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4608
- C:\Windows\apfgxoeztqfxgyapqla.exe
  apfgxoeztqfxgyapqla.exe
  2⤵
  - Executes dropped EXE
  PID:3580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apfgxoeztqfxgyapqla.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Windows\apfgxoeztqfxgyapqla.exe
  apfgxoeztqfxgyapqla.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1608
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\apfgxoeztqfxgyapqla.exe*."
    3⤵
    - Executes dropped EXE
    PID:3684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4792
- C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe
  C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe
  2⤵
  - Executes dropped EXE
  PID:2464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:776
- C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe
  C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5756
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\ctlohasplkbvgaevyvmeh.exe*."
    3⤵
    - Executes dropped EXE
    PID:5232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5384
- C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe
  C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:4028
- C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe
  C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\nduwogxtomcvfybrtpfw.exe*."
    3⤵
    - Executes dropped EXE
    PID:3940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nduwogxtomcvfybrtpfw.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4336
- C:\Windows\nduwogxtomcvfybrtpfw.exe
  nduwogxtomcvfybrtpfw.exe
  2⤵
  - Executes dropped EXE
  PID:5532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apfgxoeztqfxgyapqla.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3988
- C:\Windows\apfgxoeztqfxgyapqla.exe
  apfgxoeztqfxgyapqla.exe
  2⤵
  - Executes dropped EXE
  PID:1248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdssiynhawkbjabppj.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Windows\pdssiynhawkbjabppj.exe
  pdssiynhawkbjabppj.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3272
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\pdssiynhawkbjabppj.exe*."
    3⤵
    - Executes dropped EXE
    PID:4552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nduwogxtomcvfybrtpfw.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:400
- C:\Windows\nduwogxtomcvfybrtpfw.exe
  nduwogxtomcvfybrtpfw.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2280
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\nduwogxtomcvfybrtpfw.exe*."
    3⤵
    - Executes dropped EXE
    PID:4868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctlohasplkbvgaevyvmeh.exe
1⤵
PID:5304
- C:\Windows\ctlohasplkbvgaevyvmeh.exe
  ctlohasplkbvgaevyvmeh.exe
  2⤵
  - Executes dropped EXE
  PID:4852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gthgvkyrjerhoeerq.exe
1⤵
PID:5196
- C:\Windows\gthgvkyrjerhoeerq.exe
  gthgvkyrjerhoeerq.exe
  2⤵
  - Executes dropped EXE
  PID:2208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdssiynhawkbjabppj.exe .
1⤵
PID:6048
- C:\Windows\pdssiynhawkbjabppj.exe
  pdssiynhawkbjabppj.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3944
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\pdssiynhawkbjabppj.exe*."
    3⤵
    - Executes dropped EXE
    PID:920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlywkylduoapvkjv.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:4280
- C:\Windows\zlywkylduoapvkjv.exe
  zlywkylduoapvkjv.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4816
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\zlywkylduoapvkjv.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe
1⤵
PID:4592
- C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe
  C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe
  2⤵
  - Executes dropped EXE
  PID:4948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe
1⤵
PID:5096
- C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe
  C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe
  2⤵
  - Executes dropped EXE
  PID:4312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe .
1⤵
PID:4444
- C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
  C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2124
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\gthgvkyrjerhoeerq.exe*."
    3⤵
    - Executes dropped EXE
    PID:1116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe .
1⤵
PID:4492
- C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe
  C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:1120
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\apfgxoeztqfxgyapqla.exe*."
    3⤵
    - Executes dropped EXE
    PID:776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe
1⤵
PID:4776
- C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe
  C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe
  2⤵
  - Executes dropped EXE
  PID:4716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe
1⤵
PID:1072
- C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe
  C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe
  2⤵
  - Executes dropped EXE
  PID:1728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe .
1⤵
PID:3416
- C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe
  C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3228
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\nduwogxtomcvfybrtpfw.exe*."
    3⤵
    - Executes dropped EXE
    PID:2260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe .
1⤵
PID:2936
- C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
  C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:5384
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\gthgvkyrjerhoeerq.exe*."
    3⤵
    - Executes dropped EXE
    PID:6052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdssiynhawkbjabppj.exe
1⤵
PID:1168
- C:\Windows\pdssiynhawkbjabppj.exe
  pdssiynhawkbjabppj.exe
  2⤵
  - Executes dropped EXE
  PID:5168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlywkylduoapvkjv.exe .
1⤵
PID:4628
- C:\Windows\zlywkylduoapvkjv.exe
  zlywkylduoapvkjv.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3248
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\zlywkylduoapvkjv.exe*."
    3⤵
    - Executes dropped EXE
    PID:4624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apfgxoeztqfxgyapqla.exe
1⤵
PID:2484
- C:\Windows\apfgxoeztqfxgyapqla.exe
  apfgxoeztqfxgyapqla.exe
  2⤵
  - Executes dropped EXE
  PID:5540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlywkylduoapvkjv.exe .
1⤵
PID:5720
- C:\Windows\zlywkylduoapvkjv.exe
  zlywkylduoapvkjv.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4340
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\zlywkylduoapvkjv.exe*."
    3⤵
    - Executes dropped EXE
    PID:4656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe
1⤵
PID:5248
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1248
- C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe
  C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe
  2⤵
  - Executes dropped EXE
  PID:1432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe .
1⤵
PID:1944
- C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe
  C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3936
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\nduwogxtomcvfybrtpfw.exe*."
    3⤵
    - Executes dropped EXE
    PID:5916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe
1⤵
PID:5724
- C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe
  C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe
  2⤵
  - Executes dropped EXE
  PID:4820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe .
1⤵
PID:512
- C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe
  C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5060
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\nduwogxtomcvfybrtpfw.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nduwogxtomcvfybrtpfw.exe
1⤵
PID:5464
- C:\Windows\nduwogxtomcvfybrtpfw.exe
  nduwogxtomcvfybrtpfw.exe
  2⤵
  - Executes dropped EXE
  PID:1064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nduwogxtomcvfybrtpfw.exe .
1⤵
PID:3904
- C:\Windows\nduwogxtomcvfybrtpfw.exe
  nduwogxtomcvfybrtpfw.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:1068
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\nduwogxtomcvfybrtpfw.exe*."
    3⤵
    - Executes dropped EXE
    PID:976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nduwogxtomcvfybrtpfw.exe
1⤵
PID:6024
- C:\Windows\nduwogxtomcvfybrtpfw.exe
  nduwogxtomcvfybrtpfw.exe
  2⤵
  - Executes dropped EXE
  PID:5284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apfgxoeztqfxgyapqla.exe
1⤵
PID:3308
- C:\Windows\apfgxoeztqfxgyapqla.exe
  apfgxoeztqfxgyapqla.exe
  2⤵
  - Executes dropped EXE
  PID:684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nduwogxtomcvfybrtpfw.exe
1⤵
PID:1388
- C:\Windows\nduwogxtomcvfybrtpfw.exe
  nduwogxtomcvfybrtpfw.exe
  2⤵
  - Executes dropped EXE
  PID:2804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apfgxoeztqfxgyapqla.exe .
1⤵
PID:5304
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1120
- C:\Windows\apfgxoeztqfxgyapqla.exe
  apfgxoeztqfxgyapqla.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:776
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\apfgxoeztqfxgyapqla.exe*."
    3⤵
    - Executes dropped EXE
    PID:5560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdssiynhawkbjabppj.exe .
1⤵
PID:4844
- C:\Windows\pdssiynhawkbjabppj.exe
  pdssiynhawkbjabppj.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:212
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\pdssiynhawkbjabppj.exe*."
    3⤵
    - Executes dropped EXE
    PID:2612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdssiynhawkbjabppj.exe .
1⤵
PID:3980
- C:\Windows\pdssiynhawkbjabppj.exe
  pdssiynhawkbjabppj.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4652
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\pdssiynhawkbjabppj.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe
1⤵
PID:5784
- C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe
  C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe
  2⤵
  - Executes dropped EXE
  PID:2756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nduwogxtomcvfybrtpfw.exe
1⤵
PID:2588
- C:\Windows\nduwogxtomcvfybrtpfw.exe
  nduwogxtomcvfybrtpfw.exe
  2⤵
  - Executes dropped EXE
  PID:5892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nduwogxtomcvfybrtpfw.exe
1⤵
PID:4744
- C:\Windows\nduwogxtomcvfybrtpfw.exe
  nduwogxtomcvfybrtpfw.exe
  2⤵
  PID:2484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe .
1⤵
PID:5800
- C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
  C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4836
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\gthgvkyrjerhoeerq.exe*."
    3⤵
    PID:4740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nduwogxtomcvfybrtpfw.exe .
1⤵
PID:4324
- C:\Windows\nduwogxtomcvfybrtpfw.exe
  nduwogxtomcvfybrtpfw.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4508
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\nduwogxtomcvfybrtpfw.exe*."
    3⤵
    PID:2004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctlohasplkbvgaevyvmeh.exe .
1⤵
PID:6088
- C:\Windows\ctlohasplkbvgaevyvmeh.exe
  ctlohasplkbvgaevyvmeh.exe .
  2⤵
  - Checks computer location settings
  PID:6028
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\ctlohasplkbvgaevyvmeh.exe*."
    3⤵
    PID:4196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe
1⤵
PID:1116
- C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe
  C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe
  2⤵
  PID:2508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe
1⤵
PID:5492
- C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe
  C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe .
1⤵
PID:4664
- C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe
  C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1708
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\ctlohasplkbvgaevyvmeh.exe*."
    3⤵
    PID:1696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe .
1⤵
PID:4444
- C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe
  C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4204
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\ctlohasplkbvgaevyvmeh.exe*."
