pykspa | a6afc8a42ff96ee7f475419b54cf84f7ac1296c7cfbea713ab6886fb5a387e29

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	cgmvvkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	cgmvvkl.exe

Pykspa
Pykspa is a worm spreads via Skype uses DGA and it's written in C++.
worm pykspa
Pykspa family
pykspa

UAC bypass 3 TTPs 21 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cgmvvkl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	cgmvvkl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	cgmvvkl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cgmvvkl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cgmvvkl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cgmvvkl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cgmvvkl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cgmvvkl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe

Detect Pykspa worm 2 IoCs

worm

resource	yara_rule
behavioral2/files/0x0036000000023f70-4.dat	family_pykspa
behavioral2/files/0x000a00000002412c-84.dat	family_pykspa

Adds policy Run key to start application 2 TTPs 42 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\psxfes = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iwmfpozqfaahcyhsl.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\psxfes = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rgxrccogwstbxueqkj.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\psxfes = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pgzvikyskilvtsesoplc.exe"	cgmvvkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\psxfes = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pgzvikyskilvtsesoplc.exe"	cgmvvkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iowhjadmt = "pgzvikyskilvtsesoplc.exe"	cgmvvkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\psxfes = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bodvecmcqkjpjemw.exe"	cgmvvkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iowhjadmt = "pgzvikyskilvtsesoplc.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iowhjadmt = "bodvecmcqkjpjemw.exe"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\psxfes = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bodvecmcqkjpjemw.exe"	cgmvvkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\psxfes = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cskfrsfypmoxusdqllg.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iowhjadmt = "pgzvikyskilvtsesoplc.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\psxfes = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ewqnbetohgkvuuhwtvske.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\psxfes = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pgzvikyskilvtsesoplc.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\psxfes = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pgzvikyskilvtsesoplc.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iowhjadmt = "iwmfpozqfaahcyhsl.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iowhjadmt = "cskfrsfypmoxusdqllg.exe"	cgmvvkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iowhjadmt = "rgxrccogwstbxueqkj.exe"	cgmvvkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iowhjadmt = "pgzvikyskilvtsesoplc.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iowhjadmt = "rgxrccogwstbxueqkj.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iowhjadmt = "bodvecmcqkjpjemw.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\psxfes = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rgxrccogwstbxueqkj.exe"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	cgmvvkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	cgmvvkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\psxfes = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ewqnbetohgkvuuhwtvske.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\psxfes = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cskfrsfypmoxusdqllg.exe"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iowhjadmt = "iwmfpozqfaahcyhsl.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iowhjadmt = "bodvecmcqkjpjemw.exe"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\psxfes = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iwmfpozqfaahcyhsl.exe"	cgmvvkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iowhjadmt = "ewqnbetohgkvuuhwtvske.exe"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iowhjadmt = "iwmfpozqfaahcyhsl.exe"	cgmvvkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\psxfes = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bodvecmcqkjpjemw.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iowhjadmt = "rgxrccogwstbxueqkj.exe"	cgmvvkl.exe

Disables RegEdit via registry modification 6 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	abqgjobtkla.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cgmvvkl.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cgmvvkl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cgmvvkl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cgmvvkl.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	rgxrccogwstbxueqkj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	cskfrsfypmoxusdqllg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	rgxrccogwstbxueqkj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	abqgjobtkla.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	bodvecmcqkjpjemw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	rgxrccogwstbxueqkj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	iwmfpozqfaahcyhsl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	cskfrsfypmoxusdqllg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ewqnbetohgkvuuhwtvske.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	bodvecmcqkjpjemw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	bodvecmcqkjpjemw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	cskfrsfypmoxusdqllg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	bodvecmcqkjpjemw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	bodvecmcqkjpjemw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ewqnbetohgkvuuhwtvske.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	rgxrccogwstbxueqkj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	iwmfpozqfaahcyhsl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	cskfrsfypmoxusdqllg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ewqnbetohgkvuuhwtvske.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	cskfrsfypmoxusdqllg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	rgxrccogwstbxueqkj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	pgzvikyskilvtsesoplc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	iwmfpozqfaahcyhsl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ewqnbetohgkvuuhwtvske.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	pgzvikyskilvtsesoplc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ewqnbetohgkvuuhwtvske.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ewqnbetohgkvuuhwtvske.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	iwmfpozqfaahcyhsl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	cskfrsfypmoxusdqllg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	rgxrccogwstbxueqkj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	rgxrccogwstbxueqkj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	pgzvikyskilvtsesoplc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	rgxrccogwstbxueqkj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	bodvecmcqkjpjemw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	bodvecmcqkjpjemw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	rgxrccogwstbxueqkj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	bodvecmcqkjpjemw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	iwmfpozqfaahcyhsl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	bodvecmcqkjpjemw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	pgzvikyskilvtsesoplc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	iwmfpozqfaahcyhsl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	iwmfpozqfaahcyhsl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	rgxrccogwstbxueqkj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	pgzvikyskilvtsesoplc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	bodvecmcqkjpjemw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	pgzvikyskilvtsesoplc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	cskfrsfypmoxusdqllg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	iwmfpozqfaahcyhsl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ewqnbetohgkvuuhwtvske.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	pgzvikyskilvtsesoplc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	JaffaCakes118_89d19bf090f579e04d66ee3035fe64dd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	rgxrccogwstbxueqkj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	bodvecmcqkjpjemw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	rgxrccogwstbxueqkj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	cskfrsfypmoxusdqllg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ewqnbetohgkvuuhwtvske.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	bodvecmcqkjpjemw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	rgxrccogwstbxueqkj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	bodvecmcqkjpjemw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	cskfrsfypmoxusdqllg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	cskfrsfypmoxusdqllg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	iwmfpozqfaahcyhsl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	cskfrsfypmoxusdqllg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	pgzvikyskilvtsesoplc.exe

Executes dropped EXE 64 IoCs

pid	Process
3756	abqgjobtkla.exe
2492	pgzvikyskilvtsesoplc.exe
4880	rgxrccogwstbxueqkj.exe
2628	ewqnbetohgkvuuhwtvske.exe
5052	abqgjobtkla.exe
4720	rgxrccogwstbxueqkj.exe
1252	cskfrsfypmoxusdqllg.exe
1068	abqgjobtkla.exe
3200	ewqnbetohgkvuuhwtvske.exe
2876	abqgjobtkla.exe
3108	cskfrsfypmoxusdqllg.exe
3012	iwmfpozqfaahcyhsl.exe
4160	abqgjobtkla.exe
4864	cgmvvkl.exe
1180	cgmvvkl.exe
4168	iwmfpozqfaahcyhsl.exe
1276	cskfrsfypmoxusdqllg.exe
2844	bodvecmcqkjpjemw.exe
1464	ewqnbetohgkvuuhwtvske.exe
512	abqgjobtkla.exe
536	abqgjobtkla.exe
4536	bodvecmcqkjpjemw.exe
4804	bodvecmcqkjpjemw.exe
3164	pgzvikyskilvtsesoplc.exe
4792	iwmfpozqfaahcyhsl.exe
1428	iwmfpozqfaahcyhsl.exe
4272	iwmfpozqfaahcyhsl.exe
1416	cskfrsfypmoxusdqllg.exe
4032	pgzvikyskilvtsesoplc.exe
2036	cskfrsfypmoxusdqllg.exe
4632	abqgjobtkla.exe
4980	pgzvikyskilvtsesoplc.exe
3636	abqgjobtkla.exe
4848	abqgjobtkla.exe
2360	bodvecmcqkjpjemw.exe
2412	abqgjobtkla.exe
4260	cskfrsfypmoxusdqllg.exe
4776	ewqnbetohgkvuuhwtvske.exe
1936	cskfrsfypmoxusdqllg.exe
5088	abqgjobtkla.exe
1012	abqgjobtkla.exe
4804	rgxrccogwstbxueqkj.exe
2652	abqgjobtkla.exe
5012	rgxrccogwstbxueqkj.exe
3704	rgxrccogwstbxueqkj.exe
5052	abqgjobtkla.exe
3756	bodvecmcqkjpjemw.exe
4848	abqgjobtkla.exe
3772	cskfrsfypmoxusdqllg.exe
4260	rgxrccogwstbxueqkj.exe
640	abqgjobtkla.exe
3564	rgxrccogwstbxueqkj.exe
1700	cskfrsfypmoxusdqllg.exe
3652	abqgjobtkla.exe
364	bodvecmcqkjpjemw.exe
736	rgxrccogwstbxueqkj.exe
4676	pgzvikyskilvtsesoplc.exe
4552	pgzvikyskilvtsesoplc.exe
1464	rgxrccogwstbxueqkj.exe
2904	cskfrsfypmoxusdqllg.exe
1856	abqgjobtkla.exe
2412	bodvecmcqkjpjemw.exe
2280	abqgjobtkla.exe
4488	ewqnbetohgkvuuhwtvske.exe

Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	cgmvvkl.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	cgmvvkl.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	cgmvvkl.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	cgmvvkl.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	cgmvvkl.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	cgmvvkl.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

defense_evasion persistence privilege_escalation

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcnbgagscsnp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bodvecmcqkjpjemw.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cgmvvkl = "pgzvikyskilvtsesoplc.exe"	cgmvvkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cgmvvkl = "iwmfpozqfaahcyhsl.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcnbgagscsnp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bodvecmcqkjpjemw.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cgmvvkl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cskfrsfypmoxusdqllg.exe"	cgmvvkl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cgmvvkl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iwmfpozqfaahcyhsl.exe"	cgmvvkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cgmvvkl = "rgxrccogwstbxueqkj.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cgmvvkl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pgzvikyskilvtsesoplc.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cgmvvkl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iwmfpozqfaahcyhsl.exe"	cgmvvkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rwdnoego = "cskfrsfypmoxusdqllg.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\weobfydoxmg = "bodvecmcqkjpjemw.exe ."	cgmvvkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cgmvvkl = "cskfrsfypmoxusdqllg.exe"	cgmvvkl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cgmvvkl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cskfrsfypmoxusdqllg.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\birdgycmui = "bodvecmcqkjpjemw.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rwdnoego = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ewqnbetohgkvuuhwtvske.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cgmvvkl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rgxrccogwstbxueqkj.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rwdnoego = "ewqnbetohgkvuuhwtvske.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcnbgagscsnp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rgxrccogwstbxueqkj.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcnbgagscsnp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ewqnbetohgkvuuhwtvske.exe ."	cgmvvkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rwdnoego = "rgxrccogwstbxueqkj.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rwdnoego = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bodvecmcqkjpjemw.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cgmvvkl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cskfrsfypmoxusdqllg.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcnbgagscsnp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ewqnbetohgkvuuhwtvske.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cgmvvkl = "pgzvikyskilvtsesoplc.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\weobfydoxmg = "iwmfpozqfaahcyhsl.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rwdnoego = "ewqnbetohgkvuuhwtvske.exe ."	cgmvvkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cgmvvkl = "rgxrccogwstbxueqkj.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\weobfydoxmg = "bodvecmcqkjpjemw.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rwdnoego = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pgzvikyskilvtsesoplc.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\birdgycmui = "cskfrsfypmoxusdqllg.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cgmvvkl = "cskfrsfypmoxusdqllg.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rwdnoego = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iwmfpozqfaahcyhsl.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rwdnoego = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pgzvikyskilvtsesoplc.exe ."	cgmvvkl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rwdnoego = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rgxrccogwstbxueqkj.exe ."	cgmvvkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rwdnoego = "cskfrsfypmoxusdqllg.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\scodjelyjawzq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ewqnbetohgkvuuhwtvske.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\weobfydoxmg = "cskfrsfypmoxusdqllg.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\weobfydoxmg = "rgxrccogwstbxueqkj.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcnbgagscsnp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pgzvikyskilvtsesoplc.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcnbgagscsnp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cskfrsfypmoxusdqllg.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\weobfydoxmg = "cskfrsfypmoxusdqllg.exe ."	cgmvvkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rwdnoego = "rgxrccogwstbxueqkj.exe ."	cgmvvkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cgmvvkl = "cskfrsfypmoxusdqllg.exe"	cgmvvkl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\birdgycmui = "ewqnbetohgkvuuhwtvske.exe"	cgmvvkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\scodjelyjawzq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ewqnbetohgkvuuhwtvske.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cgmvvkl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cskfrsfypmoxusdqllg.exe"	cgmvvkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\scodjelyjawzq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rgxrccogwstbxueqkj.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\weobfydoxmg = "pgzvikyskilvtsesoplc.exe ."	cgmvvkl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cgmvvkl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cskfrsfypmoxusdqllg.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rwdnoego = "cskfrsfypmoxusdqllg.exe ."	cgmvvkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcnbgagscsnp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rgxrccogwstbxueqkj.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\birdgycmui = "rgxrccogwstbxueqkj.exe"	cgmvvkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcnbgagscsnp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iwmfpozqfaahcyhsl.exe ."	cgmvvkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rwdnoego = "bodvecmcqkjpjemw.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rwdnoego = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cskfrsfypmoxusdqllg.exe ."	cgmvvkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\scodjelyjawzq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rgxrccogwstbxueqkj.exe"	cgmvvkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcnbgagscsnp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bodvecmcqkjpjemw.exe ."	cgmvvkl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\birdgycmui = "pgzvikyskilvtsesoplc.exe"	cgmvvkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\scodjelyjawzq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pgzvikyskilvtsesoplc.exe"	cgmvvkl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\weobfydoxmg = "rgxrccogwstbxueqkj.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\weobfydoxmg = "bodvecmcqkjpjemw.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcnbgagscsnp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pgzvikyskilvtsesoplc.exe ."	cgmvvkl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rwdnoego = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bodvecmcqkjpjemw.exe ."	cgmvvkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cgmvvkl = "pgzvikyskilvtsesoplc.exe"	abqgjobtkla.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cgmvvkl.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abqgjobtkla.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abqgjobtkla.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abqgjobtkla.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cgmvvkl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abqgjobtkla.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cgmvvkl.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cgmvvkl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe

Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs

Possible Turn off User Account Control's privilege elevation for standard users.

