pykspa | 9f1ca7fd043142e1a40113229b8764d993123647a3ea9ada7ca338f67325020e

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	hnbzeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	hnbzeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vhhorpeefrr.exe

Pykspa
Pykspa is a worm spreads via Skype uses DGA and it's written in C++.
worm pykspa
Pykspa family
pykspa

UAC bypass 3 TTPs 23 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	hnbzeq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	hnbzeq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	hnbzeq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	hnbzeq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	hnbzeq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	hnbzeq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hnbzeq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hnbzeq.exe

Detect Pykspa worm 2 IoCs

worm

resource	yara_rule
behavioral2/files/0x000700000002358a-4.dat	family_pykspa
behavioral2/files/0x000400000001e728-80.dat	family_pykspa

Adds policy Run key to start application 2 TTPs 46 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hnbzeq = "tjhpeaqfwhevamux.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gju = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hbdpiicvqfgbkamtradx.exe"	hnbzeq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hnbzeq = "wruhbcxrndfblcpxwgkfi.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gju = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hbdpiicvqfgbkamtradx.exe"	vhhorpeefrr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hnbzeq = "arqzpmdtlxvntgpto.exe"	vhhorpeefrr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	hnbzeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gju = "C:\\Users\\Admin\\AppData\\Local\\Temp\\unozrqjbvjjdlalrowy.exe"	hnbzeq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vhhorpeefrr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vhhorpeefrr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vhhorpeefrr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hnbzeq = "jbblcasjcpohocmrnu.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gju = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tjhpeaqfwhevamux.exe"	hnbzeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gju = "C:\\Users\\Admin\\AppData\\Local\\Temp\\unozrqjbvjjdlalrowy.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hnbzeq = "unozrqjbvjjdlalrowy.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hnbzeq = "arqzpmdtlxvntgpto.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hnbzeq = "arqzpmdtlxvntgpto.exe"	hnbzeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hnbzeq = "jbblcasjcpohocmrnu.exe"	hnbzeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hnbzeq = "hbdpiicvqfgbkamtradx.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hnbzeq = "wruhbcxrndfblcpxwgkfi.exe"	hnbzeq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gju = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hbdpiicvqfgbkamtradx.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hnbzeq = "wruhbcxrndfblcpxwgkfi.exe"	hnbzeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gju = "C:\\Users\\Admin\\AppData\\Local\\Temp\\arqzpmdtlxvntgpto.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gju = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hbdpiicvqfgbkamtradx.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gju = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wruhbcxrndfblcpxwgkfi.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hnbzeq = "unozrqjbvjjdlalrowy.exe"	vhhorpeefrr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gju = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jbblcasjcpohocmrnu.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gju = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hbdpiicvqfgbkamtradx.exe"	vhhorpeefrr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hnbzeq = "wruhbcxrndfblcpxwgkfi.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gju = "C:\\Users\\Admin\\AppData\\Local\\Temp\\unozrqjbvjjdlalrowy.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gju = "C:\\Users\\Admin\\AppData\\Local\\Temp\\arqzpmdtlxvntgpto.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hnbzeq = "tjhpeaqfwhevamux.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gju = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jbblcasjcpohocmrnu.exe"	hnbzeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hnbzeq = "arqzpmdtlxvntgpto.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hnbzeq = "wruhbcxrndfblcpxwgkfi.exe"	vhhorpeefrr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	hnbzeq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hnbzeq = "hbdpiicvqfgbkamtradx.exe"	hnbzeq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gju = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tjhpeaqfwhevamux.exe"	vhhorpeefrr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vhhorpeefrr.exe

Blocklisted process makes network request 3 IoCs

flow	pid	Process
59	2340	Process not Found
62	2340	Process not Found
67	2340	Process not Found

Disables RegEdit via registry modification 6 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vhhorpeefrr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	hnbzeq.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	hnbzeq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	hnbzeq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	hnbzeq.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	tjhpeaqfwhevamux.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	hbdpiicvqfgbkamtradx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	unozrqjbvjjdlalrowy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	arqzpmdtlxvntgpto.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	arqzpmdtlxvntgpto.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	hbdpiicvqfgbkamtradx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	unozrqjbvjjdlalrowy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	hbdpiicvqfgbkamtradx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	tjhpeaqfwhevamux.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	unozrqjbvjjdlalrowy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	unozrqjbvjjdlalrowy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	arqzpmdtlxvntgpto.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	unozrqjbvjjdlalrowy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	jbblcasjcpohocmrnu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	wruhbcxrndfblcpxwgkfi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	arqzpmdtlxvntgpto.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	wruhbcxrndfblcpxwgkfi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	unozrqjbvjjdlalrowy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	jbblcasjcpohocmrnu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	unozrqjbvjjdlalrowy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	hbdpiicvqfgbkamtradx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	tjhpeaqfwhevamux.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	arqzpmdtlxvntgpto.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	tjhpeaqfwhevamux.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	arqzpmdtlxvntgpto.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	wruhbcxrndfblcpxwgkfi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	jbblcasjcpohocmrnu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	arqzpmdtlxvntgpto.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	jbblcasjcpohocmrnu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	hbdpiicvqfgbkamtradx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	wruhbcxrndfblcpxwgkfi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	unozrqjbvjjdlalrowy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	arqzpmdtlxvntgpto.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	arqzpmdtlxvntgpto.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	wruhbcxrndfblcpxwgkfi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	jbblcasjcpohocmrnu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	hbdpiicvqfgbkamtradx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	arqzpmdtlxvntgpto.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	unozrqjbvjjdlalrowy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	wruhbcxrndfblcpxwgkfi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	vhhorpeefrr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	arqzpmdtlxvntgpto.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	wruhbcxrndfblcpxwgkfi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	wruhbcxrndfblcpxwgkfi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	hbdpiicvqfgbkamtradx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	jbblcasjcpohocmrnu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	arqzpmdtlxvntgpto.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	unozrqjbvjjdlalrowy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	wruhbcxrndfblcpxwgkfi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	tjhpeaqfwhevamux.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	arqzpmdtlxvntgpto.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	wruhbcxrndfblcpxwgkfi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	jbblcasjcpohocmrnu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	hbdpiicvqfgbkamtradx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	unozrqjbvjjdlalrowy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	tjhpeaqfwhevamux.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	arqzpmdtlxvntgpto.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	hbdpiicvqfgbkamtradx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	jbblcasjcpohocmrnu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	wruhbcxrndfblcpxwgkfi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	wruhbcxrndfblcpxwgkfi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	arqzpmdtlxvntgpto.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	jbblcasjcpohocmrnu.exe

Executes dropped EXE 64 IoCs

pid	Process
5252	vhhorpeefrr.exe
3980	wruhbcxrndfblcpxwgkfi.exe
5768	jbblcasjcpohocmrnu.exe
3948	vhhorpeefrr.exe
6072	wruhbcxrndfblcpxwgkfi.exe
3240	hbdpiicvqfgbkamtradx.exe
5836	wruhbcxrndfblcpxwgkfi.exe
4892	vhhorpeefrr.exe
392	wruhbcxrndfblcpxwgkfi.exe
4444	wruhbcxrndfblcpxwgkfi.exe
1272	vhhorpeefrr.exe
3148	wruhbcxrndfblcpxwgkfi.exe
1172	vhhorpeefrr.exe
1692	hnbzeq.exe
5208	hnbzeq.exe
4796	hbdpiicvqfgbkamtradx.exe
3664	jbblcasjcpohocmrnu.exe
3880	jbblcasjcpohocmrnu.exe
2860	unozrqjbvjjdlalrowy.exe
4440	vhhorpeefrr.exe
6048	vhhorpeefrr.exe
3760	arqzpmdtlxvntgpto.exe
3936	arqzpmdtlxvntgpto.exe
4840	arqzpmdtlxvntgpto.exe
6064	wruhbcxrndfblcpxwgkfi.exe
5032	unozrqjbvjjdlalrowy.exe
2756	wruhbcxrndfblcpxwgkfi.exe
5460	vhhorpeefrr.exe
1564	vhhorpeefrr.exe
5236	hbdpiicvqfgbkamtradx.exe
4892	wruhbcxrndfblcpxwgkfi.exe
708	wruhbcxrndfblcpxwgkfi.exe
4896	arqzpmdtlxvntgpto.exe
5816	arqzpmdtlxvntgpto.exe
4900	hbdpiicvqfgbkamtradx.exe
2996	vhhorpeefrr.exe
5540	vhhorpeefrr.exe
5660	vhhorpeefrr.exe
5504	vhhorpeefrr.exe
5352	hbdpiicvqfgbkamtradx.exe
5580	wruhbcxrndfblcpxwgkfi.exe
4248	vhhorpeefrr.exe
1968	tjhpeaqfwhevamux.exe
3912	unozrqjbvjjdlalrowy.exe
1468	tjhpeaqfwhevamux.exe
412	vhhorpeefrr.exe
5572	arqzpmdtlxvntgpto.exe
5064	vhhorpeefrr.exe
5196	unozrqjbvjjdlalrowy.exe
2636	jbblcasjcpohocmrnu.exe
5036	vhhorpeefrr.exe
1332	wruhbcxrndfblcpxwgkfi.exe
5768	tjhpeaqfwhevamux.exe
4116	tjhpeaqfwhevamux.exe
5228	vhhorpeefrr.exe
2768	tjhpeaqfwhevamux.exe
6104	arqzpmdtlxvntgpto.exe
708	jbblcasjcpohocmrnu.exe
1840	jbblcasjcpohocmrnu.exe
5944	wruhbcxrndfblcpxwgkfi.exe
3908	vhhorpeefrr.exe
6100	hbdpiicvqfgbkamtradx.exe
5888	vhhorpeefrr.exe
2864	vhhorpeefrr.exe

Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	hnbzeq.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	hnbzeq.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	hnbzeq.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	hnbzeq.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	hnbzeq.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	hnbzeq.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

defense_evasion persistence privilege_escalation

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wbolp = "unozrqjbvjjdlalrowy.exe ."	hnbzeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nrdz = "tjhpeaqfwhevamux.exe"	hnbzeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nrdz = "hbdpiicvqfgbkamtradx.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wbolp = "tjhpeaqfwhevamux.exe ."	vhhorpeefrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jrhhockr = "jbblcasjcpohocmrnu.exe ."	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tdvxgwgpaf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\unozrqjbvjjdlalrowy.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nrdz = "hbdpiicvqfgbkamtradx.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nrdz = "wruhbcxrndfblcpxwgkfi.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ubqpvip = "wruhbcxrndfblcpxwgkfi.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tdvxgwgpaf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\unozrqjbvjjdlalrowy.exe"	hnbzeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nrdz = "wruhbcxrndfblcpxwgkfi.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ajabjyhpz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\arqzpmdtlxvntgpto.exe ."	hnbzeq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wbolp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\unozrqjbvjjdlalrowy.exe ."	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tdvxgwgpaf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wruhbcxrndfblcpxwgkfi.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wbolp = "arqzpmdtlxvntgpto.exe ."	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tdvxgwgpaf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tjhpeaqfwhevamux.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wbolp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tjhpeaqfwhevamux.exe ."	vhhorpeefrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nrdz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\arqzpmdtlxvntgpto.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wbolp = "hbdpiicvqfgbkamtradx.exe ."	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tdvxgwgpaf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jbblcasjcpohocmrnu.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wbolp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\unozrqjbvjjdlalrowy.exe ."	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nrdz = "unozrqjbvjjdlalrowy.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wbolp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wruhbcxrndfblcpxwgkfi.exe ."	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nrdz = "jbblcasjcpohocmrnu.exe"	hnbzeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wbolp = "wruhbcxrndfblcpxwgkfi.exe ."	hnbzeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ajabjyhpz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tjhpeaqfwhevamux.exe ."	hnbzeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wbolp = "hbdpiicvqfgbkamtradx.exe ."	vhhorpeefrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jrhhockr = "unozrqjbvjjdlalrowy.exe ."	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nrdz = "hbdpiicvqfgbkamtradx.exe"	hnbzeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ajabjyhpz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wruhbcxrndfblcpxwgkfi.exe ."	hnbzeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ajabjyhpz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hbdpiicvqfgbkamtradx.exe ."	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nrdz = "jbblcasjcpohocmrnu.exe"	hnbzeq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ubqpvip = "hbdpiicvqfgbkamtradx.exe"	hnbzeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wbolp = "hbdpiicvqfgbkamtradx.exe ."	hnbzeq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nrdz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jbblcasjcpohocmrnu.exe"	hnbzeq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nrdz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\arqzpmdtlxvntgpto.exe"	hnbzeq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nrdz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tjhpeaqfwhevamux.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wbolp = "wruhbcxrndfblcpxwgkfi.exe ."	vhhorpeefrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ubqpvip = "wruhbcxrndfblcpxwgkfi.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ubqpvip = "arqzpmdtlxvntgpto.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jrhhockr = "hbdpiicvqfgbkamtradx.exe ."	hnbzeq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wbolp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wruhbcxrndfblcpxwgkfi.exe ."	vhhorpeefrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nrdz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jbblcasjcpohocmrnu.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ajabjyhpz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tjhpeaqfwhevamux.exe ."	vhhorpeefrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nrdz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\arqzpmdtlxvntgpto.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ubqpvip = "hbdpiicvqfgbkamtradx.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nrdz = "hbdpiicvqfgbkamtradx.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wbolp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jbblcasjcpohocmrnu.exe ."	vhhorpeefrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nrdz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\arqzpmdtlxvntgpto.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jrhhockr = "unozrqjbvjjdlalrowy.exe ."	vhhorpeefrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ubqpvip = "hbdpiicvqfgbkamtradx.exe"	hnbzeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tdvxgwgpaf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wruhbcxrndfblcpxwgkfi.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nrdz = "unozrqjbvjjdlalrowy.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ubqpvip = "hbdpiicvqfgbkamtradx.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wbolp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\unozrqjbvjjdlalrowy.exe ."	vhhorpeefrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jrhhockr = "hbdpiicvqfgbkamtradx.exe ."	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ajabjyhpz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wruhbcxrndfblcpxwgkfi.exe ."	hnbzeq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nrdz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\arqzpmdtlxvntgpto.exe"	hnbzeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tdvxgwgpaf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tjhpeaqfwhevamux.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wbolp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\arqzpmdtlxvntgpto.exe ."	hnbzeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ajabjyhpz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\unozrqjbvjjdlalrowy.exe ."	vhhorpeefrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wbolp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wruhbcxrndfblcpxwgkfi.exe ."	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nrdz = "wruhbcxrndfblcpxwgkfi.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ubqpvip = "unozrqjbvjjdlalrowy.exe"	hnbzeq.exe

Checks whether UAC is enabled 1 TTPs 28 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hnbzeq.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vhhorpeefrr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vhhorpeefrr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vhhorpeefrr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vhhorpeefrr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vhhorpeefrr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vhhorpeefrr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	hnbzeq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vhhorpeefrr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hnbzeq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vhhorpeefrr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vhhorpeefrr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vhhorpeefrr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vhhorpeefrr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vhhorpeefrr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vhhorpeefrr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	hnbzeq.exe

Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs

Possible Turn off User Account Control's privilege elevation for standard users.