    3⤵
    PID:4924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe
1⤵
PID:2760
- C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe
  C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe
  2⤵
  PID:2016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe .
1⤵
PID:5068
- C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
  C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4688
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\gthgvkyrjerhoeerq.exe*."
    3⤵
    PID:1420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe
1⤵
PID:640
- C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe
  C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe
  2⤵
  PID:4808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe
1⤵
PID:3192
- C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe
  C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe
  2⤵
  PID:5740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe .
1⤵
PID:5360
- C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe
  C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3272
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\pdssiynhawkbjabppj.exe*."
    3⤵
    PID:2416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe .
1⤵
PID:6056
- C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe
  C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe .
  2⤵
  - Checks computer location settings
  PID:3420
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\apfgxoeztqfxgyapqla.exe*."
    3⤵
    PID:4516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlywkylduoapvkjv.exe
1⤵
PID:5044
- C:\Windows\zlywkylduoapvkjv.exe
  zlywkylduoapvkjv.exe
  2⤵
  PID:5284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlywkylduoapvkjv.exe .
1⤵
PID:4680
- C:\Windows\zlywkylduoapvkjv.exe
  zlywkylduoapvkjv.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4892
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\zlywkylduoapvkjv.exe*."
    3⤵
    PID:1068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlywkylduoapvkjv.exe
1⤵
PID:5196
- C:\Windows\zlywkylduoapvkjv.exe
  zlywkylduoapvkjv.exe
  2⤵
  PID:3904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apfgxoeztqfxgyapqla.exe .
1⤵
PID:3308
- C:\Windows\apfgxoeztqfxgyapqla.exe
  apfgxoeztqfxgyapqla.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4668
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\apfgxoeztqfxgyapqla.exe*."
    3⤵
    PID:4464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
1⤵
PID:2804
- C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
  C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
  2⤵
  PID:5596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe .
1⤵
PID:5480
- C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe
  C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5504
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\ctlohasplkbvgaevyvmeh.exe*."
    3⤵
    PID:2140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe
1⤵
PID:4608
- C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe
  C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe
  2⤵
  PID:1564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe .
1⤵
PID:4732
- C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe
  C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1672
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\ctlohasplkbvgaevyvmeh.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlywkylduoapvkjv.exe
1⤵
PID:3264
- C:\Windows\zlywkylduoapvkjv.exe
  zlywkylduoapvkjv.exe
  2⤵
  PID:1656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apfgxoeztqfxgyapqla.exe .
1⤵
PID:2104
- C:\Windows\apfgxoeztqfxgyapqla.exe
  apfgxoeztqfxgyapqla.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5340
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\apfgxoeztqfxgyapqla.exe*."
    3⤵
    PID:3816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nduwogxtomcvfybrtpfw.exe
1⤵
PID:1480
- C:\Windows\nduwogxtomcvfybrtpfw.exe
  nduwogxtomcvfybrtpfw.exe
  2⤵
  PID:5996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdssiynhawkbjabppj.exe .
1⤵
PID:4552
- C:\Windows\pdssiynhawkbjabppj.exe
  pdssiynhawkbjabppj.exe .
  2⤵
  - Checks computer location settings
  PID:2012
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\pdssiynhawkbjabppj.exe*."
    3⤵
    PID:1696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe
1⤵
PID:2760
- C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe
  C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe
  2⤵
  PID:3744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe .
1⤵
PID:4524
- C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
  C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4828
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\gthgvkyrjerhoeerq.exe*."
    3⤵
    PID:5856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe
1⤵
PID:4508
- C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe
  C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe
  2⤵
  PID:4008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe .
1⤵
PID:3248
- C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe
  C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4272
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\apfgxoeztqfxgyapqla.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apfgxoeztqfxgyapqla.exe
1⤵
PID:4232
- C:\Windows\apfgxoeztqfxgyapqla.exe
  apfgxoeztqfxgyapqla.exe
  2⤵
  PID:5488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlywkylduoapvkjv.exe .
1⤵
PID:652
- C:\Windows\zlywkylduoapvkjv.exe
  zlywkylduoapvkjv.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1500
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\zlywkylduoapvkjv.exe*."
    3⤵
    PID:4192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gthgvkyrjerhoeerq.exe
1⤵
PID:1064
- C:\Windows\gthgvkyrjerhoeerq.exe
  gthgvkyrjerhoeerq.exe
  2⤵
  PID:4644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdssiynhawkbjabppj.exe .
1⤵
PID:4372
- C:\Windows\pdssiynhawkbjabppj.exe
  pdssiynhawkbjabppj.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1760
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\pdssiynhawkbjabppj.exe*."
    3⤵
    PID:5832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe
1⤵
PID:4348
- C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe
  C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe
  2⤵
  PID:336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe .
1⤵
PID:3644
- C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe
  C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5172
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\zlywkylduoapvkjv.exe*."
    3⤵
    PID:3484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe
1⤵
PID:5108
- C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe
  C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe
  2⤵
  PID:5596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe .
1⤵
PID:4624
- C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe
  C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:212
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\ctlohasplkbvgaevyvmeh.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:6132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdssiynhawkbjabppj.exe
1⤵
PID:3012
- C:\Windows\pdssiynhawkbjabppj.exe
  pdssiynhawkbjabppj.exe
  2⤵
  PID:2140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nduwogxtomcvfybrtpfw.exe .
1⤵
PID:2900
- C:\Windows\nduwogxtomcvfybrtpfw.exe
  nduwogxtomcvfybrtpfw.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4652
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\nduwogxtomcvfybrtpfw.exe*."
    3⤵
    PID:840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctlohasplkbvgaevyvmeh.exe
1⤵
PID:1116
- C:\Windows\ctlohasplkbvgaevyvmeh.exe
  ctlohasplkbvgaevyvmeh.exe
  2⤵
  PID:6032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctlohasplkbvgaevyvmeh.exe .
1⤵
PID:4608
- C:\Windows\ctlohasplkbvgaevyvmeh.exe
  ctlohasplkbvgaevyvmeh.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:716
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\ctlohasplkbvgaevyvmeh.exe*."
    3⤵
    PID:4928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe
1⤵
PID:756
- C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe
  C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe
  2⤵
  PID:448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe .
1⤵
PID:2208
- C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe
  C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3580
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\nduwogxtomcvfybrtpfw.exe*."
    3⤵
    PID:4188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe
1⤵
PID:3228
- C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe
  C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe
  2⤵
  PID:4736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe .
1⤵
PID:5524
- C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe
  C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:940
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\zlywkylduoapvkjv.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apfgxoeztqfxgyapqla.exe
1⤵
PID:2472
- C:\Windows\apfgxoeztqfxgyapqla.exe
  apfgxoeztqfxgyapqla.exe
  2⤵
  PID:1960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctlohasplkbvgaevyvmeh.exe .
1⤵
PID:4924
- C:\Windows\ctlohasplkbvgaevyvmeh.exe
  ctlohasplkbvgaevyvmeh.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:6028
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\ctlohasplkbvgaevyvmeh.exe*."
    3⤵
    PID:5728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gthgvkyrjerhoeerq.exe
1⤵
PID:552
- C:\Windows\gthgvkyrjerhoeerq.exe
  gthgvkyrjerhoeerq.exe
  2⤵
  PID:3400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctlohasplkbvgaevyvmeh.exe .
1⤵
PID:5856
- C:\Windows\ctlohasplkbvgaevyvmeh.exe
  ctlohasplkbvgaevyvmeh.exe .
  2⤵
  - Checks computer location settings
  PID:5432
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\ctlohasplkbvgaevyvmeh.exe*."
    3⤵
    PID:4468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
1⤵
PID:1692
- C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
  C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
  2⤵
  PID:3248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe .
1⤵
PID:4140
- C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe
  C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5640
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\zlywkylduoapvkjv.exe*."
    3⤵
    PID:5488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe
1⤵
PID:920
- C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe
  C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe
  2⤵
  PID:4984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe .
1⤵
PID:4148
- C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe
  C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4324
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\pdssiynhawkbjabppj.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctlohasplkbvgaevyvmeh.exe
1⤵
PID:4680
- C:\Windows\ctlohasplkbvgaevyvmeh.exe
  ctlohasplkbvgaevyvmeh.exe
  2⤵
  PID:1760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gthgvkyrjerhoeerq.exe .
1⤵
PID:3528
- C:\Windows\gthgvkyrjerhoeerq.exe
  gthgvkyrjerhoeerq.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4864
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\gthgvkyrjerhoeerq.exe*."
    3⤵
    PID:3772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nduwogxtomcvfybrtpfw.exe
1⤵
PID:4712
- C:\Windows\nduwogxtomcvfybrtpfw.exe
  nduwogxtomcvfybrtpfw.exe
  2⤵
  PID:5596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nduwogxtomcvfybrtpfw.exe
1⤵
PID:4808
- C:\Windows\nduwogxtomcvfybrtpfw.exe
  nduwogxtomcvfybrtpfw.exe
  2⤵
  PID:2392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctlohasplkbvgaevyvmeh.exe
1⤵
PID:1604
- C:\Windows\ctlohasplkbvgaevyvmeh.exe
  ctlohasplkbvgaevyvmeh.exe
  2⤵
  PID:5020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apfgxoeztqfxgyapqla.exe .
1⤵
PID:640
- C:\Windows\apfgxoeztqfxgyapqla.exe
  apfgxoeztqfxgyapqla.exe .
  2⤵
  PID:3672
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\apfgxoeztqfxgyapqla.exe*."
    3⤵
    PID:4440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apfgxoeztqfxgyapqla.exe .
1⤵
PID:4544
- C:\Windows\apfgxoeztqfxgyapqla.exe
  apfgxoeztqfxgyapqla.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5356
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\apfgxoeztqfxgyapqla.exe*."