Executable Installer File Permissions Weakness

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	cgmvvkl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	cgmvvkl.exe

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
27	whatismyip.everdot.org
28	www.showmyipaddress.com
30	whatismyipaddress.com
35	www.whatismyip.ca
43	www.whatismyip.ca
47	whatismyip.everdot.org

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\rgxrccogwstbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\iwmfpozqfaahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\cskfrsfypmoxusdqllg.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\pgzvikyskilvtsesoplc.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\bodvecmcqkjpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\pgzvikyskilvtsesoplc.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\rgxrccogwstbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\iwmfpozqfaahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\pgzvikyskilvtsesoplc.exe	cgmvvkl.exe
File opened for modification	C:\Windows\SysWOW64\ewqnbetohgkvuuhwtvske.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\bodvecmcqkjpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\cskfrsfypmoxusdqllg.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\rgxrccogwstbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\vojhwaqmgglxxymcadbupn.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\pgzvikyskilvtsesoplc.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\rgxrccogwstbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\bodvecmcqkjpjemw.exe	cgmvvkl.exe
File opened for modification	C:\Windows\SysWOW64\iwmfpozqfaahcyhsl.exe	cgmvvkl.exe
File opened for modification	C:\Windows\SysWOW64\rgxrccogwstbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\pgzvikyskilvtsesoplc.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ewqnbetohgkvuuhwtvske.exe	cgmvvkl.exe
File opened for modification	C:\Windows\SysWOW64\geehbkfgfkulqwpknvywwzt.xyx	cgmvvkl.exe
File opened for modification	C:\Windows\SysWOW64\rgxrccogwstbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\pgzvikyskilvtsesoplc.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\iwmfpozqfaahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\vojhwaqmgglxxymcadbupn.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\tcnbgagscsnpfwagunbkvjoioakavxneio.vjs	cgmvvkl.exe
File opened for modification	C:\Windows\SysWOW64\vojhwaqmgglxxymcadbupn.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\rgxrccogwstbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\vojhwaqmgglxxymcadbupn.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\rgxrccogwstbxueqkj.exe	cgmvvkl.exe
File opened for modification	C:\Windows\SysWOW64\bodvecmcqkjpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\bodvecmcqkjpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ewqnbetohgkvuuhwtvske.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\cskfrsfypmoxusdqllg.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ewqnbetohgkvuuhwtvske.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\vojhwaqmgglxxymcadbupn.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ewqnbetohgkvuuhwtvske.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\rgxrccogwstbxueqkj.exe	cgmvvkl.exe
File opened for modification	C:\Windows\SysWOW64\cskfrsfypmoxusdqllg.exe	cgmvvkl.exe
File opened for modification	C:\Windows\SysWOW64\ewqnbetohgkvuuhwtvske.exe	cgmvvkl.exe
File opened for modification	C:\Windows\SysWOW64\vojhwaqmgglxxymcadbupn.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\vojhwaqmgglxxymcadbupn.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\cskfrsfypmoxusdqllg.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\iwmfpozqfaahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\iwmfpozqfaahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\iwmfpozqfaahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\vojhwaqmgglxxymcadbupn.exe	cgmvvkl.exe
File created	C:\Windows\SysWOW64\tcnbgagscsnpfwagunbkvjoioakavxneio.vjs	cgmvvkl.exe
File opened for modification	C:\Windows\SysWOW64\pgzvikyskilvtsesoplc.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\bodvecmcqkjpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\cskfrsfypmoxusdqllg.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\vojhwaqmgglxxymcadbupn.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\bodvecmcqkjpjemw.exe	cgmvvkl.exe
File opened for modification	C:\Windows\SysWOW64\rgxrccogwstbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ewqnbetohgkvuuhwtvske.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\iwmfpozqfaahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\cskfrsfypmoxusdqllg.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\pgzvikyskilvtsesoplc.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ewqnbetohgkvuuhwtvske.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\pgzvikyskilvtsesoplc.exe	cgmvvkl.exe
File created	C:\Windows\SysWOW64\geehbkfgfkulqwpknvywwzt.xyx	cgmvvkl.exe
File opened for modification	C:\Windows\SysWOW64\bodvecmcqkjpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\cskfrsfypmoxusdqllg.exe	abqgjobtkla.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\geehbkfgfkulqwpknvywwzt.xyx	cgmvvkl.exe
File created	C:\Program Files (x86)\geehbkfgfkulqwpknvywwzt.xyx	cgmvvkl.exe
File opened for modification	C:\Program Files (x86)\tcnbgagscsnpfwagunbkvjoioakavxneio.vjs	cgmvvkl.exe
File created	C:\Program Files (x86)\tcnbgagscsnpfwagunbkvjoioakavxneio.vjs	cgmvvkl.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\cskfrsfypmoxusdqllg.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\bodvecmcqkjpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\pgzvikyskilvtsesoplc.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\pgzvikyskilvtsesoplc.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\rgxrccogwstbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\pgzvikyskilvtsesoplc.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\vojhwaqmgglxxymcadbupn.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ewqnbetohgkvuuhwtvske.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\cskfrsfypmoxusdqllg.exe	cgmvvkl.exe
File created	C:\Windows\geehbkfgfkulqwpknvywwzt.xyx	cgmvvkl.exe
File opened for modification	C:\Windows\ewqnbetohgkvuuhwtvske.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\iwmfpozqfaahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\pgzvikyskilvtsesoplc.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\vojhwaqmgglxxymcadbupn.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\cskfrsfypmoxusdqllg.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\pgzvikyskilvtsesoplc.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\cskfrsfypmoxusdqllg.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ewqnbetohgkvuuhwtvske.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ewqnbetohgkvuuhwtvske.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\iwmfpozqfaahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\bodvecmcqkjpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\vojhwaqmgglxxymcadbupn.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ewqnbetohgkvuuhwtvske.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ewqnbetohgkvuuhwtvske.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ewqnbetohgkvuuhwtvske.exe	cgmvvkl.exe
File opened for modification	C:\Windows\tcnbgagscsnpfwagunbkvjoioakavxneio.vjs	cgmvvkl.exe
File opened for modification	C:\Windows\bodvecmcqkjpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\rgxrccogwstbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\geehbkfgfkulqwpknvywwzt.xyx	cgmvvkl.exe
File opened for modification	C:\Windows\pgzvikyskilvtsesoplc.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\iwmfpozqfaahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ewqnbetohgkvuuhwtvske.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\cskfrsfypmoxusdqllg.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\bodvecmcqkjpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\iwmfpozqfaahcyhsl.exe	cgmvvkl.exe
File opened for modification	C:\Windows\pgzvikyskilvtsesoplc.exe	cgmvvkl.exe
File created	C:\Windows\tcnbgagscsnpfwagunbkvjoioakavxneio.vjs	cgmvvkl.exe
File opened for modification	C:\Windows\bodvecmcqkjpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\bodvecmcqkjpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\rgxrccogwstbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\rgxrccogwstbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\pgzvikyskilvtsesoplc.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\vojhwaqmgglxxymcadbupn.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\cskfrsfypmoxusdqllg.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\iwmfpozqfaahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\rgxrccogwstbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\iwmfpozqfaahcyhsl.exe	cgmvvkl.exe
File opened for modification	C:\Windows\ewqnbetohgkvuuhwtvske.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\bodvecmcqkjpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\iwmfpozqfaahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\rgxrccogwstbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\cskfrsfypmoxusdqllg.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\pgzvikyskilvtsesoplc.exe	cgmvvkl.exe
File opened for modification	C:\Windows\vojhwaqmgglxxymcadbupn.exe	cgmvvkl.exe
File opened for modification	C:\Windows\vojhwaqmgglxxymcadbupn.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\pgzvikyskilvtsesoplc.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\cskfrsfypmoxusdqllg.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\vojhwaqmgglxxymcadbupn.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\bodvecmcqkjpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ewqnbetohgkvuuhwtvske.exe	cgmvvkl.exe
File opened for modification	C:\Windows\rgxrccogwstbxueqkj.exe	cgmvvkl.exe
File opened for modification	C:\Windows\cskfrsfypmoxusdqllg.exe	cgmvvkl.exe
File opened for modification	C:\Windows\cskfrsfypmoxusdqllg.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\cskfrsfypmoxusdqllg.exe	abqgjobtkla.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bodvecmcqkjpjemw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cskfrsfypmoxusdqllg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bodvecmcqkjpjemw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rgxrccogwstbxueqkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cskfrsfypmoxusdqllg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rgxrccogwstbxueqkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bodvecmcqkjpjemw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ewqnbetohgkvuuhwtvske.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rgxrccogwstbxueqkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iwmfpozqfaahcyhsl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bodvecmcqkjpjemw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cskfrsfypmoxusdqllg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rgxrccogwstbxueqkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rgxrccogwstbxueqkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rgxrccogwstbxueqkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pgzvikyskilvtsesoplc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ewqnbetohgkvuuhwtvske.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iwmfpozqfaahcyhsl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ewqnbetohgkvuuhwtvske.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rgxrccogwstbxueqkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pgzvikyskilvtsesoplc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iwmfpozqfaahcyhsl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bodvecmcqkjpjemw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bodvecmcqkjpjemw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iwmfpozqfaahcyhsl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iwmfpozqfaahcyhsl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bodvecmcqkjpjemw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ewqnbetohgkvuuhwtvske.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cskfrsfypmoxusdqllg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rgxrccogwstbxueqkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iwmfpozqfaahcyhsl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ewqnbetohgkvuuhwtvske.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bodvecmcqkjpjemw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ewqnbetohgkvuuhwtvske.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cskfrsfypmoxusdqllg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cgmvvkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iwmfpozqfaahcyhsl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bodvecmcqkjpjemw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rgxrccogwstbxueqkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pgzvikyskilvtsesoplc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iwmfpozqfaahcyhsl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cskfrsfypmoxusdqllg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bodvecmcqkjpjemw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pgzvikyskilvtsesoplc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cskfrsfypmoxusdqllg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cskfrsfypmoxusdqllg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pgzvikyskilvtsesoplc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ewqnbetohgkvuuhwtvske.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cskfrsfypmoxusdqllg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cskfrsfypmoxusdqllg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bodvecmcqkjpjemw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rgxrccogwstbxueqkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rgxrccogwstbxueqkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pgzvikyskilvtsesoplc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rgxrccogwstbxueqkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bodvecmcqkjpjemw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cskfrsfypmoxusdqllg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iwmfpozqfaahcyhsl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rgxrccogwstbxueqkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pgzvikyskilvtsesoplc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abqgjobtkla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rgxrccogwstbxueqkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cskfrsfypmoxusdqllg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bodvecmcqkjpjemw.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