Executable Installer File Permissions Weakness

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	hnbzeq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	hnbzeq.exe

Looks up external IP address via web service 8 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
34	www.whatismyip.ca
37	whatismyipaddress.com
49	whatismyip.everdot.org
50	www.whatismyip.ca
54	whatismyip.everdot.org
56	www.whatismyip.ca
30	whatismyip.everdot.org
31	www.showmyipaddress.com

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wruhbcxrndfblcpxwgkfi.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\arqzpmdtlxvntgpto.exe	hnbzeq.exe
File opened for modification	C:\Windows\SysWOW64\tjhpeaqfwhevamux.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\unozrqjbvjjdlalrowy.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\wruhbcxrndfblcpxwgkfi.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\arqzpmdtlxvntgpto.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\unozrqjbvjjdlalrowy.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\unozrqjbvjjdlalrowy.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\arqzpmdtlxvntgpto.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\jbblcasjcpohocmrnu.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\njnbwyupmdgdoguddotpth.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\wruhbcxrndfblcpxwgkfi.exe	hnbzeq.exe
File opened for modification	C:\Windows\SysWOW64\jbblcasjcpohocmrnu.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\jbblcasjcpohocmrnu.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\wruhbcxrndfblcpxwgkfi.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\hbdpiicvqfgbkamtradx.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\njnbwyupmdgdoguddotpth.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\tjhpeaqfwhevamux.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\arqzpmdtlxvntgpto.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\hbdpiicvqfgbkamtradx.exe	hnbzeq.exe
File opened for modification	C:\Windows\SysWOW64\unozrqjbvjjdlalrowy.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\tjhpeaqfwhevamux.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\tjhpeaqfwhevamux.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\wruhbcxrndfblcpxwgkfi.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\jbblcasjcpohocmrnu.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\hbdpiicvqfgbkamtradx.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\njnbwyupmdgdoguddotpth.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\jbblcasjcpohocmrnu.exe	hnbzeq.exe
File opened for modification	C:\Windows\SysWOW64\hbdpiicvqfgbkamtradx.exe	hnbzeq.exe
File opened for modification	C:\Windows\SysWOW64\wruhbcxrndfblcpxwgkfi.exe	hnbzeq.exe
File opened for modification	C:\Windows\SysWOW64\tjhpeaqfwhevamux.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\arqzpmdtlxvntgpto.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\unozrqjbvjjdlalrowy.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\wruhbcxrndfblcpxwgkfi.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\wruhbcxrndfblcpxwgkfi.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\hbdpiicvqfgbkamtradx.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\arqzpmdtlxvntgpto.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\unozrqjbvjjdlalrowy.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\hbdpiicvqfgbkamtradx.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\unozrqjbvjjdlalrowy.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\wruhbcxrndfblcpxwgkfi.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\njnbwyupmdgdoguddotpth.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\tjhpeaqfwhevamux.exe	hnbzeq.exe
File opened for modification	C:\Windows\SysWOW64\tjhpeaqfwhevamux.exe	hnbzeq.exe
File opened for modification	C:\Windows\SysWOW64\jbblcasjcpohocmrnu.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\arqzpmdtlxvntgpto.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\hbdpiicvqfgbkamtradx.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\jbblcasjcpohocmrnu.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\jbblcasjcpohocmrnu.exe	hnbzeq.exe
File opened for modification	C:\Windows\SysWOW64\njnbwyupmdgdoguddotpth.exe	hnbzeq.exe
File opened for modification	C:\Windows\SysWOW64\hbdpiicvqfgbkamtradx.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\unozrqjbvjjdlalrowy.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\hbdpiicvqfgbkamtradx.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\jbblcasjcpohocmrnu.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\tjhpeaqfwhevamux.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\wbolpafjppbhbczrauinaxbmrvb.ntn	hnbzeq.exe
File opened for modification	C:\Windows\SysWOW64\njnbwyupmdgdoguddotpth.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\arqzpmdtlxvntgpto.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\wruhbcxrndfblcpxwgkfi.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\tjhpeaqfwhevamux.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\unozrqjbvjjdlalrowy.exe	hnbzeq.exe
File opened for modification	C:\Windows\SysWOW64\unozrqjbvjjdlalrowy.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\tjhpeaqfwhevamux.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\wruhbcxrndfblcpxwgkfi.exe	vhhorpeefrr.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\wbolpafjppbhbczrauinaxbmrvb.ntn	hnbzeq.exe
File created	C:\Program Files (x86)\wbolpafjppbhbczrauinaxbmrvb.ntn	hnbzeq.exe
File opened for modification	C:\Program Files (x86)\tjhpeaqfwhevamuxrwvljrgcshyjgxcowztyxn.tie	hnbzeq.exe
File created	C:\Program Files (x86)\tjhpeaqfwhevamuxrwvljrgcshyjgxcowztyxn.tie	hnbzeq.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\tjhpeaqfwhevamux.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\jbblcasjcpohocmrnu.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\wruhbcxrndfblcpxwgkfi.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\unozrqjbvjjdlalrowy.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\unozrqjbvjjdlalrowy.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\tjhpeaqfwhevamuxrwvljrgcshyjgxcowztyxn.tie	hnbzeq.exe
File opened for modification	C:\Windows\unozrqjbvjjdlalrowy.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\hbdpiicvqfgbkamtradx.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\jbblcasjcpohocmrnu.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\arqzpmdtlxvntgpto.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\jbblcasjcpohocmrnu.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\arqzpmdtlxvntgpto.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\wruhbcxrndfblcpxwgkfi.exe	hnbzeq.exe
File opened for modification	C:\Windows\wruhbcxrndfblcpxwgkfi.exe	hnbzeq.exe
File opened for modification	C:\Windows\wruhbcxrndfblcpxwgkfi.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\njnbwyupmdgdoguddotpth.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\jbblcasjcpohocmrnu.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\tjhpeaqfwhevamux.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\hbdpiicvqfgbkamtradx.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\jbblcasjcpohocmrnu.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\unozrqjbvjjdlalrowy.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\hbdpiicvqfgbkamtradx.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\unozrqjbvjjdlalrowy.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\tjhpeaqfwhevamux.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\tjhpeaqfwhevamux.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\njnbwyupmdgdoguddotpth.exe	hnbzeq.exe
File opened for modification	C:\Windows\arqzpmdtlxvntgpto.exe	hnbzeq.exe
File opened for modification	C:\Windows\arqzpmdtlxvntgpto.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\njnbwyupmdgdoguddotpth.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\unozrqjbvjjdlalrowy.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\arqzpmdtlxvntgpto.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\hbdpiicvqfgbkamtradx.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\njnbwyupmdgdoguddotpth.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\njnbwyupmdgdoguddotpth.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\njnbwyupmdgdoguddotpth.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\hbdpiicvqfgbkamtradx.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\jbblcasjcpohocmrnu.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\unozrqjbvjjdlalrowy.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\hbdpiicvqfgbkamtradx.exe	hnbzeq.exe
File opened for modification	C:\Windows\njnbwyupmdgdoguddotpth.exe	hnbzeq.exe
File opened for modification	C:\Windows\jbblcasjcpohocmrnu.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\arqzpmdtlxvntgpto.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\wruhbcxrndfblcpxwgkfi.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\wruhbcxrndfblcpxwgkfi.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\jbblcasjcpohocmrnu.exe	hnbzeq.exe
File opened for modification	C:\Windows\unozrqjbvjjdlalrowy.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\jbblcasjcpohocmrnu.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\hbdpiicvqfgbkamtradx.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\jbblcasjcpohocmrnu.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\hbdpiicvqfgbkamtradx.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\wruhbcxrndfblcpxwgkfi.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\tjhpeaqfwhevamux.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\hbdpiicvqfgbkamtradx.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\tjhpeaqfwhevamux.exe	hnbzeq.exe
File opened for modification	C:\Windows\hbdpiicvqfgbkamtradx.exe	hnbzeq.exe
File created	C:\Windows\wbolpafjppbhbczrauinaxbmrvb.ntn	hnbzeq.exe
File opened for modification	C:\Windows\arqzpmdtlxvntgpto.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\hbdpiicvqfgbkamtradx.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\unozrqjbvjjdlalrowy.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\unozrqjbvjjdlalrowy.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\jbblcasjcpohocmrnu.exe	hnbzeq.exe
File opened for modification	C:\Windows\unozrqjbvjjdlalrowy.exe	hnbzeq.exe
File opened for modification	C:\Windows\tjhpeaqfwhevamux.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\tjhpeaqfwhevamux.exe	vhhorpeefrr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hbdpiicvqfgbkamtradx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jbblcasjcpohocmrnu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jbblcasjcpohocmrnu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wruhbcxrndfblcpxwgkfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wruhbcxrndfblcpxwgkfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unozrqjbvjjdlalrowy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arqzpmdtlxvntgpto.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tjhpeaqfwhevamux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tjhpeaqfwhevamux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arqzpmdtlxvntgpto.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wruhbcxrndfblcpxwgkfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jbblcasjcpohocmrnu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arqzpmdtlxvntgpto.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tjhpeaqfwhevamux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vhhorpeefrr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unozrqjbvjjdlalrowy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arqzpmdtlxvntgpto.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wruhbcxrndfblcpxwgkfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hbdpiicvqfgbkamtradx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wruhbcxrndfblcpxwgkfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unozrqjbvjjdlalrowy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jbblcasjcpohocmrnu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wruhbcxrndfblcpxwgkfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tjhpeaqfwhevamux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arqzpmdtlxvntgpto.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hbdpiicvqfgbkamtradx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jbblcasjcpohocmrnu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arqzpmdtlxvntgpto.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hbdpiicvqfgbkamtradx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arqzpmdtlxvntgpto.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tjhpeaqfwhevamux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arqzpmdtlxvntgpto.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jbblcasjcpohocmrnu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wruhbcxrndfblcpxwgkfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tjhpeaqfwhevamux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unozrqjbvjjdlalrowy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wruhbcxrndfblcpxwgkfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jbblcasjcpohocmrnu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hbdpiicvqfgbkamtradx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jbblcasjcpohocmrnu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arqzpmdtlxvntgpto.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unozrqjbvjjdlalrowy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jbblcasjcpohocmrnu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arqzpmdtlxvntgpto.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hbdpiicvqfgbkamtradx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wruhbcxrndfblcpxwgkfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hbdpiicvqfgbkamtradx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hbdpiicvqfgbkamtradx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arqzpmdtlxvntgpto.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wruhbcxrndfblcpxwgkfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wruhbcxrndfblcpxwgkfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arqzpmdtlxvntgpto.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tjhpeaqfwhevamux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hbdpiicvqfgbkamtradx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unozrqjbvjjdlalrowy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tjhpeaqfwhevamux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jbblcasjcpohocmrnu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wruhbcxrndfblcpxwgkfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arqzpmdtlxvntgpto.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arqzpmdtlxvntgpto.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unozrqjbvjjdlalrowy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tjhpeaqfwhevamux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arqzpmdtlxvntgpto.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unozrqjbvjjdlalrowy.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
5616	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
5616	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
5616	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
5616	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
5616	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
5616	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
5616	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
5616	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
5616	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
5616	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
5616	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
5616	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
5616	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
5616	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
5616	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
5616	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
1692	hnbzeq.exe
1692	hnbzeq.exe
5616	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
5616	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
5616	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
5616	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
5616	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
5616	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
5616	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
5616	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
5616	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
5616	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
5616	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
5616	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
5616	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
5616	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
5616	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
5616	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
5616	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
5616	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
5616	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
5616	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
5616	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
5616	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
5616	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
5616	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
5616	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
5616	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
5616	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
5616	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
5616	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
5616	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
5616	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
5616	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
5616	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
5616	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
5616	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
5616	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
5616	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
5616	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
5616	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
5616	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
5616	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
5616	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1692	hnbzeq.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5616 wrote to memory of 5252	5616	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe	89
PID 5616 wrote to memory of 5252	5616	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe	89
PID 5616 wrote to memory of 5252	5616	JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe	89
PID 5412 wrote to memory of 3980	5412	cmd.exe	94
PID 5412 wrote to memory of 3980	5412	cmd.exe	94
PID 5412 wrote to memory of 3980	5412	cmd.exe	94
PID 3944 wrote to memory of 5768	3944	cmd.exe	97
PID 3944 wrote to memory of 5768	3944	cmd.exe	97
PID 3944 wrote to memory of 5768	3944	cmd.exe	97
PID 5768 wrote to memory of 3948	5768	jbblcasjcpohocmrnu.exe	102
PID 5768 wrote to memory of 3948	5768	jbblcasjcpohocmrnu.exe	102
PID 5768 wrote to memory of 3948	5768	jbblcasjcpohocmrnu.exe	102
PID 4848 wrote to memory of 6072	4848	cmd.exe	104
PID 4848 wrote to memory of 6072	4848	cmd.exe	104
PID 4848 wrote to memory of 6072	4848	cmd.exe	104
PID 4228 wrote to memory of 3240	4228	cmd.exe	107
PID 4228 wrote to memory of 3240	4228	cmd.exe	107
PID 4228 wrote to memory of 3240	4228	cmd.exe	107
PID 5564 wrote to memory of 5836	5564	cmd.exe	110
PID 5564 wrote to memory of 5836	5564	cmd.exe	110
PID 5564 wrote to memory of 5836	5564	cmd.exe	110
PID 3240 wrote to memory of 4892	3240	hbdpiicvqfgbkamtradx.exe	173
PID 3240 wrote to memory of 4892	3240	hbdpiicvqfgbkamtradx.exe	173
PID 3240 wrote to memory of 4892	3240	hbdpiicvqfgbkamtradx.exe	173
PID 1392 wrote to memory of 392	1392	cmd.exe	112
PID 1392 wrote to memory of 392	1392	cmd.exe	112
PID 1392 wrote to memory of 392	1392	cmd.exe	112
PID 4400 wrote to memory of 4444	4400	cmd.exe	115
PID 4400 wrote to memory of 4444	4400	cmd.exe	115
PID 4400 wrote to memory of 4444	4400	cmd.exe	115
PID 392 wrote to memory of 1272	392	wruhbcxrndfblcpxwgkfi.exe	118
PID 392 wrote to memory of 1272	392	wruhbcxrndfblcpxwgkfi.exe	118
PID 392 wrote to memory of 1272	392	wruhbcxrndfblcpxwgkfi.exe	118
PID 4160 wrote to memory of 3148	4160	cmd.exe	119
PID 4160 wrote to memory of 3148	4160	cmd.exe	119
PID 4160 wrote to memory of 3148	4160	cmd.exe	119
PID 3148 wrote to memory of 1172	3148	wruhbcxrndfblcpxwgkfi.exe	120
PID 3148 wrote to memory of 1172	3148	wruhbcxrndfblcpxwgkfi.exe	120
PID 3148 wrote to memory of 1172	3148	wruhbcxrndfblcpxwgkfi.exe	120
PID 5252 wrote to memory of 1692	5252	vhhorpeefrr.exe	122
PID 5252 wrote to memory of 1692	5252	vhhorpeefrr.exe	122
PID 5252 wrote to memory of 1692	5252	vhhorpeefrr.exe	122
PID 5252 wrote to memory of 5208	5252	vhhorpeefrr.exe	123
PID 5252 wrote to memory of 5208	5252	vhhorpeefrr.exe	123
PID 5252 wrote to memory of 5208	5252	vhhorpeefrr.exe	123
PID 3812 wrote to memory of 4796	3812	cmd.exe	129
PID 3812 wrote to memory of 4796	3812	cmd.exe	129
PID 3812 wrote to memory of 4796	3812	cmd.exe	129
PID 3352 wrote to memory of 3664	3352	cmd.exe	369
PID 3352 wrote to memory of 3664	3352	cmd.exe	369
PID 3352 wrote to memory of 3664	3352	cmd.exe	369
PID 2608 wrote to memory of 3880	2608	cmd.exe	326
PID 2608 wrote to memory of 3880	2608	cmd.exe	326
PID 2608 wrote to memory of 3880	2608	cmd.exe	326
PID 1768 wrote to memory of 2860	1768	cmd.exe	136
PID 1768 wrote to memory of 2860	1768	cmd.exe	136
PID 1768 wrote to memory of 2860	1768	cmd.exe	136
PID 3880 wrote to memory of 4440	3880	jbblcasjcpohocmrnu.exe	146
PID 3880 wrote to memory of 4440	3880	jbblcasjcpohocmrnu.exe	146
PID 3880 wrote to memory of 4440	3880	jbblcasjcpohocmrnu.exe	146
PID 2860 wrote to memory of 6048	2860	unozrqjbvjjdlalrowy.exe	405
PID 2860 wrote to memory of 6048	2860	unozrqjbvjjdlalrowy.exe	405
PID 2860 wrote to memory of 6048	2860	unozrqjbvjjdlalrowy.exe	405
PID 2104 wrote to memory of 3760	2104	cmd.exe	155