    3⤵
    PID:5940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
1⤵
PID:1276
- C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
  C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
  2⤵
  PID:2700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gthgvkyrjerhoeerq.exe .
1⤵
PID:3944
- C:\Windows\gthgvkyrjerhoeerq.exe
  gthgvkyrjerhoeerq.exe .
  2⤵
  - Checks computer location settings
  PID:840
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\gthgvkyrjerhoeerq.exe*."
    3⤵
    PID:4400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe .
1⤵
PID:5304
- C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe
  C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe .
  2⤵
  - Checks computer location settings
  PID:4916
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\nduwogxtomcvfybrtpfw.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlywkylduoapvkjv.exe
1⤵
PID:228
- C:\Windows\zlywkylduoapvkjv.exe
  zlywkylduoapvkjv.exe
  2⤵
  PID:3660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlywkylduoapvkjv.exe
1⤵
PID:3480
- C:\Windows\zlywkylduoapvkjv.exe
  zlywkylduoapvkjv.exe
  2⤵
  PID:4704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdssiynhawkbjabppj.exe .
1⤵
PID:3688
- C:\Windows\pdssiynhawkbjabppj.exe
  pdssiynhawkbjabppj.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4272
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\pdssiynhawkbjabppj.exe*."
    3⤵
    PID:5484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nduwogxtomcvfybrtpfw.exe .
1⤵
PID:5840
- C:\Windows\nduwogxtomcvfybrtpfw.exe
  nduwogxtomcvfybrtpfw.exe .
  2⤵
  - Checks computer location settings
  PID:1008
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\nduwogxtomcvfybrtpfw.exe*."
    3⤵
    PID:5464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe
1⤵
PID:4928
- C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe
  C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe
  2⤵
  PID:1420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe
1⤵
PID:3764
- C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe
  C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe
  2⤵
  PID:4508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe
1⤵
PID:5892
- C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe
  C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe
  2⤵
  PID:3096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe .
1⤵
PID:4424
- C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe
  C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3952
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\pdssiynhawkbjabppj.exe*."
    3⤵
    PID:5596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe .
1⤵
PID:2572
- C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe
  C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5488
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\nduwogxtomcvfybrtpfw.exe*."
    3⤵
    PID:3396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe .
1⤵
PID:4740
- C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe
  C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1832
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\nduwogxtomcvfybrtpfw.exe*."
    3⤵
    PID:3272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe
1⤵
PID:1168
- C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe
  C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe
  2⤵
  PID:3420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe
1⤵
PID:2472
- C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe
  C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe
  2⤵
  PID:836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe .
1⤵
PID:4552
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:6028
- C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe
  C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe .
  2⤵
  - Checks computer location settings
  PID:2652
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\nduwogxtomcvfybrtpfw.exe*."
    3⤵
    PID:888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe .
1⤵
PID:4828
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5740
- C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe
  C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe .
  2⤵
  - Checks computer location settings
  PID:4692
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\zlywkylduoapvkjv.exe*."
    3⤵
    PID:5832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctlohasplkbvgaevyvmeh.exe
1⤵
PID:4892
- C:\Windows\ctlohasplkbvgaevyvmeh.exe
  ctlohasplkbvgaevyvmeh.exe
  2⤵
  PID:4864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdssiynhawkbjabppj.exe .
1⤵
PID:5044
- C:\Windows\pdssiynhawkbjabppj.exe
  pdssiynhawkbjabppj.exe .
  2⤵
  - Checks computer location settings
  PID:5636
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\pdssiynhawkbjabppj.exe*."
    3⤵
    PID:1604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctlohasplkbvgaevyvmeh.exe
1⤵
PID:392
- C:\Windows\ctlohasplkbvgaevyvmeh.exe
  ctlohasplkbvgaevyvmeh.exe
  2⤵
  PID:3068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gthgvkyrjerhoeerq.exe .
1⤵
PID:2804
- C:\Windows\gthgvkyrjerhoeerq.exe
  gthgvkyrjerhoeerq.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4812
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\gthgvkyrjerhoeerq.exe*."
    3⤵
    PID:5920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe
1⤵
PID:5808
- C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe
  C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe
  2⤵
  PID:4800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe .
1⤵
PID:4440
- C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
  C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe .
  2⤵
  - Checks computer location settings
  PID:5968
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\gthgvkyrjerhoeerq.exe*."
    3⤵
    PID:4536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe
1⤵
PID:5108
- C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe
  C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe
  2⤵
  PID:2848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe .
1⤵
PID:5560
- C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe
  C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe .
  2⤵
  - Checks computer location settings
  PID:4296
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\apfgxoeztqfxgyapqla.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdssiynhawkbjabppj.exe
1⤵
PID:5000
- C:\Windows\pdssiynhawkbjabppj.exe
  pdssiynhawkbjabppj.exe
  2⤵
  PID:5192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gthgvkyrjerhoeerq.exe .
1⤵
PID:4508
- C:\Windows\gthgvkyrjerhoeerq.exe
  gthgvkyrjerhoeerq.exe .
  2⤵
  PID:1952
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\gthgvkyrjerhoeerq.exe*."
    3⤵
    PID:3668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlywkylduoapvkjv.exe
1⤵
PID:4456
- C:\Windows\zlywkylduoapvkjv.exe
  zlywkylduoapvkjv.exe
  2⤵
  PID:748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apfgxoeztqfxgyapqla.exe .
1⤵
PID:3240
- C:\Windows\apfgxoeztqfxgyapqla.exe
  apfgxoeztqfxgyapqla.exe .
  2⤵
  PID:4912
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\apfgxoeztqfxgyapqla.exe*."
    3⤵
    PID:3756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe
1⤵
PID:5916
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4740
- C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe
  C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe
  2⤵
  PID:1608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe .
1⤵
PID:468
- C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe
  C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe .
  2⤵
  - Checks computer location settings
  PID:4272
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\pdssiynhawkbjabppj.exe*."
    3⤵
    PID:4652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
1⤵
PID:4656
- C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
  C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
  2⤵
  PID:5284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe .
1⤵
PID:5944
- C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe
  C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3276
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\ctlohasplkbvgaevyvmeh.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlywkylduoapvkjv.exe
1⤵
PID:4836
- C:\Windows\zlywkylduoapvkjv.exe
  zlywkylduoapvkjv.exe
  2⤵
  PID:3744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apfgxoeztqfxgyapqla.exe .
1⤵
PID:2244
- C:\Windows\apfgxoeztqfxgyapqla.exe
  apfgxoeztqfxgyapqla.exe .
  2⤵
  - Checks computer location settings
  PID:4992
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\apfgxoeztqfxgyapqla.exe*."
    3⤵
    PID:4856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctlohasplkbvgaevyvmeh.exe
1⤵
PID:1072
- C:\Windows\ctlohasplkbvgaevyvmeh.exe
  ctlohasplkbvgaevyvmeh.exe
  2⤵
  PID:1924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nduwogxtomcvfybrtpfw.exe .
1⤵
PID:5524
- C:\Windows\nduwogxtomcvfybrtpfw.exe
  nduwogxtomcvfybrtpfw.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2524
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\nduwogxtomcvfybrtpfw.exe*."
    3⤵
    PID:3904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe
1⤵
PID:6088
- C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe
  C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe
  2⤵
  PID:396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe .
1⤵
PID:4864
- C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
  C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe .
  2⤵
  - Checks computer location settings
  PID:5256
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\gthgvkyrjerhoeerq.exe*."
    3⤵
    PID:5020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe
1⤵
PID:5636
- C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe
  C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe
  2⤵
  PID:6056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe .
1⤵
PID:5044
- C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe
  C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4428
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\nduwogxtomcvfybrtpfw.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apfgxoeztqfxgyapqla.exe
1⤵
PID:5656
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5356
- C:\Windows\apfgxoeztqfxgyapqla.exe
  apfgxoeztqfxgyapqla.exe
  2⤵
  PID:4536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctlohasplkbvgaevyvmeh.exe .
1⤵
PID:1116
- C:\Windows\ctlohasplkbvgaevyvmeh.exe
  ctlohasplkbvgaevyvmeh.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3824
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\ctlohasplkbvgaevyvmeh.exe*."
    3⤵
    PID:404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apfgxoeztqfxgyapqla.exe
1⤵
PID:5512
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2804
- C:\Windows\apfgxoeztqfxgyapqla.exe
  apfgxoeztqfxgyapqla.exe
  2⤵
  PID:5380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apfgxoeztqfxgyapqla.exe .
1⤵
PID:1276
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4780
- C:\Windows\apfgxoeztqfxgyapqla.exe
  apfgxoeztqfxgyapqla.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4444
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\apfgxoeztqfxgyapqla.exe*."
    3⤵
    PID:3480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe
1⤵
PID:5848
- C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe
  C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe
  2⤵
  PID:3176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe .
1⤵
PID:4768
- C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe
  C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe .
  2⤵
  PID:1692
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\zlywkylduoapvkjv.exe*."
    3⤵
    PID:1832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe
1⤵
PID:3328
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1656
- C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe
  C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe
  2⤵
  PID:4776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe .
1⤵
PID:1968
- C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
  C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2104
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\gthgvkyrjerhoeerq.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apfgxoeztqfxgyapqla.exe
1⤵
PID:548
- C:\Windows\apfgxoeztqfxgyapqla.exe
  apfgxoeztqfxgyapqla.exe
  2⤵
  PID:468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctlohasplkbvgaevyvmeh.exe .
1⤵
PID:4876
- C:\Windows\ctlohasplkbvgaevyvmeh.exe
  ctlohasplkbvgaevyvmeh.exe .
  2⤵
  - Checks computer location settings
  PID:5464
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\ctlohasplkbvgaevyvmeh.exe*."