pid	Process
4640	JaffaCakes118_89d19bf090f579e04d66ee3035fe64dd.exe
4640	JaffaCakes118_89d19bf090f579e04d66ee3035fe64dd.exe
4640	JaffaCakes118_89d19bf090f579e04d66ee3035fe64dd.exe
4640	JaffaCakes118_89d19bf090f579e04d66ee3035fe64dd.exe
4640	JaffaCakes118_89d19bf090f579e04d66ee3035fe64dd.exe
4640	JaffaCakes118_89d19bf090f579e04d66ee3035fe64dd.exe
4640	JaffaCakes118_89d19bf090f579e04d66ee3035fe64dd.exe
4640	JaffaCakes118_89d19bf090f579e04d66ee3035fe64dd.exe
4640	JaffaCakes118_89d19bf090f579e04d66ee3035fe64dd.exe
4640	JaffaCakes118_89d19bf090f579e04d66ee3035fe64dd.exe
4640	JaffaCakes118_89d19bf090f579e04d66ee3035fe64dd.exe
4640	JaffaCakes118_89d19bf090f579e04d66ee3035fe64dd.exe
4640	JaffaCakes118_89d19bf090f579e04d66ee3035fe64dd.exe
4640	JaffaCakes118_89d19bf090f579e04d66ee3035fe64dd.exe
4640	JaffaCakes118_89d19bf090f579e04d66ee3035fe64dd.exe
4640	JaffaCakes118_89d19bf090f579e04d66ee3035fe64dd.exe
4864	cgmvvkl.exe
4864	cgmvvkl.exe
4640	JaffaCakes118_89d19bf090f579e04d66ee3035fe64dd.exe
4640	JaffaCakes118_89d19bf090f579e04d66ee3035fe64dd.exe
4640	JaffaCakes118_89d19bf090f579e04d66ee3035fe64dd.exe
4640	JaffaCakes118_89d19bf090f579e04d66ee3035fe64dd.exe
4640	JaffaCakes118_89d19bf090f579e04d66ee3035fe64dd.exe
4640	JaffaCakes118_89d19bf090f579e04d66ee3035fe64dd.exe
4640	JaffaCakes118_89d19bf090f579e04d66ee3035fe64dd.exe
4640	JaffaCakes118_89d19bf090f579e04d66ee3035fe64dd.exe
4640	JaffaCakes118_89d19bf090f579e04d66ee3035fe64dd.exe
4640	JaffaCakes118_89d19bf090f579e04d66ee3035fe64dd.exe
4640	JaffaCakes118_89d19bf090f579e04d66ee3035fe64dd.exe
4640	JaffaCakes118_89d19bf090f579e04d66ee3035fe64dd.exe
4640	JaffaCakes118_89d19bf090f579e04d66ee3035fe64dd.exe
4640	JaffaCakes118_89d19bf090f579e04d66ee3035fe64dd.exe
4640	JaffaCakes118_89d19bf090f579e04d66ee3035fe64dd.exe
4640	JaffaCakes118_89d19bf090f579e04d66ee3035fe64dd.exe
4640	JaffaCakes118_89d19bf090f579e04d66ee3035fe64dd.exe
4640	JaffaCakes118_89d19bf090f579e04d66ee3035fe64dd.exe
4640	JaffaCakes118_89d19bf090f579e04d66ee3035fe64dd.exe
4640	JaffaCakes118_89d19bf090f579e04d66ee3035fe64dd.exe
4640	JaffaCakes118_89d19bf090f579e04d66ee3035fe64dd.exe
4640	JaffaCakes118_89d19bf090f579e04d66ee3035fe64dd.exe
4640	JaffaCakes118_89d19bf090f579e04d66ee3035fe64dd.exe
4640	JaffaCakes118_89d19bf090f579e04d66ee3035fe64dd.exe
4640	JaffaCakes118_89d19bf090f579e04d66ee3035fe64dd.exe
4640	JaffaCakes118_89d19bf090f579e04d66ee3035fe64dd.exe
4640	JaffaCakes118_89d19bf090f579e04d66ee3035fe64dd.exe
4640	JaffaCakes118_89d19bf090f579e04d66ee3035fe64dd.exe
4640	JaffaCakes118_89d19bf090f579e04d66ee3035fe64dd.exe
4640	JaffaCakes118_89d19bf090f579e04d66ee3035fe64dd.exe
4640	JaffaCakes118_89d19bf090f579e04d66ee3035fe64dd.exe
4640	JaffaCakes118_89d19bf090f579e04d66ee3035fe64dd.exe
4640	JaffaCakes118_89d19bf090f579e04d66ee3035fe64dd.exe
4640	JaffaCakes118_89d19bf090f579e04d66ee3035fe64dd.exe
4864	cgmvvkl.exe
4864	cgmvvkl.exe
4640	JaffaCakes118_89d19bf090f579e04d66ee3035fe64dd.exe
4640	JaffaCakes118_89d19bf090f579e04d66ee3035fe64dd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4864	cgmvvkl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4640 wrote to memory of 3756	4640	JaffaCakes118_89d19bf090f579e04d66ee3035fe64dd.exe	91
PID 4640 wrote to memory of 3756	4640	JaffaCakes118_89d19bf090f579e04d66ee3035fe64dd.exe	91
PID 4640 wrote to memory of 3756	4640	JaffaCakes118_89d19bf090f579e04d66ee3035fe64dd.exe	91
PID 1404 wrote to memory of 2492	1404	cmd.exe	94
PID 1404 wrote to memory of 2492	1404	cmd.exe	94
PID 1404 wrote to memory of 2492	1404	cmd.exe	94
PID 1396 wrote to memory of 4880	1396	cmd.exe	97
PID 1396 wrote to memory of 4880	1396	cmd.exe	97
PID 1396 wrote to memory of 4880	1396	cmd.exe	97
PID 1320 wrote to memory of 2628	1320	cmd.exe	102
PID 1320 wrote to memory of 2628	1320	cmd.exe	102
PID 1320 wrote to memory of 2628	1320	cmd.exe	102
PID 4880 wrote to memory of 5052	4880	rgxrccogwstbxueqkj.exe	200
PID 4880 wrote to memory of 5052	4880	rgxrccogwstbxueqkj.exe	200
PID 4880 wrote to memory of 5052	4880	rgxrccogwstbxueqkj.exe	200
PID 2900 wrote to memory of 4720	2900	cmd.exe	106
PID 2900 wrote to memory of 4720	2900	cmd.exe	106
PID 2900 wrote to memory of 4720	2900	cmd.exe	106
PID 2704 wrote to memory of 1252	2704	cmd.exe	109
PID 2704 wrote to memory of 1252	2704	cmd.exe	109
PID 2704 wrote to memory of 1252	2704	cmd.exe	109
PID 4720 wrote to memory of 1068	4720	rgxrccogwstbxueqkj.exe	110
PID 4720 wrote to memory of 1068	4720	rgxrccogwstbxueqkj.exe	110
PID 4720 wrote to memory of 1068	4720	rgxrccogwstbxueqkj.exe	110
PID 4980 wrote to memory of 3200	4980	cmd.exe	111
PID 4980 wrote to memory of 3200	4980	cmd.exe	111
PID 4980 wrote to memory of 3200	4980	cmd.exe	111
PID 3200 wrote to memory of 2876	3200	ewqnbetohgkvuuhwtvske.exe	114
PID 3200 wrote to memory of 2876	3200	ewqnbetohgkvuuhwtvske.exe	114
PID 3200 wrote to memory of 2876	3200	ewqnbetohgkvuuhwtvske.exe	114
PID 1528 wrote to memory of 3108	1528	cmd.exe	117
PID 1528 wrote to memory of 3108	1528	cmd.exe	117
PID 1528 wrote to memory of 3108	1528	cmd.exe	117
PID 3268 wrote to memory of 3012	3268	cmd.exe	118
PID 3268 wrote to memory of 3012	3268	cmd.exe	118
PID 3268 wrote to memory of 3012	3268	cmd.exe	118
PID 3012 wrote to memory of 4160	3012	iwmfpozqfaahcyhsl.exe	177
PID 3012 wrote to memory of 4160	3012	iwmfpozqfaahcyhsl.exe	177
PID 3012 wrote to memory of 4160	3012	iwmfpozqfaahcyhsl.exe	177
PID 3756 wrote to memory of 4864	3756	abqgjobtkla.exe	122
PID 3756 wrote to memory of 4864	3756	abqgjobtkla.exe	122
PID 3756 wrote to memory of 4864	3756	abqgjobtkla.exe	122
PID 3756 wrote to memory of 1180	3756	abqgjobtkla.exe	123
PID 3756 wrote to memory of 1180	3756	abqgjobtkla.exe	123
PID 3756 wrote to memory of 1180	3756	abqgjobtkla.exe	123
PID 808 wrote to memory of 4168	808	cmd.exe	304
PID 808 wrote to memory of 4168	808	cmd.exe	304
PID 808 wrote to memory of 4168	808	cmd.exe	304
PID 1888 wrote to memory of 1276	1888	cmd.exe	312
PID 1888 wrote to memory of 1276	1888	cmd.exe	312
PID 1888 wrote to memory of 1276	1888	cmd.exe	312
PID 1912 wrote to memory of 2844	1912	cmd.exe	219
PID 1912 wrote to memory of 2844	1912	cmd.exe	219
PID 1912 wrote to memory of 2844	1912	cmd.exe	219
PID 4848 wrote to memory of 1464	4848	cmd.exe	238
PID 4848 wrote to memory of 1464	4848	cmd.exe	238
PID 4848 wrote to memory of 1464	4848	cmd.exe	238
PID 2844 wrote to memory of 512	2844	bodvecmcqkjpjemw.exe	154
PID 2844 wrote to memory of 512	2844	bodvecmcqkjpjemw.exe	154
PID 2844 wrote to memory of 512	2844	bodvecmcqkjpjemw.exe	154
PID 1464 wrote to memory of 536	1464	ewqnbetohgkvuuhwtvske.exe	155
PID 1464 wrote to memory of 536	1464	ewqnbetohgkvuuhwtvske.exe	155
PID 1464 wrote to memory of 536	1464	ewqnbetohgkvuuhwtvske.exe	155
PID 5016 wrote to memory of 4536	5016	cmd.exe	372