System policy modification 1 TTPs 58 IoCs

defense_evasion

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	hnbzeq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	hnbzeq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	hnbzeq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vhhorpeefrr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	hnbzeq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vhhorpeefrr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vhhorpeefrr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	hnbzeq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hnbzeq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	vhhorpeefrr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	hnbzeq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vhhorpeefrr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	hnbzeq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	hnbzeq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	hnbzeq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	hnbzeq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	hnbzeq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	hnbzeq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	hnbzeq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hnbzeq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	hnbzeq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vhhorpeefrr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	hnbzeq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	hnbzeq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	hnbzeq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	hnbzeq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vhhorpeefrr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	hnbzeq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	hnbzeq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vhhorpeefrr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	hnbzeq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	hnbzeq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vhhorpeefrr.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5616
- C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
  "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Hijack Execution Flow: Executable Installer File Permissions Weakness
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:5252
- - C:\Users\Admin\AppData\Local\Temp\hnbzeq.exe
    "C:\Users\Admin\AppData\Local\Temp\hnbzeq.exe" "-C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:1692
- - C:\Users\Admin\AppData\Local\Temp\hnbzeq.exe
    "C:\Users\Admin\AppData\Local\Temp\hnbzeq.exe" "-C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wruhbcxrndfblcpxwgkfi.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5412
- C:\Windows\wruhbcxrndfblcpxwgkfi.exe
  wruhbcxrndfblcpxwgkfi.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jbblcasjcpohocmrnu.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:3944
- C:\Windows\jbblcasjcpohocmrnu.exe
  jbblcasjcpohocmrnu.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5768
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\jbblcasjcpohocmrnu.exe*."
    3⤵
    - Executes dropped EXE
    PID:3948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wruhbcxrndfblcpxwgkfi.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4848
- C:\Windows\wruhbcxrndfblcpxwgkfi.exe
  wruhbcxrndfblcpxwgkfi.exe
  2⤵
  - Executes dropped EXE
  PID:6072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hbdpiicvqfgbkamtradx.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:4228
- C:\Windows\hbdpiicvqfgbkamtradx.exe
  hbdpiicvqfgbkamtradx.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3240
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\hbdpiicvqfgbkamtradx.exe*."
    3⤵
    - Executes dropped EXE
    PID:4892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5564
- C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
  C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:1392
- C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
  C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:392
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\wruhbcxrndfblcpxwgkfi.exe*."
    3⤵
    - Executes dropped EXE
    PID:1272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4400
- C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
  C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
  2⤵
  - Executes dropped EXE
  PID:4444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:4160
- C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
  C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3148
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\wruhbcxrndfblcpxwgkfi.exe*."
    3⤵
    - Executes dropped EXE
    PID:1172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hbdpiicvqfgbkamtradx.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3812
- C:\Windows\hbdpiicvqfgbkamtradx.exe
  hbdpiicvqfgbkamtradx.exe
  2⤵
  - Executes dropped EXE
  PID:4796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jbblcasjcpohocmrnu.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3352
- C:\Windows\jbblcasjcpohocmrnu.exe
  jbblcasjcpohocmrnu.exe
  2⤵
  - Executes dropped EXE
  PID:3664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c unozrqjbvjjdlalrowy.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Windows\unozrqjbvjjdlalrowy.exe
  unozrqjbvjjdlalrowy.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\unozrqjbvjjdlalrowy.exe*."
    3⤵
    - Executes dropped EXE
    PID:6048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jbblcasjcpohocmrnu.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:2608
- C:\Windows\jbblcasjcpohocmrnu.exe
  jbblcasjcpohocmrnu.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3880
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\jbblcasjcpohocmrnu.exe*."
    3⤵
    - Executes dropped EXE
    PID:4440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c arqzpmdtlxvntgpto.exe
1⤵
PID:1996
- C:\Windows\arqzpmdtlxvntgpto.exe
  arqzpmdtlxvntgpto.exe
  2⤵
  - Executes dropped EXE
  PID:3936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c arqzpmdtlxvntgpto.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\arqzpmdtlxvntgpto.exe
  arqzpmdtlxvntgpto.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c arqzpmdtlxvntgpto.exe .
1⤵
PID:5928
- C:\Windows\arqzpmdtlxvntgpto.exe
  arqzpmdtlxvntgpto.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4840
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\arqzpmdtlxvntgpto.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wruhbcxrndfblcpxwgkfi.exe .
1⤵
PID:3068
- C:\Windows\wruhbcxrndfblcpxwgkfi.exe
  wruhbcxrndfblcpxwgkfi.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6064
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\wruhbcxrndfblcpxwgkfi.exe*."
    3⤵
    - Executes dropped EXE
    PID:1564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
1⤵
PID:5276
- C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
  C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
  2⤵
  - Executes dropped EXE
  PID:2756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
1⤵
PID:3152
- C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
  C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe .
1⤵
PID:3604
- C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
  C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:708
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\wruhbcxrndfblcpxwgkfi.exe*."
    3⤵
    - Executes dropped EXE
    PID:5660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe .
1⤵
PID:4340
- C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
  C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4892
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\wruhbcxrndfblcpxwgkfi.exe*."
    3⤵
    - Executes dropped EXE
    PID:2996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe
1⤵
PID:3092
- C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe
  C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe
1⤵
PID:3852
- C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe
  C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe
  2⤵
  - Executes dropped EXE
  PID:5816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe .
1⤵
PID:3848
- C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe
  C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4896
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\arqzpmdtlxvntgpto.exe*."
    3⤵
    - Executes dropped EXE
    PID:5540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe .
1⤵
PID:3856
- C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe
  C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4900
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\hbdpiicvqfgbkamtradx.exe*."
    3⤵
    - Executes dropped EXE
    PID:5504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hbdpiicvqfgbkamtradx.exe
1⤵
PID:3244
- C:\Windows\hbdpiicvqfgbkamtradx.exe
  hbdpiicvqfgbkamtradx.exe
  2⤵
  - Executes dropped EXE
  PID:5352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wruhbcxrndfblcpxwgkfi.exe .
1⤵
PID:5888
- C:\Windows\wruhbcxrndfblcpxwgkfi.exe
  wruhbcxrndfblcpxwgkfi.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5580
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\wruhbcxrndfblcpxwgkfi.exe*."
    3⤵
    - Executes dropped EXE
    PID:4248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tjhpeaqfwhevamux.exe
1⤵
PID:4156
- C:\Windows\tjhpeaqfwhevamux.exe
  tjhpeaqfwhevamux.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c unozrqjbvjjdlalrowy.exe .
1⤵
PID:4652
- C:\Windows\unozrqjbvjjdlalrowy.exe
  unozrqjbvjjdlalrowy.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3912
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\unozrqjbvjjdlalrowy.exe*."
    3⤵
    - Executes dropped EXE
    PID:412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe
1⤵
PID:1128
- C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe
  C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe .
1⤵
PID:3032
- C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe
  C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5572
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\arqzpmdtlxvntgpto.exe*."
    3⤵
    - Executes dropped EXE
    PID:5064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
1⤵
PID:5788
- C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
  C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
  2⤵
  - Executes dropped EXE
  PID:5196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe .
1⤵
PID:3080
- C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe
  C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2636
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\jbblcasjcpohocmrnu.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wruhbcxrndfblcpxwgkfi.exe
1⤵
PID:3584
- C:\Windows\wruhbcxrndfblcpxwgkfi.exe
  wruhbcxrndfblcpxwgkfi.exe
  2⤵
  - Executes dropped EXE
  PID:1332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tjhpeaqfwhevamux.exe .
1⤵
PID:1376
- C:\Windows\tjhpeaqfwhevamux.exe
  tjhpeaqfwhevamux.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5768
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\tjhpeaqfwhevamux.exe*."
    3⤵
    - Executes dropped EXE
    PID:5228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tjhpeaqfwhevamux.exe
1⤵
PID:2608
- C:\Windows\tjhpeaqfwhevamux.exe
  tjhpeaqfwhevamux.exe
  2⤵
  - Executes dropped EXE
  PID:2768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tjhpeaqfwhevamux.exe
1⤵
PID:5152
- C:\Windows\tjhpeaqfwhevamux.exe
  tjhpeaqfwhevamux.exe
  2⤵
  - Executes dropped EXE
  PID:4116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c arqzpmdtlxvntgpto.exe
1⤵
PID:5544
- C:\Windows\arqzpmdtlxvntgpto.exe
  arqzpmdtlxvntgpto.exe
  2⤵
  - Executes dropped EXE
  PID:6104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jbblcasjcpohocmrnu.exe .
1⤵
PID:2992
- C:\Windows\jbblcasjcpohocmrnu.exe
  jbblcasjcpohocmrnu.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:708
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\jbblcasjcpohocmrnu.exe*."
    3⤵
    - Executes dropped EXE
    PID:3908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jbblcasjcpohocmrnu.exe .
1⤵
PID:5060
- C:\Windows\jbblcasjcpohocmrnu.exe
  jbblcasjcpohocmrnu.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1840
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\jbblcasjcpohocmrnu.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wruhbcxrndfblcpxwgkfi.exe .
1⤵
PID:5192
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1564
- C:\Windows\wruhbcxrndfblcpxwgkfi.exe
  wruhbcxrndfblcpxwgkfi.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:5944
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\wruhbcxrndfblcpxwgkfi.exe*."
    3⤵
    - Executes dropped EXE
    PID:2864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
1⤵
PID:4140
- C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
  C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
  2⤵
  PID:4680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hbdpiicvqfgbkamtradx.exe
1⤵
PID:1388
- C:\Windows\hbdpiicvqfgbkamtradx.exe
  hbdpiicvqfgbkamtradx.exe
  2⤵
  - Executes dropped EXE
  PID:6100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hbdpiicvqfgbkamtradx.exe
1⤵
PID:4852
- C:\Windows\hbdpiicvqfgbkamtradx.exe
  hbdpiicvqfgbkamtradx.exe
  2⤵
  PID:4660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe .
1⤵
PID:3980
- C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe
  C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3208
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\hbdpiicvqfgbkamtradx.exe*."
    3⤵
    PID:4576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hbdpiicvqfgbkamtradx.exe .
1⤵
PID:2928
- C:\Windows\hbdpiicvqfgbkamtradx.exe
  hbdpiicvqfgbkamtradx.exe .
  2⤵
  - Checks computer location settings
  PID:1480
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\hbdpiicvqfgbkamtradx.exe*."
    3⤵
    PID:5044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hbdpiicvqfgbkamtradx.exe .
1⤵
PID:5564
- C:\Windows\hbdpiicvqfgbkamtradx.exe
  hbdpiicvqfgbkamtradx.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4836
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\hbdpiicvqfgbkamtradx.exe*."
    3⤵
    PID:2016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe
1⤵
PID:4532
- C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe
  C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe
  2⤵
  PID:1508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe
1⤵
PID:452
- C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe
  C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe
  2⤵
  PID:1296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe .
1⤵
PID:3656
- C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe
  C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4912
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\arqzpmdtlxvntgpto.exe*."
    3⤵
    PID:3056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe .
1⤵
PID:2604
- C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe
  C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4448
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\tjhpeaqfwhevamux.exe*."
    3⤵
    PID:3984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe
1⤵
PID:5856
- C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe
  C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe
  2⤵
  PID:3224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe .
1⤵
PID:5244
- C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe
  C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1664
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\hbdpiicvqfgbkamtradx.exe*."
    3⤵
    PID:3372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe
1⤵
PID:3748
- C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe
  C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe
  2⤵
  PID:3936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe
1⤵
PID:2884
- C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe
  C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe
  2⤵
  PID:5180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe .
1⤵
PID:4304
- C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe
  C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5876
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\arqzpmdtlxvntgpto.exe*."
    3⤵
    PID:4524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe .
1⤵
PID:408
- C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe
  C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1596
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\arqzpmdtlxvntgpto.exe*."
    3⤵
    PID:6072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hbdpiicvqfgbkamtradx.exe
1⤵
PID:5824
- C:\Windows\hbdpiicvqfgbkamtradx.exe
  hbdpiicvqfgbkamtradx.exe
  2⤵
  PID:2004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c arqzpmdtlxvntgpto.exe .
1⤵
PID:3960
- C:\Windows\arqzpmdtlxvntgpto.exe
  arqzpmdtlxvntgpto.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:6104
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\arqzpmdtlxvntgpto.exe*."
    3⤵
    PID:2236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wruhbcxrndfblcpxwgkfi.exe
1⤵
PID:1116
- C:\Windows\wruhbcxrndfblcpxwgkfi.exe
  wruhbcxrndfblcpxwgkfi.exe
  2⤵
  PID:2616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c unozrqjbvjjdlalrowy.exe .
1⤵
PID:2380
- C:\Windows\unozrqjbvjjdlalrowy.exe
  unozrqjbvjjdlalrowy.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4272
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\unozrqjbvjjdlalrowy.exe*."
    3⤵
    PID:4164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
1⤵
PID:3616
- C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
  C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
  2⤵
  PID:5944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe .
1⤵
PID:2172
- C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe
  C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:640
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\arqzpmdtlxvntgpto.exe*."
    3⤵
    PID:4228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe
1⤵
PID:4396
- C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe
  C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe
  2⤵
  PID:5220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe .
1⤵
PID:5236
- C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
  C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe .
  2⤵
  - Checks computer location settings
  PID:2632
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\unozrqjbvjjdlalrowy.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c unozrqjbvjjdlalrowy.exe
1⤵
PID:3880
- C:\Windows\unozrqjbvjjdlalrowy.exe
  unozrqjbvjjdlalrowy.exe
  2⤵
  PID:4548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hbdpiicvqfgbkamtradx.exe .
1⤵
PID:4328
- C:\Windows\hbdpiicvqfgbkamtradx.exe
  hbdpiicvqfgbkamtradx.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:456
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\hbdpiicvqfgbkamtradx.exe*."
    3⤵
    PID:1588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c unozrqjbvjjdlalrowy.exe
1⤵
PID:3528
- C:\Windows\unozrqjbvjjdlalrowy.exe
  unozrqjbvjjdlalrowy.exe
  2⤵
  PID:452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jbblcasjcpohocmrnu.exe .
1⤵
PID:4536
- C:\Windows\jbblcasjcpohocmrnu.exe
  jbblcasjcpohocmrnu.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3156
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\jbblcasjcpohocmrnu.exe*."
    3⤵
    PID:5092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe
1⤵
PID:5532
- C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe
  C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe
  2⤵
  PID:5628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe .
1⤵
PID:1604
- C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
  C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5880
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\unozrqjbvjjdlalrowy.exe*."
    3⤵
    PID:5468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
1⤵
PID:3984
- C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
  C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
  2⤵
  PID:2980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe .
1⤵
PID:5500
- C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
  C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe .
  2⤵
  - Checks computer location settings
  PID:5584
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\unozrqjbvjjdlalrowy.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c unozrqjbvjjdlalrowy.exe
1⤵
PID:5548
- C:\Windows\unozrqjbvjjdlalrowy.exe
  unozrqjbvjjdlalrowy.exe
  2⤵
  PID:4792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tjhpeaqfwhevamux.exe .
1⤵
PID:5792
- C:\Windows\tjhpeaqfwhevamux.exe
  tjhpeaqfwhevamux.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5316
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\tjhpeaqfwhevamux.exe*."
    3⤵
    PID:4108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wruhbcxrndfblcpxwgkfi.exe
1⤵
PID:2212
- C:\Windows\wruhbcxrndfblcpxwgkfi.exe
  wruhbcxrndfblcpxwgkfi.exe
  2⤵
  PID:616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c unozrqjbvjjdlalrowy.exe .
1⤵
PID:5300
- C:\Windows\unozrqjbvjjdlalrowy.exe
  unozrqjbvjjdlalrowy.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1648
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\unozrqjbvjjdlalrowy.exe*."
    3⤵
    PID:3948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
1⤵
PID:1768
- C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
  C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
  2⤵
  PID:4120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe .
1⤵
PID:3664
- C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe
  C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3168
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\jbblcasjcpohocmrnu.exe*."
    3⤵
    PID:2308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe
1⤵
PID:1116
- C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe
  C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe
  2⤵
  PID:2864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe .
1⤵
PID:3384
- C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
  C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4192
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\wruhbcxrndfblcpxwgkfi.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hbdpiicvqfgbkamtradx.exe
1⤵
PID:5360
- C:\Windows\hbdpiicvqfgbkamtradx.exe
  hbdpiicvqfgbkamtradx.exe
  2⤵
  PID:4976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tjhpeaqfwhevamux.exe .
1⤵
PID:2880
- C:\Windows\tjhpeaqfwhevamux.exe
  tjhpeaqfwhevamux.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2732
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\tjhpeaqfwhevamux.exe*."
    3⤵
    PID:5404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wruhbcxrndfblcpxwgkfi.exe
1⤵
PID:3152
- C:\Windows\wruhbcxrndfblcpxwgkfi.exe
  wruhbcxrndfblcpxwgkfi.exe
  2⤵
  PID:4628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c arqzpmdtlxvntgpto.exe .
1⤵
PID:5608
- C:\Windows\arqzpmdtlxvntgpto.exe
  arqzpmdtlxvntgpto.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3796
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\arqzpmdtlxvntgpto.exe*."
    3⤵
    PID:768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe
1⤵
PID:5236
- C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe
  C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe
  2⤵
  PID:2636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe .
1⤵
PID:4548
- C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe
  C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5012
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\jbblcasjcpohocmrnu.exe*."
    3⤵
    PID:5280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe
1⤵
PID:452
- C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe
  C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe
  2⤵
  PID:4832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe .
1⤵
PID:6048
- C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
  C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3300
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\wruhbcxrndfblcpxwgkfi.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c unozrqjbvjjdlalrowy.exe
1⤵
PID:2056
- C:\Windows\unozrqjbvjjdlalrowy.exe
  unozrqjbvjjdlalrowy.exe
  2⤵
  PID:5200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hbdpiicvqfgbkamtradx.exe .
1⤵
PID:5468
- C:\Windows\hbdpiicvqfgbkamtradx.exe
  hbdpiicvqfgbkamtradx.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3080
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\hbdpiicvqfgbkamtradx.exe*."
    3⤵
    PID:4048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hbdpiicvqfgbkamtradx.exe
1⤵
PID:6080
- C:\Windows\hbdpiicvqfgbkamtradx.exe
  hbdpiicvqfgbkamtradx.exe
  2⤵
  PID:4884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c unozrqjbvjjdlalrowy.exe .
1⤵
PID:3980
- C:\Windows\unozrqjbvjjdlalrowy.exe
  unozrqjbvjjdlalrowy.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1752
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\unozrqjbvjjdlalrowy.exe*."
    3⤵
    PID:616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe
1⤵
PID:5512
- C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe
  C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe
  2⤵
  PID:5388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe .
1⤵
PID:5352
- C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe
  C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5956
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\jbblcasjcpohocmrnu.exe*."
    3⤵
    PID:4520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe
1⤵
PID:5316
- C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe
  C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe
  2⤵
  PID:2608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe .
1⤵
PID:2768
- C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe
  C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5032
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\jbblcasjcpohocmrnu.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hbdpiicvqfgbkamtradx.exe
1⤵
PID:3536
- C:\Windows\hbdpiicvqfgbkamtradx.exe
  hbdpiicvqfgbkamtradx.exe
  2⤵
  PID:2308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c arqzpmdtlxvntgpto.exe .
1⤵
PID:1576
- C:\Windows\arqzpmdtlxvntgpto.exe
  arqzpmdtlxvntgpto.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1964
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\arqzpmdtlxvntgpto.exe*."
    3⤵
    PID:64