    3⤵
    PID:3396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apfgxoeztqfxgyapqla.exe
1⤵
PID:4920
- C:\Windows\apfgxoeztqfxgyapqla.exe
  apfgxoeztqfxgyapqla.exe
  2⤵
  PID:3940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apfgxoeztqfxgyapqla.exe .
1⤵
PID:5004
- C:\Windows\apfgxoeztqfxgyapqla.exe
  apfgxoeztqfxgyapqla.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4512
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\apfgxoeztqfxgyapqla.exe*."
    3⤵
    PID:4692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe
1⤵
PID:2472
- C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe
  C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe
  2⤵
  PID:5832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe .
1⤵
PID:4836
- C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe
  C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:684
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\ctlohasplkbvgaevyvmeh.exe*."
    3⤵
    PID:5652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe
1⤵
PID:3380
- C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe
  C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe
  2⤵
  PID:3484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe .
1⤵
PID:3400
- C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe
  C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe .
  2⤵
  PID:1400
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\apfgxoeztqfxgyapqla.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlywkylduoapvkjv.exe
1⤵
PID:984
- C:\Windows\zlywkylduoapvkjv.exe
  zlywkylduoapvkjv.exe
  2⤵
  PID:4028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctlohasplkbvgaevyvmeh.exe .
1⤵
PID:3180
- C:\Windows\ctlohasplkbvgaevyvmeh.exe
  ctlohasplkbvgaevyvmeh.exe .
  2⤵
  PID:2392
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\ctlohasplkbvgaevyvmeh.exe*."
    3⤵
    PID:2344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctlohasplkbvgaevyvmeh.exe
1⤵
PID:5636
- C:\Windows\ctlohasplkbvgaevyvmeh.exe
  ctlohasplkbvgaevyvmeh.exe
  2⤵
  PID:1892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlywkylduoapvkjv.exe .
1⤵
PID:3428
- C:\Windows\zlywkylduoapvkjv.exe
  zlywkylduoapvkjv.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5656
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\zlywkylduoapvkjv.exe*."
    3⤵
    PID:3088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe
1⤵
PID:5720
- C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe
  C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe
  2⤵
  PID:4616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe .
1⤵
PID:640
- C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe
  C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe .
  2⤵
  - Checks computer location settings
  PID:1016
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\ctlohasplkbvgaevyvmeh.exe*."
    3⤵
    PID:2576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe
1⤵
PID:2436
- C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe
  C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe
  2⤵
  PID:3024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe .
1⤵
PID:2396
- C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe
  C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1420
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\ctlohasplkbvgaevyvmeh.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gthgvkyrjerhoeerq.exe
1⤵
PID:1692
- C:\Windows\gthgvkyrjerhoeerq.exe
  gthgvkyrjerhoeerq.exe
  2⤵
  PID:1728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gthgvkyrjerhoeerq.exe
1⤵
PID:3836
- C:\Windows\gthgvkyrjerhoeerq.exe
  gthgvkyrjerhoeerq.exe
  2⤵
  PID:3200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nduwogxtomcvfybrtpfw.exe .
1⤵
PID:3892
- C:\Windows\nduwogxtomcvfybrtpfw.exe
  nduwogxtomcvfybrtpfw.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3960
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\nduwogxtomcvfybrtpfw.exe*."
    3⤵
    PID:3712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gthgvkyrjerhoeerq.exe .
1⤵
PID:5996
- C:\Windows\gthgvkyrjerhoeerq.exe
  gthgvkyrjerhoeerq.exe .
  2⤵
  - Checks computer location settings
  PID:2908
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\gthgvkyrjerhoeerq.exe*."
    3⤵
    PID:3256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nduwogxtomcvfybrtpfw.exe
1⤵
PID:5440
- C:\Windows\nduwogxtomcvfybrtpfw.exe
  nduwogxtomcvfybrtpfw.exe
  2⤵
  PID:5340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gthgvkyrjerhoeerq.exe .
1⤵
PID:4736
- C:\Windows\gthgvkyrjerhoeerq.exe
  gthgvkyrjerhoeerq.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:6000
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\gthgvkyrjerhoeerq.exe*."
    3⤵
    PID:1100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlywkylduoapvkjv.exe
1⤵
PID:5684
- C:\Windows\zlywkylduoapvkjv.exe
  zlywkylduoapvkjv.exe
  2⤵
  PID:1956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlywkylduoapvkjv.exe .
1⤵
PID:5904
- C:\Windows\zlywkylduoapvkjv.exe
  zlywkylduoapvkjv.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1400
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\zlywkylduoapvkjv.exe*."
    3⤵
    PID:2508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
1⤵
PID:4816
- C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
  C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
  2⤵
  PID:4972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdssiynhawkbjabppj.exe
1⤵
PID:4040
- C:\Windows\pdssiynhawkbjabppj.exe
  pdssiynhawkbjabppj.exe
  2⤵
  PID:3960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe
1⤵
PID:2472
- C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe
  C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe
  2⤵
  PID:5072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe .
1⤵
PID:5780
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2004
- C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe
  C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe .
  2⤵
  PID:3456
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\ctlohasplkbvgaevyvmeh.exe*."
    3⤵
    PID:4932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe .
1⤵
PID:4888
- C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe
  C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe .
  2⤵
  PID:3580
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\apfgxoeztqfxgyapqla.exe*."
    3⤵
    PID:732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctlohasplkbvgaevyvmeh.exe .
1⤵
PID:4948
- C:\Windows\ctlohasplkbvgaevyvmeh.exe
  ctlohasplkbvgaevyvmeh.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4436
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\ctlohasplkbvgaevyvmeh.exe*."
    3⤵
    PID:4492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe
1⤵
PID:4680
- C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe
  C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe
  2⤵
  PID:2596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nduwogxtomcvfybrtpfw.exe
1⤵
PID:4620
- C:\Windows\nduwogxtomcvfybrtpfw.exe
  nduwogxtomcvfybrtpfw.exe
  2⤵
  PID:2212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe
1⤵
PID:5020
- C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe
  C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe
  2⤵
  PID:3428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe .
1⤵
PID:4424
- C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe
  C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe .
  2⤵
  PID:2936
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\apfgxoeztqfxgyapqla.exe*."
    3⤵
    PID:5828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gthgvkyrjerhoeerq.exe .
1⤵
PID:1372
- C:\Windows\gthgvkyrjerhoeerq.exe
  gthgvkyrjerhoeerq.exe .
  2⤵
  PID:696
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\gthgvkyrjerhoeerq.exe*."
    3⤵
    PID:2396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe .
1⤵
PID:6112
- C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe
  C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe .
  2⤵
  PID:1076
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\nduwogxtomcvfybrtpfw.exe*."
    3⤵
    PID:4868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe
1⤵
PID:1948
- C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe
  C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe
  2⤵
  PID:4548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe .
1⤵
PID:4400
- C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
  C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe .
  2⤵
  PID:3740
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\gthgvkyrjerhoeerq.exe*."
    3⤵
    PID:4404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
1⤵
PID:5248
- C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
  C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
  2⤵
  PID:1388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe .
1⤵
PID:2076
- C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
  C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe .
  2⤵
  PID:3096
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\gthgvkyrjerhoeerq.exe*."
    3⤵
    PID:4272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlywkylduoapvkjv.exe
1⤵
PID:4920
- C:\Windows\zlywkylduoapvkjv.exe
  zlywkylduoapvkjv.exe
  2⤵
  PID:5484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlywkylduoapvkjv.exe .
1⤵
PID:1580
- C:\Windows\zlywkylduoapvkjv.exe
  zlywkylduoapvkjv.exe .
  2⤵
  PID:3128
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\zlywkylduoapvkjv.exe*."
    3⤵
    PID:5328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nduwogxtomcvfybrtpfw.exe
1⤵
PID:920
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2524
- C:\Windows\nduwogxtomcvfybrtpfw.exe
  nduwogxtomcvfybrtpfw.exe
  2⤵
  PID:5856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nduwogxtomcvfybrtpfw.exe .
1⤵
PID:4804
- C:\Windows\nduwogxtomcvfybrtpfw.exe
  nduwogxtomcvfybrtpfw.exe .
  2⤵
  PID:5172
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\nduwogxtomcvfybrtpfw.exe*."
    3⤵
    PID:2148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe
1⤵
PID:1168
- C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe
  C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe
  2⤵
  PID:4772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe .
1⤵
PID:2280
- C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe
  C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe .
  2⤵
  PID:3528
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\apfgxoeztqfxgyapqla.exe*."
    3⤵
    PID:6028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
1⤵
PID:336
- C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
  C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
  2⤵
  PID:4648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe .
1⤵
PID:4600
- C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe
  C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe .
  2⤵
  PID:4436
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\pdssiynhawkbjabppj.exe*."
    3⤵
    PID:1532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdssiynhawkbjabppj.exe
1⤵
PID:732
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3396
- C:\Windows\pdssiynhawkbjabppj.exe
  pdssiynhawkbjabppj.exe
  2⤵
  PID:2328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlywkylduoapvkjv.exe .
1⤵
PID:1444
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4864
- C:\Windows\zlywkylduoapvkjv.exe
  zlywkylduoapvkjv.exe .
  2⤵
  PID:4252
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\zlywkylduoapvkjv.exe*."
    3⤵
    PID:2436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gthgvkyrjerhoeerq.exe
1⤵
PID:4028
- C:\Windows\gthgvkyrjerhoeerq.exe
  gthgvkyrjerhoeerq.exe
  2⤵
  PID:5800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctlohasplkbvgaevyvmeh.exe .
1⤵
PID:5492
- C:\Windows\ctlohasplkbvgaevyvmeh.exe
  ctlohasplkbvgaevyvmeh.exe .