System policy modification 1 TTPs 54 IoCs

defense_evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cgmvvkl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	cgmvvkl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	cgmvvkl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	cgmvvkl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cgmvvkl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	cgmvvkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	cgmvvkl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	cgmvvkl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cgmvvkl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cgmvvkl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	cgmvvkl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cgmvvkl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cgmvvkl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cgmvvkl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cgmvvkl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	cgmvvkl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	cgmvvkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	cgmvvkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cgmvvkl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	cgmvvkl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	cgmvvkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cgmvvkl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	cgmvvkl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	cgmvvkl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_89d19bf090f579e04d66ee3035fe64dd.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_89d19bf090f579e04d66ee3035fe64dd.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4640
- C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
  "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_89d19bf090f579e04d66ee3035fe64dd.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Hijack Execution Flow: Executable Installer File Permissions Weakness
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3756
- - C:\Users\Admin\AppData\Local\Temp\cgmvvkl.exe
    "C:\Users\Admin\AppData\Local\Temp\cgmvvkl.exe" "-C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:4864
- - C:\Users\Admin\AppData\Local\Temp\cgmvvkl.exe
    "C:\Users\Admin\AppData\Local\Temp\cgmvvkl.exe" "-C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pgzvikyskilvtsesoplc.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Windows\pgzvikyskilvtsesoplc.exe
  pgzvikyskilvtsesoplc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rgxrccogwstbxueqkj.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:1396
- C:\Windows\rgxrccogwstbxueqkj.exe
  rgxrccogwstbxueqkj.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4880
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\rgxrccogwstbxueqkj.exe*."
    3⤵
    - Executes dropped EXE
    PID:5052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ewqnbetohgkvuuhwtvske.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Windows\ewqnbetohgkvuuhwtvske.exe
  ewqnbetohgkvuuhwtvske.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rgxrccogwstbxueqkj.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Windows\rgxrccogwstbxueqkj.exe
  rgxrccogwstbxueqkj.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4720
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\rgxrccogwstbxueqkj.exe*."
    3⤵
    - Executes dropped EXE
    PID:1068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe
  C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:4980
- C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
  C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3200
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ewqnbetohgkvuuhwtvske.exe*."
    3⤵
    - Executes dropped EXE
    PID:2876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe
  C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe
  2⤵
  - Executes dropped EXE
  PID:3108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:3268
- C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\iwmfpozqfaahcyhsl.exe*."
    3⤵
    - Executes dropped EXE
    PID:4160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iwmfpozqfaahcyhsl.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:808
- C:\Windows\iwmfpozqfaahcyhsl.exe
  iwmfpozqfaahcyhsl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cskfrsfypmoxusdqllg.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Windows\cskfrsfypmoxusdqllg.exe
  cskfrsfypmoxusdqllg.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ewqnbetohgkvuuhwtvske.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:4848
- C:\Windows\ewqnbetohgkvuuhwtvske.exe
  ewqnbetohgkvuuhwtvske.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1464
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ewqnbetohgkvuuhwtvske.exe*."
    3⤵
    - Executes dropped EXE
    PID:536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bodvecmcqkjpjemw.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Windows\bodvecmcqkjpjemw.exe
  bodvecmcqkjpjemw.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\bodvecmcqkjpjemw.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pgzvikyskilvtsesoplc.exe
1⤵
PID:5012
- C:\Windows\pgzvikyskilvtsesoplc.exe
  pgzvikyskilvtsesoplc.exe
  2⤵
  - Executes dropped EXE
  PID:3164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bodvecmcqkjpjemw.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5016
- C:\Windows\bodvecmcqkjpjemw.exe
  bodvecmcqkjpjemw.exe
  2⤵
  - Executes dropped EXE
  PID:4536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bodvecmcqkjpjemw.exe .
1⤵
PID:3888
- C:\Windows\bodvecmcqkjpjemw.exe
  bodvecmcqkjpjemw.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4804
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\bodvecmcqkjpjemw.exe*."
    3⤵
    - Executes dropped EXE
    PID:4632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cskfrsfypmoxusdqllg.exe .
1⤵
PID:1320
- C:\Windows\cskfrsfypmoxusdqllg.exe
  cskfrsfypmoxusdqllg.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1416
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\cskfrsfypmoxusdqllg.exe*."
    3⤵
    - Executes dropped EXE
    PID:3636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe
1⤵
PID:1108
- C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe
  2⤵
  - Executes dropped EXE
  PID:4272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe
1⤵
PID:640
- C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe
  C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe
  2⤵
  - Executes dropped EXE
  PID:4980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe .
1⤵
PID:4784
- C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1428
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\iwmfpozqfaahcyhsl.exe*."
    3⤵
    - Executes dropped EXE
    PID:4848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe .
1⤵
PID:4900
- C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe
  C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4032
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\pgzvikyskilvtsesoplc.exe*."
    3⤵
    - Executes dropped EXE
    PID:2412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe
1⤵
PID:4056
- C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe
  C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe
  2⤵
  - Executes dropped EXE
  PID:2036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe
1⤵
PID:2652
- C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe
  2⤵
  - Executes dropped EXE
  PID:4792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe .
1⤵
PID:848
- C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
  C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4776
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ewqnbetohgkvuuhwtvske.exe*."
    3⤵
    - Executes dropped EXE
    PID:1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe .
1⤵
PID:4256
- C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2360
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\bodvecmcqkjpjemw.exe*."
    3⤵
    - Executes dropped EXE
    PID:5088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cskfrsfypmoxusdqllg.exe
1⤵
PID:1784
- C:\Windows\cskfrsfypmoxusdqllg.exe
  cskfrsfypmoxusdqllg.exe
  2⤵
  - Executes dropped EXE
  PID:4260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cskfrsfypmoxusdqllg.exe .
1⤵
PID:4160
- C:\Windows\cskfrsfypmoxusdqllg.exe
  cskfrsfypmoxusdqllg.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1936
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\cskfrsfypmoxusdqllg.exe*."
    3⤵
    - Executes dropped EXE
    PID:2652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rgxrccogwstbxueqkj.exe
1⤵
PID:1240
- C:\Windows\rgxrccogwstbxueqkj.exe
  rgxrccogwstbxueqkj.exe
  2⤵
  - Executes dropped EXE
  PID:4804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rgxrccogwstbxueqkj.exe .
1⤵
PID:3172
- C:\Windows\rgxrccogwstbxueqkj.exe
  rgxrccogwstbxueqkj.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5012
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\rgxrccogwstbxueqkj.exe*."
    3⤵
    - Executes dropped EXE
    PID:5052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe
1⤵
PID:2628
- C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe .
1⤵
PID:1548
- C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3756
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\bodvecmcqkjpjemw.exe*."
    3⤵
    - Executes dropped EXE
    PID:4848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe
1⤵
PID:4396
- C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe
  C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe
  2⤵
  - Executes dropped EXE
  PID:3772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe .
1⤵
PID:3088
- C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4260
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\rgxrccogwstbxueqkj.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rgxrccogwstbxueqkj.exe
1⤵
PID:2872
- C:\Windows\rgxrccogwstbxueqkj.exe
  rgxrccogwstbxueqkj.exe
  2⤵
  - Executes dropped EXE
  PID:3564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cskfrsfypmoxusdqllg.exe .
1⤵
PID:2088
- C:\Windows\cskfrsfypmoxusdqllg.exe
  cskfrsfypmoxusdqllg.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1700
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\cskfrsfypmoxusdqllg.exe*."
    3⤵
    - Executes dropped EXE
    PID:3652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bodvecmcqkjpjemw.exe
1⤵
PID:1480
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2844
- C:\Windows\bodvecmcqkjpjemw.exe
  bodvecmcqkjpjemw.exe
  2⤵
  - Executes dropped EXE
  PID:364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pgzvikyskilvtsesoplc.exe
1⤵
PID:3964
- C:\Windows\pgzvikyskilvtsesoplc.exe
  pgzvikyskilvtsesoplc.exe
  2⤵
  - Executes dropped EXE
  PID:4676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rgxrccogwstbxueqkj.exe
1⤵
PID:4936
- C:\Windows\rgxrccogwstbxueqkj.exe
  rgxrccogwstbxueqkj.exe
  2⤵
  - Executes dropped EXE
  PID:736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pgzvikyskilvtsesoplc.exe .
1⤵
PID:2700
- C:\Windows\pgzvikyskilvtsesoplc.exe
  pgzvikyskilvtsesoplc.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4552
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\pgzvikyskilvtsesoplc.exe*."
    3⤵
    - Executes dropped EXE
    PID:1856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rgxrccogwstbxueqkj.exe .
1⤵
PID:5036
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4804
- C:\Windows\rgxrccogwstbxueqkj.exe
  rgxrccogwstbxueqkj.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1464
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\rgxrccogwstbxueqkj.exe*."
    3⤵
    - Executes dropped EXE
    PID:2280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
1⤵
PID:5100
- C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
  C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
  2⤵
  - Executes dropped EXE
  PID:4488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cskfrsfypmoxusdqllg.exe .
1⤵
PID:4840
- C:\Windows\cskfrsfypmoxusdqllg.exe
  cskfrsfypmoxusdqllg.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2904
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\cskfrsfypmoxusdqllg.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe .
1⤵
PID:4704
- C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2412
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\bodvecmcqkjpjemw.exe*."
    3⤵
    PID:2716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rgxrccogwstbxueqkj.exe
1⤵
PID:2804
- C:\Windows\rgxrccogwstbxueqkj.exe
  rgxrccogwstbxueqkj.exe
  2⤵
  PID:3700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iwmfpozqfaahcyhsl.exe
1⤵
PID:3184
- C:\Windows\iwmfpozqfaahcyhsl.exe
  iwmfpozqfaahcyhsl.exe
  2⤵
  PID:4668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iwmfpozqfaahcyhsl.exe .
1⤵
PID:5064
- C:\Windows\iwmfpozqfaahcyhsl.exe
  iwmfpozqfaahcyhsl.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1240
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\iwmfpozqfaahcyhsl.exe*."
    3⤵
    PID:4168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cskfrsfypmoxusdqllg.exe .
1⤵
PID:3636
- C:\Windows\cskfrsfypmoxusdqllg.exe
  cskfrsfypmoxusdqllg.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5076
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\cskfrsfypmoxusdqllg.exe*."
    3⤵
    PID:1848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe
1⤵
PID:4052
- C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe
  C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe
  2⤵
  PID:1820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe
1⤵
PID:4700
- C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe
  2⤵
  PID:2368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe
1⤵
PID:3248
- C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe
  C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe
  2⤵
  PID:3232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe .
1⤵
PID:4956
- C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1548
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\iwmfpozqfaahcyhsl.exe*."
    3⤵
    PID:1796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe .
1⤵
PID:1744
- C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1912
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\iwmfpozqfaahcyhsl.exe*."
    3⤵
    PID:2712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe .
1⤵
PID:1020
- C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3124
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\bodvecmcqkjpjemw.exe*."
    3⤵
    PID:2280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe
1⤵
PID:2948
- C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe
  C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe
  2⤵
  PID:5040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe
1⤵
PID:1896
- C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe
  2⤵
  PID:4656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe .
1⤵
PID:3736
- C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe
  C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4308
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\cskfrsfypmoxusdqllg.exe*."
    3⤵
    PID:4704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe .
1⤵
PID:2044
- C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:380
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\rgxrccogwstbxueqkj.exe*."
    3⤵
    PID:3172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iwmfpozqfaahcyhsl.exe
1⤵
PID:3036
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4272
- C:\Windows\iwmfpozqfaahcyhsl.exe
  iwmfpozqfaahcyhsl.exe
  2⤵
  PID:4044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ewqnbetohgkvuuhwtvske.exe .
1⤵
PID:2960
- C:\Windows\ewqnbetohgkvuuhwtvske.exe
  ewqnbetohgkvuuhwtvske.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1772
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ewqnbetohgkvuuhwtvske.exe*."
    3⤵
    PID:1856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bodvecmcqkjpjemw.exe
1⤵
PID:3032
- C:\Windows\bodvecmcqkjpjemw.exe
  bodvecmcqkjpjemw.exe
  2⤵
  PID:4172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cskfrsfypmoxusdqllg.exe .
1⤵
PID:2984
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4168
- C:\Windows\cskfrsfypmoxusdqllg.exe
  cskfrsfypmoxusdqllg.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3572
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\cskfrsfypmoxusdqllg.exe*."
    3⤵
    PID:1276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe
1⤵
PID:2264
- C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe
  2⤵
  PID:1888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe .
1⤵
PID:2036
- C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5032
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\bodvecmcqkjpjemw.exe*."
    3⤵
    PID:1880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe
1⤵
PID:5020
- C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe
  C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe
  2⤵
  PID:3404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe .
1⤵
PID:4560
- C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5040
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\rgxrccogwstbxueqkj.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rgxrccogwstbxueqkj.exe
1⤵
PID:4044
- C:\Windows\rgxrccogwstbxueqkj.exe
  rgxrccogwstbxueqkj.exe
  2⤵
  PID:3084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rgxrccogwstbxueqkj.exe .
1⤵
PID:4024
- C:\Windows\rgxrccogwstbxueqkj.exe
  rgxrccogwstbxueqkj.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4740
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\rgxrccogwstbxueqkj.exe*."
    3⤵
    PID:4484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pgzvikyskilvtsesoplc.exe
1⤵
PID:2652
- C:\Windows\pgzvikyskilvtsesoplc.exe
  pgzvikyskilvtsesoplc.exe
  2⤵
  PID:1576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bodvecmcqkjpjemw.exe .
1⤵
PID:396
- C:\Windows\bodvecmcqkjpjemw.exe
  bodvecmcqkjpjemw.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3428
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\bodvecmcqkjpjemw.exe*."
    3⤵
    PID:4900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe
1⤵
PID:2948
- C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe
  2⤵
  PID:3664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe .
1⤵
PID:2052
- C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3676
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\rgxrccogwstbxueqkj.exe*."
    3⤵
    PID:4668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe
1⤵
PID:2084
- C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe
  C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe
  2⤵
  PID:1888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe .
1⤵
PID:4676
- C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
  C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe .
  2⤵
  - Checks computer location settings
  PID:1124
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ewqnbetohgkvuuhwtvske.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cskfrsfypmoxusdqllg.exe
1⤵
PID:4168
- C:\Windows\cskfrsfypmoxusdqllg.exe
  cskfrsfypmoxusdqllg.exe
  2⤵
  PID:4404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iwmfpozqfaahcyhsl.exe .
1⤵
PID:1480
- C:\Windows\iwmfpozqfaahcyhsl.exe
  iwmfpozqfaahcyhsl.exe .
  2⤵
  - Checks computer location settings
  PID:3384
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\iwmfpozqfaahcyhsl.exe*."
    3⤵
    PID:3272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bodvecmcqkjpjemw.exe
1⤵
PID:3200
- C:\Windows\bodvecmcqkjpjemw.exe
  bodvecmcqkjpjemw.exe
  2⤵
  PID:4056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bodvecmcqkjpjemw.exe .
1⤵
PID:3564
- C:\Windows\bodvecmcqkjpjemw.exe
  bodvecmcqkjpjemw.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5052
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\bodvecmcqkjpjemw.exe*."
    3⤵
    PID:5088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe
1⤵
PID:3880
- C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe
  C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe
  2⤵
  PID:4756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe .
1⤵
PID:3536
- C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe
  C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:384
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\pgzvikyskilvtsesoplc.exe*."
    3⤵
    PID:4792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
1⤵
PID:5036
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4536
- C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
  C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
  2⤵
  PID:1744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe .
1⤵
PID:1528
- C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1108
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\iwmfpozqfaahcyhsl.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pgzvikyskilvtsesoplc.exe
1⤵
PID:3736
- C:\Windows\pgzvikyskilvtsesoplc.exe
  pgzvikyskilvtsesoplc.exe
  2⤵
  PID:3532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ewqnbetohgkvuuhwtvske.exe .
1⤵
PID:364
- C:\Windows\ewqnbetohgkvuuhwtvske.exe
  ewqnbetohgkvuuhwtvske.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2804
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ewqnbetohgkvuuhwtvske.exe*."
    3⤵
    PID:4936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cskfrsfypmoxusdqllg.exe
1⤵
PID:4632
- C:\Windows\cskfrsfypmoxusdqllg.exe
  cskfrsfypmoxusdqllg.exe
  2⤵
  PID:1416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iwmfpozqfaahcyhsl.exe .
1⤵
PID:1460
- C:\Windows\iwmfpozqfaahcyhsl.exe
  iwmfpozqfaahcyhsl.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:960
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\iwmfpozqfaahcyhsl.exe*."
    3⤵
    PID:2420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe
1⤵
PID:3772
- C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe
  2⤵
  PID:984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe .
1⤵
PID:736
- C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1860
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\rgxrccogwstbxueqkj.exe*."
    3⤵
    PID:4288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
1⤵
PID:4168
- C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
  C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
  2⤵
  PID:1592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe .
1⤵
PID:1096
- C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe
  C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe .
  2⤵
  - Checks computer location settings
  PID:1304
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\pgzvikyskilvtsesoplc.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iwmfpozqfaahcyhsl.exe
1⤵
PID:1188
- C:\Windows\iwmfpozqfaahcyhsl.exe
  iwmfpozqfaahcyhsl.exe
  2⤵
  PID:2360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bodvecmcqkjpjemw.exe .
1⤵
PID:2296
- C:\Windows\bodvecmcqkjpjemw.exe
  bodvecmcqkjpjemw.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4560
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\bodvecmcqkjpjemw.exe*."
    3⤵
    PID:2176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rgxrccogwstbxueqkj.exe
1⤵
PID:2424
- C:\Windows\rgxrccogwstbxueqkj.exe
  rgxrccogwstbxueqkj.exe
  2⤵
  PID:5096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bodvecmcqkjpjemw.exe .
1⤵
PID:4856
- C:\Windows\bodvecmcqkjpjemw.exe
  bodvecmcqkjpjemw.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4776
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\bodvecmcqkjpjemw.exe*."
    3⤵
    PID:2408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe
1⤵
PID:1928
- C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe
  2⤵
  PID:2652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe .
1⤵
PID:4684
- C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe
  C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:392
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\cskfrsfypmoxusdqllg.exe*."
    3⤵
    PID:3164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe
1⤵
PID:3188
- C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe
  2⤵
  PID:3232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe .
1⤵
PID:3264
- C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe
  C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2948
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\pgzvikyskilvtsesoplc.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pgzvikyskilvtsesoplc.exe
1⤵
PID:4960
- C:\Windows\pgzvikyskilvtsesoplc.exe
  pgzvikyskilvtsesoplc.exe
  2⤵
  PID:4052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cskfrsfypmoxusdqllg.exe .
1⤵
PID:3208
- C:\Windows\cskfrsfypmoxusdqllg.exe
  cskfrsfypmoxusdqllg.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1164
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\cskfrsfypmoxusdqllg.exe*."
    3⤵
    PID:1832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ewqnbetohgkvuuhwtvske.exe
1⤵
PID:1460
- C:\Windows\ewqnbetohgkvuuhwtvske.exe
  ewqnbetohgkvuuhwtvske.exe
  2⤵
  PID:4060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iwmfpozqfaahcyhsl.exe .
1⤵
PID:4780
- C:\Windows\iwmfpozqfaahcyhsl.exe
  iwmfpozqfaahcyhsl.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1132
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\iwmfpozqfaahcyhsl.exe*."
    3⤵
    PID:1824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe
1⤵
PID:3036
- C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe
  C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe
  2⤵
  PID:1880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe .
1⤵
PID:4396
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1912
- C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1344
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\rgxrccogwstbxueqkj.exe*."
    3⤵
    PID:1972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cskfrsfypmoxusdqllg.exe
1⤵
PID:1536
- C:\Windows\cskfrsfypmoxusdqllg.exe
  cskfrsfypmoxusdqllg.exe
  2⤵
  PID:4148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe
1⤵
PID:3260
- C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe
  C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe
  2⤵
  PID:3848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rgxrccogwstbxueqkj.exe
1⤵
PID:3320
- C:\Windows\rgxrccogwstbxueqkj.exe
  rgxrccogwstbxueqkj.exe
  2⤵
  PID:392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe .
1⤵
PID:5040
- C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4536
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\bodvecmcqkjpjemw.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rgxrccogwstbxueqkj.exe .
1⤵
PID:380
- C:\Windows\rgxrccogwstbxueqkj.exe
  rgxrccogwstbxueqkj.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4348
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\rgxrccogwstbxueqkj.exe*."
    3⤵
    PID:1848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rgxrccogwstbxueqkj.exe .
1⤵
PID:884
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2716
- C:\Windows\rgxrccogwstbxueqkj.exe
  rgxrccogwstbxueqkj.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4000
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\rgxrccogwstbxueqkj.exe*."
    3⤵
    PID:2888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iwmfpozqfaahcyhsl.exe
1⤵
PID:1756
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4484
- C:\Windows\iwmfpozqfaahcyhsl.exe
  iwmfpozqfaahcyhsl.exe
  2⤵
  PID:4244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pgzvikyskilvtsesoplc.exe .
1⤵
PID:2804
- C:\Windows\pgzvikyskilvtsesoplc.exe
  pgzvikyskilvtsesoplc.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1404
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\pgzvikyskilvtsesoplc.exe*."
    3⤵
    PID:4652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ewqnbetohgkvuuhwtvske.exe
1⤵
PID:3232
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1464
- C:\Windows\ewqnbetohgkvuuhwtvske.exe
  ewqnbetohgkvuuhwtvske.exe
  2⤵
  PID:5032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cskfrsfypmoxusdqllg.exe .
1⤵
PID:2052
- C:\Windows\cskfrsfypmoxusdqllg.exe
  cskfrsfypmoxusdqllg.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3880
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\cskfrsfypmoxusdqllg.exe*."
    3⤵
    PID:4536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe
1⤵
PID:4160
- C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe
  2⤵
  PID:2712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe .
1⤵
PID:2636
- C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
  C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe .
  2⤵
  - Checks computer location settings
  PID:2644
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ewqnbetohgkvuuhwtvske.exe*."
    3⤵
    PID:2508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe
1⤵
PID:2264
- C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe
  C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe
  2⤵
  PID:2968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe .
1⤵
PID:4932
- C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1396
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\bodvecmcqkjpjemw.exe*."
    3⤵
    PID:4568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe
1⤵
PID:3212
- C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe
  C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe
  2⤵
  PID:3312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ewqnbetohgkvuuhwtvske.exe
1⤵
PID:5048
- C:\Windows\ewqnbetohgkvuuhwtvske.exe
  ewqnbetohgkvuuhwtvske.exe
  2⤵
  PID:4760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe .
1⤵
PID:2808
- C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe
  C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2092
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\pgzvikyskilvtsesoplc.exe*."
    3⤵
    PID:3692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe
1⤵
PID:4904
- C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe
  2⤵
  PID:2556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe .
1⤵
PID:3520
- C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe
  C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4264
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\pgzvikyskilvtsesoplc.exe*."
    3⤵
    PID:1076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ewqnbetohgkvuuhwtvske.exe .
1⤵
PID:396
- C:\Windows\ewqnbetohgkvuuhwtvske.exe
  ewqnbetohgkvuuhwtvske.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:960
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ewqnbetohgkvuuhwtvske.exe*."
    3⤵
    PID:3740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cskfrsfypmoxusdqllg.exe
1⤵
PID:4244
- C:\Windows\cskfrsfypmoxusdqllg.exe
  cskfrsfypmoxusdqllg.exe
  2⤵
  PID:4032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cskfrsfypmoxusdqllg.exe .
1⤵
PID:2312
- C:\Windows\cskfrsfypmoxusdqllg.exe
  cskfrsfypmoxusdqllg.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3428
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\cskfrsfypmoxusdqllg.exe*."
    3⤵
    PID:3676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
1⤵
PID:1096
- C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
  C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
  2⤵
  PID:5032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe .
1⤵
PID:2876
- C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
  C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4684
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ewqnbetohgkvuuhwtvske.exe*."
    3⤵
    PID:3468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe
1⤵
PID:4160
- C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe
  2⤵
  PID:4044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe .
1⤵
PID:3848
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3384
- C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe
  C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe .
  2⤵
  PID:2512
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\cskfrsfypmoxusdqllg.exe*."
    3⤵
    PID:2176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pgzvikyskilvtsesoplc.exe
1⤵
PID:4272
- C:\Windows\pgzvikyskilvtsesoplc.exe
  pgzvikyskilvtsesoplc.exe
  2⤵
  PID:4660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pgzvikyskilvtsesoplc.exe .
1⤵
PID:264
- C:\Windows\pgzvikyskilvtsesoplc.exe
  pgzvikyskilvtsesoplc.exe .
  2⤵
  PID:3088
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\pgzvikyskilvtsesoplc.exe*."
    3⤵
    PID:3812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iwmfpozqfaahcyhsl.exe
1⤵
PID:4668
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1592
- C:\Windows\iwmfpozqfaahcyhsl.exe
  iwmfpozqfaahcyhsl.exe
  2⤵
  PID:2704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rgxrccogwstbxueqkj.exe .
1⤵
PID:1576
- C:\Windows\rgxrccogwstbxueqkj.exe
  rgxrccogwstbxueqkj.exe .
  2⤵
  PID:4904
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\rgxrccogwstbxueqkj.exe*."
    3⤵
    PID:2888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe
1⤵
PID:3564
- C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe
  C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe
  2⤵
  PID:3900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe .
1⤵
PID:2960
- C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe .
  2⤵
  PID:960
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\rgxrccogwstbxueqkj.exe*."
    3⤵
    PID:3520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe
1⤵
PID:808
- C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe
  2⤵
  PID:5032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe .
1⤵
PID:2104
- C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe .
  2⤵
  PID:1768
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\bodvecmcqkjpjemw.exe*."
    3⤵
    PID:2088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bodvecmcqkjpjemw.exe
1⤵
PID:3928
- C:\Windows\bodvecmcqkjpjemw.exe
  bodvecmcqkjpjemw.exe
  2⤵
  PID:3136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bodvecmcqkjpjemw.exe .
1⤵
PID:3020
- C:\Windows\bodvecmcqkjpjemw.exe
  bodvecmcqkjpjemw.exe .
  2⤵
  PID:2784
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\bodvecmcqkjpjemw.exe*."
    3⤵
    PID:3736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pgzvikyskilvtsesoplc.exe
1⤵
PID:4652
- C:\Windows\pgzvikyskilvtsesoplc.exe
  pgzvikyskilvtsesoplc.exe
  2⤵
  PID:4052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pgzvikyskilvtsesoplc.exe .
1⤵
PID:1772
- C:\Windows\pgzvikyskilvtsesoplc.exe
  pgzvikyskilvtsesoplc.exe .
  2⤵
  PID:4060
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\pgzvikyskilvtsesoplc.exe*."
    3⤵
    PID:380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe
1⤵
PID:5100
- C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe
  C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe
  2⤵
  PID:2872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe .
1⤵
PID:3088
- C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe
  C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe .
  2⤵
  PID:4656
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\cskfrsfypmoxusdqllg.exe*."
    3⤵
    PID:1320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe
1⤵
PID:1184
- C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe
  2⤵
  PID:1644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe .
1⤵
PID:1460
- C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe .
  2⤵
  PID:4572
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\rgxrccogwstbxueqkj.exe*."
    3⤵
    PID:5064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cskfrsfypmoxusdqllg.exe
1⤵
PID:2652
- C:\Windows\cskfrsfypmoxusdqllg.exe
  cskfrsfypmoxusdqllg.exe
  2⤵
  PID:2808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cskfrsfypmoxusdqllg.exe .
1⤵
PID:808
- C:\Windows\cskfrsfypmoxusdqllg.exe
  cskfrsfypmoxusdqllg.exe .
  2⤵
  PID:1768
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\cskfrsfypmoxusdqllg.exe*."
    3⤵
    PID:1640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bodvecmcqkjpjemw.exe
1⤵
PID:408
- C:\Windows\bodvecmcqkjpjemw.exe
  bodvecmcqkjpjemw.exe
  2⤵
  PID:1744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iwmfpozqfaahcyhsl.exe .
1⤵
PID:2388
- C:\Windows\iwmfpozqfaahcyhsl.exe
  iwmfpozqfaahcyhsl.exe .
  2⤵
  PID:3144
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\iwmfpozqfaahcyhsl.exe*."
    3⤵
    PID:5012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe
1⤵
PID:3376
- C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe
  C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe
  2⤵
  PID:2592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe .
1⤵
PID:2944
- C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
  C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe .
  2⤵
  PID:5060
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ewqnbetohgkvuuhwtvske.exe*."
    3⤵
    PID:2264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe
1⤵
PID:4896
- C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe
  C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe
  2⤵
  PID:2296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe .
1⤵
PID:3204
- C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe
  C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe .
  2⤵
  PID:4172
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\pgzvikyskilvtsesoplc.exe*."
    3⤵
    PID:2872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pgzvikyskilvtsesoplc.exe
1⤵
PID:5100
- C:\Windows\pgzvikyskilvtsesoplc.exe
  pgzvikyskilvtsesoplc.exe
  2⤵
  PID:1832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pgzvikyskilvtsesoplc.exe .
1⤵
PID:4160
- C:\Windows\pgzvikyskilvtsesoplc.exe
  pgzvikyskilvtsesoplc.exe .
  2⤵
  PID:1268
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\pgzvikyskilvtsesoplc.exe*."
    3⤵
    PID:1184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ewqnbetohgkvuuhwtvske.exe
1⤵
PID:1124
- C:\Windows\ewqnbetohgkvuuhwtvske.exe
  ewqnbetohgkvuuhwtvske.exe
  2⤵
  PID:2596