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jbblcasjcpohocmrnu.exe
1⤵
PID:4620
- C:\Windows\jbblcasjcpohocmrnu.exe
  jbblcasjcpohocmrnu.exe
  2⤵
  PID:3904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wruhbcxrndfblcpxwgkfi.exe .
1⤵
PID:2784
- C:\Windows\wruhbcxrndfblcpxwgkfi.exe
  wruhbcxrndfblcpxwgkfi.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3120
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\wruhbcxrndfblcpxwgkfi.exe*."
    3⤵
    PID:5204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
1⤵
PID:3348
- C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
  C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
  2⤵
  PID:3512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe .
1⤵
PID:2672
- C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe
  C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4220
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\tjhpeaqfwhevamux.exe*."
    3⤵
    PID:4396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe
1⤵
PID:2172
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5504
- C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe
  C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe
  2⤵
  PID:5220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe .
1⤵
PID:928
- C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
  C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5180
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\unozrqjbvjjdlalrowy.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jbblcasjcpohocmrnu.exe
1⤵
PID:1560
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5572
- C:\Windows\jbblcasjcpohocmrnu.exe
  jbblcasjcpohocmrnu.exe
  2⤵
  PID:4636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jbblcasjcpohocmrnu.exe
1⤵
PID:4084
- C:\Windows\jbblcasjcpohocmrnu.exe
  jbblcasjcpohocmrnu.exe
  2⤵
  PID:3612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hbdpiicvqfgbkamtradx.exe .
1⤵
PID:3880
- C:\Windows\hbdpiicvqfgbkamtradx.exe
  hbdpiicvqfgbkamtradx.exe .
  2⤵
  - Checks computer location settings
  PID:4440
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\hbdpiicvqfgbkamtradx.exe*."
    3⤵
    PID:5856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wruhbcxrndfblcpxwgkfi.exe .
1⤵
PID:768
- C:\Windows\wruhbcxrndfblcpxwgkfi.exe
  wruhbcxrndfblcpxwgkfi.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5288
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\wruhbcxrndfblcpxwgkfi.exe*."
    3⤵
    PID:4536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wruhbcxrndfblcpxwgkfi.exe
1⤵
PID:2668
- C:\Windows\wruhbcxrndfblcpxwgkfi.exe
  wruhbcxrndfblcpxwgkfi.exe
  2⤵
  PID:1788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c unozrqjbvjjdlalrowy.exe
1⤵
PID:2496
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4836
- C:\Windows\unozrqjbvjjdlalrowy.exe
  unozrqjbvjjdlalrowy.exe
  2⤵
  PID:5908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c arqzpmdtlxvntgpto.exe .
1⤵
PID:452
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3496
- C:\Windows\arqzpmdtlxvntgpto.exe
  arqzpmdtlxvntgpto.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2168
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\arqzpmdtlxvntgpto.exe*."
    3⤵
    PID:5580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c unozrqjbvjjdlalrowy.exe .
1⤵
PID:3704
- C:\Windows\unozrqjbvjjdlalrowy.exe
  unozrqjbvjjdlalrowy.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3808
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\unozrqjbvjjdlalrowy.exe*."
    3⤵
    PID:1176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe
1⤵
PID:5092
- C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe
  C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe
  2⤵
  PID:5352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe
1⤵
PID:404
- C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe
  C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe
  2⤵
  PID:2156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe .
1⤵
PID:5668
- C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
  C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe .
  2⤵
  - Checks computer location settings
  PID:5032
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\unozrqjbvjjdlalrowy.exe*."
    3⤵
    PID:4164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe .
1⤵
PID:5584
- C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe
  C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1424
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\arqzpmdtlxvntgpto.exe*."
    3⤵
    PID:4620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wruhbcxrndfblcpxwgkfi.exe
1⤵
PID:3172
- C:\Windows\wruhbcxrndfblcpxwgkfi.exe
  wruhbcxrndfblcpxwgkfi.exe
  2⤵
  PID:4968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe
1⤵
PID:5660
- C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe
  C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe
  2⤵
  PID:2864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tjhpeaqfwhevamux.exe .
1⤵
PID:5444
- C:\Windows\tjhpeaqfwhevamux.exe
  tjhpeaqfwhevamux.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2768
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\tjhpeaqfwhevamux.exe*."
    3⤵
    PID:3384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe
1⤵
PID:5500
- C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe
  C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe
  2⤵
  PID:3548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe .
1⤵
PID:5824
- C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe
  C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4160
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\arqzpmdtlxvntgpto.exe*."
    3⤵
    PID:4264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe .
1⤵
PID:4792
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1596
- C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe
  C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5588
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\hbdpiicvqfgbkamtradx.exe*."
    3⤵
    PID:4660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wruhbcxrndfblcpxwgkfi.exe
1⤵
PID:924
- C:\Windows\wruhbcxrndfblcpxwgkfi.exe
  wruhbcxrndfblcpxwgkfi.exe
  2⤵
  PID:5796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c unozrqjbvjjdlalrowy.exe .
1⤵
PID:684
- C:\Windows\unozrqjbvjjdlalrowy.exe
  unozrqjbvjjdlalrowy.exe .
  2⤵
  - Checks computer location settings
  PID:4628
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\unozrqjbvjjdlalrowy.exe*."
    3⤵
    PID:4780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
1⤵
PID:3028
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2236
- C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
  C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
  2⤵
  PID:1432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe .
1⤵
PID:4896
- C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe
  C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3236
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\arqzpmdtlxvntgpto.exe*."
    3⤵
    PID:4680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe
1⤵
PID:4808
- C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe
  C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe
  2⤵
  PID:2172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe .
1⤵
PID:5944
- C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe
  C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe .
  2⤵
  - Checks computer location settings
  PID:3924
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\arqzpmdtlxvntgpto.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jbblcasjcpohocmrnu.exe
1⤵
PID:1612
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5196
- C:\Windows\jbblcasjcpohocmrnu.exe
  jbblcasjcpohocmrnu.exe
  2⤵
  PID:1440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wruhbcxrndfblcpxwgkfi.exe .
1⤵
PID:4448
- C:\Windows\wruhbcxrndfblcpxwgkfi.exe
  wruhbcxrndfblcpxwgkfi.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4532
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\wruhbcxrndfblcpxwgkfi.exe*."
    3⤵
    PID:4576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hbdpiicvqfgbkamtradx.exe
1⤵
PID:5388
- C:\Windows\hbdpiicvqfgbkamtradx.exe
  hbdpiicvqfgbkamtradx.exe
  2⤵
  PID:1836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jbblcasjcpohocmrnu.exe .
1⤵
PID:3708
- C:\Windows\jbblcasjcpohocmrnu.exe
  jbblcasjcpohocmrnu.exe .
  2⤵
  - Checks computer location settings
  PID:5792
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\jbblcasjcpohocmrnu.exe*."
    3⤵
    PID:4504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
1⤵
PID:5160
- C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
  C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
  2⤵
  PID:3372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe .
1⤵
PID:5316
- C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe
  C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:224
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\jbblcasjcpohocmrnu.exe*."
    3⤵
    PID:3636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe
1⤵
PID:1964
- C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe
  C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe
  2⤵
  PID:404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe .
1⤵
PID:3624
- C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe
  C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3664
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\tjhpeaqfwhevamux.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tjhpeaqfwhevamux.exe
1⤵
PID:3616
- C:\Windows\tjhpeaqfwhevamux.exe
  tjhpeaqfwhevamux.exe
  2⤵
  PID:5660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c arqzpmdtlxvntgpto.exe .
1⤵
PID:3092
- C:\Windows\arqzpmdtlxvntgpto.exe
  arqzpmdtlxvntgpto.exe .
  2⤵
  - Checks computer location settings
  PID:3820
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\arqzpmdtlxvntgpto.exe*."
    3⤵
    PID:3020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jbblcasjcpohocmrnu.exe
1⤵
PID:1968
- C:\Windows\jbblcasjcpohocmrnu.exe
  jbblcasjcpohocmrnu.exe
  2⤵
  PID:412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c unozrqjbvjjdlalrowy.exe .
1⤵
PID:5228
- C:\Windows\unozrqjbvjjdlalrowy.exe
  unozrqjbvjjdlalrowy.exe .
  2⤵
  PID:4160
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\unozrqjbvjjdlalrowy.exe*."
    3⤵
    PID:4792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe
1⤵
PID:2008
- C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe
  C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe
  2⤵
  PID:4524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe .
1⤵
PID:3904
- C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe
  C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe .
  2⤵
  PID:6092
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\arqzpmdtlxvntgpto.exe*."
    3⤵
    PID:2784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe
1⤵
PID:2760
- C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe
  C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe
  2⤵
  PID:2432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe .
1⤵
PID:3632
- C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
  C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe .
  2⤵
  PID:3152
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\wruhbcxrndfblcpxwgkfi.exe*."
    3⤵
    PID:2964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c arqzpmdtlxvntgpto.exe
1⤵
PID:5108
- C:\Windows\arqzpmdtlxvntgpto.exe
  arqzpmdtlxvntgpto.exe
  2⤵
  PID:3544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hbdpiicvqfgbkamtradx.exe .
1⤵
PID:1784
- C:\Windows\hbdpiicvqfgbkamtradx.exe
  hbdpiicvqfgbkamtradx.exe .
  2⤵
  PID:928
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\hbdpiicvqfgbkamtradx.exe*."
    3⤵
    PID:3056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jbblcasjcpohocmrnu.exe
1⤵
PID:5404
- C:\Windows\jbblcasjcpohocmrnu.exe
  jbblcasjcpohocmrnu.exe
  2⤵
  PID:3380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c unozrqjbvjjdlalrowy.exe .
1⤵
PID:5396
- C:\Windows\unozrqjbvjjdlalrowy.exe
  unozrqjbvjjdlalrowy.exe .
  2⤵
  PID:3880
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\unozrqjbvjjdlalrowy.exe*."
    3⤵
    PID:5476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe
1⤵
PID:5872
- C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe
  C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe
  2⤵
  PID:4004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe .
1⤵
PID:4872
- C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe
  C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe .
  2⤵
  PID:5144
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\tjhpeaqfwhevamux.exe*."
    3⤵
    PID:5284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
1⤵
PID:4500
- C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
  C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
  2⤵
  PID:5612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe .
1⤵
PID:2108
- C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe
  C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe .
  2⤵
  PID:452
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\arqzpmdtlxvntgpto.exe*."
    3⤵
    PID:5580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c unozrqjbvjjdlalrowy.exe
1⤵
PID:1952
- C:\Windows\unozrqjbvjjdlalrowy.exe
  unozrqjbvjjdlalrowy.exe
  2⤵
  PID:3956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c unozrqjbvjjdlalrowy.exe .
1⤵
PID:3080
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4164
- C:\Windows\unozrqjbvjjdlalrowy.exe
  unozrqjbvjjdlalrowy.exe .
  2⤵
  PID:2100
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\unozrqjbvjjdlalrowy.exe*."
    3⤵
    PID:3296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c arqzpmdtlxvntgpto.exe
1⤵
PID:5364
- C:\Windows\arqzpmdtlxvntgpto.exe
  arqzpmdtlxvntgpto.exe
  2⤵
  PID:2768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wruhbcxrndfblcpxwgkfi.exe .
1⤵
PID:1988
- C:\Windows\wruhbcxrndfblcpxwgkfi.exe
  wruhbcxrndfblcpxwgkfi.exe .
  2⤵
  PID:4644
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\wruhbcxrndfblcpxwgkfi.exe*."
    3⤵
    PID:5464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe
1⤵
PID:2416
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4116
- C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe
  C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe
  2⤵
  PID:2604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe .
1⤵
PID:2536
- C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe
  C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe .
  2⤵
  PID:4920
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\jbblcasjcpohocmrnu.exe*."
    3⤵
    PID:3236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
1⤵
PID:2732
- C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
  C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
  2⤵
  PID:2172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe .
1⤵
PID:1280
- C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
  C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe .
  2⤵
  PID:4160
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\unozrqjbvjjdlalrowy.exe*."
    3⤵
    PID:4804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wruhbcxrndfblcpxwgkfi.exe
1⤵
PID:2784
- C:\Windows\wruhbcxrndfblcpxwgkfi.exe
  wruhbcxrndfblcpxwgkfi.exe
  2⤵
  PID:2656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c arqzpmdtlxvntgpto.exe .
1⤵
PID:4636
- C:\Windows\arqzpmdtlxvntgpto.exe
  arqzpmdtlxvntgpto.exe .
  2⤵
  PID:3528
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\arqzpmdtlxvntgpto.exe*."
    3⤵
    PID:2104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c unozrqjbvjjdlalrowy.exe
1⤵
PID:3808
- C:\Windows\unozrqjbvjjdlalrowy.exe
  unozrqjbvjjdlalrowy.exe
  2⤵
  PID:5108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tjhpeaqfwhevamux.exe .
1⤵
PID:6128
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5180
- C:\Windows\tjhpeaqfwhevamux.exe
  tjhpeaqfwhevamux.exe .
  2⤵
  PID:1972
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\tjhpeaqfwhevamux.exe*."
    3⤵
    PID:1528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
1⤵
PID:652
- C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
  C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
  2⤵
  PID:3984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe .
1⤵
PID:3056
- C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe
  C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe .
  2⤵
  PID:6024
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\tjhpeaqfwhevamux.exe*."
    3⤵
    PID:4640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe
1⤵
PID:3300
- C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe
  C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe
  2⤵
  PID:1068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe .
1⤵
PID:2620
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5880
- C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe
  C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe .
  2⤵
  PID:4520
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\tjhpeaqfwhevamux.exe*."
    3⤵
    PID:2444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wruhbcxrndfblcpxwgkfi.exe
1⤵
PID:5284
- C:\Windows\wruhbcxrndfblcpxwgkfi.exe
  wruhbcxrndfblcpxwgkfi.exe
  2⤵
  PID:768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jbblcasjcpohocmrnu.exe
1⤵
PID:3864
- C:\Windows\jbblcasjcpohocmrnu.exe
  jbblcasjcpohocmrnu.exe
  2⤵
  PID:3352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jbblcasjcpohocmrnu.exe
1⤵
PID:4500
- C:\Windows\jbblcasjcpohocmrnu.exe
  jbblcasjcpohocmrnu.exe
  2⤵
  PID:6000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tjhpeaqfwhevamux.exe .
1⤵
PID:452
- C:\Windows\tjhpeaqfwhevamux.exe
  tjhpeaqfwhevamux.exe .
  2⤵
  PID:3956
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\tjhpeaqfwhevamux.exe*."
    3⤵
    PID:2616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c unozrqjbvjjdlalrowy.exe .
1⤵
PID:4140
- C:\Windows\unozrqjbvjjdlalrowy.exe
  unozrqjbvjjdlalrowy.exe .
  2⤵
  PID:4352
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\unozrqjbvjjdlalrowy.exe*."
    3⤵
    PID:3592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tjhpeaqfwhevamux.exe .
1⤵
PID:2868
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4912
- C:\Windows\tjhpeaqfwhevamux.exe
  tjhpeaqfwhevamux.exe .
  2⤵
  PID:5868
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\tjhpeaqfwhevamux.exe*."
    3⤵
    PID:5956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tjhpeaqfwhevamux.exe
1⤵
PID:1820
- C:\Windows\tjhpeaqfwhevamux.exe
  tjhpeaqfwhevamux.exe
  2⤵
  PID:5316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c unozrqjbvjjdlalrowy.exe
1⤵
PID:5364
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5032
- C:\Windows\unozrqjbvjjdlalrowy.exe
  unozrqjbvjjdlalrowy.exe
  2⤵
  PID:4988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c arqzpmdtlxvntgpto.exe .
1⤵
PID:3168
- C:\Windows\arqzpmdtlxvntgpto.exe
  arqzpmdtlxvntgpto.exe .
  2⤵
  PID:2652
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\arqzpmdtlxvntgpto.exe*."
    3⤵
    PID:4780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wruhbcxrndfblcpxwgkfi.exe .
1⤵
PID:1128
- C:\Windows\wruhbcxrndfblcpxwgkfi.exe
  wruhbcxrndfblcpxwgkfi.exe .
  2⤵
  PID:3032
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\wruhbcxrndfblcpxwgkfi.exe*."
    3⤵
    PID:640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wruhbcxrndfblcpxwgkfi.exe
1⤵
PID:4644
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2980
- C:\Windows\wruhbcxrndfblcpxwgkfi.exe
  wruhbcxrndfblcpxwgkfi.exe
  2⤵
  PID:4544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe
  C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe
  2⤵
  PID:4844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c unozrqjbvjjdlalrowy.exe .
1⤵
PID:1272
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1332
- C:\Windows\unozrqjbvjjdlalrowy.exe
  unozrqjbvjjdlalrowy.exe .
  2⤵
  PID:4832
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\unozrqjbvjjdlalrowy.exe*."
    3⤵
    PID:1876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe
1⤵
PID:4612
- C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe
  C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe
  2⤵
  PID:6020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe .
1⤵
PID:1452
- C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
  C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe .
  2⤵
  PID:1980
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\wruhbcxrndfblcpxwgkfi.exe*."
    3⤵
    PID:2284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe
1⤵
PID:1516
- C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe
  C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe
  2⤵
  PID:4192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe .
1⤵
PID:2732
- C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe
  C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe .
  2⤵
  PID:2168
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\jbblcasjcpohocmrnu.exe*."
    3⤵
    PID:1752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe .
1⤵
PID:3504
- C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe
  C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe .
  2⤵
  PID:6016
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\tjhpeaqfwhevamux.exe*."
    3⤵
    PID:2056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
1⤵
PID:5892
- C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
  C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
  2⤵
  PID:4856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe
1⤵
PID:1560
- C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe
  C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe
  2⤵
  PID:6000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe .
1⤵
PID:1380
- C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
  C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe .
  2⤵
  PID:5872
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\wruhbcxrndfblcpxwgkfi.exe*."
    3⤵
    PID:6008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe .
1⤵
PID:4300
- C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe
  C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe .
  2⤵
  PID:4264
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\arqzpmdtlxvntgpto.exe*."
    3⤵
    PID:4884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
1⤵
PID:4332
- C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
  C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
  2⤵
  PID:1800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe .
1⤵
PID:4120
- C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe
  C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe .
  2⤵
  PID:392
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\jbblcasjcpohocmrnu.exe*."
    3⤵
    PID:4508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hbdpiicvqfgbkamtradx.exe
1⤵
PID:1468
- C:\Windows\hbdpiicvqfgbkamtradx.exe
  hbdpiicvqfgbkamtradx.exe
  2⤵
  PID:3708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hbdpiicvqfgbkamtradx.exe .
1⤵
PID:2156
- C:\Windows\hbdpiicvqfgbkamtradx.exe
  hbdpiicvqfgbkamtradx.exe .
  2⤵
  PID:1368
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\hbdpiicvqfgbkamtradx.exe*."
    3⤵
    PID:348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hbdpiicvqfgbkamtradx.exe
1⤵
PID:1792
- C:\Windows\hbdpiicvqfgbkamtradx.exe
  hbdpiicvqfgbkamtradx.exe
  2⤵
  PID:6012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c arqzpmdtlxvntgpto.exe .
1⤵
PID:404
- C:\Windows\arqzpmdtlxvntgpto.exe
  arqzpmdtlxvntgpto.exe .
  2⤵
  PID:4652
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\arqzpmdtlxvntgpto.exe*."
    3⤵
    PID:4272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
1⤵
PID:2628
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4548
- C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
  C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
  2⤵
  PID:5956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe .
1⤵
PID:4680
- C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
  C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe .
  2⤵
  PID:2768
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\wruhbcxrndfblcpxwgkfi.exe*."
    3⤵
    PID:3000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe
1⤵
PID:4048
- C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe
  C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe
  2⤵
  PID:964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe .
1⤵
PID:5524
- C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe
  C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe .
  2⤵
  PID:5788
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\hbdpiicvqfgbkamtradx.exe*."
    3⤵
    PID:3032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hbdpiicvqfgbkamtradx.exe
1⤵
PID:5608
- C:\Windows\hbdpiicvqfgbkamtradx.exe
  hbdpiicvqfgbkamtradx.exe
  2⤵
  PID:4644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wruhbcxrndfblcpxwgkfi.exe .
1⤵
PID:1684
- C:\Windows\wruhbcxrndfblcpxwgkfi.exe
  wruhbcxrndfblcpxwgkfi.exe .
  2⤵
  PID:5332
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\wruhbcxrndfblcpxwgkfi.exe*."
    3⤵
    PID:5072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hbdpiicvqfgbkamtradx.exe
1⤵
PID:5660
- C:\Windows\hbdpiicvqfgbkamtradx.exe
  hbdpiicvqfgbkamtradx.exe
  2⤵
  PID:4744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wruhbcxrndfblcpxwgkfi.exe .
1⤵
PID:4516
- C:\Windows\wruhbcxrndfblcpxwgkfi.exe
  wruhbcxrndfblcpxwgkfi.exe .
  2⤵
  PID:1476
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\wruhbcxrndfblcpxwgkfi.exe*."
    3⤵
    PID:4264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe
1⤵
PID:1576
- C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe
  C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe
  2⤵
  PID:5060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe .
1⤵
PID:3372
- C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe
  C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe .
  2⤵
  PID:2756
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\jbblcasjcpohocmrnu.exe*."
    3⤵
    PID:1972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
1⤵
PID:3948
- C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
  C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
  2⤵
  PID:4332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe .
1⤵
PID:652
- C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
  C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe .
  2⤵
  PID:4868
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\wruhbcxrndfblcpxwgkfi.exe*."
    3⤵
    PID:3216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tjhpeaqfwhevamux.exe
1⤵
PID:3916
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4120
- C:\Windows\tjhpeaqfwhevamux.exe
  tjhpeaqfwhevamux.exe
  2⤵
  PID:3708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tjhpeaqfwhevamux.exe .
1⤵
PID:224
- C:\Windows\tjhpeaqfwhevamux.exe
  tjhpeaqfwhevamux.exe .
  2⤵
  PID:6020
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\tjhpeaqfwhevamux.exe*."
    3⤵
    PID:6088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c arqzpmdtlxvntgpto.exe
1⤵
PID:3924
- C:\Windows\arqzpmdtlxvntgpto.exe
  arqzpmdtlxvntgpto.exe
  2⤵
  PID:6016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wruhbcxrndfblcpxwgkfi.exe .
1⤵
PID:3512
- C:\Windows\wruhbcxrndfblcpxwgkfi.exe
  wruhbcxrndfblcpxwgkfi.exe .
  2⤵
  PID:1516
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\wruhbcxrndfblcpxwgkfi.exe*."
    3⤵
    PID:1368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
1⤵
PID:5556
- C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
  C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
  2⤵
  PID:4732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe .
1⤵
PID:2416
- C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
  C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe .
  2⤵
  PID:1844
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\unozrqjbvjjdlalrowy.exe*."
    3⤵
    PID:5096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe
1⤵
PID:5092
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3908
- C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe
  C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe
  2⤵
  PID:5544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe .
1⤵
PID:4760
- C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe
  C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe .
  2⤵
  PID:64
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\tjhpeaqfwhevamux.exe*."
    3⤵
    PID:4652