  2⤵
  PID:4992
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\ctlohasplkbvgaevyvmeh.exe*."
    3⤵
    PID:6044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
1⤵
PID:3536
- C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
  C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
  2⤵
  PID:3680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe .
1⤵
PID:4548
- C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe
  C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe .
  2⤵
  PID:1388
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\nduwogxtomcvfybrtpfw.exe*."
    3⤵
    PID:696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe
1⤵
PID:1948
- C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe
  C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe
  2⤵
  PID:4732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe .
1⤵
PID:4896
- C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe
  C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe .
  2⤵
  PID:4116
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\apfgxoeztqfxgyapqla.exe*."
    3⤵
    PID:6132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apfgxoeztqfxgyapqla.exe
1⤵
PID:4516
- C:\Windows\apfgxoeztqfxgyapqla.exe
  apfgxoeztqfxgyapqla.exe
  2⤵
  PID:1832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdssiynhawkbjabppj.exe .
1⤵
PID:2404
- C:\Windows\pdssiynhawkbjabppj.exe
  pdssiynhawkbjabppj.exe .
  2⤵
  PID:5000
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\pdssiynhawkbjabppj.exe*."
    3⤵
    PID:5284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlywkylduoapvkjv.exe
1⤵
PID:5848
- C:\Windows\zlywkylduoapvkjv.exe
  zlywkylduoapvkjv.exe
  2⤵
  PID:4984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gthgvkyrjerhoeerq.exe .
1⤵
PID:3480
- C:\Windows\gthgvkyrjerhoeerq.exe
  gthgvkyrjerhoeerq.exe .
  2⤵
  PID:4068
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\gthgvkyrjerhoeerq.exe*."
    3⤵
    PID:3756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
1⤵
PID:864
- C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
  C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
  2⤵
  PID:3596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe .
1⤵
PID:5520
- C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
  C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe .
  2⤵
  PID:3632
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\gthgvkyrjerhoeerq.exe*."
    3⤵
    PID:1428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
1⤵
PID:4336
- C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
  C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
  2⤵
  PID:4852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe .
1⤵
PID:4944
- C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe
  C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe .
  2⤵
  PID:4892
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\ctlohasplkbvgaevyvmeh.exe*."
    3⤵
    PID:4672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apfgxoeztqfxgyapqla.exe
1⤵
PID:2280
- C:\Windows\apfgxoeztqfxgyapqla.exe
  apfgxoeztqfxgyapqla.exe
  2⤵
  PID:972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdssiynhawkbjabppj.exe .
1⤵
PID:1728
- C:\Windows\pdssiynhawkbjabppj.exe
  pdssiynhawkbjabppj.exe .
  2⤵
  PID:2848
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\pdssiynhawkbjabppj.exe*."
    3⤵
    PID:4624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlywkylduoapvkjv.exe
1⤵
PID:3824
- C:\Windows\zlywkylduoapvkjv.exe
  zlywkylduoapvkjv.exe
  2⤵
  PID:6024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlywkylduoapvkjv.exe .
1⤵
PID:4492
- C:\Windows\zlywkylduoapvkjv.exe
  zlywkylduoapvkjv.exe .
  2⤵
  PID:64
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\zlywkylduoapvkjv.exe*."
    3⤵
    PID:5020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe
1⤵
PID:2460
- C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe
  C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe
  2⤵
  PID:3980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe .
1⤵
PID:4460
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2700
- C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe
  C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe .
  2⤵
  PID:1164
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\zlywkylduoapvkjv.exe*."
    3⤵
    PID:2600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe
1⤵
PID:5596
- C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe
  C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe
  2⤵
  PID:4836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe .
1⤵
PID:2760
- C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe
  C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe .
  2⤵
  PID:2820
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\zlywkylduoapvkjv.exe*."
    3⤵
    PID:2140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdssiynhawkbjabppj.exe
1⤵
PID:3936
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4644
- C:\Windows\pdssiynhawkbjabppj.exe
  pdssiynhawkbjabppj.exe
  2⤵
  PID:5184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nduwogxtomcvfybrtpfw.exe .
1⤵
PID:4444
- C:\Windows\nduwogxtomcvfybrtpfw.exe
  nduwogxtomcvfybrtpfw.exe .
  2⤵
  PID:2308
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\nduwogxtomcvfybrtpfw.exe*."
    3⤵
    PID:2396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apfgxoeztqfxgyapqla.exe
1⤵
PID:6076
- C:\Windows\apfgxoeztqfxgyapqla.exe
  apfgxoeztqfxgyapqla.exe
  2⤵
  PID:3180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apfgxoeztqfxgyapqla.exe .
1⤵
PID:1844
- C:\Windows\apfgxoeztqfxgyapqla.exe
  apfgxoeztqfxgyapqla.exe .
  2⤵
  PID:1316
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\apfgxoeztqfxgyapqla.exe*."
    3⤵
    PID:1076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe
1⤵
PID:3280
- C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe
  C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe
  2⤵
  PID:3000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe .
1⤵
PID:5304
- C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe
  C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe .
  2⤵
  PID:4456
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\ctlohasplkbvgaevyvmeh.exe*."
    3⤵
    PID:3472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
1⤵
PID:2320
- C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
  C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
  2⤵
  PID:4592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe .
1⤵
PID:4112
- C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe
  C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe .
  2⤵
  PID:5840
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\pdssiynhawkbjabppj.exe*."
    3⤵
    PID:5848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apfgxoeztqfxgyapqla.exe
1⤵
PID:3256
- C:\Windows\apfgxoeztqfxgyapqla.exe
  apfgxoeztqfxgyapqla.exe
  2⤵
  PID:4612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nduwogxtomcvfybrtpfw.exe .
1⤵
PID:744
- C:\Windows\nduwogxtomcvfybrtpfw.exe
  nduwogxtomcvfybrtpfw.exe .
  2⤵
  PID:1072
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\nduwogxtomcvfybrtpfw.exe*."
    3⤵
    PID:836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdssiynhawkbjabppj.exe
1⤵
PID:3632
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3484
- C:\Windows\pdssiynhawkbjabppj.exe
  pdssiynhawkbjabppj.exe
  2⤵
  PID:4340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apfgxoeztqfxgyapqla.exe
1⤵
PID:5916
- C:\Windows\apfgxoeztqfxgyapqla.exe
  apfgxoeztqfxgyapqla.exe
  2⤵
  PID:4708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apfgxoeztqfxgyapqla.exe
1⤵
PID:4772
- C:\Windows\apfgxoeztqfxgyapqla.exe
  apfgxoeztqfxgyapqla.exe
  2⤵
  PID:4648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apfgxoeztqfxgyapqla.exe .
1⤵
PID:3380
- C:\Windows\apfgxoeztqfxgyapqla.exe
  apfgxoeztqfxgyapqla.exe .
  2⤵
  PID:1232
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\apfgxoeztqfxgyapqla.exe*."
    3⤵
    PID:732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apfgxoeztqfxgyapqla.exe .
1⤵
PID:3288
- C:\Windows\apfgxoeztqfxgyapqla.exe
  apfgxoeztqfxgyapqla.exe .
  2⤵
  PID:4480
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\apfgxoeztqfxgyapqla.exe*."
    3⤵
    PID:696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe
1⤵
PID:5604
- C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe
  C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe
  2⤵
  PID:6024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlywkylduoapvkjv.exe .
1⤵
PID:2856
- C:\Windows\zlywkylduoapvkjv.exe
  zlywkylduoapvkjv.exe .
  2⤵
  PID:4692
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\zlywkylduoapvkjv.exe*."
    3⤵
    PID:5852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe .
1⤵
PID:2132
- C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe
  C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe .
  2⤵
  PID:5324
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\nduwogxtomcvfybrtpfw.exe*."
    3⤵
    PID:3328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apfgxoeztqfxgyapqla.exe
1⤵
PID:2848
- C:\Windows\apfgxoeztqfxgyapqla.exe
  apfgxoeztqfxgyapqla.exe
  2⤵
  PID:5540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nduwogxtomcvfybrtpfw.exe .
1⤵
PID:404
- C:\Windows\nduwogxtomcvfybrtpfw.exe
  nduwogxtomcvfybrtpfw.exe .
  2⤵
  PID:4324
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\nduwogxtomcvfybrtpfw.exe*."
    3⤵
    PID:3420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctlohasplkbvgaevyvmeh.exe
1⤵
PID:5952
- C:\Windows\ctlohasplkbvgaevyvmeh.exe
  ctlohasplkbvgaevyvmeh.exe
  2⤵
  PID:3904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe
1⤵
PID:4520
- C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe
  C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe
  2⤵
  PID:4508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nduwogxtomcvfybrtpfw.exe .
1⤵
PID:1676
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3744
- C:\Windows\nduwogxtomcvfybrtpfw.exe
  nduwogxtomcvfybrtpfw.exe .
  2⤵
  PID:3156
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\nduwogxtomcvfybrtpfw.exe*."
    3⤵
    PID:548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe
1⤵
PID:3580
- C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe
  C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe
  2⤵
  PID:6128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe .
1⤵
PID:4824
- C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe
  C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe .
  2⤵
  PID:4768
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\apfgxoeztqfxgyapqla.exe*."
    3⤵
    PID:4800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe
1⤵
PID:2464
- C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe
  C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe
  2⤵
  PID:4712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe .
1⤵
PID:1848
- C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe
  C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe .
  2⤵
  PID:2892
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\ctlohasplkbvgaevyvmeh.exe*."
    3⤵
    PID:2076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe .
1⤵
PID:1640
- C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe
  C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe .
  2⤵
  PID:2904
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\nduwogxtomcvfybrtpfw.exe*."
    3⤵
    PID:1068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
1⤵
PID:3876
- C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
  C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
  2⤵
  PID:5760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe .