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:2360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iwmfpozqfaahcyhsl.exe .
1⤵
PID:1276
- C:\Windows\iwmfpozqfaahcyhsl.exe
  iwmfpozqfaahcyhsl.exe .
  2⤵
  PID:3184
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\iwmfpozqfaahcyhsl.exe*."
    3⤵
    PID:844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
1⤵
PID:3404
- C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
  C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
  2⤵
  PID:1576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe .
1⤵
PID:4936
- C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe .
  2⤵
  PID:720
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\iwmfpozqfaahcyhsl.exe*."
    3⤵
    PID:2712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe
1⤵
PID:2408
- C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe
  2⤵
  PID:868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe .
1⤵
PID:2116
- C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe .
  2⤵
  PID:1756
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\iwmfpozqfaahcyhsl.exe*."
    3⤵
    PID:2032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ewqnbetohgkvuuhwtvske.exe
1⤵
PID:4488
- C:\Windows\ewqnbetohgkvuuhwtvske.exe
  ewqnbetohgkvuuhwtvske.exe
  2⤵
  PID:1988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bodvecmcqkjpjemw.exe .
1⤵
PID:2944
- C:\Windows\bodvecmcqkjpjemw.exe
  bodvecmcqkjpjemw.exe .
  2⤵
  PID:1908
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\bodvecmcqkjpjemw.exe*."
    3⤵
    PID:2636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cskfrsfypmoxusdqllg.exe
1⤵
PID:4816
- C:\Windows\cskfrsfypmoxusdqllg.exe
  cskfrsfypmoxusdqllg.exe
  2⤵
  PID:264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iwmfpozqfaahcyhsl.exe .
1⤵
PID:1920
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4056
- C:\Windows\iwmfpozqfaahcyhsl.exe
  iwmfpozqfaahcyhsl.exe .
  2⤵
  PID:1772
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\iwmfpozqfaahcyhsl.exe*."
    3⤵
    PID:4956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
1⤵
PID:4264
- C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
  C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
  2⤵
  PID:2596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe .
1⤵
PID:848
- C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe
  C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe .
  2⤵
  PID:4960
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\cskfrsfypmoxusdqllg.exe*."
    3⤵
    PID:3692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe
1⤵
PID:4288
- C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe
  C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe
  2⤵
  PID:3924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe .
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
  C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe .
  2⤵
  PID:1076
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ewqnbetohgkvuuhwtvske.exe*."
    3⤵
    PID:3320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:2556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rgxrccogwstbxueqkj.exe
1⤵
PID:1824
- C:\Windows\rgxrccogwstbxueqkj.exe
  rgxrccogwstbxueqkj.exe
  2⤵
  PID:4964