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hbdpiicvqfgbkamtradx.exe
1⤵
PID:4408
- C:\Windows\hbdpiicvqfgbkamtradx.exe
  hbdpiicvqfgbkamtradx.exe
  2⤵
  PID:4532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wruhbcxrndfblcpxwgkfi.exe .
1⤵
PID:3972
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:640
- C:\Windows\wruhbcxrndfblcpxwgkfi.exe
  wruhbcxrndfblcpxwgkfi.exe .
  2⤵
  PID:1964
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\wruhbcxrndfblcpxwgkfi.exe*."
    3⤵
    PID:368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tjhpeaqfwhevamux.exe
1⤵
PID:4800
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3168
- C:\Windows\tjhpeaqfwhevamux.exe
  tjhpeaqfwhevamux.exe
  2⤵
  PID:1968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hbdpiicvqfgbkamtradx.exe .
1⤵
PID:2504
- C:\Windows\hbdpiicvqfgbkamtradx.exe
  hbdpiicvqfgbkamtradx.exe .
  2⤵
  PID:1112
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\hbdpiicvqfgbkamtradx.exe*."
    3⤵
    PID:616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe
1⤵
PID:3536
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5876
- C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe
  C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe
  2⤵
  PID:3532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe .
1⤵
PID:2456
- C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
  C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe .
  2⤵
  PID:4116
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\unozrqjbvjjdlalrowy.exe*."
    3⤵
    PID:5784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
1⤵
PID:5476
- C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
  C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
  2⤵
  PID:412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe .
1⤵
PID:1508
- C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
  C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe .
  2⤵
  PID:2848
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\unozrqjbvjjdlalrowy.exe*."
    3⤵
    PID:5892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jbblcasjcpohocmrnu.exe
1⤵
PID:1972
- C:\Windows\jbblcasjcpohocmrnu.exe
  jbblcasjcpohocmrnu.exe
  2⤵
  PID:2668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hbdpiicvqfgbkamtradx.exe .
1⤵
PID:4332
- C:\Windows\hbdpiicvqfgbkamtradx.exe
  hbdpiicvqfgbkamtradx.exe .
  2⤵
  PID:3380
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\hbdpiicvqfgbkamtradx.exe*."
    3⤵
    PID:5460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wruhbcxrndfblcpxwgkfi.exe
1⤵
PID:3032
- C:\Windows\wruhbcxrndfblcpxwgkfi.exe
  wruhbcxrndfblcpxwgkfi.exe
  2⤵
  PID:5244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c unozrqjbvjjdlalrowy.exe .
1⤵
PID:3812
- C:\Windows\unozrqjbvjjdlalrowy.exe
  unozrqjbvjjdlalrowy.exe .
  2⤵
  PID:5428
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\unozrqjbvjjdlalrowy.exe*."
    3⤵
    PID:6060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe
1⤵
PID:1116
- C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe
  C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe
  2⤵
  PID:2536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe .
1⤵
PID:1176
- C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
  C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe .
  2⤵
  PID:532
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\unozrqjbvjjdlalrowy.exe*."
    3⤵
    PID:3924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
1⤵
PID:5228
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1296
- C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
  C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
  2⤵
  PID:4944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe .
1⤵
PID:2432
- C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
  C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe .
  2⤵
  PID:1368
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\wruhbcxrndfblcpxwgkfi.exe*."
    3⤵
    PID:5808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jbblcasjcpohocmrnu.exe
1⤵
PID:3040
- C:\Windows\jbblcasjcpohocmrnu.exe
  jbblcasjcpohocmrnu.exe
  2⤵
  PID:3236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tjhpeaqfwhevamux.exe .
1⤵
PID:4836
- C:\Windows\tjhpeaqfwhevamux.exe
  tjhpeaqfwhevamux.exe .
  2⤵
  PID:3748
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\tjhpeaqfwhevamux.exe*."
    3⤵
    PID:4760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wruhbcxrndfblcpxwgkfi.exe
1⤵
PID:5444
- C:\Windows\wruhbcxrndfblcpxwgkfi.exe
  wruhbcxrndfblcpxwgkfi.exe
  2⤵
  PID:2212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c arqzpmdtlxvntgpto.exe .
1⤵
PID:1988
- C:\Windows\arqzpmdtlxvntgpto.exe
  arqzpmdtlxvntgpto.exe .
  2⤵
  PID:1056
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\arqzpmdtlxvntgpto.exe*."
    3⤵
    PID:4492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
1⤵
PID:2340
- C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
  C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
  2⤵
  PID:4484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe .
1⤵
PID:4620
- C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
  C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe .
  2⤵
  PID:3464
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\unozrqjbvjjdlalrowy.exe*."
    3⤵
    PID:5988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe
1⤵
PID:3808
- C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe
  C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe
  2⤵
  PID:5480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe .
1⤵
PID:2344
- C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe
  C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe .
  2⤵
  PID:3532
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\hbdpiicvqfgbkamtradx.exe*."
    3⤵
    PID:5044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c unozrqjbvjjdlalrowy.exe
1⤵
PID:1480
- C:\Windows\unozrqjbvjjdlalrowy.exe
  unozrqjbvjjdlalrowy.exe
  2⤵
  PID:4660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hbdpiicvqfgbkamtradx.exe .
1⤵
PID:5836
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:616
- C:\Windows\hbdpiicvqfgbkamtradx.exe
  hbdpiicvqfgbkamtradx.exe .
  2⤵
  PID:1200
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\hbdpiicvqfgbkamtradx.exe*."
    3⤵
    PID:2252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jbblcasjcpohocmrnu.exe
1⤵
PID:5336
- C:\Windows\jbblcasjcpohocmrnu.exe
  jbblcasjcpohocmrnu.exe
  2⤵
  PID:6104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hbdpiicvqfgbkamtradx.exe
1⤵
PID:5608
- C:\Windows\hbdpiicvqfgbkamtradx.exe
  hbdpiicvqfgbkamtradx.exe
  2⤵
  PID:1576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c unozrqjbvjjdlalrowy.exe .
1⤵
PID:3892
- C:\Windows\unozrqjbvjjdlalrowy.exe
  unozrqjbvjjdlalrowy.exe .
  2⤵
  PID:4900
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\unozrqjbvjjdlalrowy.exe*."
    3⤵
    PID:224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hbdpiicvqfgbkamtradx.exe .
1⤵
PID:1044
- C:\Windows\hbdpiicvqfgbkamtradx.exe
  hbdpiicvqfgbkamtradx.exe .
  2⤵
  PID:1928
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\hbdpiicvqfgbkamtradx.exe*."
    3⤵
    PID:3924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe
1⤵
PID:1476
- C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe
  C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe
  2⤵
  PID:3864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c unozrqjbvjjdlalrowy.exe
1⤵
PID:5400
- C:\Windows\unozrqjbvjjdlalrowy.exe
  unozrqjbvjjdlalrowy.exe
  2⤵
  PID:2560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jbblcasjcpohocmrnu.exe
1⤵
PID:1232
- C:\Windows\jbblcasjcpohocmrnu.exe
  jbblcasjcpohocmrnu.exe
  2⤵
  PID:3984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe .
1⤵
PID:2116
- C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe
  C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe .
  2⤵
  PID:3812
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\jbblcasjcpohocmrnu.exe*."
    3⤵
    PID:1448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hbdpiicvqfgbkamtradx.exe .
1⤵
PID:652
- C:\Windows\hbdpiicvqfgbkamtradx.exe
  hbdpiicvqfgbkamtradx.exe .
  2⤵
  PID:2704
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\hbdpiicvqfgbkamtradx.exe*."
    3⤵
    PID:4140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c unozrqjbvjjdlalrowy.exe .
1⤵
PID:4160
- C:\Windows\unozrqjbvjjdlalrowy.exe
  unozrqjbvjjdlalrowy.exe .
  2⤵
  PID:5168
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\unozrqjbvjjdlalrowy.exe*."
    3⤵
    PID:4640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
1⤵
PID:1380
- C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
  C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
  2⤵
  PID:708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe .
1⤵
PID:4504
- C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe
  C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe .
  2⤵
  PID:3056
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\jbblcasjcpohocmrnu.exe*."
    3⤵
    PID:5944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe
1⤵
PID:5760
- C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe
  C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe
  2⤵
  PID:4532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jbblcasjcpohocmrnu.exe
1⤵
PID:2016
- C:\Windows\jbblcasjcpohocmrnu.exe
  jbblcasjcpohocmrnu.exe
  2⤵
  PID:1292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe .
1⤵
PID:532
- C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe
  C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe .
  2⤵
  PID:1988
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\tjhpeaqfwhevamux.exe*."
    3⤵
    PID:5452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c arqzpmdtlxvntgpto.exe .
1⤵
PID:6032
- C:\Windows\arqzpmdtlxvntgpto.exe
  arqzpmdtlxvntgpto.exe .
  2⤵
  PID:3000
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\arqzpmdtlxvntgpto.exe*."
    3⤵
    PID:3584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe
1⤵
PID:1368
- C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe
  C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe
  2⤵
  PID:5364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
1⤵
PID:4200
- C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
  C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
  2⤵
  PID:4624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe .
1⤵
PID:1464
- C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe
  C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe .
  2⤵
  PID:4892
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\arqzpmdtlxvntgpto.exe*."
    3⤵
    PID:2520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe .
1⤵
PID:4852
- C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
  C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe .
  2⤵
  PID:4780
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\unozrqjbvjjdlalrowy.exe*."
    3⤵
    PID:2496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
1⤵
PID:3028
- C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
  C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
  2⤵
  PID:4544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe .
1⤵
PID:1056
- C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe
  C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe .
  2⤵
  PID:4128
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\tjhpeaqfwhevamux.exe*."
    3⤵
    PID:4804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wruhbcxrndfblcpxwgkfi.exe
1⤵
PID:4340
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4520
- C:\Windows\wruhbcxrndfblcpxwgkfi.exe
  wruhbcxrndfblcpxwgkfi.exe
  2⤵
  PID:2456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jbblcasjcpohocmrnu.exe .
1⤵
PID:2252
- C:\Windows\jbblcasjcpohocmrnu.exe
  jbblcasjcpohocmrnu.exe .
  2⤵
  PID:5860
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\jbblcasjcpohocmrnu.exe*."
    3⤵
    PID:5528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c arqzpmdtlxvntgpto.exe
1⤵
PID:3648
- C:\Windows\arqzpmdtlxvntgpto.exe
  arqzpmdtlxvntgpto.exe
  2⤵
  PID:4156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c unozrqjbvjjdlalrowy.exe .
1⤵
PID:3820
- C:\Windows\unozrqjbvjjdlalrowy.exe
  unozrqjbvjjdlalrowy.exe .
  2⤵
  PID:5368
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\unozrqjbvjjdlalrowy.exe*."
    3⤵
    PID:5360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
1⤵
PID:2600
- C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
  C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
  2⤵
  PID:4732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe .
1⤵
PID:1648
- C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
  C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe .
  2⤵
  PID:4872
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\unozrqjbvjjdlalrowy.exe*."
    3⤵
    PID:5048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
1⤵
PID:1516
- C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
  C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
  2⤵
  PID:6100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe .
1⤵
PID:5384
- C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe
  C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe .
  2⤵
  PID:4744
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\hbdpiicvqfgbkamtradx.exe*."
    3⤵
    PID:3620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wruhbcxrndfblcpxwgkfi.exe
1⤵
PID:5580
- C:\Windows\wruhbcxrndfblcpxwgkfi.exe
  wruhbcxrndfblcpxwgkfi.exe
  2⤵
  PID:3868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hbdpiicvqfgbkamtradx.exe .
1⤵
PID:4532
- C:\Windows\hbdpiicvqfgbkamtradx.exe
  hbdpiicvqfgbkamtradx.exe .
  2⤵
  PID:1612
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\hbdpiicvqfgbkamtradx.exe*."
    3⤵
    PID:5184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c arqzpmdtlxvntgpto.exe
1⤵
PID:3748
- C:\Windows\arqzpmdtlxvntgpto.exe
  arqzpmdtlxvntgpto.exe
  2⤵
  PID:2140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tjhpeaqfwhevamux.exe .
1⤵
PID:4836