1⤵
PID:5264
- C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe
  C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe .
  2⤵
  PID:4032
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\ctlohasplkbvgaevyvmeh.exe*."
    3⤵
    PID:4360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe
1⤵
PID:392
- C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe
  C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe
  2⤵
  PID:3688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe .
1⤵
PID:5808
- C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe
  C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe .
  2⤵
  PID:5488
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\zlywkylduoapvkjv.exe*."
    3⤵
    PID:3756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gthgvkyrjerhoeerq.exe
1⤵
PID:3836
- C:\Windows\gthgvkyrjerhoeerq.exe
  gthgvkyrjerhoeerq.exe
  2⤵
  PID:4920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctlohasplkbvgaevyvmeh.exe .
1⤵
PID:4112
- C:\Windows\ctlohasplkbvgaevyvmeh.exe
  ctlohasplkbvgaevyvmeh.exe .
  2⤵
  PID:5740
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\ctlohasplkbvgaevyvmeh.exe*."
    3⤵
    PID:4708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctlohasplkbvgaevyvmeh.exe
1⤵
PID:2324
- C:\Windows\ctlohasplkbvgaevyvmeh.exe
  ctlohasplkbvgaevyvmeh.exe
  2⤵
  PID:3568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlywkylduoapvkjv.exe .
1⤵
PID:4944
- C:\Windows\zlywkylduoapvkjv.exe
  zlywkylduoapvkjv.exe .
  2⤵
  PID:5916
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\zlywkylduoapvkjv.exe*."
    3⤵
    PID:4484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
1⤵
PID:4688
- C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
  C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
  2⤵
  PID:2344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe .
1⤵
PID:5504
- C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
  C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe .
  2⤵
  PID:1232
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\gthgvkyrjerhoeerq.exe*."
    3⤵
    PID:3680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe
1⤵
PID:4728
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4536
- C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe
  C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe
  2⤵
  PID:3944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe .
1⤵
PID:6056
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4192
- C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe
  C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe .
  2⤵
  PID:1064
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\nduwogxtomcvfybrtpfw.exe*."
    3⤵
    PID:4480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlywkylduoapvkjv.exe
1⤵
PID:3008
- C:\Windows\zlywkylduoapvkjv.exe
  zlywkylduoapvkjv.exe
  2⤵
  PID:1968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apfgxoeztqfxgyapqla.exe .
1⤵
PID:1112
- C:\Windows\apfgxoeztqfxgyapqla.exe
  apfgxoeztqfxgyapqla.exe .
  2⤵
  PID:3456
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\apfgxoeztqfxgyapqla.exe*."
    3⤵
    PID:5248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nduwogxtomcvfybrtpfw.exe
1⤵
PID:3288
- C:\Windows\nduwogxtomcvfybrtpfw.exe
  nduwogxtomcvfybrtpfw.exe
  2⤵
  PID:5164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apfgxoeztqfxgyapqla.exe .
1⤵
PID:1620
- C:\Windows\apfgxoeztqfxgyapqla.exe
  apfgxoeztqfxgyapqla.exe .
  2⤵
  PID:5200
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\apfgxoeztqfxgyapqla.exe*."
    3⤵
    PID:676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe
1⤵
PID:3076
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4984
- C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe
  C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe
  2⤵
  PID:2436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe .
1⤵
PID:4232
- C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe
  C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe .
  2⤵
  PID:4620
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\nduwogxtomcvfybrtpfw.exe*."
    3⤵
    PID:5656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
1⤵
PID:2180
- C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
  C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
  2⤵
  PID:5208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe .
1⤵
PID:2280
- C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe
  C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe .
  2⤵
  PID:2032
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\ctlohasplkbvgaevyvmeh.exe*."
    3⤵
    PID:5284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gthgvkyrjerhoeerq.exe
1⤵
PID:2904
- C:\Windows\gthgvkyrjerhoeerq.exe
  gthgvkyrjerhoeerq.exe
  2⤵
  PID:4488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdssiynhawkbjabppj.exe .
1⤵
PID:5372
- C:\Windows\pdssiynhawkbjabppj.exe
  pdssiynhawkbjabppj.exe .
  2⤵
  PID:4040
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\pdssiynhawkbjabppj.exe*."
    3⤵
    PID:2908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nduwogxtomcvfybrtpfw.exe
1⤵
PID:4796
- C:\Windows\nduwogxtomcvfybrtpfw.exe
  nduwogxtomcvfybrtpfw.exe
  2⤵
  PID:4008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdssiynhawkbjabppj.exe .
1⤵
PID:228
- C:\Windows\pdssiynhawkbjabppj.exe
  pdssiynhawkbjabppj.exe .
  2⤵
  PID:3936
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\pdssiynhawkbjabppj.exe*."
    3⤵
    PID:4444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe
1⤵
PID:1932
- C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe
  C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe
  2⤵
  PID:5668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe .
1⤵
PID:1608
- C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe
  C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe .
  2⤵
  PID:3180
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\pdssiynhawkbjabppj.exe*."
    3⤵
    PID:4468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe
1⤵
PID:6112
- C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe
  C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe
  2⤵
  PID:3952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe .
1⤵
PID:3416
- C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe
  C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe .
  2⤵
  PID:5740
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\pdssiynhawkbjabppj.exe*."
    3⤵
    PID:4188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gthgvkyrjerhoeerq.exe
1⤵
PID:1008
- C:\Windows\gthgvkyrjerhoeerq.exe
  gthgvkyrjerhoeerq.exe
  2⤵
  PID:1960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nduwogxtomcvfybrtpfw.exe .
1⤵
PID:5944
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5380
- C:\Windows\nduwogxtomcvfybrtpfw.exe
  nduwogxtomcvfybrtpfw.exe .
  2⤵
  PID:5256
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\nduwogxtomcvfybrtpfw.exe*."
    3⤵
    PID:1120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apfgxoeztqfxgyapqla.exe
1⤵
PID:4012
- C:\Windows\apfgxoeztqfxgyapqla.exe
  apfgxoeztqfxgyapqla.exe
  2⤵
  PID:4932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlywkylduoapvkjv.exe .
1⤵
PID:1748
- C:\Windows\zlywkylduoapvkjv.exe
  zlywkylduoapvkjv.exe .
  2⤵
  PID:6028
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\zlywkylduoapvkjv.exe*."
    3⤵
    PID:5136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe
1⤵
PID:5736
- C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe
  C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe
  2⤵
  PID:1192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe .
1⤵
PID:4952
- C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe
  C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe .
  2⤵
  PID:2936
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\zlywkylduoapvkjv.exe*."
    3⤵
    PID:4896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe
1⤵
PID:4356
- C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe
  C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe
  2⤵
  PID:3708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe .
1⤵
PID:3240
- C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe
  C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe .
  2⤵
  PID:2148
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\apfgxoeztqfxgyapqla.exe*."
    3⤵
    PID:3456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdssiynhawkbjabppj.exe
1⤵
PID:448
- C:\Windows\pdssiynhawkbjabppj.exe
  pdssiynhawkbjabppj.exe
  2⤵
  PID:2588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctlohasplkbvgaevyvmeh.exe .
1⤵
PID:2260
- C:\Windows\ctlohasplkbvgaevyvmeh.exe
  ctlohasplkbvgaevyvmeh.exe .
  2⤵
  PID:512
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\ctlohasplkbvgaevyvmeh.exe*."
    3⤵
    PID:5560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctlohasplkbvgaevyvmeh.exe
1⤵
PID:3580
- C:\Windows\ctlohasplkbvgaevyvmeh.exe
  ctlohasplkbvgaevyvmeh.exe
  2⤵
  PID:2872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlywkylduoapvkjv.exe .
1⤵
PID:3160
- C:\Windows\zlywkylduoapvkjv.exe
  zlywkylduoapvkjv.exe .
  2⤵
  PID:4844
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\zlywkylduoapvkjv.exe*."
    3⤵
    PID:640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
1⤵
PID:4620
- C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
  C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
  2⤵
  PID:2180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe .
1⤵
PID:5492
- C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe
  C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe .
  2⤵
  PID:2044
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\pdssiynhawkbjabppj.exe*."
    3⤵
    PID:4616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
1⤵
PID:1700
- C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
  C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
  2⤵
  PID:5484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe .
1⤵
PID:2800
- C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe
  C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe .
  2⤵
  PID:5972
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\zlywkylduoapvkjv.exe*."
    3⤵
    PID:2140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctlohasplkbvgaevyvmeh.exe
1⤵
PID:2676
- C:\Windows\ctlohasplkbvgaevyvmeh.exe
  ctlohasplkbvgaevyvmeh.exe
  2⤵
  PID:5488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdssiynhawkbjabppj.exe .
1⤵
PID:5056
- C:\Windows\pdssiynhawkbjabppj.exe
  pdssiynhawkbjabppj.exe .
  2⤵
  PID:4048
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\pdssiynhawkbjabppj.exe*."
    3⤵
    PID:776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gthgvkyrjerhoeerq.exe
1⤵
PID:4668
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4796
- C:\Windows\gthgvkyrjerhoeerq.exe
  gthgvkyrjerhoeerq.exe
  2⤵
  PID:4792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlywkylduoapvkjv.exe .
1⤵
PID:228
- C:\Windows\zlywkylduoapvkjv.exe
  zlywkylduoapvkjv.exe .
  2⤵
  PID:1752
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\zlywkylduoapvkjv.exe*."
    3⤵
    PID:3480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlywkylduoapvkjv.exe
1⤵
PID:5080
- C:\Windows\zlywkylduoapvkjv.exe
  zlywkylduoapvkjv.exe
  2⤵
  PID:3204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe
1⤵
PID:2208
- C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe
  C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe
  2⤵
  PID:4708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe .