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:3700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iwmfpozqfaahcyhsl.exe
1⤵
PID:1080
- C:\Windows\iwmfpozqfaahcyhsl.exe
  iwmfpozqfaahcyhsl.exe
  2⤵
  PID:1996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bodvecmcqkjpjemw.exe
1⤵
PID:2840
- C:\Windows\bodvecmcqkjpjemw.exe
  bodvecmcqkjpjemw.exe
  2⤵
  PID:4316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ewqnbetohgkvuuhwtvske.exe .
1⤵
PID:1464
- C:\Windows\ewqnbetohgkvuuhwtvske.exe
  ewqnbetohgkvuuhwtvske.exe .
  2⤵
  PID:4060
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ewqnbetohgkvuuhwtvske.exe*."
    3⤵
    PID:536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pgzvikyskilvtsesoplc.exe .
1⤵
PID:3736
- C:\Windows\pgzvikyskilvtsesoplc.exe
  pgzvikyskilvtsesoplc.exe .
  2⤵
  PID:700
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\pgzvikyskilvtsesoplc.exe*."
    3⤵
    PID:3212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rgxrccogwstbxueqkj.exe .
1⤵
PID:5052
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2280
- C:\Windows\rgxrccogwstbxueqkj.exe
  rgxrccogwstbxueqkj.exe .
  2⤵
  PID:1080
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\rgxrccogwstbxueqkj.exe*."
    3⤵
    PID:3188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bodvecmcqkjpjemw.exe
1⤵
PID:4168
- C:\Windows\bodvecmcqkjpjemw.exe
  bodvecmcqkjpjemw.exe
  2⤵
  PID:4840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ewqnbetohgkvuuhwtvske.exe
1⤵
PID:4676
- C:\Windows\ewqnbetohgkvuuhwtvske.exe
  ewqnbetohgkvuuhwtvske.exe
  2⤵
  PID:4252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ewqnbetohgkvuuhwtvske.exe .
1⤵
PID:4656
- C:\Windows\ewqnbetohgkvuuhwtvske.exe
  ewqnbetohgkvuuhwtvske.exe .
  2⤵
  PID:2412
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ewqnbetohgkvuuhwtvske.exe*."
    3⤵
    PID:5148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cskfrsfypmoxusdqllg.exe .
1⤵
PID:1772
- C:\Windows\cskfrsfypmoxusdqllg.exe
  cskfrsfypmoxusdqllg.exe .
  2⤵
  PID:4172
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\cskfrsfypmoxusdqllg.exe*."
    3⤵
    PID:1848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe
1⤵
PID:2704
- C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe
  2⤵
  PID:2388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iwmfpozqfaahcyhsl.exe
1⤵
PID:3268
- C:\Windows\iwmfpozqfaahcyhsl.exe
  iwmfpozqfaahcyhsl.exe
  2⤵
  PID:1920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe
1⤵
PID:2900
- C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe
  2⤵
  PID:2804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe .
1⤵
PID:1460
- C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
  C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe .
  2⤵
  PID:3740
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ewqnbetohgkvuuhwtvske.exe*."
    3⤵
    PID:5228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cskfrsfypmoxusdqllg.exe .
1⤵
PID:1240
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4288
- C:\Windows\cskfrsfypmoxusdqllg.exe
  cskfrsfypmoxusdqllg.exe .
  2⤵
  PID:4872
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\cskfrsfypmoxusdqllg.exe*."
    3⤵
    PID:5316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe .
1⤵
PID:812
- C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
  C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe .
  2⤵
  PID:4540
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ewqnbetohgkvuuhwtvske.exe*."
    3⤵
    PID:5428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe
1⤵
PID:3532
- C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe
  2⤵
  PID:4524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe .
1⤵
PID:4700
- C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
  C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe .
  2⤵
  PID:4812
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ewqnbetohgkvuuhwtvske.exe*."
    3⤵
    PID:5220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe
1⤵
PID:1548
- C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe
  2⤵
  PID:4896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe
1⤵
PID:2420
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4264
- C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe
  C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe
  2⤵
  PID:5164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe .
1⤵
PID:4024
- C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe .
  2⤵
  PID:3204
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\rgxrccogwstbxueqkj.exe*."
    3⤵
    PID:5348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe .
1⤵
PID:1068
- C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe .
  2⤵
  PID:5328
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\rgxrccogwstbxueqkj.exe*."
    3⤵
    PID:5544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe
1⤵
PID:4272
- C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe
  2⤵
  PID:5260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe .
1⤵
PID:2184
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1076
- C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe .
  2⤵
  PID:1728
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\rgxrccogwstbxueqkj.exe*."
    3⤵
    PID:5356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ewqnbetohgkvuuhwtvske.exe
1⤵
PID:5272
- C:\Windows\ewqnbetohgkvuuhwtvske.exe
  ewqnbetohgkvuuhwtvske.exe
  2⤵
  PID:5532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ewqnbetohgkvuuhwtvske.exe .
1⤵
PID:5460
- C:\Windows\ewqnbetohgkvuuhwtvske.exe
  ewqnbetohgkvuuhwtvske.exe .
  2⤵
  PID:5572
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ewqnbetohgkvuuhwtvske.exe*."
    3⤵
    PID:5676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cskfrsfypmoxusdqllg.exe
1⤵
PID:5596
- C:\Windows\cskfrsfypmoxusdqllg.exe
  cskfrsfypmoxusdqllg.exe
  2⤵
  PID:5704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ewqnbetohgkvuuhwtvske.exe .
1⤵
PID:5668
- C:\Windows\ewqnbetohgkvuuhwtvske.exe
  ewqnbetohgkvuuhwtvske.exe .
  2⤵
  PID:5796
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ewqnbetohgkvuuhwtvske.exe*."
    3⤵
    PID:5964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
1⤵
PID:5744
- C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
  C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
  2⤵
  PID:5928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe .
1⤵
PID:5844
- C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
  C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe .
  2⤵
  PID:5956
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ewqnbetohgkvuuhwtvske.exe*."
    3⤵
    PID:6024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
1⤵
PID:6056
- C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
  C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
  2⤵
  PID:6136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe .
1⤵
PID:6104
- C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe .
  2⤵
  PID:1848
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\bodvecmcqkjpjemw.exe*."
    3⤵
    PID:5136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rgxrccogwstbxueqkj.exe
1⤵
PID:408
- C:\Windows\rgxrccogwstbxueqkj.exe
  rgxrccogwstbxueqkj.exe
  2⤵
  PID:544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pgzvikyskilvtsesoplc.exe .
1⤵
PID:4148
- C:\Windows\pgzvikyskilvtsesoplc.exe
  pgzvikyskilvtsesoplc.exe .
  2⤵
  PID:848
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\pgzvikyskilvtsesoplc.exe*."
    3⤵
    PID:3268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bodvecmcqkjpjemw.exe
1⤵
PID:5268
- C:\Windows\bodvecmcqkjpjemw.exe
  bodvecmcqkjpjemw.exe
  2⤵
  PID:4780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iwmfpozqfaahcyhsl.exe .
1⤵
PID:4524
- C:\Windows\iwmfpozqfaahcyhsl.exe
  iwmfpozqfaahcyhsl.exe .
  2⤵
  PID:2844
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\iwmfpozqfaahcyhsl.exe*."
    3⤵
    PID:1888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe
1⤵
PID:5400
- C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe
  C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe
  2⤵
  PID:1192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe .
1⤵
PID:4300
- C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
  C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe .
  2⤵
  PID:5308
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ewqnbetohgkvuuhwtvske.exe*."
    3⤵
    PID:2472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe
1⤵
PID:4540
- C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe
  C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe
  2⤵
  PID:4712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe .
1⤵
PID:3312
- C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe .
  2⤵
  PID:4252
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\rgxrccogwstbxueqkj.exe*."
    3⤵
    PID:736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pgzvikyskilvtsesoplc.exe
1⤵
PID:4884
- C:\Windows\pgzvikyskilvtsesoplc.exe
  pgzvikyskilvtsesoplc.exe
  2⤵
  PID:1880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rgxrccogwstbxueqkj.exe .
1⤵
PID:4316
- C:\Windows\rgxrccogwstbxueqkj.exe
  rgxrccogwstbxueqkj.exe .
  2⤵
  PID:5440
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\rgxrccogwstbxueqkj.exe*."
    3⤵
    PID:5336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ewqnbetohgkvuuhwtvske.exe
1⤵
PID:5328
- C:\Windows\ewqnbetohgkvuuhwtvske.exe
  ewqnbetohgkvuuhwtvske.exe
  2⤵
  PID:700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rgxrccogwstbxueqkj.exe .
1⤵
PID:5364
- C:\Windows\rgxrccogwstbxueqkj.exe
  rgxrccogwstbxueqkj.exe .
  2⤵
  PID:5584
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\rgxrccogwstbxueqkj.exe*."
    3⤵
    PID:5480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe
1⤵
PID:5588
- C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe
  C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe
  2⤵
  PID:5516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe .
1⤵
PID:5656
- C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe .
  2⤵
  PID:5764
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\iwmfpozqfaahcyhsl.exe*."
    3⤵
    PID:5896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe
1⤵
PID:5916
- C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe
  C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe
  2⤵
  PID:5684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe .
1⤵
PID:5668
- C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe .
  2⤵
  PID:6036
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\rgxrccogwstbxueqkj.exe*."
    3⤵
    PID:5848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ewqnbetohgkvuuhwtvske.exe
1⤵
PID:4896
- C:\Windows\ewqnbetohgkvuuhwtvske.exe
  ewqnbetohgkvuuhwtvske.exe
  2⤵
  PID:804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iwmfpozqfaahcyhsl.exe .
1⤵
PID:1164
- C:\Windows\iwmfpozqfaahcyhsl.exe
  iwmfpozqfaahcyhsl.exe .
  2⤵
  PID:3812
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\iwmfpozqfaahcyhsl.exe*."
    3⤵
    PID:3740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ewqnbetohgkvuuhwtvske.exe
1⤵
PID:4684
- C:\Windows\ewqnbetohgkvuuhwtvske.exe
  ewqnbetohgkvuuhwtvske.exe
  2⤵
  PID:5220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rgxrccogwstbxueqkj.exe .
1⤵
PID:4476
- C:\Windows\rgxrccogwstbxueqkj.exe
  rgxrccogwstbxueqkj.exe .
  2⤵
  PID:3268
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\rgxrccogwstbxueqkj.exe*."
    3⤵
    PID:4560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe
1⤵
PID:2284
- C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe
  2⤵
  PID:2652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe .
1⤵
PID:4780
- C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
  C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe .
  2⤵
  PID:5096
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ewqnbetohgkvuuhwtvske.exe*."
    3⤵
    PID:5396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe
1⤵
PID:5316
- C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe
  2⤵
  PID:5408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe .
1⤵
PID:5244
- C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
  C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe .
  2⤵
  PID:1284
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ewqnbetohgkvuuhwtvske.exe*."
    3⤵
    PID:2116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ewqnbetohgkvuuhwtvske.exe
1⤵
PID:4936
- C:\Windows\ewqnbetohgkvuuhwtvske.exe
  ewqnbetohgkvuuhwtvske.exe
  2⤵
  PID:1744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iwmfpozqfaahcyhsl.exe .
1⤵
PID:5436
- C:\Windows\iwmfpozqfaahcyhsl.exe
  iwmfpozqfaahcyhsl.exe .
  2⤵
  PID:4448
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\iwmfpozqfaahcyhsl.exe*."
    3⤵
    PID:4260
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:1068
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:5768
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:6004
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:4228
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:5260
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:5968
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:2844
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:1888
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:2420
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:5232
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:5208
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:3216
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:5660
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:5636
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:5976
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:2784
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:3572
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:2092
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:5256
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:380
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:5716
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:5876
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:5332
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:5484
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:6096
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:4316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rgxrccogwstbxueqkj.exe
1⤵
PID:4572
- C:\Windows\rgxrccogwstbxueqkj.exe
  rgxrccogwstbxueqkj.exe
  2⤵
  PID:5568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cskfrsfypmoxusdqllg.exe .
1⤵
PID:5540
- C:\Windows\cskfrsfypmoxusdqllg.exe
  cskfrsfypmoxusdqllg.exe .
  2⤵
  PID:4876
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\cskfrsfypmoxusdqllg.exe*."
    3⤵
    PID:5632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
1⤵
PID:5532
- C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
  C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
  2⤵
  PID:5776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe .
1⤵
PID:700
- C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe
  C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe .
  2⤵
  PID:5864
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\pgzvikyskilvtsesoplc.exe*."
    3⤵
    PID:5932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
1⤵
PID:1068
- C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
  C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
  2⤵
  PID:3144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bqfeaplyykoxusdqllf.exe
1⤵
PID:5048
- C:\Windows\bqfeaplyykoxusdqllf.exe
  bqfeaplyykoxusdqllf.exe
  2⤵
  PID:5716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe .
1⤵
PID:5936
- C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe .
  2⤵
  PID:6040
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\bodvecmcqkjpjemw.exe*."
    3⤵
    PID:2364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oeuurhestglvtsesopka.exe .
1⤵
PID:5784
- C:\Windows\oeuurhestglvtsesopka.exe
  oeuurhestglvtsesopka.exe .
  2⤵
  PID:5700
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\oeuurhestglvtsesopka.exe*."
    3⤵
    PID:6080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qesqlzugfqtbxueqkj.exe
1⤵
PID:3864
- C:\Windows\qesqlzugfqtbxueqkj.exe
  qesqlzugfqtbxueqkj.exe
  2⤵
  PID:3572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qesqlzugfqtbxueqkj.exe .
1⤵
PID:804
- C:\Windows\qesqlzugfqtbxueqkj.exe
  qesqlzugfqtbxueqkj.exe .
  2⤵
  PID:4084
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\qesqlzugfqtbxueqkj.exe*."
    3⤵
    PID:4932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dulmkbzoqekvuuhwtvriz.exe
1⤵
PID:4168
- C:\Users\Admin\AppData\Local\Temp\dulmkbzoqekvuuhwtvriz.exe
  C:\Users\Admin\AppData\Local\Temp\dulmkbzoqekvuuhwtvriz.exe
  2⤵
  PID:4336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqfeaplyykoxusdqllf.exe .
1⤵
PID:3812
- C:\Users\Admin\AppData\Local\Temp\bqfeaplyykoxusdqllf.exe
  C:\Users\Admin\AppData\Local\Temp\bqfeaplyykoxusdqllf.exe .
  2⤵
  PID:4720