- C:\Windows\tjhpeaqfwhevamux.exe
  tjhpeaqfwhevamux.exe .
  2⤵
  PID:5788
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\tjhpeaqfwhevamux.exe*."
    3⤵
    PID:6060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
1⤵
PID:2860
- C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
  C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
  2⤵
  PID:5612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe .
1⤵
PID:4512
- C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
  C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe .
  2⤵
  PID:5460
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\wruhbcxrndfblcpxwgkfi.exe*."
    3⤵
    PID:2928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
1⤵
PID:5796
- C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
  C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
  2⤵
  PID:3584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe .
1⤵
PID:5280
- C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe
  C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe .
  2⤵
  PID:4844
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\hbdpiicvqfgbkamtradx.exe*."
    3⤵
    PID:4912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c arqzpmdtlxvntgpto.exe
1⤵
PID:856
- C:\Windows\arqzpmdtlxvntgpto.exe
  arqzpmdtlxvntgpto.exe
  2⤵
  PID:5452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tjhpeaqfwhevamux.exe .
1⤵
PID:3028
- C:\Windows\tjhpeaqfwhevamux.exe
  tjhpeaqfwhevamux.exe .
  2⤵
  PID:1012
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\tjhpeaqfwhevamux.exe*."
    3⤵
    PID:5332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c arqzpmdtlxvntgpto.exe
1⤵
PID:3536
- C:\Windows\arqzpmdtlxvntgpto.exe
  arqzpmdtlxvntgpto.exe
  2⤵
  PID:508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tjhpeaqfwhevamux.exe .
1⤵
PID:3532
- C:\Windows\tjhpeaqfwhevamux.exe
  tjhpeaqfwhevamux.exe .
  2⤵
  PID:912
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\tjhpeaqfwhevamux.exe*."
    3⤵
    PID:1332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe
1⤵
PID:3236
- C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe
  C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe
  2⤵
  PID:1200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe .
1⤵
PID:1064
- C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe
  C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe .
  2⤵
  PID:1800
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\hbdpiicvqfgbkamtradx.exe*."
    3⤵
    PID:1144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe
1⤵
PID:5836
- C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe
  C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe
  2⤵
  PID:5152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe .
1⤵
PID:5784
- C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe
  C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe .
  2⤵
  PID:1928
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\tjhpeaqfwhevamux.exe*."
    3⤵
    PID:2880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tjhpeaqfwhevamux.exe
1⤵
PID:5520
- C:\Windows\tjhpeaqfwhevamux.exe
  tjhpeaqfwhevamux.exe
  2⤵
  PID:2432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wruhbcxrndfblcpxwgkfi.exe .
1⤵
PID:3600
- C:\Windows\wruhbcxrndfblcpxwgkfi.exe
  wruhbcxrndfblcpxwgkfi.exe .
  2⤵
  PID:4872
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\wruhbcxrndfblcpxwgkfi.exe*."
    3⤵
    PID:4332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tjhpeaqfwhevamux.exe
1⤵
PID:5244
- C:\Windows\tjhpeaqfwhevamux.exe
  tjhpeaqfwhevamux.exe
  2⤵
  PID:4968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tjhpeaqfwhevamux.exe .
1⤵
PID:4640
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4524
- C:\Windows\tjhpeaqfwhevamux.exe
  tjhpeaqfwhevamux.exe .
  2⤵
  PID:4292
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\tjhpeaqfwhevamux.exe*."
    3⤵
    PID:4408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
1⤵
PID:5012
- C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
  C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
  2⤵
  PID:2960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe .
1⤵
PID:3152
- C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe
  C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe .
  2⤵
  PID:5772
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\jbblcasjcpohocmrnu.exe*."
    3⤵
    PID:5284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe
1⤵
PID:5568
- C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe
  C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe
  2⤵
  PID:4352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe .
1⤵
PID:6140
- C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
  C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe .
  2⤵
  PID:5184
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\unozrqjbvjjdlalrowy.exe*."
    3⤵
    PID:4532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jbblcasjcpohocmrnu.exe
1⤵
PID:2444
- C:\Windows\jbblcasjcpohocmrnu.exe
  jbblcasjcpohocmrnu.exe
  2⤵
  PID:2712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c unozrqjbvjjdlalrowy.exe .
1⤵
PID:3056
- C:\Windows\unozrqjbvjjdlalrowy.exe
  unozrqjbvjjdlalrowy.exe .
  2⤵
  PID:348
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\unozrqjbvjjdlalrowy.exe*."
    3⤵
    PID:4988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c arqzpmdtlxvntgpto.exe
1⤵
PID:6044
- C:\Windows\arqzpmdtlxvntgpto.exe
  arqzpmdtlxvntgpto.exe
  2⤵
  PID:4440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c arqzpmdtlxvntgpto.exe .
1⤵
PID:5892
- C:\Windows\arqzpmdtlxvntgpto.exe
  arqzpmdtlxvntgpto.exe .
  2⤵
  PID:3672
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\arqzpmdtlxvntgpto.exe*."
    3⤵
    PID:1128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe
1⤵
PID:3000
- C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe
  C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe
  2⤵
  PID:3156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe .
1⤵
PID:2772
- C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
  C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe .
  2⤵
  PID:4896
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\wruhbcxrndfblcpxwgkfi.exe*."
    3⤵
    PID:3548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
1⤵
PID:5444
- C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
  C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
  2⤵
  PID:1344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe .
1⤵
PID:3624
- C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe
  C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe .
  2⤵
  PID:2480
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\hbdpiicvqfgbkamtradx.exe*."
    3⤵
    PID:1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c unozrqjbvjjdlalrowy.exe
1⤵
PID:2276
- C:\Windows\unozrqjbvjjdlalrowy.exe
  unozrqjbvjjdlalrowy.exe
  2⤵
  PID:2620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c unozrqjbvjjdlalrowy.exe
1⤵
PID:2456
- C:\Windows\unozrqjbvjjdlalrowy.exe
  unozrqjbvjjdlalrowy.exe
  2⤵
  PID:1112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wruhbcxrndfblcpxwgkfi.exe .
1⤵
PID:924
- C:\Windows\wruhbcxrndfblcpxwgkfi.exe
  wruhbcxrndfblcpxwgkfi.exe .
  2⤵
  PID:208
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\wruhbcxrndfblcpxwgkfi.exe*."
    3⤵
    PID:5152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jbblcasjcpohocmrnu.exe .
1⤵
PID:5412
- C:\Windows\jbblcasjcpohocmrnu.exe
  jbblcasjcpohocmrnu.exe .
  2⤵
  PID:5160
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\jbblcasjcpohocmrnu.exe*."
    3⤵
    PID:3796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wruhbcxrndfblcpxwgkfi.exe
1⤵
PID:1744
- C:\Windows\wruhbcxrndfblcpxwgkfi.exe
  wruhbcxrndfblcpxwgkfi.exe
  2⤵
  PID:5784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wruhbcxrndfblcpxwgkfi.exe
1⤵
PID:6048
- C:\Windows\wruhbcxrndfblcpxwgkfi.exe
  wruhbcxrndfblcpxwgkfi.exe
  2⤵
  PID:5920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c unozrqjbvjjdlalrowy.exe .
1⤵
PID:5316
- C:\Windows\unozrqjbvjjdlalrowy.exe
  unozrqjbvjjdlalrowy.exe .
  2⤵
  PID:6100
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\unozrqjbvjjdlalrowy.exe*."
    3⤵
    PID:3600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tjhpeaqfwhevamux.exe
1⤵
PID:2204
- C:\Windows\tjhpeaqfwhevamux.exe
  tjhpeaqfwhevamux.exe
  2⤵
  PID:4580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hbdpiicvqfgbkamtradx.exe .
1⤵
PID:6000
- C:\Windows\hbdpiicvqfgbkamtradx.exe
  hbdpiicvqfgbkamtradx.exe .
  2⤵
  PID:5284
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\hbdpiicvqfgbkamtradx.exe*."
    3⤵
    PID:5264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe
1⤵
PID:2468
- C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe
  C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe
  2⤵
  PID:1964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tjhpeaqfwhevamux.exe .
1⤵
PID:3820
- C:\Windows\tjhpeaqfwhevamux.exe
  tjhpeaqfwhevamux.exe .
  2⤵
  PID:5092
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\tjhpeaqfwhevamux.exe*."
    3⤵
    PID:1436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe .
1⤵
PID:1700
- C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe
  C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe .
  2⤵
  PID:2344
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\hbdpiicvqfgbkamtradx.exe*."
    3⤵
    PID:2276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe
1⤵
PID:1232
- C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe
  C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe
  2⤵
  PID:5420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe .
1⤵
PID:1664
- C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe
  C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe .
  2⤵
  PID:5352
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\arqzpmdtlxvntgpto.exe*."
    3⤵
    PID:2604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c unozrqjbvjjdlalrowy.exe
1⤵
PID:1516
- C:\Windows\unozrqjbvjjdlalrowy.exe
  unozrqjbvjjdlalrowy.exe
  2⤵
  PID:3756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tjhpeaqfwhevamux.exe .
1⤵
PID:5636
- C:\Windows\tjhpeaqfwhevamux.exe
  tjhpeaqfwhevamux.exe .
  2⤵
  PID:4200
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\tjhpeaqfwhevamux.exe*."
    3⤵
    PID:628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
1⤵
PID:3524
- C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
  C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
  2⤵
  PID:5044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe
1⤵
PID:2116
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:452
- C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe
  C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe
  2⤵
  PID:3564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe .
1⤵
PID:4884
- C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
  C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe .
  2⤵
  PID:3296
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\wruhbcxrndfblcpxwgkfi.exe*."
    3⤵
    PID:3704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
1⤵
PID:5328
- C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
  C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
  2⤵
  PID:1684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe .
1⤵
PID:5792
- C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe
  C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe .
  2⤵
  PID:2308
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\hbdpiicvqfgbkamtradx.exe*."
    3⤵
    PID:5864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe .
1⤵
PID:4328
- C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
  C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe .
  2⤵
  PID:5892
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\unozrqjbvjjdlalrowy.exe*."
    3⤵
    PID:3612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
1⤵
PID:6132
- C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
  C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
  2⤵
  PID:4216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe .
1⤵
PID:6044
- C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe
  C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe .
  2⤵
  PID:5508
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\arqzpmdtlxvntgpto.exe*."
    3⤵
    PID:3512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tjhpeaqfwhevamux.exe
1⤵
PID:5228
- C:\Windows\tjhpeaqfwhevamux.exe
  tjhpeaqfwhevamux.exe
  2⤵
  PID:4924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hbdpiicvqfgbkamtradx.exe .
1⤵
PID:4816
- C:\Windows\hbdpiicvqfgbkamtradx.exe
  hbdpiicvqfgbkamtradx.exe .
  2⤵
  PID:5396
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\hbdpiicvqfgbkamtradx.exe*."
    3⤵
    PID:4500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hbdpiicvqfgbkamtradx.exe
1⤵
PID:2104
- C:\Windows\hbdpiicvqfgbkamtradx.exe
  hbdpiicvqfgbkamtradx.exe
  2⤵
  PID:5196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hbdpiicvqfgbkamtradx.exe .
1⤵
PID:924
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5584
- C:\Windows\hbdpiicvqfgbkamtradx.exe
  hbdpiicvqfgbkamtradx.exe .
  2⤵
  PID:2672
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\hbdpiicvqfgbkamtradx.exe*."
    3⤵
    PID:5012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe
1⤵
PID:1364
- C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe
  C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe
  2⤵
  PID:3428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe .
1⤵
PID:4672
- C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
  C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe .
  2⤵
  PID:1068
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\wruhbcxrndfblcpxwgkfi.exe*."
    3⤵
    PID:5504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe
1⤵
PID:4652
- C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe
  C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe
  2⤵
  PID:536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe .
1⤵
PID:4808