1⤵
PID:4440
- C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
  C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe .
  2⤵
  PID:4068
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\gthgvkyrjerhoeerq.exe*."
    3⤵
    PID:1232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctlohasplkbvgaevyvmeh.exe
1⤵
PID:4148
- C:\Windows\ctlohasplkbvgaevyvmeh.exe
  ctlohasplkbvgaevyvmeh.exe
  2⤵
  PID:1956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nduwogxtomcvfybrtpfw.exe .
1⤵
PID:4100
- C:\Windows\nduwogxtomcvfybrtpfw.exe
  nduwogxtomcvfybrtpfw.exe .
  2⤵
  PID:1120
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\nduwogxtomcvfybrtpfw.exe*."
    3⤵
    PID:872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdssiynhawkbjabppj.exe .
1⤵
PID:1960
- C:\Windows\pdssiynhawkbjabppj.exe
  pdssiynhawkbjabppj.exe .
  2⤵
  PID:3800
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\pdssiynhawkbjabppj.exe*."
    3⤵
    PID:2600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdssiynhawkbjabppj.exe
1⤵
PID:2656
- C:\Windows\pdssiynhawkbjabppj.exe
  pdssiynhawkbjabppj.exe
  2⤵
  PID:4960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
1⤵
PID:4992
- C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
  C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
  2⤵
  PID:4036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apfgxoeztqfxgyapqla.exe .
1⤵
PID:1432
- C:\Windows\apfgxoeztqfxgyapqla.exe
  apfgxoeztqfxgyapqla.exe .
  2⤵
  PID:4680
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\apfgxoeztqfxgyapqla.exe*."
    3⤵
    PID:1164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe .
1⤵
PID:1412
- C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
  C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe .
  2⤵
  PID:3136
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\gthgvkyrjerhoeerq.exe*."
    3⤵
    PID:4620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe
1⤵
PID:5432
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3248
- C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe
  C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe
  2⤵
  PID:1860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apfgxoeztqfxgyapqla.exe
1⤵
PID:3680
- C:\Windows\apfgxoeztqfxgyapqla.exe
  apfgxoeztqfxgyapqla.exe
  2⤵
  PID:4824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdssiynhawkbjabppj.exe .
1⤵
PID:3436
- C:\Windows\pdssiynhawkbjabppj.exe
  pdssiynhawkbjabppj.exe .
  2⤵
  PID:4520
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\pdssiynhawkbjabppj.exe*."
    3⤵
    PID:5240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe .
1⤵
PID:4508
- C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
  C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe .
  2⤵
  PID:448
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\gthgvkyrjerhoeerq.exe*."
    3⤵
    PID:4480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe
1⤵
PID:3660
- C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe
  C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe
  2⤵
  PID:6080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe .
1⤵
PID:428
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4188
- C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
  C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe .
  2⤵
  PID:5992
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\gthgvkyrjerhoeerq.exe*."
    3⤵
    PID:6052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe
1⤵
PID:3008
- C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe
  C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe
  2⤵
  PID:5552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe .
1⤵
PID:4776
- C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe
  C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe .
  2⤵
  PID:5304
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\apfgxoeztqfxgyapqla.exe*."
    3⤵
    PID:5360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe
1⤵
PID:512
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4856
- C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe
  C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe
  2⤵
  PID:1076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe .
1⤵
PID:2872
- C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe
  C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe .
  2⤵
  PID:3644
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\ctlohasplkbvgaevyvmeh.exe*."
    3⤵
    PID:3824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctlohasplkbvgaevyvmeh.exe
1⤵
PID:4768
- C:\Windows\ctlohasplkbvgaevyvmeh.exe
  ctlohasplkbvgaevyvmeh.exe
  2⤵
  PID:5384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctlohasplkbvgaevyvmeh.exe .
1⤵
PID:552
- C:\Windows\ctlohasplkbvgaevyvmeh.exe
  ctlohasplkbvgaevyvmeh.exe .
  2⤵
  PID:4056
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\ctlohasplkbvgaevyvmeh.exe*."
    3⤵
    PID:1848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gthgvkyrjerhoeerq.exe
1⤵
PID:3684
- C:\Windows\gthgvkyrjerhoeerq.exe
  gthgvkyrjerhoeerq.exe
  2⤵
  PID:5780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlywkylduoapvkjv.exe .
1⤵
PID:400
- C:\Windows\zlywkylduoapvkjv.exe
  zlywkylduoapvkjv.exe .
  2⤵
  PID:4668
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\zlywkylduoapvkjv.exe*."
    3⤵
    PID:3128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
1⤵
PID:4948
- C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
  C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
  2⤵
  PID:3568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe .
1⤵
PID:4708
- C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe
  C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe .
  2⤵
  PID:2208
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\nduwogxtomcvfybrtpfw.exe*."
    3⤵
    PID:392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe
1⤵
PID:5968
- C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe
  C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe
  2⤵
  PID:1956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe .
1⤵
PID:536
- C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe
  C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe .
  2⤵
  PID:4004
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\zlywkylduoapvkjv.exe*."
    3⤵
    PID:5892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctlohasplkbvgaevyvmeh.exe
1⤵
PID:4700
- C:\Windows\ctlohasplkbvgaevyvmeh.exe
  ctlohasplkbvgaevyvmeh.exe
  2⤵
  PID:2904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlywkylduoapvkjv.exe .
1⤵
PID:4404
- C:\Windows\zlywkylduoapvkjv.exe
  zlywkylduoapvkjv.exe .
  2⤵
  PID:2724
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\zlywkylduoapvkjv.exe*."
    3⤵
    PID:3860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nduwogxtomcvfybrtpfw.exe
1⤵
PID:1952
- C:\Windows\nduwogxtomcvfybrtpfw.exe
  nduwogxtomcvfybrtpfw.exe
  2⤵
  PID:5256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlywkylduoapvkjv.exe .
1⤵
PID:1692
- C:\Windows\zlywkylduoapvkjv.exe
  zlywkylduoapvkjv.exe .
  2⤵
  PID:4272
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\zlywkylduoapvkjv.exe*."
    3⤵
    PID:1420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe
1⤵
PID:4624
- C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe
  C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe
  2⤵
  PID:2412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe .
1⤵
PID:208
- C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe
  C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe .
  2⤵
  PID:984
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\ctlohasplkbvgaevyvmeh.exe*."
    3⤵
    PID:3136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe
1⤵
PID:4648
- C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe
  C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe
  2⤵
  PID:3340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe .
1⤵
PID:5520
- C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe
  C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe .
  2⤵
  PID:3288
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\pdssiynhawkbjabppj.exe*."
    3⤵
    PID:3668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlywkylduoapvkjv.exe
1⤵
PID:3008
- C:\Windows\zlywkylduoapvkjv.exe
  zlywkylduoapvkjv.exe
  2⤵
  PID:2280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctlohasplkbvgaevyvmeh.exe .
1⤵
PID:1412
- C:\Windows\ctlohasplkbvgaevyvmeh.exe
  ctlohasplkbvgaevyvmeh.exe .
  2⤵
  PID:4736
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\ctlohasplkbvgaevyvmeh.exe*."
    3⤵
    PID:2396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zlywkylduoapvkjv.exe
1⤵
PID:3176
- C:\Windows\zlywkylduoapvkjv.exe
  zlywkylduoapvkjv.exe
  2⤵
  PID:1760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctlohasplkbvgaevyvmeh.exe .
1⤵
PID:1020
- C:\Windows\ctlohasplkbvgaevyvmeh.exe
  ctlohasplkbvgaevyvmeh.exe .
  2⤵
  PID:5208
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\ctlohasplkbvgaevyvmeh.exe*."
    3⤵
    PID:1168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe
1⤵
PID:2392
- C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe
  C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe
  2⤵
  PID:4488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe .
1⤵
PID:5304
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5020
- C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
  C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe .
  2⤵
  PID:4988
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\gthgvkyrjerhoeerq.exe*."
    3⤵
    PID:4844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe
1⤵
PID:4360
- C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe
  C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe
  2⤵
  PID:5948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe .
1⤵
PID:716
- C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe
  C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe .
  2⤵
  PID:5480
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\nduwogxtomcvfybrtpfw.exe*."
    3⤵
    PID:4680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nduwogxtomcvfybrtpfw.exe
1⤵
PID:4040
- C:\Windows\nduwogxtomcvfybrtpfw.exe
  nduwogxtomcvfybrtpfw.exe
  2⤵
  PID:1248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nduwogxtomcvfybrtpfw.exe .
1⤵
PID:552
- C:\Windows\nduwogxtomcvfybrtpfw.exe
  nduwogxtomcvfybrtpfw.exe .
  2⤵
  PID:2676
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\nduwogxtomcvfybrtpfw.exe*."
    3⤵
    PID:2092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdssiynhawkbjabppj.exe
1⤵
PID:1564
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4400
- C:\Windows\pdssiynhawkbjabppj.exe
  pdssiynhawkbjabppj.exe
  2⤵
  PID:4548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctlohasplkbvgaevyvmeh.exe .
1⤵
PID:5264
- C:\Windows\ctlohasplkbvgaevyvmeh.exe
  ctlohasplkbvgaevyvmeh.exe .
  2⤵
  PID:2208
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\ctlohasplkbvgaevyvmeh.exe*."
    3⤵
    PID:4876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe
1⤵
PID:5808
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1608
- C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe
  C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe
  2⤵
  PID:3068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe .
1⤵
PID:3836
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4916
- C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe
  C:\Users\Admin\AppData\Local\Temp\nduwogxtomcvfybrtpfw.exe .
  2⤵
  PID:1580
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\nduwogxtomcvfybrtpfw.exe*."