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\bqfeaplyykoxusdqllf.exe*."
    3⤵
    PID:4404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iwmfpozqfaahcyhsl.exe
1⤵
PID:2284
- C:\Windows\iwmfpozqfaahcyhsl.exe
  iwmfpozqfaahcyhsl.exe
  2⤵
  PID:5372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\huheylfqoyahcyhsl.exe
1⤵
PID:5280
- C:\Users\Admin\AppData\Local\Temp\huheylfqoyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\huheylfqoyahcyhsl.exe
  2⤵
  PID:2984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oeuurhestglvtsesopka.exe .
1⤵
PID:5268
- C:\Users\Admin\AppData\Local\Temp\oeuurhestglvtsesopka.exe
  C:\Users\Admin\AppData\Local\Temp\oeuurhestglvtsesopka.exe .
  2⤵
  PID:3964
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\oeuurhestglvtsesopka.exe*."
    3⤵
    PID:1460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cskfrsfypmoxusdqllg.exe .
1⤵
PID:5208
- C:\Windows\cskfrsfypmoxusdqllg.exe
  cskfrsfypmoxusdqllg.exe .
  2⤵
  PID:2960
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\cskfrsfypmoxusdqllg.exe*."
    3⤵
    PID:4300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bodvecmcqkjpjemw.exe
1⤵
PID:2844
- C:\Windows\bodvecmcqkjpjemw.exe
  bodvecmcqkjpjemw.exe
  2⤵
  PID:1996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cskfrsfypmoxusdqllg.exe .
1⤵
PID:5188
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1772
- C:\Windows\cskfrsfypmoxusdqllg.exe
  cskfrsfypmoxusdqllg.exe .
  2⤵
  PID:2424
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\cskfrsfypmoxusdqllg.exe*."
    3⤵
    PID:4764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe
1⤵
PID:4656
- C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe
  2⤵
  PID:3428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe .
1⤵
PID:3900
- C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe .
  2⤵
  PID:1644
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\bodvecmcqkjpjemw.exe*."
    3⤵
    PID:1240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rgxrccogwstbxueqkj.exe
1⤵
PID:2692
- C:\Windows\rgxrccogwstbxueqkj.exe
  rgxrccogwstbxueqkj.exe
  2⤵
  PID:5864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe
1⤵
PID:1768
- C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe
  2⤵
  PID:5968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe .
1⤵
PID:264
- C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe
  C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe .
  2⤵
  PID:5816
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\cskfrsfypmoxusdqllg.exe*."
    3⤵
    PID:2212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pgzvikyskilvtsesoplc.exe
1⤵
PID:4804
- C:\Windows\pgzvikyskilvtsesoplc.exe
  pgzvikyskilvtsesoplc.exe
  2⤵
  PID:3684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iwmfpozqfaahcyhsl.exe .
1⤵
PID:5696
- C:\Windows\iwmfpozqfaahcyhsl.exe
  iwmfpozqfaahcyhsl.exe .
  2⤵
  PID:5716
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\iwmfpozqfaahcyhsl.exe*."
    3⤵
    PID:5900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bodvecmcqkjpjemw.exe .
1⤵
PID:5464
- C:\Windows\bodvecmcqkjpjemw.exe
  bodvecmcqkjpjemw.exe .
  2⤵
  PID:3740
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\bodvecmcqkjpjemw.exe*."
    3⤵
    PID:5156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iwmfpozqfaahcyhsl.exe
1⤵
PID:5576
- C:\Windows\iwmfpozqfaahcyhsl.exe
  iwmfpozqfaahcyhsl.exe
  2⤵
  PID:4896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cskfrsfypmoxusdqllg.exe .
1⤵
PID:1956
- C:\Windows\cskfrsfypmoxusdqllg.exe
  cskfrsfypmoxusdqllg.exe .
  2⤵
  PID:6028
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\cskfrsfypmoxusdqllg.exe*."
    3⤵
    PID:5932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bodvecmcqkjpjemw.exe
1⤵
PID:5680
- C:\Windows\bodvecmcqkjpjemw.exe
  bodvecmcqkjpjemw.exe
  2⤵
  PID:3520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe
1⤵
PID:2632
- C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe
  C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe
  2⤵
  PID:5408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pgzvikyskilvtsesoplc.exe .
1⤵
PID:6028
- C:\Windows\pgzvikyskilvtsesoplc.exe
  pgzvikyskilvtsesoplc.exe .
  2⤵
  PID:5096
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\pgzvikyskilvtsesoplc.exe*."
    3⤵
    PID:3020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe .
1⤵
PID:6136
- C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
  C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe .
  2⤵
  PID:4724
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ewqnbetohgkvuuhwtvske.exe*."
    3⤵
    PID:1192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe
1⤵
PID:5888
- C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe
  C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe
  2⤵
  PID:2284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe .
1⤵
PID:1848
- C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe .
  2⤵
  PID:4124
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\iwmfpozqfaahcyhsl.exe*."
    3⤵
    PID:3320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe
1⤵
PID:5160
- C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe
  C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe
  2⤵
  PID:1820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe .
1⤵
PID:4168
- C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe .
  2⤵
  PID:5140
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\bodvecmcqkjpjemw.exe*."
    3⤵
    PID:2904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe
1⤵
PID:4256
- C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe
  C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe
  2⤵
  PID:5192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe .
1⤵
PID:4988
- C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe .
  2⤵
  PID:2716
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\rgxrccogwstbxueqkj.exe*."
    3⤵
    PID:3240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iwmfpozqfaahcyhsl.exe
1⤵
PID:5376
- C:\Windows\iwmfpozqfaahcyhsl.exe
  iwmfpozqfaahcyhsl.exe
  2⤵
  PID:2840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bodvecmcqkjpjemw.exe .
1⤵
PID:5260
- C:\Windows\bodvecmcqkjpjemw.exe
  bodvecmcqkjpjemw.exe .
  2⤵
  PID:5456
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\bodvecmcqkjpjemw.exe*."
    3⤵
    PID:5948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c amyunzsczijpjemw.exe
1⤵
PID:1644
- C:\Windows\amyunzsczijpjemw.exe
  amyunzsczijpjemw.exe
  2⤵
  PID:5700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rgxrccogwstbxueqkj.exe
1⤵
PID:1412
- C:\Windows\rgxrccogwstbxueqkj.exe
  rgxrccogwstbxueqkj.exe
  2⤵
  PID:4752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cskfrsfypmoxusdqllg.exe .
1⤵
PID:5984
- C:\Windows\cskfrsfypmoxusdqllg.exe
  cskfrsfypmoxusdqllg.exe .
  2⤵
  PID:5724
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\cskfrsfypmoxusdqllg.exe*."
    3⤵
    PID:5304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oeuurhestglvtsesopka.exe .
1⤵
PID:5748
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1880
- C:\Windows\oeuurhestglvtsesopka.exe
  oeuurhestglvtsesopka.exe .
  2⤵
  PID:5708
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\oeuurhestglvtsesopka.exe*."
    3⤵
    PID:2472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe
1⤵
PID:5048
- C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe
  C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe
  2⤵
  PID:5816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe .
1⤵
PID:6040
- C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe
  C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe .
  2⤵
  PID:5696
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\pgzvikyskilvtsesoplc.exe*."
    3⤵
    PID:5212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qesqlzugfqtbxueqkj.exe
1⤵
PID:5692
- C:\Windows\qesqlzugfqtbxueqkj.exe
  qesqlzugfqtbxueqkj.exe
  2⤵
  PID:4784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bqfeaplyykoxusdqllf.exe .
1⤵
PID:5132
- C:\Windows\bqfeaplyykoxusdqllf.exe
  bqfeaplyykoxusdqllf.exe .
  2⤵
  PID:5536
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\bqfeaplyykoxusdqllf.exe*."
    3⤵
    PID:4508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
1⤵
PID:3520
- C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
  C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
  2⤵
  PID:4780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qesqlzugfqtbxueqkj.exe
1⤵
PID:2572
- C:\Users\Admin\AppData\Local\Temp\qesqlzugfqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\qesqlzugfqtbxueqkj.exe
  2⤵
  PID:2312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe .
1⤵
PID:5720
- C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe .
  2⤵
  PID:4160
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\bodvecmcqkjpjemw.exe*."
    3⤵
    PID:3816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\huheylfqoyahcyhsl.exe .
1⤵
PID:5764
- C:\Users\Admin\AppData\Local\Temp\huheylfqoyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\huheylfqoyahcyhsl.exe .
  2⤵
  PID:6104
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\huheylfqoyahcyhsl.exe*."
    3⤵
    PID:3888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqfeaplyykoxusdqllf.exe
1⤵
PID:3188
- C:\Users\Admin\AppData\Local\Temp\bqfeaplyykoxusdqllf.exe
  C:\Users\Admin\AppData\Local\Temp\bqfeaplyykoxusdqllf.exe
  2⤵
  PID:5096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqfeaplyykoxusdqllf.exe .
1⤵
PID:5812
- C:\Users\Admin\AppData\Local\Temp\bqfeaplyykoxusdqllf.exe
  C:\Users\Admin\AppData\Local\Temp\bqfeaplyykoxusdqllf.exe .
  2⤵
  PID:4840
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\bqfeaplyykoxusdqllf.exe*."
    3⤵
    PID:4256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pgzvikyskilvtsesoplc.exe
1⤵
PID:3172
- C:\Windows\pgzvikyskilvtsesoplc.exe
  pgzvikyskilvtsesoplc.exe
  2⤵
  PID:5176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bodvecmcqkjpjemw.exe .
1⤵
PID:1796
- C:\Windows\bodvecmcqkjpjemw.exe
  bodvecmcqkjpjemw.exe .
  2⤵
  PID:3048
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\bodvecmcqkjpjemw.exe*."
    3⤵
    PID:3136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rgxrccogwstbxueqkj.exe
1⤵
PID:64
- C:\Windows\rgxrccogwstbxueqkj.exe
  rgxrccogwstbxueqkj.exe
  2⤵
  PID:5456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ewqnbetohgkvuuhwtvske.exe .
1⤵
PID:2644
- C:\Windows\ewqnbetohgkvuuhwtvske.exe
  ewqnbetohgkvuuhwtvske.exe .
  2⤵
  PID:5360
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ewqnbetohgkvuuhwtvske.exe*."
    3⤵
    PID:536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe
1⤵
PID:2420
- C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe
  2⤵
  PID:5584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe .
1⤵
PID:5396
- C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe .
  2⤵
  PID:3880
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\bodvecmcqkjpjemw.exe*."
    3⤵
    PID:5992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
1⤵
PID:1500
- C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
  C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
  2⤵
  PID:3864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe .
1⤵
PID:5564
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:380
- C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe
  C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe .
  2⤵
  PID:1320
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\pgzvikyskilvtsesoplc.exe*."
    3⤵
    PID:5560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cskfrsfypmoxusdqllg.exe
1⤵
PID:392
- C:\Windows\cskfrsfypmoxusdqllg.exe
  cskfrsfypmoxusdqllg.exe
  2⤵
  PID:5988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pgzvikyskilvtsesoplc.exe .
1⤵
PID:6088
- C:\Windows\pgzvikyskilvtsesoplc.exe
  pgzvikyskilvtsesoplc.exe .
  2⤵
  PID:3600
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\pgzvikyskilvtsesoplc.exe*."
    3⤵
    PID:984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cskfrsfypmoxusdqllg.exe
1⤵
PID:408
- C:\Windows\cskfrsfypmoxusdqllg.exe
  cskfrsfypmoxusdqllg.exe
  2⤵
  PID:5540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rgxrccogwstbxueqkj.exe .
1⤵
PID:5420
- C:\Windows\rgxrccogwstbxueqkj.exe
  rgxrccogwstbxueqkj.exe .
  2⤵
  PID:6136
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\rgxrccogwstbxueqkj.exe*."
    3⤵
    PID:2572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe
1⤵
PID:2984
- C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe
  2⤵
  PID:1192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe .
1⤵
PID:6108
- C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe
  C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe .
  2⤵
  PID:5300
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\pgzvikyskilvtsesoplc.exe*."
    3⤵
    PID:5896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe
1⤵
PID:5176
- C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe
  2⤵
  PID:5216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe .
1⤵
PID:1764
- C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
  C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe .
  2⤵
  PID:1848
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ewqnbetohgkvuuhwtvske.exe*."
    3⤵
    PID:5012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pgzvikyskilvtsesoplc.exe
1⤵
PID:5312
- C:\Windows\pgzvikyskilvtsesoplc.exe
  pgzvikyskilvtsesoplc.exe
  2⤵
  PID:2036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iwmfpozqfaahcyhsl.exe .
1⤵
PID:1728
- C:\Windows\iwmfpozqfaahcyhsl.exe
  iwmfpozqfaahcyhsl.exe .
  2⤵
  PID:5636
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\iwmfpozqfaahcyhsl.exe*."
    3⤵
    PID:5164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iwmfpozqfaahcyhsl.exe
1⤵
PID:5220
- C:\Windows\iwmfpozqfaahcyhsl.exe
  iwmfpozqfaahcyhsl.exe
  2⤵
  PID:6004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bodvecmcqkjpjemw.exe .
1⤵
PID:5488
- C:\Windows\bodvecmcqkjpjemw.exe
  bodvecmcqkjpjemw.exe .
  2⤵
  PID:4524
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\bodvecmcqkjpjemw.exe*."
    3⤵
    PID:2652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe
1⤵
PID:2364
- C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe
  C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe
  2⤵
  PID:1132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe .
1⤵
PID:5648
- C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
  C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe .
  2⤵
  PID:4804
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ewqnbetohgkvuuhwtvske.exe*."
    3⤵
    PID:5848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe
1⤵
PID:4356
- C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe
  C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe
  2⤵
  PID:2472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe .
1⤵
PID:3404
- C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe .
  2⤵
  PID:1320
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\rgxrccogwstbxueqkj.exe*."
    3⤵
    PID:5824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cskfrsfypmoxusdqllg.exe
1⤵
PID:5448
- C:\Windows\cskfrsfypmoxusdqllg.exe
  cskfrsfypmoxusdqllg.exe
  2⤵
  PID:2312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pgzvikyskilvtsesoplc.exe .
1⤵
PID:5748
- C:\Windows\pgzvikyskilvtsesoplc.exe
  pgzvikyskilvtsesoplc.exe .
  2⤵
  PID:3012
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\pgzvikyskilvtsesoplc.exe*."
    3⤵
    PID:5228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iwmfpozqfaahcyhsl.exe
1⤵
PID:5940
- C:\Windows\iwmfpozqfaahcyhsl.exe
  iwmfpozqfaahcyhsl.exe
  2⤵
  PID:5908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bodvecmcqkjpjemw.exe .
1⤵
PID:844
- C:\Windows\bodvecmcqkjpjemw.exe
  bodvecmcqkjpjemw.exe .
  2⤵
  PID:2784
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\bodvecmcqkjpjemw.exe*."
    3⤵
    PID:2092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe
1⤵
PID:5504
- C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe
  2⤵
  PID:5796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe .
1⤵
PID:1080
- C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
  C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe .
  2⤵
  PID:5440
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ewqnbetohgkvuuhwtvske.exe*."
    3⤵
    PID:5300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe
1⤵
PID:3188
- C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe
  C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe
  2⤵
  PID:2264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe .
1⤵
PID:5676
- C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe .
  2⤵
  PID:3692
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\iwmfpozqfaahcyhsl.exe*."
    3⤵
    PID:6000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pgzvikyskilvtsesoplc.exe
1⤵
PID:4148
- C:\Windows\pgzvikyskilvtsesoplc.exe
  pgzvikyskilvtsesoplc.exe
  2⤵
  PID:5844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bodvecmcqkjpjemw.exe .
1⤵
PID:5932