- C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe
  C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe .
  2⤵
  PID:3216
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\hbdpiicvqfgbkamtradx.exe*."
    3⤵
    PID:4848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c arqzpmdtlxvntgpto.exe
1⤵
PID:4920
- C:\Windows\arqzpmdtlxvntgpto.exe
  arqzpmdtlxvntgpto.exe
  2⤵
  PID:5468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hbdpiicvqfgbkamtradx.exe .
1⤵
PID:5316
- C:\Windows\hbdpiicvqfgbkamtradx.exe
  hbdpiicvqfgbkamtradx.exe .
  2⤵
  PID:4832
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\hbdpiicvqfgbkamtradx.exe*."
    3⤵
    PID:3156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hbdpiicvqfgbkamtradx.exe
1⤵
PID:1368
- C:\Windows\hbdpiicvqfgbkamtradx.exe
  hbdpiicvqfgbkamtradx.exe
  2⤵
  PID:1436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wruhbcxrndfblcpxwgkfi.exe .
1⤵
PID:5460
- C:\Windows\wruhbcxrndfblcpxwgkfi.exe
  wruhbcxrndfblcpxwgkfi.exe .
  2⤵
  PID:4524
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\wruhbcxrndfblcpxwgkfi.exe*."
    3⤵
    PID:3820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe
1⤵
PID:5352
- C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe
  C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe
  2⤵
  PID:2656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe .
1⤵
PID:6000
- C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe
  C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe .
  2⤵
  PID:1648
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\jbblcasjcpohocmrnu.exe*."
    3⤵
    PID:1432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
1⤵
PID:1844
- C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
  C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
  2⤵
  PID:1128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe .
1⤵
PID:1612
- C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe
  C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe .
  2⤵
  PID:4164
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\tjhpeaqfwhevamux.exe*."
    3⤵
    PID:4216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tjhpeaqfwhevamux.exe
1⤵
PID:5552
- C:\Windows\tjhpeaqfwhevamux.exe
  tjhpeaqfwhevamux.exe
  2⤵
  PID:6012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jbblcasjcpohocmrnu.exe .
1⤵
PID:3848
- C:\Windows\jbblcasjcpohocmrnu.exe
  jbblcasjcpohocmrnu.exe .
  2⤵
  PID:5852
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\jbblcasjcpohocmrnu.exe*."
    3⤵
    PID:4400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wruhbcxrndfblcpxwgkfi.exe
1⤵
PID:3904
- C:\Windows\wruhbcxrndfblcpxwgkfi.exe
  wruhbcxrndfblcpxwgkfi.exe
  2⤵
  PID:5940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jbblcasjcpohocmrnu.exe .
1⤵
PID:4780
- C:\Windows\jbblcasjcpohocmrnu.exe
  jbblcasjcpohocmrnu.exe .
  2⤵
  PID:3512
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\jbblcasjcpohocmrnu.exe*."
    3⤵
    PID:1968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe
1⤵
PID:668
- C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe
  C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe
  2⤵
  PID:2976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe .
1⤵
PID:3708
- C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
  C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe .
  2⤵
  PID:1964
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\unozrqjbvjjdlalrowy.exe*."
    3⤵
    PID:4076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
1⤵
PID:2468
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3948
- C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
  C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
  2⤵
  PID:5184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe .
1⤵
PID:5864
- C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe
  C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe .
  2⤵
  PID:2528
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\tjhpeaqfwhevamux.exe*."
    3⤵
    PID:5220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wruhbcxrndfblcpxwgkfi.exe
1⤵
PID:4500
- C:\Windows\wruhbcxrndfblcpxwgkfi.exe
  wruhbcxrndfblcpxwgkfi.exe
  2⤵
  PID:1628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tjhpeaqfwhevamux.exe .
1⤵
PID:4644
- C:\Windows\tjhpeaqfwhevamux.exe
  tjhpeaqfwhevamux.exe .
  2⤵
  PID:3324
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\tjhpeaqfwhevamux.exe*."
    3⤵
    PID:6088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tjhpeaqfwhevamux.exe
1⤵
PID:2160
- C:\Windows\tjhpeaqfwhevamux.exe
  tjhpeaqfwhevamux.exe
  2⤵
  PID:908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c arqzpmdtlxvntgpto.exe .
1⤵
PID:5012
- C:\Windows\arqzpmdtlxvntgpto.exe
  arqzpmdtlxvntgpto.exe .
  2⤵
  PID:4344
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\arqzpmdtlxvntgpto.exe*."
    3⤵
    PID:4972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
1⤵
PID:2108
- C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
  C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
  2⤵
  PID:1596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe .
1⤵
PID:2768
- C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe
  C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe .
  2⤵
  PID:2928
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\jbblcasjcpohocmrnu.exe*."
    3⤵
    PID:4140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe
1⤵
PID:3380
- C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe
  C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe
  2⤵
  PID:2204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe .
1⤵
PID:2628
- C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe
  C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe .
  2⤵
  PID:2440
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\hbdpiicvqfgbkamtradx.exe*."
    3⤵
    PID:5908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jbblcasjcpohocmrnu.exe
1⤵
PID:640
- C:\Windows\jbblcasjcpohocmrnu.exe
  jbblcasjcpohocmrnu.exe
  2⤵
  PID:4536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tjhpeaqfwhevamux.exe .
1⤵
PID:4740
- C:\Windows\tjhpeaqfwhevamux.exe
  tjhpeaqfwhevamux.exe .
  2⤵
  PID:1528
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\tjhpeaqfwhevamux.exe*."
    3⤵
    PID:3332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tjhpeaqfwhevamux.exe
1⤵
PID:376
- C:\Windows\tjhpeaqfwhevamux.exe
  tjhpeaqfwhevamux.exe
  2⤵
  PID:5948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c arqzpmdtlxvntgpto.exe .
1⤵
PID:4484
- C:\Windows\arqzpmdtlxvntgpto.exe
  arqzpmdtlxvntgpto.exe .
  2⤵
  PID:3868
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\arqzpmdtlxvntgpto.exe*."
    3⤵
    PID:3000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe
1⤵
PID:1176
- C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe
  C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe
  2⤵
  PID:5520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe .
1⤵
PID:1300
- C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
  C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe .
  2⤵
  PID:4960
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\unozrqjbvjjdlalrowy.exe*."
    3⤵
    PID:4968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe
1⤵
PID:1612
- C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe
  C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe
  2⤵
  PID:3296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe .
1⤵
PID:2772
- C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe
  C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe .
  2⤵
  PID:3932
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\hbdpiicvqfgbkamtradx.exe*."
    3⤵
    PID:3748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c unozrqjbvjjdlalrowy.exe
1⤵
PID:1272
- C:\Windows\unozrqjbvjjdlalrowy.exe
  unozrqjbvjjdlalrowy.exe
  2⤵
  PID:5300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wruhbcxrndfblcpxwgkfi.exe .
1⤵
PID:5636
- C:\Windows\wruhbcxrndfblcpxwgkfi.exe
  wruhbcxrndfblcpxwgkfi.exe .
  2⤵
  PID:2732
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\wruhbcxrndfblcpxwgkfi.exe*."
    3⤵
    PID:1848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tjhpeaqfwhevamux.exe
1⤵
PID:1968
- C:\Windows\tjhpeaqfwhevamux.exe
  tjhpeaqfwhevamux.exe
  2⤵
  PID:3808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c arqzpmdtlxvntgpto.exe .
1⤵
PID:4780
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4792
- C:\Windows\arqzpmdtlxvntgpto.exe
  arqzpmdtlxvntgpto.exe .
  2⤵
  PID:5976
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\arqzpmdtlxvntgpto.exe*."
    3⤵
    PID:2276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe
1⤵
PID:1792
- C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe
  C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe
  2⤵
  PID:3904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe .
1⤵
PID:5628
- C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe
  C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe .
  2⤵
  PID:5660
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\tjhpeaqfwhevamux.exe*."
    3⤵
    PID:4508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tjhpeaqfwhevamux.exe
1⤵
PID:1052
- C:\Windows\tjhpeaqfwhevamux.exe
  tjhpeaqfwhevamux.exe
  2⤵
  PID:2528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wruhbcxrndfblcpxwgkfi.exe .
1⤵
PID:4676
- C:\Windows\wruhbcxrndfblcpxwgkfi.exe
  wruhbcxrndfblcpxwgkfi.exe .
  2⤵
  PID:3664
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\wruhbcxrndfblcpxwgkfi.exe*."
    3⤵
    PID:6088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
1⤵
PID:3532
- C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
  C:\Users\Admin\AppData\Local\Temp\unozrqjbvjjdlalrowy.exe
  2⤵
  PID:2104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jbblcasjcpohocmrnu.exe
1⤵
PID:4332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe .
1⤵
PID:908
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3300
- C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe
  C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe .
  2⤵
  PID:2108
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\arqzpmdtlxvntgpto.exe*."
    3⤵
    PID:5504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wruhbcxrndfblcpxwgkfi.exe .
1⤵
PID:3752
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3924
- C:\Windows\wruhbcxrndfblcpxwgkfi.exe
  wruhbcxrndfblcpxwgkfi.exe .
  2⤵
  PID:5220
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\wruhbcxrndfblcpxwgkfi.exe*."
    3⤵
    PID:2632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wruhbcxrndfblcpxwgkfi.exe
1⤵
PID:1928
- C:\Windows\wruhbcxrndfblcpxwgkfi.exe
  wruhbcxrndfblcpxwgkfi.exe
  2⤵
  PID:1508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe
1⤵
PID:3864
- C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe
  C:\Users\Admin\AppData\Local\Temp\tjhpeaqfwhevamux.exe
  2⤵
  PID:5284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hbdpiicvqfgbkamtradx.exe .
1⤵
PID:2756
- C:\Windows\hbdpiicvqfgbkamtradx.exe
  hbdpiicvqfgbkamtradx.exe .
  2⤵
  PID:4272
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\hbdpiicvqfgbkamtradx.exe*."
    3⤵
    PID:5608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe .
1⤵
PID:4516
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2864
- C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe
  C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe .
  2⤵
  PID:3908
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\arqzpmdtlxvntgpto.exe*."
    3⤵
    PID:820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c unozrqjbvjjdlalrowy.exe
1⤵
PID:3600
- C:\Windows\unozrqjbvjjdlalrowy.exe
  unozrqjbvjjdlalrowy.exe
  2⤵
  PID:452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hbdpiicvqfgbkamtradx.exe .
1⤵
PID:992
- C:\Windows\hbdpiicvqfgbkamtradx.exe
  hbdpiicvqfgbkamtradx.exe .
  2⤵
  PID:4136
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\hbdpiicvqfgbkamtradx.exe*."
    3⤵
    PID:1464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe
1⤵
PID:3444
- C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe
  C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe
  2⤵
  PID:3488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe
1⤵
PID:2004
- C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe
  C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe
  2⤵
  PID:4892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wruhbcxrndfblcpxwgkfi.exe
1⤵
PID:1620
- C:\Windows\wruhbcxrndfblcpxwgkfi.exe
  wruhbcxrndfblcpxwgkfi.exe
  2⤵
  PID:392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe .
1⤵
PID:1216
- C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe
  C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe .
  2⤵
  PID:2956
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\arqzpmdtlxvntgpto.exe*."
    3⤵
    PID:3624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe .
1⤵
PID:5216
- C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
  C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe .
  2⤵
  PID:1452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hbdpiicvqfgbkamtradx.exe .
1⤵
PID:3524
- C:\Windows\hbdpiicvqfgbkamtradx.exe
  hbdpiicvqfgbkamtradx.exe .
  2⤵
  PID:1560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe
1⤵
PID:3392
- C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe
  C:\Users\Admin\AppData\Local\Temp\jbblcasjcpohocmrnu.exe
  2⤵
  PID:1272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jbblcasjcpohocmrnu.exe
1⤵
PID:4896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe .
1⤵
PID:508
- C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe
  C:\Users\Admin\AppData\Local\Temp\arqzpmdtlxvntgpto.exe .
  2⤵
  PID:5480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c unozrqjbvjjdlalrowy.exe .
1⤵
PID:3916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wruhbcxrndfblcpxwgkfi.exe
1⤵
PID:5444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe .
1⤵
PID:3572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hbdpiicvqfgbkamtradx.exe
1⤵
PID:4600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Safe Mode Boot

T1562.009

Modify Registry