    3⤵
    PID:4772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
1⤵
PID:4148
- C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
  C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
  2⤵
  PID:5096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe .
1⤵
PID:452
- C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe
  C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe .
  2⤵
  PID:1064
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\ctlohasplkbvgaevyvmeh.exe*."
    3⤵
    PID:4416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apfgxoeztqfxgyapqla.exe
1⤵
PID:2336
- C:\Windows\apfgxoeztqfxgyapqla.exe
  apfgxoeztqfxgyapqla.exe
  2⤵
  PID:744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctlohasplkbvgaevyvmeh.exe .
1⤵
PID:1936
- C:\Windows\ctlohasplkbvgaevyvmeh.exe
  ctlohasplkbvgaevyvmeh.exe .
  2⤵
  PID:3904
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\ctlohasplkbvgaevyvmeh.exe*."
    3⤵
    PID:5604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gthgvkyrjerhoeerq.exe
1⤵
PID:4644
- C:\Windows\gthgvkyrjerhoeerq.exe
  gthgvkyrjerhoeerq.exe
  2⤵
  PID:3200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nduwogxtomcvfybrtpfw.exe .
1⤵
PID:696
- C:\Windows\nduwogxtomcvfybrtpfw.exe
  nduwogxtomcvfybrtpfw.exe .
  2⤵
  PID:3156
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\nduwogxtomcvfybrtpfw.exe*."
    3⤵
    PID:5248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe
1⤵
PID:3604
- C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe
  C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe
  2⤵
  PID:5432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe .
1⤵
PID:5552
- C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe
  C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe .
  2⤵
  PID:5200
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\apfgxoeztqfxgyapqla.exe*."
    3⤵
    PID:5396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
1⤵
PID:2520
- C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
  C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
  2⤵
  PID:4652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe .
1⤵
PID:5612
- C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe
  C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe .
  2⤵
  PID:336
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\apfgxoeztqfxgyapqla.exe*."
    3⤵
    PID:5760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdssiynhawkbjabppj.exe
1⤵
PID:2328
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1100
- C:\Windows\pdssiynhawkbjabppj.exe
  pdssiynhawkbjabppj.exe
  2⤵
  PID:1812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdssiynhawkbjabppj.exe .
1⤵
PID:6000
- C:\Windows\pdssiynhawkbjabppj.exe
  pdssiynhawkbjabppj.exe .
  2⤵
  PID:5804
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\pdssiynhawkbjabppj.exe*."
    3⤵
    PID:5984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apfgxoeztqfxgyapqla.exe
1⤵
PID:6052
- C:\Windows\apfgxoeztqfxgyapqla.exe
  apfgxoeztqfxgyapqla.exe
  2⤵
  PID:3856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nduwogxtomcvfybrtpfw.exe .
1⤵
PID:3644
- C:\Windows\nduwogxtomcvfybrtpfw.exe
  nduwogxtomcvfybrtpfw.exe .
  2⤵
  PID:5484
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\nduwogxtomcvfybrtpfw.exe*."
    3⤵
    PID:6032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe
1⤵
PID:4028
- C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe
  C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe
  2⤵
  PID:3980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe .
1⤵
PID:1832
- C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe
  C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe .
  2⤵
  PID:5948
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\pdssiynhawkbjabppj.exe*."
    3⤵
    PID:5628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctlohasplkbvgaevyvmeh.exe
1⤵
PID:5304
- C:\Windows\ctlohasplkbvgaevyvmeh.exe
  ctlohasplkbvgaevyvmeh.exe
  2⤵
  PID:3712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gthgvkyrjerhoeerq.exe .
1⤵
PID:2604
- C:\Windows\gthgvkyrjerhoeerq.exe
  gthgvkyrjerhoeerq.exe .
  2⤵
  PID:4056
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\gthgvkyrjerhoeerq.exe*."
    3⤵
    PID:1008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe
1⤵
PID:1164
- C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe
  C:\Users\Admin\AppData\Local\Temp\ctlohasplkbvgaevyvmeh.exe
  2⤵
  PID:4064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gthgvkyrjerhoeerq.exe
1⤵
PID:4608
- C:\Windows\gthgvkyrjerhoeerq.exe
  gthgvkyrjerhoeerq.exe
  2⤵
  PID:3232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe .
1⤵
PID:5404
- C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe
  C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe .
  2⤵
  PID:2720
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\pdssiynhawkbjabppj.exe*."
    3⤵
    PID:5376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gthgvkyrjerhoeerq.exe
1⤵
PID:1948
- C:\Windows\gthgvkyrjerhoeerq.exe
  gthgvkyrjerhoeerq.exe
  2⤵
  PID:2596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gthgvkyrjerhoeerq.exe .
1⤵
PID:3256
- C:\Windows\gthgvkyrjerhoeerq.exe
  gthgvkyrjerhoeerq.exe .
  2⤵
  PID:2892
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\gthgvkyrjerhoeerq.exe*."
    3⤵
    PID:264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctlohasplkbvgaevyvmeh.exe .
1⤵
PID:4812
- C:\Windows\ctlohasplkbvgaevyvmeh.exe
  ctlohasplkbvgaevyvmeh.exe .
  2⤵
  PID:4004
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\ctlohasplkbvgaevyvmeh.exe*."
    3⤵
    PID:2344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
1⤵
PID:2560
- C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
  C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
  2⤵
  PID:2140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdssiynhawkbjabppj.exe
1⤵
PID:392
- C:\Windows\pdssiynhawkbjabppj.exe
  pdssiynhawkbjabppj.exe
  2⤵
  PID:5128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe .
1⤵
PID:4308
- C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe
  C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe .
  2⤵
  PID:2012
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\zlywkylduoapvkjv.exe*."
    3⤵
    PID:3260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nduwogxtomcvfybrtpfw.exe .
1⤵
PID:5824
- C:\Windows\nduwogxtomcvfybrtpfw.exe
  nduwogxtomcvfybrtpfw.exe .
  2⤵
  PID:4516
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\nduwogxtomcvfybrtpfw.exe*."
    3⤵
    PID:3948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
1⤵
PID:4256
- C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
  C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
  2⤵
  PID:5916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe .
1⤵
PID:5096
- C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe
  C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe .
  2⤵
  PID:4992
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\zlywkylduoapvkjv.exe*."
    3⤵
    PID:4460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
1⤵
PID:4704
- C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
  C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
  2⤵
  PID:2180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe .
1⤵
PID:4024
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3744
- C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe
  C:\Users\Admin\AppData\Local\Temp\zlywkylduoapvkjv.exe .
  2⤵
  PID:4496
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\zlywkylduoapvkjv.exe*."
    3⤵
    PID:4952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe
1⤵
PID:748
- C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe
  C:\Users\Admin\AppData\Local\Temp\pdssiynhawkbjabppj.exe
  2⤵
  PID:5228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdssiynhawkbjabppj.exe
1⤵
PID:4404
- C:\Windows\pdssiynhawkbjabppj.exe
  pdssiynhawkbjabppj.exe
  2⤵
  PID:5044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe .
1⤵
PID:2260
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4272
- C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
  C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe .
  2⤵
  PID:5068
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\gthgvkyrjerhoeerq.exe*."
    3⤵
    PID:2656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gthgvkyrjerhoeerq.exe .
1⤵
PID:1692
- C:\Windows\gthgvkyrjerhoeerq.exe
  gthgvkyrjerhoeerq.exe .
  2⤵
  PID:6000
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\gthgvkyrjerhoeerq.exe*."
    3⤵
    PID:2128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nduwogxtomcvfybrtpfw.exe
1⤵
PID:5200
- C:\Windows\nduwogxtomcvfybrtpfw.exe
  nduwogxtomcvfybrtpfw.exe
  2⤵
  PID:3740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nduwogxtomcvfybrtpfw.exe .
1⤵
PID:684
- C:\Windows\nduwogxtomcvfybrtpfw.exe
  nduwogxtomcvfybrtpfw.exe .
  2⤵
  PID:2304
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\nduwogxtomcvfybrtpfw.exe*."
    3⤵
    PID:5984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
1⤵
PID:5276
- C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
  C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
  2⤵
  PID:5624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe .
1⤵
PID:5940
- C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe
  C:\Users\Admin\AppData\Local\Temp\apfgxoeztqfxgyapqla.exe .
  2⤵
  PID:640
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\apfgxoeztqfxgyapqla.exe*."
    3⤵
    PID:3140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
1⤵
PID:2004
- C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
  C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
  2⤵
  PID:1020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe .
1⤵
PID:1400
- C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe
  C:\Users\Admin\AppData\Local\Temp\gthgvkyrjerhoeerq.exe .
  2⤵
  PID:1620
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\users\admin\appdata\local\temp\gthgvkyrjerhoeerq.exe*."
    3⤵
    PID:428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gthgvkyrjerhoeerq.exe
1⤵
PID:64
- C:\Windows\gthgvkyrjerhoeerq.exe
  gthgvkyrjerhoeerq.exe
  2⤵
  PID:5360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdssiynhawkbjabppj.exe .
1⤵
PID:4696
- C:\Windows\pdssiynhawkbjabppj.exe
  pdssiynhawkbjabppj.exe .
  2⤵
  PID:808
- - C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe
    "C:\Users\Admin\AppData\Local\Temp\vcmnxryrfmw.exe" "c:\windows\pdssiynhawkbjabppj.exe*."
    3⤵
    PID:5572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gthgvkyrjerhoeerq.exe
1⤵
PID:4524
- C:\Windows\gthgvkyrjerhoeerq.exe
  gthgvkyrjerhoeerq.exe
  2⤵
  PID:2600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gthgvkyrjerhoeerq.exe .
1⤵
PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Safe Mode Boot

T1562.009

Modify Registry