- C:\Windows\bodvecmcqkjpjemw.exe
  bodvecmcqkjpjemw.exe .
  2⤵
  PID:5484
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\bodvecmcqkjpjemw.exe*."
    3⤵
    PID:5100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bodvecmcqkjpjemw.exe
1⤵
PID:3124
- C:\Windows\bodvecmcqkjpjemw.exe
  bodvecmcqkjpjemw.exe
  2⤵
  PID:2944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ewqnbetohgkvuuhwtvske.exe .
1⤵
PID:5984
- C:\Windows\ewqnbetohgkvuuhwtvske.exe
  ewqnbetohgkvuuhwtvske.exe .
  2⤵
  PID:4300
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ewqnbetohgkvuuhwtvske.exe*."
    3⤵
    PID:2056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe
1⤵
PID:6112
- C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe
  C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe
  2⤵
  PID:1796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe .
1⤵
PID:5124
- C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe .
  2⤵
  PID:5232
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\bodvecmcqkjpjemw.exe*."
    3⤵
    PID:2960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe
1⤵
PID:4988
- C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe
  2⤵
  PID:5180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe .
1⤵
PID:6076
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3880
- C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe
  C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe .
  2⤵
  PID:2644
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\pgzvikyskilvtsesoplc.exe*."
    3⤵
    PID:4700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pgzvikyskilvtsesoplc.exe
1⤵
PID:4704
- C:\Windows\pgzvikyskilvtsesoplc.exe
  pgzvikyskilvtsesoplc.exe
  2⤵
  PID:1936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iwmfpozqfaahcyhsl.exe
1⤵
PID:916
- C:\Windows\iwmfpozqfaahcyhsl.exe
  iwmfpozqfaahcyhsl.exe
  2⤵
  PID:5804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iwmfpozqfaahcyhsl.exe .
1⤵
PID:5644
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1576
- C:\Windows\iwmfpozqfaahcyhsl.exe
  iwmfpozqfaahcyhsl.exe .
  2⤵
  PID:6008
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\iwmfpozqfaahcyhsl.exe*."
    3⤵
    PID:544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rgxrccogwstbxueqkj.exe
1⤵
PID:5884
- C:\Windows\rgxrccogwstbxueqkj.exe
  rgxrccogwstbxueqkj.exe
  2⤵
  PID:1652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pgzvikyskilvtsesoplc.exe .
1⤵
PID:1320
- C:\Windows\pgzvikyskilvtsesoplc.exe
  pgzvikyskilvtsesoplc.exe .
  2⤵
  PID:5684
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\pgzvikyskilvtsesoplc.exe*."
    3⤵
    PID:3188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rgxrccogwstbxueqkj.exe
1⤵
PID:5404
- C:\Windows\rgxrccogwstbxueqkj.exe
  rgxrccogwstbxueqkj.exe
  2⤵
  PID:3940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iwmfpozqfaahcyhsl.exe .
1⤵
PID:1744
- C:\Windows\iwmfpozqfaahcyhsl.exe
  iwmfpozqfaahcyhsl.exe .
  2⤵
  PID:5304
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\iwmfpozqfaahcyhsl.exe*."
    3⤵
    PID:1184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cskfrsfypmoxusdqllg.exe .
1⤵
PID:1820
- C:\Windows\cskfrsfypmoxusdqllg.exe
  cskfrsfypmoxusdqllg.exe .
  2⤵
  PID:2948
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\cskfrsfypmoxusdqllg.exe*."
    3⤵
    PID:5588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bodvecmcqkjpjemw.exe
1⤵
PID:1464
- C:\Windows\bodvecmcqkjpjemw.exe
  bodvecmcqkjpjemw.exe
  2⤵
  PID:5236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe
1⤵
PID:3600
- C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe
  C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe
  2⤵
  PID:4348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iwmfpozqfaahcyhsl.exe .
1⤵
PID:4252
- C:\Windows\iwmfpozqfaahcyhsl.exe
  iwmfpozqfaahcyhsl.exe .
  2⤵
  PID:4268
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\iwmfpozqfaahcyhsl.exe*."
    3⤵
    PID:5612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe .
1⤵
PID:3860
- C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe
  C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe .
  2⤵
  PID:1552
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\cskfrsfypmoxusdqllg.exe*."
    3⤵
    PID:2876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pgzvikyskilvtsesoplc.exe
1⤵
PID:6040
- C:\Windows\pgzvikyskilvtsesoplc.exe
  pgzvikyskilvtsesoplc.exe
  2⤵
  PID:5996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
1⤵
PID:2632
- C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
  C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
  2⤵
  PID:5124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bodvecmcqkjpjemw.exe .
1⤵
PID:2844
- C:\Windows\bodvecmcqkjpjemw.exe
  bodvecmcqkjpjemw.exe .
  2⤵
  PID:3208
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\bodvecmcqkjpjemw.exe*."
    3⤵
    PID:5184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
1⤵
PID:1408
- C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
  C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
  2⤵
  PID:5984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe .
1⤵
PID:4572
- C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
  C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe .
  2⤵
  PID:6112
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ewqnbetohgkvuuhwtvske.exe*."
    3⤵
    PID:2364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe .
1⤵
PID:4084
- C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
  C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe .
  2⤵
  PID:1860
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ewqnbetohgkvuuhwtvske.exe*."
    3⤵
    PID:4340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe
1⤵
PID:5624
- C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe
  C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe
  2⤵
  PID:5436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe .
1⤵
PID:4872
- C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
  C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe .
  2⤵
  PID:960
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ewqnbetohgkvuuhwtvske.exe*."
    3⤵
    PID:3240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe
1⤵
PID:5560
- C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\iwmfpozqfaahcyhsl.exe
  2⤵
  PID:5584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe .
1⤵
PID:4404
- C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe
  C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe .
  2⤵
  PID:4476
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\pgzvikyskilvtsesoplc.exe*."
    3⤵
    PID:5936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe
1⤵
PID:5452
- C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe
  2⤵
  PID:208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe .
1⤵
PID:4900
- C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe
  C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe .
  2⤵
  PID:5992
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\cskfrsfypmoxusdqllg.exe*."
    3⤵
    PID:4368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pgzvikyskilvtsesoplc.exe
1⤵
PID:5152
- C:\Windows\pgzvikyskilvtsesoplc.exe
  pgzvikyskilvtsesoplc.exe
  2⤵
  PID:3336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bqfeaplyykoxusdqllf.exe
1⤵
PID:5724
- C:\Windows\bqfeaplyykoxusdqllf.exe
  bqfeaplyykoxusdqllf.exe
  2⤵
  PID:1888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ewqnbetohgkvuuhwtvske.exe .
1⤵
PID:6116
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1164
- C:\Windows\ewqnbetohgkvuuhwtvske.exe
  ewqnbetohgkvuuhwtvske.exe .
  2⤵
  PID:3588
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ewqnbetohgkvuuhwtvske.exe*."
    3⤵
    PID:5708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dulmkbzoqekvuuhwtvriz.exe .
1⤵
PID:5132
- C:\Windows\dulmkbzoqekvuuhwtvriz.exe
  dulmkbzoqekvuuhwtvriz.exe .
  2⤵
  PID:2784
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\dulmkbzoqekvuuhwtvriz.exe*."
    3⤵
    PID:5720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cskfrsfypmoxusdqllg.exe
1⤵
PID:5820
- C:\Windows\cskfrsfypmoxusdqllg.exe
  cskfrsfypmoxusdqllg.exe
  2⤵
  PID:3188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c huheylfqoyahcyhsl.exe
1⤵
PID:1532
- C:\Windows\huheylfqoyahcyhsl.exe
  huheylfqoyahcyhsl.exe
  2⤵
  PID:392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bodvecmcqkjpjemw.exe .
1⤵
PID:3320
- C:\Windows\bodvecmcqkjpjemw.exe
  bodvecmcqkjpjemw.exe .
  2⤵
  PID:3088
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\bodvecmcqkjpjemw.exe*."
    3⤵
    PID:2364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c amyunzsczijpjemw.exe .
1⤵
PID:4256
- C:\Windows\amyunzsczijpjemw.exe
  amyunzsczijpjemw.exe .
  2⤵
  PID:3272
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\amyunzsczijpjemw.exe*."
    3⤵
    PID:848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe
1⤵
PID:5100
- C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe
  2⤵
  PID:1268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe
1⤵
PID:1320
- C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe
  2⤵
  PID:5252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe .
1⤵
PID:5500
- C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe
  C:\Users\Admin\AppData\Local\Temp\cskfrsfypmoxusdqllg.exe .
  2⤵
  PID:1108
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\cskfrsfypmoxusdqllg.exe*."
    3⤵
    PID:6036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qesqlzugfqtbxueqkj.exe .
1⤵
PID:5520
- C:\Users\Admin\AppData\Local\Temp\qesqlzugfqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\qesqlzugfqtbxueqkj.exe .
  2⤵
  PID:2948
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\qesqlzugfqtbxueqkj.exe*."
    3⤵
    PID:5228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe
1⤵
PID:5368
- C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe
  2⤵
  PID:1832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dulmkbzoqekvuuhwtvriz.exe
1⤵
PID:2056
- C:\Users\Admin\AppData\Local\Temp\dulmkbzoqekvuuhwtvriz.exe
  C:\Users\Admin\AppData\Local\Temp\dulmkbzoqekvuuhwtvriz.exe
  2⤵
  PID:5980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe .
1⤵
PID:5456
- C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe .
  2⤵
  PID:5700
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\bodvecmcqkjpjemw.exe*."
    3⤵
    PID:5680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qesqlzugfqtbxueqkj.exe .
1⤵
PID:2420
- C:\Users\Admin\AppData\Local\Temp\qesqlzugfqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\qesqlzugfqtbxueqkj.exe .
  2⤵
  PID:5212
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\qesqlzugfqtbxueqkj.exe*."
    3⤵
    PID:3732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bodvecmcqkjpjemw.exe
1⤵
PID:5924
- C:\Windows\bodvecmcqkjpjemw.exe
  bodvecmcqkjpjemw.exe
  2⤵
  PID:4932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ewqnbetohgkvuuhwtvske.exe .
1⤵
PID:3540
- C:\Windows\ewqnbetohgkvuuhwtvske.exe
  ewqnbetohgkvuuhwtvske.exe .
  2⤵
  PID:4448
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ewqnbetohgkvuuhwtvske.exe*."
    3⤵
    PID:5968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ewqnbetohgkvuuhwtvske.exe
1⤵
PID:3020
- C:\Windows\ewqnbetohgkvuuhwtvske.exe
  ewqnbetohgkvuuhwtvske.exe
  2⤵
  PID:6104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rgxrccogwstbxueqkj.exe .
1⤵
PID:5804
- C:\Windows\rgxrccogwstbxueqkj.exe
  rgxrccogwstbxueqkj.exe .
  2⤵
  PID:5064
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\rgxrccogwstbxueqkj.exe*."
    3⤵
    PID:5600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
1⤵
PID:5052
- C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
  C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
  2⤵
  PID:6064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe .
1⤵
PID:3316
- C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
  C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe .
  2⤵
  PID:5960
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ewqnbetohgkvuuhwtvske.exe*."
    3⤵
    PID:5776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe
1⤵
PID:6016
- C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe
  C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe
  2⤵
  PID:5564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe .
1⤵
PID:1140
- C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
  C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe .
  2⤵
  PID:3188
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ewqnbetohgkvuuhwtvske.exe*."
    3⤵
    PID:6032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pgzvikyskilvtsesoplc.exe
1⤵
PID:5720
- C:\Windows\pgzvikyskilvtsesoplc.exe
  pgzvikyskilvtsesoplc.exe
  2⤵
  PID:2676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ewqnbetohgkvuuhwtvske.exe .
1⤵
PID:392
- C:\Windows\ewqnbetohgkvuuhwtvske.exe
  ewqnbetohgkvuuhwtvske.exe .
  2⤵
  PID:4676
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ewqnbetohgkvuuhwtvske.exe*."
    3⤵
    PID:5544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iwmfpozqfaahcyhsl.exe
1⤵
PID:4784
- C:\Windows\iwmfpozqfaahcyhsl.exe
  iwmfpozqfaahcyhsl.exe
  2⤵
  PID:812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ewqnbetohgkvuuhwtvske.exe .
1⤵
PID:5252
- C:\Windows\ewqnbetohgkvuuhwtvske.exe
  ewqnbetohgkvuuhwtvske.exe .
  2⤵
  PID:2960
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ewqnbetohgkvuuhwtvske.exe*."
    3⤵
    PID:6040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe
1⤵
PID:5540
- C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe
  2⤵
  PID:2424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe .
1⤵
PID:4268
- C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
  C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe .
  2⤵
  PID:1108
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ewqnbetohgkvuuhwtvske.exe*."
    3⤵
    PID:2900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe
1⤵
PID:1972
- C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\bodvecmcqkjpjemw.exe
  2⤵
  PID:5676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe .
1⤵
PID:5488
- C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
  C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe .
  2⤵
  PID:5232
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ewqnbetohgkvuuhwtvske.exe*."
    3⤵
    PID:5268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rgxrccogwstbxueqkj.exe
1⤵
PID:1396
- C:\Windows\rgxrccogwstbxueqkj.exe
  rgxrccogwstbxueqkj.exe
  2⤵
  PID:4112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bodvecmcqkjpjemw.exe .
1⤵
PID:64
- C:\Windows\bodvecmcqkjpjemw.exe
  bodvecmcqkjpjemw.exe .
  2⤵
  PID:5940
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\bodvecmcqkjpjemw.exe*."
    3⤵
    PID:5456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pgzvikyskilvtsesoplc.exe
1⤵
PID:5904
- C:\Windows\pgzvikyskilvtsesoplc.exe
  pgzvikyskilvtsesoplc.exe
  2⤵
  PID:4804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cskfrsfypmoxusdqllg.exe .
1⤵
PID:4656
- C:\Windows\cskfrsfypmoxusdqllg.exe
  cskfrsfypmoxusdqllg.exe .
  2⤵
  PID:736
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\cskfrsfypmoxusdqllg.exe*."
    3⤵
    PID:6108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
1⤵
PID:4660
- C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
  C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
  2⤵
  PID:2944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe .
1⤵
PID:5080
- C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe
  C:\Users\Admin\AppData\Local\Temp\pgzvikyskilvtsesoplc.exe .
  2⤵
  PID:2704
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\pgzvikyskilvtsesoplc.exe*."
    3⤵
    PID:380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
1⤵
PID:1460
- C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
  C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
  2⤵
  PID:384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe .
1⤵
PID:4448
- C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\rgxrccogwstbxueqkj.exe .
  2⤵
  PID:5280
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\rgxrccogwstbxueqkj.exe*."
    3⤵
    PID:5176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iwmfpozqfaahcyhsl.exe
1⤵
PID:5180
- C:\Windows\iwmfpozqfaahcyhsl.exe
  iwmfpozqfaahcyhsl.exe
  2⤵
  PID:5452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ewqnbetohgkvuuhwtvske.exe .
1⤵
PID:5992
- C:\Windows\ewqnbetohgkvuuhwtvske.exe
  ewqnbetohgkvuuhwtvske.exe .
  2⤵
  PID:916
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ewqnbetohgkvuuhwtvske.exe*."
    3⤵
    PID:2364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iwmfpozqfaahcyhsl.exe
1⤵
PID:4536
- C:\Windows\iwmfpozqfaahcyhsl.exe
  iwmfpozqfaahcyhsl.exe
  2⤵
  PID:6016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pgzvikyskilvtsesoplc.exe .
1⤵
PID:5900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewqnbetohgkvuuhwtvske.exe
1⤵
PID:5128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Safe Mode Boot

T1562.009

Modify Registry